Transcript Chapter 3 – Creating and Managing User Accounts
Chapter 3 – Creating and Managing User Accounts
MIS 431 – Created Spring 2006
Introduction
User account – object in Active Directory Requires authentication to connect Control access to network resources Monitor access by auditing resources (logs) Create account Use standard naming structures Control password policy and ownership Include additional attributes such as phone number, email address as required elements MIS 431 2
User Account Properties
MIS 431 3
AD Added Properties
The
default
Users and Groups dialog box in offers standard choices. AD Users and Computers adds Directory information Special login restrictions Domain information Much more MIS 431 4
User Authentication
Users must first be
authenticated
by a domain controller before gaining access to the network (e.g., they log in as we do Novell) Process has two parts Interactive authentication (to the client PC) User can choose full network log in or just log in to the local workstation Network authentication User’s credentials are passed on to the network resource or service and checked MIS 431 5
Authentication Protocols
Kerberos 5 (
primary
AD method) Supported by Windows 2000, XP; WS03 Method is transparent to the user NTLM – Used for OS that don’t support Kerberos Ex: NT Server MIS 431 6
User Profiles
Where user’s unique settings are stored Customized desktop Favorites Start button Cookies My Documents My Recent Documents NetHood PrintHood MIS 431 More items… Send to list Templates Application data Local settings Stored in the Documents and Settings folder for each user Types – local and roaming 7
Local Profiles
Created when a new user logs in first time Settings are copied from a standard folder called Default User in Documents & Settings THUS changing the settings in Default User will cause those settings to be created for each subsequent new user Change this in System Properties Advanced tab Whenever a user makes a change to settings, they are stored in their local profile Subsequent logins will use just those settings for that user MIS 431 8
Roaming Profiles
Stored on the server, these are used by the client when the user authenticates to the network Replaces the local profile with the one used on that particular client workstation Helpful when users move between computers Can convert a local profile to a roaming profile Universal Naming Convention (UNC) format: \\serverXX\profile\username MIS 431 9
Creating AD Users and Computers
Active Directory Users and Computers tool In Administrative Tools menu Can also be added to a custom MMC Select an object, right click, New, click User Shortcut: click on the User icon in the toolbar Shortcut: click on the Group icon in toolbar User can be moved to another object by dragging (new since WS00) Or using rt-click and Move command MIS 431 10
New User Parameters
For nearly every user, will specify User logon name Full name (F, M, L) Password Password properties (cannot change, change at first login, password never expires, etc) Account expires (Never, End of xxx) MIS 431 11
More User Parameters
General tab – directory type information Address tab – more directory information Account – user name, logon hours, account options (password, expiration) Member Of – which groups, set primary group Dial-In – allow remote access or VPN Other tabs: Environment, Sessions, Profile, Telephones, Profile, Remote control, etc.
MIS 431 12
User Account Templates
Create a template and all users configured through it will have same settings! (time saver) Can modify the profile for user specific settings To create, in the first name box start it with underscore, as _MIS431 Template Do all of the settings you want To use it, copy this template and then modify as desired MIS 431 13
Command Line Utilities
Can create user accounts from command line Quicker But, fewer choices can be set
easily
here Commands DSADD – adds objects DSMOD – modify object settings DSQUERY – queries for objects DSMOVE – moves objects to a different location DSRM – remove an object from directory MIS 431 14
Command Line contd.
Parameters for commands -pwd – password -memberof – groups user is member of -email – email address for new user -profile – profiel path for the user -disabled – whether acct is enable or disabled EX: dsadd user “cn=Paul Kohut,cn=Users,dc=dovercorp,dc=net” –pwd Password01 –memberof “cn=domain guests,cn=users,dc=domain01,dc=dovercorp,dc=net ” –email paul@dovercorp –profile \\server01\profiles\paul kohut - disabled no MIS 431 15
Bulk Import/Export
Used when transitioning from one directory service to another for large companies Can also populate a secondary database such as an HRM application Two utilities CSVDE – supports import/export to CSV file LDIFDE – same but in LDAP interchange format (LDIF) MIS 431 16
Account Policies
A node in Group Policy (more in Ch. 11) These can cause trouble with a user logging in Find Group Policy object at domain level called Default Domain Policy Rt click the domain object (domain controller) in AD Users and Computers and choose Properties Click on Group Policy tab MIS 431 17
Password Policy settings
Enforce password history - # of passwords to remember before a user can reuse an old password Maximum password age – # days when it must be changed Minimum password age - # days before it can be changed Minimum password length - # characters (1-14) Password complexity requirement – cannot include account name, at least 6 characters long, include 3 of 4 elements: uppercase, lowercase, numbers, symbol Store password using reversible encryption – clear text MIS 431 18
Account Lockout settings
When the user fails to enter proper user name and password within
X
times Account lockout duration – how long before can log in again Account lockout threshold - # of incorrect login attempts before lock out occurs Reset account lockout counter after - # of minutes before the lockout counter is reset to zero. MIS 431 19
Auditing Authentication
Auditing appears in more detail in Ch 14 Be default, WS03 DC audits success logon events only – appears in security log Can turn on “failure” logon events to track attempts to log in – shown in Security log Access Audit Policy node which is available in Computer Configuration – Windows Settings – Security Settings – Local Policies (Fig 3-33. p. 134) MIS 431 20
Authentication Troubleshooting
If a user cannot log in, check the list on p. 135 Incorrect user name or password Account lockout Account disabled Logon hour restriction Workstation restriction Domain controller (cannot locate one) Client time settings Down-level client issues UPN logon issues Users unable to log on locally to specific server Remote access logon issues (dial up/VPN) Terminal Services logon issues MIS 431 21