Date post: 13-Apr-2018

Module 2: Managing User and Computer Accounts

Contents

Overview 1
Lesson: Creating User Accounts 2
Lesson: Creating Computer Accounts 18
Lesson: Modifying User and Computer Account Properties 26
Lesson: Creating a User Account Template 33
Lesson: Managing User and Computer Accounts 39
Lesson: Using Queries to Locate User and Computer Accounts in Active Directory 48
Lab: Managing User and Computer Accounts 56


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, Authenticode, BizTalk, IntelliMirror, MSDN, MS-DOS, Outlook, PowerPoint, Visual Basic, Win32, Windows, Windows Media, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.


Module 2: Managing User and Computer Accounts iii

Instructor Notes

Presentation: 150 minutes
Lab: 30 minutes

This module provides students with the skills and knowledge that they need to create, modify, and manage user and computer accounts on computers running Microsoft Windows Server 2003 in a networked environment.

After completing this module, students will be able to:

• Create user accounts.
• Create computer accounts.
• Modify user and computer account properties.
• Create a user account template.
• Manage user and computer accounts.
• Use queries to locate user and computer accounts in Active Directory directory service.

Required materials

To teach this module, you need the following materials:

• Microsoft Office PowerPoint file 2273b_02.ppt
• The multimedia presentation Types of User Accounts
• The multimedia presentation Introduction to Locating User and Computer Accounts in Active Directory

Preparation tasks

To prepare for this module:

• Read all of the materials for this module.
• Complete the practices and lab.
• Review the Types of User Accounts and Introduction to Locating User and Computer Accounts in Active Directory multimedia presentations for this module.


How to Teach This Module

This section contains information that will help you to teach this module.

Multimedia

The multimedia files are on the instructor computer. To open a multimedia presentation, click the animation icon on the slide for that multimedia presentation.

Practices and Labs

Practices

Explain to the students that the practices and labs are designed for this course. A module includes two or more lessons. Most lessons include a practice. After completing all of the lessons for a module, the module concludes with a lab.

This course does not include instructor demonstrations, but you should demonstrate many of the administrative tasks as you teach them. After you have covered the contents of the topic and demonstrated the procedures for the lesson, explain that a practice will give students a chance for hands-on learning of all the tasks discussed in the lesson.

Labs

At the end of each module, the lab enables the students to practice the tasks that are discussed and applied in the entire module.

Using scenarios that are relevant to the job role, the lab gives students a set of instructions in a two-column format. The left column provides the task (for example, "Create a group"). The right column contains specific instructions that the students will need to perform the task (for example, "In Active Directory Users and Computers, double-click the domain node").

An answer key for each lab exercise is located on the Student Materials compact disc, in case the students need step-by-step instructions to complete the lab. They can also refer to the practices and instructions in the module.

Lesson: Creating User Accounts

This section describes the instructional methods for teaching this lesson.

What Is a User Account?

Students will likely be familiar with user accounts. Briefly explain the purposes of user accounts, and then start the multimedia presentation Types of User Accounts. After the presentation, ensure that students can distinguish between local and domain user accounts.

Names Associated with Domain User Accounts

Define the five types of names associated with a domain user account. Give examples of when each type of name is used. Be sure that students realize that they use the Lightweight Directory Access Protocol (LDAP) relative distinguished name in scripts.

Guidelines for Creating a User Account Naming Convention

Review the guidelines. Ask the students to create a naming convention for a fictitious organization.


User Account Placement in a Hierarchy

Point out that in most situations, systems administrators work in a predefined Active Directory hierarchy. However, it is important for students to understand that they must create user accounts in the appropriate containers in the hierarchy.

User Account Password Options

Open the Properties dialog box for a user account, and point out the password options that the administrator can set. The next topic explains when to select the different options.

When to Require or Restrict Password Changes

Emphasize the security impacts of passwords.

Tools to Create User Accounts

Discuss the various tools that can be used to create user accounts. Demonstrate the procedures to create a user account by using Active Directory Users and Computers and the dsadd command.

Practice: Creating User Accounts

In this practice, students create user accounts by using Active Directory Users and Computers and the dsadd command.

Best Practices for Creating User Accounts

Discuss the recommendations for local and domain user accounts. Ask students what the account creation policies are in their organization. For example, how do they generate users' initial passwords?

Lesson: Creating Computer Accounts

This section describes the instructional methods for teaching this lesson.

What Is a Computer Account?

Explain the difference between a user account and a computer account.

Why Create a Computer Account?

Explain the main functions of computer accounts. Explain that a computer account allows auditing and authentication and the ability to manage the computer in Active Directory.

Where Computer Accounts Are Created in a Domain

Because users can create computer accounts when they join a computer to the domain, systems administrators must be aware that those user-created computer accounts exist in the Computers container. Depending on the Active Directory design, the computer accounts might need to be moved to specific organizational units. Describe how to change the default location for computer accounts.

Computer Account Options

Explain the implications of the pre-Microsoft Windows 2000 assignment to a computer account. Describe what it means to assign a computer as a backup domain controller. Emphasize that students should only select this option in a specific environment. Demonstrate the procedure to create a computer account by using Active Directory Users and Computers and dsadd.

Practice: Creating a Computer Account

In this practice, students create computer accounts by using Active Directory Users and Computers and the dsadd command.


Lesson: Modifying User and Computer Account Properties

This section describes the instructional methods for teaching this lesson.

When to Modify User and Computer Account Properties

Point out that students can assign values to the account properties discussed in this lesson during account creation. However, it is often easier to create accounts with the minimum amount of information and then add additional information later. Explain the role that these property values play in locating resources in Active Directory.

Properties Associated with User Accounts

Open the Properties dialog box for a user account, and then review the most common options on each tab.

Renaming a User Account

Point out that renamed user accounts maintain all the other properties associated with the old account name. Demonstrate how to rename user accounts.

Properties Associated with Computer Accounts

Open the Properties dialog box for a computer account, and then review the most common options on each tab.

Practice: Modifying User and Computer Account Properties

In this practice, students will modify the properties of a user account and a computer account.

Lesson: Creating a User Account Template

This section describes the instructional methods for teaching this lesson.

What Is a User Account Template?

Explain the purpose of a user account template. You might need to explain that a user account template is used only when creating a new account. Changes to the template will not affect existing accounts.

What Properties Are in a Template?

Discuss the properties that are copied in a user account template.

Guidelines for Creating User Account Templates

Review the guidelines for user account templates. Demonstrate the procedure for creating a user account template.

Practice: Creating a User Account Template

In this practice, students will create a user account template.

Lesson: Managing User and Computer Accounts

This section describes the instructional methods for teaching this lesson.

Why Enable or Disable User and Computer Accounts?

Explain situations in which accounts should be disabled. Ask the students to offer other examples.

What Are Locked-Out User Accounts?

Explain how a user account becomes locked out. Attempt to log on by using the Jeff Hay user account with an incorrect password. Repeat the attempts until the account is locked out. Demonstrate how to unlock the account.

When to Reset User Passwords

Explain the circumstances in which you would need to reset a user's password. Point out that the administrator cannot recover the original password without third-party tools. Demonstrate how to reset a password.


When to Reset Computer Accounts

Explain the circumstances in which you would need to reset a computer account. Describe the difference between resetting an account and deleting and re-creating the computer account.

Practice: Resetting and Disabling a User Account

In this practice, students will reset and test a user's password. They will also disable a user account and test the results.

Lesson: Using Queries to Locate User and Computer Accounts in Active Directory

This section describes the instructional methods for teaching this lesson.

Multimedia: Introduction to Locating User and Computer Accounts in Active Directory

Start the multimedia presentation Introduction to Locating User and Computer Accounts in Active Directory. The following topics expand on the information in the presentation.

Search Types

Suggest that students open the Find Users, Contacts, and Groups dialog box and explore the drop-down lists while you discuss the search types.

What Is a Saved Query?

In Active Directory Users and Computers, point out the Saved Queries folder. Explain the benefit of saving customized queries.

Importing and Exporting Saved Queries

Describe and demonstrate how to import and export queries to XML files to make them available on other domain controllers.

Practice: Using Queries to Locate User and Computer Accounts in Active Directory

In this practice, students will create a saved query.

Lab: Managing User and Computer Accounts

Before beginning the lab, students should have completed all of the practices. Remind the students that they can review the module for assistance in completing the lab. Tell students that a detailed answer key for each lab is provided in the Labdocs folder on the Student Materials compact disc.


Overview

Introduction

One of your functions as a systems administrator is to manage user and computer accounts. These accounts are Active Directory directory service objects, and you use these accounts to enable individuals to log on to the network and access resources. In this module, you will gain the skills and knowledge that you need to modify user and computer accounts on computers running Microsoft Windows Server 2003 in a networked environment.

Objectives

After completing this module, you will be able to:

• Create user accounts.
• Create computer accounts.
• Modify user and computer account properties.
• Create a user account template.
• Manage user and computer accounts.
• Use queries to locate user and computer accounts in Active Directory.


Lesson: Creating User Accounts

Introduction

As a systems administrator, you give users access to various network resources. To do this, you will need to know how to create and configure user accounts and how to establish these accounts within your organization's system. With this knowledge, you will ensure that your Windows Server 2003 network identifies and authenticates users before granting them access to the network.

Lesson objectives

After completing this lesson, you will be able to:

• Explain the purpose of user accounts.
• Describe the types of names associated with domain user accounts.
• Explain guidelines for creating a convention for naming user accounts.
• Describe user account placement in an Active Directory hierarchy.
• Describe user account password options.
• Determine when to require password changes on domain user accounts.
• Describe the tools to create user accounts.
• Create local and domain user accounts.
• Apply best practices when creating user accounts.


What Is a User Account?

Definition

A user account is an object that consists of all the information that defines a user in Windows Server 2003. The account can be either a local or a domain account. A user account includes the user name and password as well as group memberships.

You can use a user account to:

• Enable someone to log on to a computer based on a user account's identity.
• Enable processes and services to run under a specific security context.
• Manage a user's access to resources such as Active Directory objects and their properties, shared folders, files, directories, and printer queues.

Multimedia: Types of User Accounts

To view the Types of User Accounts presentation, open the Web page on the Student Materials compact disc, click Multimedia, and then click the title of the presentation.

The Types of User Accounts presentation explains how using accounts that grant different levels of access to the network meets the requirements of network users.


Names Associated with Domain User Accounts

Introduction

Five types of names are associated with domain user accounts. In Active Directory, each user account consists of a user logon name, a pre-Windows 2000 user logon name (Security Accounts Manager account name), a user principal logon name, a Lightweight Directory Access Protocol (LDAP) distinguished name, and an LDAP relative distinguished name.

User logon name

When creating a user account, an administrator types a user logon name. User logon names must be unique in the forest in which the user account is created. Users use this name only during the logon process. The user enters the user logon name, a password, and the domain name in separate fields on the logon screen.

User logon names can:

• Contain up to 20 uppercase and lowercase characters. (The name can be more than 20 characters, but Windows Server 2003 recognizes only 20.)
• Include a combination of special and alphanumeric characters, except the following: " / \ [ ] : ; | = , + * ? < >
• Have any combination of uppercase and lowercase letters. User logon names are case-retained, but not case-sensitive. For example, the user TAdams can enter any combination of uppercase and lowercase letters when logging on.

Some examples of user logon names are Terryadams and Tadams.


Pre-Windows 2000 logon name

You can use the pre-Windows 2000 network basic input/output system (NetBIOS) user account to log on to a Microsoft Windows domain from computers running pre-Windows 2000 operating systems by using a name with the DomainName\UserName format. You can also use this name to log on to Windows domains from computers running Microsoft Windows 2000 or Microsoft Windows XP or servers running Windows Server 2003. The pre-Windows 2000 logon name must be unique in the domain. Users can use this logon name with the runas command or on a secondary logon screen. This name is limited to 15 characters.

User principal logon name

The user principal name (UPN) consists of the user logon name and the user principal name suffix, joined by the at sign (@). The UPN must be unique in the forest.

The second part of the UPN is the user principal name suffix. The user principal name suffix can be the Domain Name System (DNS) domain name, the DNS name of any domain in the forest, or an alternative name that an administrator creates only for logon purposes. Users can use this name to log on with the runas command or on a secondary logon screen.

An example of a UPN is [email protected].

LDAP distinguished name

The LDAP distinguished name uniquely identifies the object in the forest. Users never use this name, but administrators use this name to add users to the network from a script or command line. All objects use the same LDAP naming convention, so all LDAP distinguished names must be unique in the forest.

The following are examples of an LDAP distinguished name:

• CN=terry adams,ou=sales,dc=contoso,dc=msft
• CN=computer1,ou=sales,dc=contoso,dc=msft

LDAP relative distinguished name

The LDAP relative distinguished name uniquely identifies the object within its parent container. The following are examples of an LDAP relative distinguished name:

• CN=terry adams
• CN=computer1


How names are assigned

From the information provided when a security principal object is created, Windows Server 2003 generates a security ID (SID) and a globally unique ID (GUID) used to identify the security principal. If the object is created using Active Directory Users and Computers, Active Directory also creates an LDAP relative distinguished name, based on the security principal full name. Therefore, the full name must be unique in the container in which the user account is created. An LDAP distinguished name and a canonical name are derived from the relative distinguished name and the names of the domain and container contexts in which the security principal object is created. If an object is created from a script or command line, the LDAP distinguished name is provided and the relative distinguished name and canonical name are derived from it.

If your organization has several domains, you can use the same user name or computer name in different domains. The SID, GUID, LDAP distinguished name, and canonical name generated by Active Directory will uniquely identify each user, computer, or group in the forest. If the security principal object is moved to a different domain, the SID, LDAP relative distinguished name, LDAP distinguished name, and canonical name will change, but the globally unique ID generated by Active Directory will not change.
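The derivation just described (and the LDAP distinguished name topic before it) as an added worked example, not part of the course material: given a distinguished name supplied from a script, split it into components, derive the relative distinguished name and the canonical name, and check that an RDN is reused only across different parent containers. The canonical-name layout (DNS domain name, then the container path, slash-separated) is assumed from general Active Directory conventions; the sample DNs are the module's own plus constructed variants.

```python
import re

# Commas separate DN components unless escaped with a backslash ("\,").
_COMPONENT_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Split a DN into (type, value) pairs, most specific component first.

    Types are lowercased for comparison; values keep their case but have the
    "\," escape resolved and surrounding whitespace stripped.
    """
    components = []
    for component in _COMPONENT_SPLIT.split(dn):
        attr_type, sep, value = component.partition('=')
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError('malformed DN component: %r' % component)
        components.append((attr_type.strip().lower(),
                           value.strip().replace('\\,', ',')))
    return components


def relative_distinguished_name(dn):
    """The RDN is the leading component; it has to be unique only within its parent."""
    attr_type, value = parse_dn(dn)[0]
    return '%s=%s' % (attr_type.upper(), value)


def parent_container(dn):
    """DN of the container holding the object (everything after the RDN)."""
    pieces = _COMPONENT_SPLIT.split(dn, maxsplit=1)
    if len(pieces) < 2:
        raise ValueError('DN has no parent container: %r' % dn)
    return pieces[1].strip()


def canonical_name(dn):
    """Canonical name: DNS domain name, then container path, then the object.

    Assumed layout, e.g. "contoso.msft/sales/terry adams".
    """
    components = parse_dn(dn)
    dns_labels = [value for attr_type, value in components if attr_type == 'dc']
    if not dns_labels:
        raise ValueError('DN has no dc= components: %r' % dn)
    # Non-domain components, read from the root of the domain downwards.
    path = [value for attr_type, value in reversed(components) if attr_type != 'dc']
    return '/'.join(['.'.join(dns_labels)] + path)


def find_conflicts(dns):
    """Return DNs whose RDN collides with an earlier DN in the same parent.

    The comparison is case-insensitive. Reusing an RDN in a different
    container is allowed, which is why the module says the full name only
    has to be unique within the container where the account is created.
    """
    seen = set()
    conflicts = []
    for dn in dns:
        key = (parent_container(dn).lower(), relative_distinguished_name(dn).lower())
        if key in seen:
            conflicts.append(dn)
        seen.add(key)
    return conflicts


if __name__ == '__main__':
    # Constructed sample directory built around the module's two example DNs.
    sample = [
        'CN= terry adams,ou=sales,dc=contoso,dc=msft',
        'CN=computer1,ou=sales,dc=contoso,dc=msft',
        'cn=Terry Adams,OU=Sales,dc=contoso,dc=msft',      # same parent: conflict
        'CN=terry adams,ou=marketing,dc=contoso,dc=msft',  # other parent: allowed
    ]
    for dn in sample:
        print('%-48s RDN=%-16s canonical=%s'
              % (dn, relative_distinguished_name(dn), canonical_name(dn)))
    print('conflicts:', find_conflicts(sample))
```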


Guidelines for Creating a User Account Naming Convention

Introduction

A naming convention establishes how user accounts are identified in the domain. A consistent naming convention makes it easier for you to remember user logon names and locate them in lists. It is a good practice to adhere to the naming convention already in use in an existing network that supports a large number of users.

Guidelines

Consider the following guidelines for creating a naming convention:

• Maintain a consistent corporate standard for user names. Accounts adhering to a standard are easier to understand, search for, and create. For example, if your company uses firstname.lastname (judy.lew) as the standard, an account created using firstinitiallastname (jlew) is confusing.
• If you have a large number of users, your naming convention for user logon names should accommodate employees with identical names. A method to accomplish this is to use the first name and the last initial, and then add additional letters from the last name to accommodate duplicate names. For example, for two users named Judy Lew, one user logon name can be Judyl and the other can be Judyle.
• In some organizations, it is useful to identify temporary employees by their user accounts. To do so, you can add a prefix to the user logon name, such as a T and a hyphen. An example is T-Judyl.
• User logon names for domain user accounts must be unique in the forest. Full names for domain user accounts must be unique in the container in which you create the user account.
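The convention in these guidelines, as an added example that is not part of the course material: generate the next free logon name (first name plus growing letters of the last name, optional T- prefix for temporary staff) while enforcing the logon-name rules from the previous topic (forbidden characters, the 20-character limit, case-insensitive forest-wide uniqueness). The set of existing names and the sample employees are constructed for the demonstration.

```python
# Characters Windows Server 2003 rejects in a user logon name (listed in the lesson).
FORBIDDEN = set('"/\\[]:;|=,+*?<>')
MAX_LOGON_NAME = 20          # characters Windows Server 2003 recognizes
TEMP_PREFIX = 'T-'           # the lesson's example prefix for temporary employees


def validate_logon_name(name):
    """Return the rule violations for a proposed logon name ([] means it is valid)."""
    problems = []
    if not name:
        problems.append('empty name')
    if len(name) > MAX_LOGON_NAME:
        problems.append('longer than %d characters; only the first %d are recognized'
                        % (MAX_LOGON_NAME, MAX_LOGON_NAME))
    bad = sorted(c for c in set(name) if c in FORBIDDEN)
    if bad:
        problems.append('forbidden characters: %s' % ' '.join(bad))
    return problems


def _name_part(text):
    """Strip whitespace and forbidden characters from one part of a person's name."""
    return ''.join(c for c in text if not c.isspace() and c not in FORBIDDEN)


def propose_logon_name(first, last, existing, temporary=False):
    """First free name under the convention: first name + one letter of the last
    name, then two letters, and so on (two users called Judy Lew become Judyl
    and Judyle).

    `existing` holds every logon name already in use in the forest, because logon
    names must be unique forest-wide. Comparison is case-insensitive, since logon
    names are case-retained but not case-sensitive.
    """
    taken = {n.lower() for n in existing}
    first_part, last_part = _name_part(first), _name_part(last)
    if not first_part or not last_part:
        raise ValueError('first and last name must each contain usable characters')
    prefix = TEMP_PREFIX if temporary else ''
    for n in range(1, len(last_part) + 1):
        candidate = prefix + first_part + last_part[:n].lower()
        if len(candidate) > MAX_LOGON_NAME:
            break                      # adding more letters cannot help any more
        if candidate.lower() not in taken and not validate_logon_name(candidate):
            return candidate
    raise RuntimeError('no free logon name for %s %s under this convention'
                       % (first, last))


def assign_logon_names(employees):
    """Assign names to (first, last, temporary) tuples in order, checking each
    new name against the ones already assigned so a batch cannot collide with itself."""
    assigned = []
    for first, last, temporary in employees:
        assigned.append(propose_logon_name(first, last, assigned, temporary))
    return assigned


if __name__ == '__main__':
    # Constructed hiring batch: two permanent Judy Lews and one temporary one.
    batch = [('Judy', 'Lew', False), ('Judy', 'Lew', False), ('Judy', 'Lew', True)]
    print(assign_logon_names(batch))
```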


User Account Placement in a Hierarchy

Introduction

You can place domain user accounts in any domain in the forest and any organizational unit in the domain. Typically, account hierarchies are based on geopolitical boundaries or business models.

Place user accounts in an Active Directory hierarchy based on the way the user accounts are managed. For example, security principals that will have similar security requirements, will have the same Group Policy settings, or will be managed by the same administrative personnel can be placed in the same organizational unit hierarchy.

Note: The Users container is not an organizational unit. It is a system container that houses the administrative accounts and groups. More importantly, Group Policy objects cannot be directly assigned to the Users container, and the Users container cannot contain any child organizational units. Although you can create user accounts in the Users container, as a best practice the Users container should be reserved for administrative groups and service accounts.

Geopolitical design

In a geopolitical design, you place users in organizational units that match their physical location. You can create an organizational unit hierarchy using parent containers based on city or region.

Business design

When the hierarchy of organizational units is based on business models, you place your sales personnel in a Sales organizational unit and manufacturing personnel in a Manufacturing organizational unit.

Note: In many cases, one domain will work for a corporate environment. You can still separate administrative control of users by placing them into organizational units.


User Account Password Options

Introduction

As a systems administrator, you can manage user account password options. These options can be set when the user account is created or in the Properties dialog box of a user account.

Password options

The administrator can choose from the following password options to protect access to the domain or a computer:

• User must change password at the next logon. Use this option when a new user logs on to a system for the first time or when the administrator resets forgotten passwords for users. This is the default for new user accounts.
• User cannot change password. Use this option when you want to prevent a user from changing his or her account password.
• Password never expires. This option prevents the password from expiring. To maintain security best practice, do not use this option.
• Account is disabled. This option prevents the user from logging on to the selected account.


Default password settings

By default, passwords in a Windows 2003 Active Directory domain must meet several minimum requirements:

• Must not contain all or part of the user's account name.
• Must be at least seven characters in length.
• Must contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Nonalphabetic characters (for example, !, $, #, %)

If an administrator changes the password complexity requirements, the new requirements will be enforced the next time passwords are changed or created.

These requirements are not enforced on stand-alone servers for local accounts but are still recommended practices.
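The default requirements above as an added checker, not part of the course material, of the kind a provisioning script can run before it hands a new password to dsadd or net user. How "part of the user's account name" is tokenized is an assumption: the logon name itself and any piece of the full name of three or more characters are treated as account-name parts; the sample accounts and passwords are constructed.

```python
import re

MIN_LENGTH = 7
# The four character categories the module names; three of them must be present.
CATEGORIES = (
    ('English uppercase', re.compile(r'[A-Z]')),
    ('English lowercase', re.compile(r'[a-z]')),
    ('base 10 digit', re.compile(r'[0-9]')),
    ('nonalphabetic', re.compile(r'[^A-Za-z0-9]')),
)
# Assumed tokenization of "part of the account name": the logon name itself and
# any piece of the full name of at least three characters, split on these delimiters.
_NAME_DELIMITERS = re.compile(r'[\s,.\-_#]+')
_MIN_NAME_PART = 3


def account_name_parts(logon_name, full_name=''):
    """Lower-cased fragments of the account name that the password may not contain."""
    parts = set()
    if len(logon_name) >= _MIN_NAME_PART:
        parts.add(logon_name.lower())
    for token in _NAME_DELIMITERS.split(full_name.lower()):
        if len(token) >= _MIN_NAME_PART:
            parts.add(token)
    return parts


def check_password(password, logon_name, full_name=''):
    """Return the requirements the password fails; an empty list means it passes."""
    failures = []
    lowered = password.lower()
    # Name matching is case-insensitive, like the rest of Windows account naming.
    for part in sorted(account_name_parts(logon_name, full_name)):
        if part in lowered:
            failures.append('contains account name part %r' % part)
    if len(password) < MIN_LENGTH:
        failures.append('shorter than %d characters' % MIN_LENGTH)
    present = [label for label, pattern in CATEGORIES if pattern.search(password)]
    if len(present) < 3:
        failures.append('only %d of 4 character categories present (%s)'
                        % (len(present), ', '.join(present) or 'none'))
    return failures


def meets_default_policy(password, logon_name, full_name=''):
    return not check_password(password, logon_name, full_name)


if __name__ == '__main__':
    # Constructed sample accounts and candidate passwords.
    trials = [
        ('Pa$$w0rd', 'gweber', 'Greg Weber'),   # the module's sample password
        ('password', 'tadams', 'Terry Adams'),  # one character category only
        ('Tadams1!', 'tadams', 'Terry Adams'),  # complex, but built from the name
        ('Ab1!', 'jlew', 'Judy Lew'),           # too short
    ]
    for password, logon_name, full_name in trials:
        result = check_password(password, logon_name, full_name)
        print('%-10s %-8s -> %s' % (password, logon_name,
                                   result or 'meets default requirements'))
```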


When to Require or Restrict Password Changes

Introduction

To create a more secure environment, require password changes on user accounts and restrict password changes on service accounts. The following describes when you need to restrict or require password changes.

Password modification options

Require password changes. Use this option when you:

- Create new domain user accounts. Select the check box that requires the user to change the password the first time the user logs on to the domain.
- Reset passwords. This option enables the administrator to reset a password when the password expires or if the user forgets it.

Restrict password changes. Use this option when you:

- Create local or domain service accounts. Service accounts typically have many dependencies on them. As a result, you might want to restrict the password change policy so that service account passwords are changed by the administrator who is responsible for the applications that depend on the service account.

For more information about service accounts, see "Services permissions" on the Microsoft TechNet Web site.

Additional reading

For more information about changing passwords, see:

• Article 324744, "How to Prevent Users from Changing a Password Except When Required in Windows Server 2003," in the Knowledge Base on the Microsoft Help and Support Web site.
• Article 320325, "User May Not Be Able to Change Their Password If You Configure the User Must Change Password at Next Logon Setting," in the Knowledge Base on the Microsoft Help and Support Web site.


Tools to Create User Accounts

Introduction

Domain user accounts enable users to log on to a domain and access resources anywhere on the network. Local user accounts enable users to log on and access resources only on the computer on which you create the local user account. As a systems administrator, you must create domain and local user accounts to manage your network environment. A number of tools are available for the creation of user accounts, including legacy tools such as User Manager for Domains and command-line and batch utilities.

Using Active Directory Users and Computers

Active Directory Users and Computers is the primary tool used for day-to-day administration of Active Directory. Similar to the file system displayed in Windows Explorer, Active Directory Users and Computers displays Active Directory by using the left pane for a tree view of the domain and the right pane to display the detailed view. You can use Active Directory Users and Computers to create new objects, such as user, group, and computer accounts, and to manage existing objects.

Using a command line

Another way to create a domain user account is to use the dsadd command. The dsadd user command adds a single user to the directory from a command prompt or batch file.

Type:

dsadd user UserDN [-samid SAMName] [-upn UPN] [-fn FirstName] [-ln LastName] [-display DisplayName] [-pwd {Password|*}]

Use " " if there is a space in any variable.

Note: For the complete syntax of the dsadd user command, at a command prompt, type dsadd user /?.

An example of dsadd user is shown here:

dsadd user "cn=test user,cn=users,dc=contoso,dc=msft" -samid testuser -upn [email protected] -fn test -ln user -display "test user" -pwd Pa$$w0rd

Another way to create a user account is to use the net user command.

For example, to create a new user named Greg Weber with a password of Pa$$w0rd, you would type the following command (the name contains a space, so it must be quoted):

net user "Greg Weber" Pa$$w0rd /add

The following example shows the syntax of the net user command:

net user [username [password | *] [options]] [/domain]
net user username {password | *} /add [options] [/domain]
net user username [/delete] [/domain]

Important: Legacy tools such as User Manager for Domains and net commands will place newly created user accounts in the Users container by default. Also, Microsoft Windows NT 4.0 domains that have been upgraded to Windows 2003 Active Directory will place the upgraded user accounts in the Users container. This default location can be modified by using the Redirusr command. For more information, see article 324949, "Redirecting the users and computers containers in Windows Server 2003 domains," on the Microsoft Help and Support Web site.

Using batch utilities

Batch utilities can be used to import user accounts from input files. The CSVDE utility uses comma-delimited input files and the LDIFDE utility uses line-delimited files as input to create user accounts and other types of Active Directory objects.

Note: For more information about the CSVDE and the LDIFDE utilities, refer to Course 2279, Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

Using the Computer Management MMC

You can use the Local Users and Groups snap-in in the Computer Management Microsoft Management Console (MMC) to create local user accounts.

Important: You cannot create local user accounts on a domain controller.

Important: A local user name cannot be identical to any other user or group name on the computer being administered. A local user name can contain up to 20 uppercase or lowercase characters, except for the following:

" / \ [ ] : ; | = , + * ? < >

A user name cannot consist solely of periods or spaces.

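The two import-file formats named in the batch utilities paragraph above, as an added example that is not part of the course: it builds a CSVDE input file and an LDIFDE input file for the same constructed user records. The target OU and UPN suffix follow the contoso.msft domain used in the practices, the attribute names are the standard Active Directory LDAP names, and importing the accounts disabled is this example's choice, since neither tool can set a password from a plain-text file.

```python
import csv
import io

# Constructed sample input for this example: two new users for the IT Admin OU.
SAMPLE_USERS = [
    {"cn": "Kerim Hanif", "givenName": "Kerim", "sn": "Hanif",
     "sAMAccountName": "Kerim", "userPrincipalName": "Kerim@contoso.msft"},
    {"cn": "Luis Bonifaz", "givenName": "Luis", "sn": "Bonifaz",
     "sAMAccountName": "luis", "userPrincipalName": "luis@contoso.msft"},
]
TARGET_OU = "ou=it admin,dc=contoso,dc=msft"

# userAccountControl flags: NORMAL_ACCOUNT (512) plus ACCOUNTDISABLE (2).
# CSVDE and LDIFDE cannot import a password from a plain-text file, so the accounts
# are imported disabled and enabled only after a password has been set. This also
# matches the guideline to disable any account that will not be used immediately.
UAC_DISABLED_NORMAL_ACCOUNT = 512 + 2

# First line of a CSVDE file: the attribute names, with the DN in the first column.
CSVDE_COLUMNS = ["DN", "objectClass", "sAMAccountName", "givenName", "sn",
                 "displayName", "userPrincipalName", "userAccountControl"]


def user_dn(user, ou=TARGET_OU):
    """Distinguished name of the new user object inside the target OU."""
    return f"cn={user['cn']},{ou}"


def user_attributes(user, ou=TARGET_OU):
    """Attribute values shared by both output formats, in CSVDE_COLUMNS order."""
    return [user_dn(user, ou), "user", user["sAMAccountName"], user["givenName"],
            user["sn"], user["cn"], user["userPrincipalName"],
            str(UAC_DISABLED_NORMAL_ACCOUNT)]


def to_csvde(users, ou=TARGET_OU):
    """Comma-delimited CSVDE input: a header line of attribute names, then one line
    per object. The csv module quotes the DN because it contains commas."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    writer.writerow(CSVDE_COLUMNS)
    for user in users:
        writer.writerow(user_attributes(user, ou))
    return buf.getvalue()


def to_ldifde(users, ou=TARGET_OU):
    """Line-delimited LDIFDE input: one 'changetype: add' record per object, with
    one attribute per line and a blank line between records."""
    records = []
    for user in users:
        values = user_attributes(user, ou)
        lines = [f"dn: {values[0]}", "changetype: add"]
        lines += [f"{attr}: {val}"
                  for attr, val in zip(CSVDE_COLUMNS[1:], values[1:])]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def parse_csvde(text):
    """Read a CSVDE file back into one dict per row, so an import file can be
    reviewed before it is run (for example, that every row targets the intended OU)."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    print(to_csvde(SAMPLE_USERS))
    print(to_ldifde(SAMPLE_USERS))
```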
Practice: Creating User Accounts

Objectives

In this practice, you will:

- Create a local user account by using Computer Management.
- Create a domain account by using Active Directory Users and Computers.
- Create a domain user account by using dsadd.

Instructions

Ensure that the DEN-DC1 virtual machine and the DEN-CL1 virtual machine are running.

Practice

Create a local user account by using Computer Management

1. Log on to DEN-CL1 as Judy with the password of Pa$$w0rd.
2. Click Start and then click Control Panel.
3. Click Performance and Maintenance, and then click Administrative Tools.
4. Right-click Computer Management and then click Run as.
5. Select The following user check box. Log on using DEN-CL1\administrator with a password of Pa$$w0rd.
6. In Computer Management, expand Local Users and Groups.
7. Right-click the Users folder, and then click New User.

8. In the New User dialog box, create an account using the following parameters:
   - User name: Service_Backup
   - Description: Service Account for Backup Software
   - Password: Pa$$w0rd (where 0 is zero)
   - Confirm password: Pa$$w0rd
   - User must change password at next logon: Cleared
   - Password never expires: Selected
9. Click Create and then click Close.
10. Close Computer Management, and then close Administrative Tools.
11. Log off from DEN-CL1.

Create a domain account by using Active Directory Users and Computers

1. Log on to DEN-DC1 as Administrator with a password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. Right-click the IT Admin OU, point to New, and then click User.
4. In the New Object - User dialog box, enter the following parameters:
   - First name: Kerim
   - Last name: Hanif
   - Full name: Kerim Hanif
   - User logon name: Kerim
5. Click Next.
6. In the Password and Confirm password fields, enter Pa$$w0rd.
7. Clear the User must change password at next logon check box.
8. Click Next.
9. Click Finish.
10. Close Active Directory Users and Computers. Do not log off.
11. Test the user account that you just created by logging on to DEN-CL1 as Kerim, with a password of Pa$$w0rd.
12. Log off of DEN-CL1.

Create a domain user account by using dsadd

1. On DEN-DC1, open a command prompt window.
2. At the command prompt, type the following command and then press ENTER:

dsadd user "cn=Luis Bonifaz,ou=it admin,dc=contoso,dc=msft" -samid luis -pwd Pa$$w0rd -desc Administrator

You should see a dsadd succeeded message.

3. Close all windows and log off of DEN-DC1. Do not shut down the virtual machines.

Important: If the dsadd command does not specify a password and the domain policy requires a password, the account will be created but will be disabled until the password requirements are met. If the Security Accounts Manager (SAM) name (samid) is not specified, dsadd will use up to the first 20 characters of the CN to create the SAM account name.

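An added example, not from the course, that ties together the local user name rules, the dsadd user syntax and quoting rule, and the Important note above on how dsadd derives the SAM account name when -samid is omitted. It is written in Python rather than at the command prompt so the checks can be run and tested offline; the function names and the list of existing account names are this example's own, and it assumes that the same character and length rules the course states for local user names also bound the SAM account name a dsadd fallback produces.

```python
# Added example, not from the course: check a proposed account name against the
# local user name rules, derive the SAM name dsadd would default to, and build a
# correctly quoted dsadd user command line.

# Characters the course lists as not allowed in a local user name.
FORBIDDEN_CHARS = set('"/\\[]:;|=,+*?<>')
MAX_NAME_LEN = 20  # the local-name limit, and the CN prefix dsadd uses for samid


def validate_local_user_name(name, existing_names=()):
    """Return the list of rule violations; an empty list means the name is acceptable.

    existing_names: user and group names already present on the computer
    (a constructed list in the demo below); Windows compares them case-insensitively.
    """
    problems = []
    if not name:
        return ["name is empty"]
    if len(name) > MAX_NAME_LEN:
        problems.append(f"longer than {MAX_NAME_LEN} characters")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("contains forbidden character(s): " + " ".join(bad))
    if set(name) <= {".", " "}:
        problems.append("consists solely of periods or spaces")
    if name.lower() in {n.lower() for n in existing_names}:
        problems.append("duplicates an existing user or group name")
    return problems


def default_sam_name(user_dn):
    """SAM account name dsadd uses when -samid is omitted: up to the first 20
    characters of the CN, i.e. the value of the leading RDN of the user DN."""
    first_rdn = user_dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError("a user DN must begin with a cn= component")
    return value.strip()[:MAX_NAME_LEN]


def _quote(value):
    """Course rule for dsadd: surround a value with double quotes if it has a space."""
    return f'"{value}"' if " " in value else value


def build_dsadd_user(user_dn, samid=None, upn=None, fn=None, ln=None,
                     display=None, pwd=None, desc=None):
    """Assemble a dsadd user command line from the switches shown in the course.
    Only switches that were given are emitted, in the order the syntax lists them."""
    parts = ["dsadd", "user", _quote(user_dn)]
    for switch, value in (("-samid", samid), ("-upn", upn), ("-fn", fn),
                          ("-ln", ln), ("-display", display),
                          ("-pwd", pwd), ("-desc", desc)):
        if value is not None:
            parts += [switch, _quote(value)]
    return " ".join(parts)


def plan_user(user_dn, existing_names=(), samid=None, **switches):
    """Resolve the samid that will actually be used (explicit or dsadd's CN fallback),
    check it, and return (samid, problems, command)."""
    effective_samid = samid if samid is not None else default_sam_name(user_dn)
    problems = validate_local_user_name(effective_samid, existing_names)
    command = build_dsadd_user(user_dn, samid=samid, **switches)
    return effective_samid, problems, command


if __name__ == "__main__":
    # Constructed list of names already present on the target computer.
    existing = ["Administrator", "Guest", "Judy"]
    dn = "cn=Luis Bonifaz,ou=it admin,dc=contoso,dc=msft"
    for proposed in ("Service_Backup", "back*up", "...", "administrator"):
        print(f"{proposed!r}: {validate_local_user_name(proposed, existing) or 'ok'}")
    print(plan_user(dn, existing, samid="luis", pwd="Pa$$w0rd", desc="Administrator"))
    # Without -samid, dsadd falls back to the CN, which here contains a space and so
    # would need quoting wherever the SAM name is typed later.
    print(plan_user(dn, existing, pwd="Pa$$w0rd"))
```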
Best Practices for Creating User Accounts

Introduction

Several best practices for creating user accounts reduce security risks in the network environment. Software products change, however, so be sure to review current best practices at www.microsoft.com/security.

Local user accounts

Consider the following best practices when creating local user accounts:

- Do not enable the Guest account.
- Limit the number of people who can log on locally.
- Rename the Administrator account.
- Use strong passwords.

Domain user accounts

Consider the following best practices when creating domain user accounts:

- Avoid using the Users container for ordinary user accounts. The Users container is a system container and should be used to hold administrative groups or accounts and service accounts.
- Disable any account that will not be used immediately.
- Require users to change their passwords the first time that they log on. This will prevent administrators from having access to user passwords. This is the default setting for new user accounts.
- As a security best practice, it is recommended that you do not log on to your computer with administrative credentials.
- When you are logged on to your computer without administrative credentials, it is recommended that you use the runas command to accomplish administrative tasks.
- Rename or disable the Administrator and Guest accounts in each domain to reduce the attacks on your domain.
- By default, all traffic on Active Directory administrative tools is signed and encrypted while in transit on the network. Do not disable this feature.

Lesson: Creating Computer Accounts

Introduction

The information in this lesson presents the skills and knowledge that you need to create a computer account.

Lesson objectives

After completing this lesson, you will be able to:

- Define a computer account.
- Describe the purpose of computer accounts.
- Describe where computer accounts are created in a domain.
- Describe the various computer account options.
- Create a computer account.

What Is a Computer Account?

Introduction

Every computer running Microsoft Windows NT, Windows 2000, Windows XP, or Windows Server 2003 that joins a domain has a computer account. Similar to user accounts, computer accounts provide a means for authenticating and auditing computer access to the network and to domain resources.

What does a computer account do?

In Active Directory, computers are security principals, just like users. This means that computers must have accounts and passwords. To be fully authenticated by Active Directory, a user must have a valid user account, and the user must also log on to the domain from a computer that has a valid computer account.

Note: You cannot create computer accounts for computers running Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Millennium Edition, or Windows XP Home Edition, because their operating systems do not adhere to Active Directory security requirements.

Why Create a Computer Account?

Introduction

Computers access network resources to perform key tasks such as authenticating user logons, obtaining an IP address, and receiving security policies. To have full access to these network resources, computers must have valid accounts in Active Directory. The two main functions of a computer account are performing security and management activities.

Authentication

A computer account must be created in Active Directory for users to take full advantage of Active Directory features. When a computer account is created, the computer can use advanced authentication processes such as Kerberos authentication. For each workstation or server running Windows 2000, Windows 2003, or Windows XP that is a member of a domain, there is a discrete communication channel, known as the security channel, with a domain controller. The security channel's password is stored along with the computer account on all domain controllers. The default computer account password change period is every 30 days.

Auditing

The computer also needs a computer account to dictate how auditing is applied and recorded.

Management

Computer accounts help the systems administrator manage the network structure. The systems administrator uses computer accounts to manage the functionality of the desktop environment, automate the deployment of software by using Active Directory, and maintain a hardware and software inventory by using Microsoft Systems Management Server. Computer accounts in the domain are also used to control access to resources.

Where Computer Accounts Are Created in a Domain

Introduction

When systems administrators create a computer account, they can choose the organizational unit in which to create that account. If a computer joins a domain, the computer account is created in the Computers container, and the administrator can move the account to its proper organizational unit as necessary.

Tip: You can change the default location for computers joining the domain by using the redircmp command. For more information, see article 324949, "Redirecting the users and computers containers in Windows Server 2003 domains," on the Microsoft Help and Support Web site.

Who can create computer accounts?

By default, administrators can create computer accounts in any container except the System and NTDS Quotas containers. Computer accounts cannot be created in those containers. The Account Operators group can create computer accounts in the Computers container and in new organizational units. However, they cannot create computer accounts in the Builtin, Domain Controllers, ForeignSecurityPrincipals, LostAndFound, Program Data, System, or Users containers. Also, anyone who has been delegated authority to create computer objects in an organizational unit can create computer accounts in that container.

Users adding computers to the domain

When a user joins a computer to the domain, the computer account is added to the Computers container in Active Directory. This is accomplished through a service that adds the computer account on behalf of the user. The system account also records how many computers each user has added to the domain.

By default, Active Directory users can add up to 10 computers to the domain with their user account credentials. This default configuration can be changed. If the systems administrator pre-creates a computer account in Active Directory, a user can join a computer to the domain without using any of the 10 allocated computer accounts.

Pre-staged computer accounts

Adding a computer to the domain by using a previously created account is called pre-staging, which means that computers are added to any organizational unit for which the systems administrator has permissions to add computer accounts. Usually, users do not have the appropriate permissions to pre-stage a computer account, so as an alternative they join a computer to the domain by using a pre-staged account. You can designate which user or group has the right to join the computer to the domain during the creation of the computer account by clicking the Change button in the New Object - Computer dialog box.

Additional reading

For more information about users adding computer accounts to a domain, see article 251335, "Domain Users Cannot Join Workstation or Server to a Domain," on the Microsoft Help and Support Web site.

Computer Account Options

Introduction

You can enable two optional features when creating a computer account. You can assign a computer account as a pre-Windows 2000 computer or as a backup domain controller (BDC).

Pre-Windows 2000

Select the Assign this computer account as a pre-Windows 2000 computer check box to assign a password based on the computer name. If you do not select this check box, a random password is assigned as the initial password for the computer account. The password automatically changes every five days. This option guarantees that a pre-Windows 2000 computer will be able to interpret whether the password meets the password requirements.

Backup domain controller

Select the Assign this computer as a backup domain controller check box if you intend to use the computer as a backup domain controller. You should use this feature if you are still in a mixed environment with a Windows Server 2003 domain controller and a Windows NT 4.0 BDC. After the account is created in Active Directory, you can then join the BDC to the domain during the installation of Windows NT 4.0.

Practice: Creating a Computer Account

Objectives

In this practice, you will:

- Create a computer account by using Active Directory Users and Computers.
- Create a computer account by using dsadd.

Instructions

Ensure that the DEN-DC1 virtual machine and the DEN-CL1 virtual machine are running.

Practice

Create a computer account by using Active Directory Users and Computers

1. Log on to DEN-DC1 by using the Administrator account, with a password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. Right-click the Sales organizational unit, point to New, and then click Computer.
4. In the New Object - Computer dialog box, enter Sales2 in the Computer name field.
5. Under The following user or group can join this computer to a domain, click Change.
6. In the Select User or Group dialog box, type Judy, and then click Check Names. Click OK.
7. Click Next twice.
8. Click Finish.
9. Close Active Directory Users and Computers.

Create a computer account by using dsadd

1. Open a command prompt window.
2. At the command prompt, type the following command and then press ENTER:

dsadd computer "cn=Sales3,ou=sales,dc=contoso,dc=msft" -loc downtown

You should see a dsadd succeeded message.

3. Close all windows and log off of DEN-DC1.

Note: To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must be delegated the appropriate authority. As a security best practice, consider using runas to perform this procedure.

Important: Do not shut down the virtual machines.

Lesson: Modifying User and Computer Account Properties

Introduction

This lesson presents the skills and knowledge that you need to modify user and computer accounts.

Lesson objectives

After completing this lesson, you will be able to:

- Determine when to modify user and computer account properties.
- Describe the properties associated with user accounts.
- Describe how to rename user accounts.
- Describe the properties associated with computer accounts.
- Modify user and computer account properties.

When to Modify User and Computer Account Properties

Introduction

As a systems administrator, you might be responsible for creating user and computer accounts in Active Directory. You also might be responsible for maintaining those user and computer accounts. To complete these tasks, you must be very familiar with the various properties for each user and computer account.

User account properties

It is critical that systems administrators are familiar with user account properties so that they can manage the network structure. Users might use the user account properties as a single source of information about other users, like a telephone book, or to search for users based on items such as office location, supervisor, or department name. The systems administrator can use the properties of a user account to determine how the user account behaves in a terminal server session or how the user can gain access to the network through a dial-up connection.

Computer account properties

To maintain computers, you must find the physical location of the computers. The most commonly used properties for computer accounts in Active Directory are the Location and Managed By properties. The Location property can be used to document the computer's physical location in your network. The Managed By property lists the individual responsible for the computer. This information can be useful when you have a data center with servers for different departments and you need to perform maintenance on a server. You can call or send e-mail to the person who is responsible for the server before you perform maintenance on it.

Properties Associated with User Accounts

Introduction

The Properties dialog box for a user account contains information about each user account that is stored in Active Directory. The more complete the information in the Properties dialog box, the easier it is to search for users in Active Directory.

User account properties

The following table lists the most commonly used properties for user accounts.

Tab                        Properties
General                    Name, job description, office location, telephone number, e-mail address, and home page information
Address                    Street address, city, state or province, postal zip code, and country
Account                    Logon name, account options, unlock account, and account expiration
Profile                    Profile path, logon scripts, and home folder
Telephone                  Home, pager, mobile phone, fax, and IP telephone numbers
Organization               Title, department, company, manager, and direct reports
Member Of                  Groups to which the user belongs
Dial-in                    Remote access permissions, callback options, and static IP address and routes
Environment                One or more applications to start and the devices to connect to when a Terminal Services user logs on
Sessions                   Terminal Services settings
Remote control             Terminal Services remote control settings
Terminal Services Profile  The user's Terminal Services profile

Renaming a User Account

Introduction

Occasionally, employees in your organization will need to change their user name for personal or legal reasons. For example, employees who get married and legally change their surnames will need their user account names updated. Instead of deleting the old account and creating a new user, you can rename the original account. Use the following procedure to rename a user account.

Renaming a user account

1. Open Active Directory Users and Computers.
2. Right-click the user name that you need to change, and click Rename on the shortcut menu.
3. Type the new user name, and then press Enter.
4. In the Rename User dialog box, change the appropriate fields.

The renamed user account will maintain the same security descriptors, properties, rights, and permissions that were associated with the old account name.

Properties Associated with Computer Accounts

Introduction

The Properties dialog box for a computer account contains unique information about each computer account that is stored in Active Directory. The more complete the information in the Properties dialog box, the easier it is to search for computers in Active Directory.

Computer account properties

The following table lists the most commonly used properties for computer accounts.

Tab               Properties
General           Computer name, DNS name, description, and role
Operating System  Name and version of the operating system running on the computer and the latest service pack installed
Member Of         The groups in the local domain and any groups to which the computer belongs
Location          The location of the computer
Managed By        Name, office location, street, city, state or province, country or region, telephone number, and fax number of the person who manages the computer
Object            The canonical name of the object, object class, the date the computer account was created, the date it was last modified, and update sequence numbers (USNs)
Security          The users and groups who have permissions for the computer
Dial-in           Remote access permission, callback options, and routing options

Tools used to modify user or computer accounts

You can use Active Directory Users and Computers or the dsmod command to modify attributes of existing users or computers in Active Directory.

Note: For the complete syntax of the dsmod command, at a command prompt, type dsmod user /? or dsmod computer /?.

Practice: Modifying User and Computer Account Properties

Objective

In this practice, you will modify user and computer account properties.

Instructions

Ensure that the DEN-DC1 virtual machine is running.

Practice

Modify user and computer account properties

1. Log on to DEN-DC1 as Administrator, with a password of Pa$$w0rd.
2. Open Active Directory Users and Computers.
3. In the Sales organizational unit, right-click Jeff Hay, and then click Properties. Modify the user properties as follows:
   a. On the General tab, set:
      - Telephone number: 204-555-0100
      - Office: Downtown
      - E-mail: [email protected]
   b. On the Dial-in tab, set Remote Access Permission to Allow access.
   c. On the Account tab, click Logon Hours. Configure logon hours to be permitted between 8:00 A.M. and 5:00 P.M., and then click OK.
4. Close Active Directory Users and Computers.

5. Open a command prompt window, type the following command, and then press ENTER:

dsmod computer "cn=sales2,ou=sales,dc=contoso,dc=msft" -loc Downtown -desc Workstation

You should get a dsmod succeeded message.

6. Close all windows and log off of DEN-DC1.

Important: Do not shut down the virtual machines.

Lesson: Creating a User Account Template

Introduction

The information in this lesson presents the skills and knowledge that you need to create a user account template.

Lesson objectives

After completing this lesson, you will be able to:

- Explain the purpose of a user account template.
- Describe the properties of a user account template.
- Apply guidelines when creating user account templates.
- Create a user account template.

What Is a User Account Template?

Definition

You can simplify the process of creating domain user accounts by creating a user account template. A user account template is an account that has commonly used settings and properties already configured.

Using account templates

For each new user account, you need to add only the information that is unique to that user account. For example, if all sales personnel must be a member of 15 sales groups and have the same manager, you can create a template that includes membership to all the groups and the reporting manager. When the template is copied for a new salesperson, it retains the group memberships and manager that were in the template.

What Properties Are in a Template?

Properties

Numerous properties are associated with each account. However, only a limited number of properties can be copied in a template. The following table lists the user properties that can be copied from an existing domain user account to a new domain user account.

Properties tab  Properties copied to new domain user account
Address         All properties except Street Address are copied.
Account         All properties except Logon Name, which is copied from the Copy Object - User dialog box, are copied.
Profile         All properties are copied, except that the Profile path and Home folder entries are modified to reflect the new user's logon name.
Organization    All properties except Title are copied.
Member Of       All properties are copied.

Additional reading

For more information about profiles, see article 324749, "HOW TO: Create a Roaming User Profile in Windows Server 2003," on the Microsoft Help and Support Web site.

For more information about home folders, see article 325853, "HOW TO: Use Older Roaming User Profiles with Windows Server 2003," on the Microsoft Help and Support Web site.

Guidelines for Creating User Account Templates

Guidelines

Consider the following best practices for creating user account templates:

- Create a separate classification for each department in your business group.
- Create a separate group for short-term and temporary employees with logon and workstation restrictions.
- Set user account expiration dates for short-term and temporary employees to prevent them from accessing the network when their contracts expire.
- Disable the account template.
- Identify the account template. For example, place a T_ before the name of the account to identify the account as an account template, or use an underscore at the beginning of the account name to ensure that the template always appears at the top of an alphabetized list.

Practice: Creating a User Account Template

Objective

In this practice, you will create a user account template.

Practice

Create a user account template

1. Log on to DEN-DC1 as Administrator, with a password of Pa$$w0rd.
2. Open Active Directory Users and Computers.
3. In the Sales organizational unit, create a user account with the following property settings:

Property             Value
First name           Sales
Last name            Template
Full name            SalesTemplate
User logon name      _SalesTemplate
Password             Pa$$w0rd
Description          Salesperson
Office               Downtown
Member Of            G Sales
Department           Sales
Profile path         \\DEN-SRV1\profiles\%username%
Logon Hours          6:00 A.M. to 6:00 P.M., Monday to Friday
Disable the account  Enable

4. Click OK and then close Active Directory Users and Computers.
5. Log off of DEN-DC1.

Lesson: Managing User and Computer Accounts

Introduction

The information in this lesson presents the skills and knowledge that you need to enable and disable user and computer accounts.

Lesson objectives

After completing this lesson, you will be able to:

- Explain why you enable and disable user and computer accounts.
- Enable and disable user and computer accounts.
- Explain when to reset user passwords.
- Explain when to reset computer accounts.
- Reset and disable a user account.


    Why Enable or Disable User and Computer Accounts?

    Introduction
    After creating user accounts, you perform frequent administrative tasks to ensure that the network continues to meet the organization's needs. These administrative tasks include enabling and disabling user and computer accounts. When you enable or disable an account, you give or restrict access to the account.

    Scenarios for enabling and disabling accounts
    To provide a secure network environment, a systems administrator must disable user accounts when users do not need their accounts for an extended period but will need to use them later. The following are examples of when you need to enable or disable user accounts:

    ! If the user takes a two-month leave of absence from work, you disable the account when the user leaves and then enable the account when the user returns.

    ! When you add accounts in the network that will be used in the future or for security purposes, you disable the accounts until they are needed.

    Tools for enabling and disabling accounts
    You can use Active Directory Users and Computers to disable or enable an account. When an account is disabled, the user cannot log on. The account appears in the details pane with an X on the account icon.

    Note: To enable and disable user and computer accounts, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must be delegated the appropriate authority. As a security best practice, consider using runas to perform this procedure.


    Using a command line
    You can also enable or disable accounts by using the dsmod command. As a security best practice, consider using runas to perform this procedure.

    To enable or disable accounts by using dsmod:

    1. Open a command prompt window by using the runas command.

    2. At the command prompt, type dsmod user UserDN -disabled {yes|no}.

       Value      Description
       UserDN     Specifies the distinguished name of the user object to be disabled or enabled
       {yes|no}   Specifies whether the user account is disabled for logon (yes) or enabled (no)


    What Are Locked-Out User Accounts?

    Introduction
    A user account is locked out if the account has exceeded the account lockout threshold for a domain. This might happen if the user has attempted to access the account with an incorrect password too many times, or if an attacker has attempted to guess users' passwords and triggered the lockout policy on the account.

    Authorized users can lock themselves out of an account by mistyping their password, by typing an incorrect password, or by changing their password on one computer while they are logged on to another computer. The other computer keeps trying to authenticate the user with the old password; because that password is now incorrect, the user account is eventually locked out.

    Account lockout threshold
    A security setting in Active Directory specifies the number of failed logon attempts that causes a user to be locked out. A user cannot use a locked-out account until an administrator resets the account or until the lockout duration for the account expires. When a user account is locked out, an error message appears, and the user is not allowed any further logon attempts.


    What is a failed logon attempt?
    A user can be locked out of an account if there are too many failed password attempts. Failed password attempts happen when:

    ! A user logs on at the logon screen and supplies a bad password.

    ! A user logs on with a local account and supplies a domain user account and a bad password while accessing network resources.

    ! A user logs on with a local account and supplies a domain user account and a bad password while accessing resources by using the runas command.

    By default, domain account lockout attempts are not recorded when a user unlocks a workstation (by using a password-protected screen saver). You can change this behavior by modifying the Interactive logon: Require Domain Controller authentication to unlock workstation Group Policy setting.

    The built-in Administrator account cannot be locked out from the console of a domain controller or local machine.


    When to Reset User Passwords

    Introduction
    People occasionally forget their passwords. Without their passwords, these people cannot access their user accounts. Administrators can reset users' passwords so that users can access their accounts again.

    Who can reset user account passwords
    When you need to reset a user password, you must remember that authorization to reset passwords is restricted.

    ! Only local administrators are authorized to reset local user passwords.

    ! Only domain administrators, enterprise administrators, account operators, and other users or groups that have the delegated authority to reset passwords are authorized to reset domain user passwords.

    Consequences of resetting local user account passwords
    After a local computer user's account password is reset, some types of encrypted information are no longer accessible. This is because the algorithm that generates a local user's encryption key incorporates the user's current password in the calculation. Some examples of information that might not be accessible are:

    ! E-mail that is encrypted by using the user's public key.

    ! Internet passwords that are saved on the computer.

    ! Files that the user has encrypted.


    When to Reset Computer Accounts

    Introduction
    As a systems administrator, you occasionally need to reset computer accounts. For example, suppose that your network went through a full backup seven days ago. Since then, the computer relayed information to the domain controller that changed the password on the computer account. However, the computer's hard drive crashed, and the computer was restored from the tape backup. The computer now has an outdated password, and the user cannot log on because the computer cannot authenticate to the domain. You now need to reset the computer account. Resetting a computer's account allows it to keep the same SID and GUID and the same group memberships.

    Considerations
    You must consider two issues before resetting the computer account:

    ! To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must be delegated the appropriate authority. As a security best practice, consider using runas to perform this procedure.

    ! When you reset a computer account, you break the computer's connection to the domain, and you must rejoin the computer to the domain.

    Additional reading
    For more information about resetting a domain controller account and resetting a computer account with a script, see article 325850, "HOW TO: Use Netdom.exe to Reset Machine Account Passwords of a Windows Server 2003 Domain Controller," on the Microsoft Help and Support Web site.

    For more information about how the data protection API in Windows handles stored passwords, see the article "Windows Data Protection," on the Microsoft MSDN Web site.
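    The Netdom.exe route that the Additional reading points to, as an added example that is not part of the course: the script checks the computer's secure channel to the domain and, only if it is broken, resets the computer account password with netdom resetpwd, which changes the password on the computer and on the domain controller together so the computer object (SID, GUID, group memberships) is reused without a rejoin. It assumes the domain contoso.msft and domain controller DEN-DC1 from the course, and that netdom.exe (Windows Server 2003 Support Tools) and nltest.exe are available on the affected computer.

```batch
@echo off
REM Added example, not from the course: verify a computer's secure channel to the domain
REM and, only if it is broken, reset the computer account password with netdom resetpwd
REM (the Netdom.exe approach referenced under Additional reading). Run this on the
REM affected computer as a local administrator, because the computer can no longer
REM authenticate to the domain.
REM Assumptions: domain contoso.msft and domain controller DEN-DC1 from the course;
REM netdom.exe (Windows Server 2003 Support Tools) and nltest.exe are on the path.
setlocal
set "DOMAIN=contoso.msft"
set "DC=DEN-DC1"

echo Verifying the secure channel from %COMPUTERNAME% to %DOMAIN% ...
REM /sc_verify actively tests the channel; a healthy one reports NERR_Success.
nltest /sc_verify:%DOMAIN% | find "NERR_Success" >nul
if %ERRORLEVEL% EQU 0 (
    echo Secure channel is healthy; no reset needed.
    goto :eof
)

echo Secure channel is broken; resetting the computer account password for %COMPUTERNAME%.
REM resetpwd sets a new password on this computer and on the domain controller in one
REM step, so the existing computer object is kept and the computer is not rejoined.
REM /passwordd:* prompts for the password instead of exposing it on the command line.
netdom resetpwd /server:%DC% /userd:contoso\administrator /passwordd:*
if %ERRORLEVEL% NEQ 0 (
    echo netdom resetpwd failed; reset the account in Active Directory Users and Computers and rejoin the computer.
    exit /b 1
)

echo Re-checking the secure channel ...
nltest /sc_verify:%DOMAIN%
endlocal
```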


    Practice: Resetting and Disabling a User Account

    Objective
    In this practice, you will:

    ! Reset a user account password.

    ! Disable user accounts.

    Instructions
    Ensure that the DEN-DC1 and DEN-CL1 virtual machines are running.

    Practice
    ! Reset a user account password

    1. Log on to DEN-DC1 as Administrator, with a password of Pa$$w0rd.

    2. Open Active Directory Users and Computers, and then click the IT Admin organizational unit.

    3. Right-click the Kerim Hanif user account, and then click Reset Password.

    4. In the Reset Password dialog box, type Pa$$w0rd1 in the New password and Confirm password fields, and then select the User must change password at next logon check box.

    5. Click OK.

    6. Click OK to confirm that the password has been changed.

    7. Switch to DEN-CL1, and then log on as [email protected], with a password of Pa$$w0rd1.

    8. When prompted to change the password, enter Pa$$w0rd2 (where 0 is zero) in the New Password and Confirm New Password fields, and then click OK.

    9. Click OK to confirm that the password has been changed. The logon should be successful.

    10. Log off of DEN-CL1.


    ! Disable user accounts

    1. On DEN-DC1, in Active Directory Users and Computers, click the IT Admin OU.

    2. Right-click the Luis Bonifaz user account, and then click Disable Account.

    3. Click OK to confirm that the account has been disabled.

    4. Disable the Kerim Hanif user account.

    5. Close Active Directory Users and Computers, and then log off of DEN-DC1.

    6. Attempt to log on to DEN-CL1 as [email protected], with a password of Pa$$w0rd. The logon should fail, displaying a message that the account has been disabled.

    7. Attempt to log on to DEN-CL1 as [email protected], with a password of Pa$$w0rd2. The logon attempt will succeed, but any subsequent logon attempt will fail, displaying an account disabled message.

    Important: If a user has successfully logged on to the computer and the computer has not been rebooted, the first logon after disabling the account might succeed due to the fast logon features of Windows XP Professional. Subsequent logons will fail.


    Lesson: Using Queries to Locate User and Computer Accounts in Active Directory

    Introduction
    The information in this lesson presents the skills and knowledge that you need to use common and custom queries.

    Lesson objectives
    After completing this lesson, you will be able to:

    ! Explain the criteria for locating a user or computer account.

    ! Describe the types of common queries.

    ! Describe what a saved query is.

    ! Import and export queries.

    ! Locate user and computer accounts in Active Directory by using saved queries.


    Multimedia: Introduction to Locating User and Computer Accounts in Active Directory

    File location
    To view the Introduction to Locating User and Computer Accounts in Active Directory presentation, open the Web page on the Student Materials compact disc, click Multimedia, and then click the title of the presentation. Do not open this presentation unless the instructor tells you to.


    Search Types

    Introduction
    Because all user accounts reside in Active Directory, administrators can search for the user accounts that they administer. By searching Active Directory for user accounts, you do not need to browse through hundreds or thousands of user accounts in Active Directory Users and Computers.

    In addition to searching for user accounts, you can also search for other Active Directory objects, such as computers, printers, and shared folders. After locating these objects, you can administer them in the Search Results box.

    Administering objects by using Search Results
    After a successful search, the results are displayed, and you can then perform administrative functions on the found objects. The administrative functions that are available depend on the type of object you find. For example, if you search for user accounts, you can rename or delete the user account, disable the user account, reset the password, move the user account to another organizational unit, or modify the user account's properties.

    To administer an object in the Search Results box, right-click the object, and then click an action on the menu.

    Find Users, Contacts, and Groups
    Active Directory provides information about all objects on a network, including people, groups, computers, printers, shared folders, and organizational units. It is easy to search for users, contacts, and groups by using the Find Users, Contacts, and Groups dialog box.

    Find Computers
    Use Find Computers to search for computers in Active Directory by using criteria such as the name assigned to the computer or the operating system on which the computer runs. After you find the computer you want, you can manage it by right-clicking the computer in the Search Results box and then clicking Manage.


    Find Printers
    When a shared printer is published in Active Directory, you can use Find Printers to search for the printer by using criteria such as its asset number, the printer language that it uses, or whether it supports double-sided printing. After you find the printer that you want, you can easily connect to it by right-clicking the printer name in the Search Results box and then clicking Connect, or by double-clicking the printer.

    Find Shared Folders
    When a shared folder is published in Active Directory, you can use Find Shared Folders to search for the folder by using criteria such as keywords assigned to it, the name of the folder, or the name of the person managing the folder. After you find the folder that you want, open Windows Explorer and display the files located in the folder by right-clicking the folder in the Search Results box and then clicking Explore.

    Find Custom Search
    In Active Directory, you can search for familiar objects such as computers, printers, and users. You can also search for other objects, such as a specific organizational unit or certificate template. Use Find Custom Search to build custom search queries by using advanced search options, or build advanced search queries by using LDAP, which is the primary access protocol for Active Directory.

    Find Common Queries
    You can use Find Common Queries to perform common administrative queries in Active Directory. For example, you can quickly search for user or computer accounts that have been disabled.

    Advanced query options
    For each search option except Find Common Queries, you can use the Advanced tab to define a more detailed search. For example, you can search for all users in a city or postal code on the Advanced tab.

    Using a command line
    You can use the dsquery command to find users and computers in Active Directory that match the specified search criteria.

    For example, to display the user principal names of all users in the Sales organizational unit, at a command prompt, type the following:

    dsquery user OU=Sales,DC=contoso,DC=msft -o upn

    Note: For the complete syntax of the dsquery command, at a command prompt, type dsquery user /? or dsquery computer /?.

    Additional reading
    For more information about searching Active Directory, see "Search Companion overview," on the Microsoft Windows Server 2003 Web site.
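    The dsquery command from this lesson combined with the dsmod command from the earlier "Using a command line" section, as an added example that is not part of the course: a search drives the change, here finding users in the Sales OU with no logon for four weeks and disabling them, with a dry-run default so the list can be reviewed first. It assumes OU=Sales,DC=contoso,DC=msft from the course and is run in a command prompt opened with runas, as the lesson recommends; the four-week threshold and the DRYRUN switch are choices made for this example.

```batch
@echo off
REM Added example, not from the course: combine dsquery (this lesson) with dsmod (the
REM "Using a command line" step in the previous lesson) so that a search drives the
REM change. Finds users in the Sales OU with no logon for INACTIVE_WEEKS weeks and
REM disables them, printing what it would do unless DRYRUN is set to 0.
REM Assumptions: OU=Sales,DC=contoso,DC=msft from the course; the four-week threshold
REM and the DRYRUN switch are choices made for this example.
setlocal
set "TARGET_OU=OU=Sales,DC=contoso,DC=msft"
set "INACTIVE_WEEKS=4"
set "DRYRUN=1"

echo === User principal names in %TARGET_OU% ===
dsquery user "%TARGET_OU%" -o upn

echo === Users in %TARGET_OU% that are already disabled ===
dsquery user "%TARGET_OU%" -disabled

echo === Users in %TARGET_OU% with no logon in the last %INACTIVE_WEEKS% weeks ===
REM -inactive reads the replicated lastLogonTimestamp attribute, which needs the
REM Windows Server 2003 domain functional level. Review this list before clearing DRYRUN.
dsquery user "%TARGET_OU%" -inactive %INACTIVE_WEEKS%

if "%DRYRUN%"=="1" (
    echo DRYRUN=1: nothing changed. Set DRYRUN=0 to disable the accounts listed above.
    goto :eof
)

REM dsmod reads distinguished names from standard input, one per line, so the dsquery
REM result can be piped straight into "dsmod user -disabled yes" (the dsmod form from
REM the previous lesson, applied to every DN that dsquery returns).
dsquery user "%TARGET_OU%" -inactive %INACTIVE_WEEKS% | dsmod user -disabled yes

echo === Verification: disabled flag of each affected account ===
for /f "delims=" %%D in ('dsquery user "%TARGET_OU%" -inactive %INACTIVE_WEEKS%') do dsget user %%D -samid -disabled
endlocal
```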


    What Is a Saved Query?

    Introduction
    Active Directory Users and Computers has a Saved Queries folder in which you can create, edit, save, and organize saved queries. Before saved queries, administrators were required to create custom Active Directory Service Interfaces (ADSI) scripts that performed a query on common objects. This was an often lengthy process that required knowledge of how ADSI uses LDAP search filters to resolve a query.

    Definition
    Saved queries use predefined LDAP strings to search only the specified domain partition. You can narrow searches to a single container object. You can also create a customized saved query that contains an LDAP search filter.

    All queries are stored in the Saved Queries folder of the Active Directory Users and Computers console file, dsa.msc. You can create subfolders in the Saved Queries folder to organize queries. Queries are specific to the domain controller that they were created on. After you successfully create your customized set of queries, you can copy the .msc file to other Windows Server 2003 domain controllers that are in the same domain and reuse the same set of saved queries. You can also export saved queries to an Extensible Markup Language (XML) file. You can then import the queries into other Active Directory Users and Computers consoles located on Windows Server 2003 domain controllers that are in the same domain.

    Additional reading
    For more information about saved queries, see the article "Using saved queries," on the Microsoft Windows Server 2003 Web site.


    Importing and Exporting Saved Queries

    Introduction
    Queries are valuable tools that assist in finding objects in Active Directory based on many different criteria. But queries are specific to the domain controller that they were created on. Queries can be shared throughout the domain by exporting them to XML files and then importing those files on other domain controllers. In that way, one administrator can write scripts for administrators in other locations to use.

    Exporting queries
    If you write a complex query that would be useful to other administrators, you can export that query by right-clicking the query and then clicking Export Query Definition. You will be prompted to save the query as an .xml file. Save the file to a shared folder on the network that only authorized administrators have access to.

    Importing queries
    You can import a query by right-clicking the Saved Queries folder and then clicking Import Query Definition. Navigate to the location of the XML file, and then select it.


    Practice: Using Queries to Locate Users and Computers in Active Directory

    Objectives
    In this practice, you will:

    ! Create a query to find computer accounts in the sales department.

    ! Export the query as an XML file in the Admin_tools shared folder.

    Instructions
    Ensure that the DEN-DC1 and the DEN-CL1 virtual machines are running.

    Practice
    ! Create a query to find computer accounts in the sales department

    1. Log on to DEN-DC1 as Administrator, using a password of Pa$$w0rd.

    2. Open Active Directory Users and Computers, right-click the Saved Queries folder, point to New, and then click Query.

    3. In the New Query dialog box, type Find Sales Department Computers in the Name field.

    4. Click Define Query.

    5. In the Find Common Queries dialog box, click the Computers tab. In the Name field, click Starts with.

    6. Type Sales in the Starts with field.

    7. Click OK twice.

    8. Click the Find Sales Department Computers query.

    9. The query should find Sales1, Sales2, and Sales3.


    ! Export the query as an XML file in the Admin_tools shared folder

    1. Right-click the Find Sales Department Computers query in the Saved Queries folder, and then click Export Query Definition.

    2. In the Save As dialog box, navigate to the D:\2274\Labfiles\Admin_tools folder, name the query Find_Sales_Computers.xml, and then click Save.

    3. Close Active Directory Users and Computers, and then log off of DEN-DC1.

    Important: Do not shut down the virtual machines.


    Lab: Managing User and Computer Accounts

    Objectives
    After completing this lab, you will be able to:

    ! Create user accounts.

    ! Create computer accounts.

    ! Use queries to locate objects.

    ! Modify user and computer properties.

    Prerequisites
    To complete this lab, you must have the following virtual machines:

    ! DEN-DC1

    ! DEN-SRV1

    Lab setup
    Shut down the DEN-CL1 virtual machine without saving changes. Start the DEN-SRV1 virtual machine.

    Estimated time to complete this lab: 20 minutes


    Exercise 1
    Creating User Accounts

    In this exercise, you will use a custom MMC to create two new user accounts based on the sales template.

    Scenario
    Two new salespeople have been hired by Contoso Ltd. You need to create accounts for the new users in the Sales organizational unit in Active Directory.

    Tasks and specific instructions

    1. Create a custom MMC.

       a. Log on to DEN-SRV1 as [email protected] with the password of Pa$$w0rd.

       b. Create a custom MMC, and then add the Active Directory Users and Computers snap-in.

       c. Close the console, and save it as AD_Admin in the default location.

       d. Click Start, point to All Programs, point to Administrative Tools, and then launch AD_Admin by using the Run as command. Provide the domain administrator's credentials, contoso\administrator, with a password of Pa$$w0rd.

    2. Create user accounts in the Sales organizational unit.

       a. In Active Directory Users and Computers, click the Sales OU.

       b. Right-click the Sales Template user, and then click Copy.

       c. In the Copy Object - User dialog box, enter the following:

          # First Name: Sunil
          # Last Name: Koduri
          # User Logon Name: Sunil
          # Password: Pa$$w0rd

       d. Repeat the preceding steps to create another account with the following information:

          # First Name: Jon
          # Last Name: Morris
          # User Logon Name: Jon
          # Password: Pa$$w0rd

       e. Enable the accounts.

    3. Verify that the template properties were transferred successfully.

       a. Open the Properties dialog box for one of the accounts that you just created, and verify that the group membership, logon hours, and profile mappings are correct. Review the settings on the General tab and the Organization tab.

       b. What values di