Chapter 8: Managing Accounts and Client Connectivity

Learning Objectives
- Establish account naming conventions
- Configure account security policies
- Create and manage accounts, including setting up a new account, configuring account properties, delegating account management, and renaming, disabling, and deleting an account

Learning Objectives (continued)
- Create local user profiles, roaming profiles, and mandatory profiles
- Configure client network operating systems to access Windows 2000 Server, and install client operating systems through Remote Installation Services

Sample Naming Conventions
- Last name followed by the initial of the first name
- First name initial followed by the last name
- Username based on the position in the organization
- Username based on the function in the organization

Naming Tip
For accounts that handle money, payroll, budgeting, or accounting transactions, financial auditors typically prefer that accounts are named for individuals.

Account Policies
Account policies: security measures set up in a group policy, such as for a domain or local computer. Account policies particularly focus on:
- Password security
- Account lockout
- Kerberos security

Configuring Account Policies
Use the Group Policy MMC snap-in to set up account policies.

Setting Account Policies
Figure 8-1 Account policies

Password Policy Options
- Enforce password history: Enables you to require users to choose new passwords when they make a password change, because the system can remember the previously used passwords
- Maximum password age: Permits you to set the maximum time allowed until a password expires
- Minimum password age: Permits you to specify that a password must be used a minimum amount of time before it can be changed

Password Policy Options (continued)
- Minimum password length: Enables you to require that passwords are a minimum length
- Passwords must meet complexity requirements: Enables you to create a filter of customized password requirements that each account password must follow
- Store password using reversible encryption for all users in the domain: Enables passwords to be stored in reversible encrypted format

Account Lockout Policy Options
- Account lockout duration: Permits you to specify in minutes how long the system will keep an account locked out after reaching the specified number of unsuccessful logon attempts
- Account lockout threshold: Enables you to set a limit to the number of unsuccessful tries to log onto an account

Account Lockout Policy Options (continued)
- Reset account lockout count after: Enables you to specify the number of minutes between two consecutive unsuccessful logon attempts to make sure that the account will not be locked out too soon

Kerberos Policy Options
- Enforce user logon restrictions: Turns on Kerberos security, which is the default
- Maximum lifetime for a service ticket: Determines the maximum amount of time in minutes that a service ticket can be used to continually access a particular service in one service session
- Maximum lifetime for a user ticket: Determines the maximum amount of time in hours that a ticket can be used in one continuous session for access to a computer or domain

Kerberos Policy Options (continued)
- Maximum lifetime for user ticket renewal: Determines the maximum number of days that the same Kerberos ticket can be renewed each time a user logs on
- Maximum tolerance for computer clock synchronization: Determines how long in minutes a client will wait until synchronizing its clock with that of the server or Active Directory it is accessing

Creating Accounts
- For a server that does not have Active Directory implemented, use the Local Users and Groups MMC snap-in to create accounts
- For a server that employs Active Directory, use the Active Directory Users and Computers MMC snap-in to create accounts
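The password, account lockout, and Kerberos settings from the account policy slides above can also be checked outside the Group Policy snap-in. As an added example (not the textbook's code), the following Python routine parses a security template in the INF layout that `secedit /export` writes and compares it with an illustrative baseline; the baseline numbers and the sample export are assumptions constructed for this example.

```python
import configparser

# Added example (not the textbook's code). Assumes the INF layout that
# `secedit /export /cfg <file>` writes on Windows 2000; sample is constructed:
# lockout disabled, reversible encryption on, no complexity, history or min age.
WEAK_EXPORT = """
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 1
[Kerberos Policy]
MaxTicketAge = 10
MaxServiceAge = 600
MaxClockSkew = 5
"""

# Baseline numbers are illustrative assumptions, not the textbook's. A lockout
# duration of 0 is the strict choice: locked until an administrator unlocks.
BASELINE = [  # (section, key, acceptable(value), requirement)
    ("System Access", "PasswordHistorySize", lambda v: v >= 12, ">= 12 remembered passwords"),
    ("System Access", "MinimumPasswordAge", lambda v: v >= 1, ">= 1 day, or history is cycled in minutes"),
    ("System Access", "MaximumPasswordAge", lambda v: 1 <= v <= 90, "1..90 days"),
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8, ">= 8 characters"),
    ("System Access", "PasswordComplexity", lambda v: v == 1, "complexity filter on"),
    ("System Access", "ClearTextPassword", lambda v: v == 0, "reversible encryption off"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 10, "threshold set; 0 never locks out"),
    ("System Access", "ResetLockoutCount", lambda v: v >= 15, ">= 15 minute reset window"),
    ("System Access", "LockoutDuration", lambda v: v == 0 or v >= 15, "0 or >= 15 minutes"),
    ("Kerberos Policy", "MaxClockSkew", lambda v: v <= 5, "<= 5 minutes"),
    ("Kerberos Policy", "MaxTicketAge", lambda v: v <= 10, "<= 10 hours"),
    ("Kerberos Policy", "MaxServiceAge", lambda v: v <= 600, "<= 600 minutes"),
]

def audit(inf_text):
    """Return one finding per setting that is missing or weaker than baseline."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep secedit's key names as written
    cp.read_string(inf_text)
    findings = []
    for section, key, acceptable, requirement in BASELINE:
        raw = cp.get(section, key, fallback=None)
        if raw is None:  # e.g. lockout window/duration are omitted when threshold is 0
            findings.append(f"{section}/{key} not set (want {requirement})")
        elif not acceptable(int(raw)):
            findings.append(f"{section}/{key}={raw} (want {requirement})")
    return findings
```

Running `audit(WEAK_EXPORT)` reports eight findings; the two lockout keys that secedit leaves out when the threshold is 0 show up as "not set", which is the clue that lockout is disabled rather than merely lenient.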
Active Directory Users and Computers Tool
Figure 8-2 Creating a new user in a domain

Entering New User Information
Figure 8-3 New user information

Entering Account Parameters
Figure 8-4 New user account parameters

Configuring Account Properties
Figure 8-5 Account properties in the Active Directory

Account Properties Tabs
- General tab: Modify personal information about the user
- Address tab: Provide street and city address information
- Account tab: Provide account information, such as logon name, plus configure access restrictions, such as for certain days of the week and times of day

Setting Access Restrictions
Figure 8-6 Control account access by the day of the week and time

Account Properties Tabs (continued)
- Profile tab: Ability to associate a specific profile with an account, associate a home folder and drive, and associate a logon script
- Logon script: A file that contains a series of commands to run each time a user logs onto his or her account, such as a command to map a home drive

Windows 2000 Server Logon Script Commands
Script command: Function
- %Homepath%: Establishes the path to the user's home directory
- %Homedrive%: Sets a drive letter for the system hard disk drive
- %Username%: Specifies the user's logon name
- %Userdomain%: Specifies the domain to which the user belongs
- %OS%: Specifies the operating system being used
- %Processor%: Specifies the type of processor
- %Homeshare%: Specifies the home directory on a shared drive

Account Properties Tabs (continued)
- Telephones: Ability to associate telephone contact numbers
- Organization: Provide the account holder's title, department, and other information
- Member Of: Ability to join this account to one or more groups of users for easier management

Adding an Account to a Group via the Member Of Tab
Figure 8-7 Adding an account to the Managers and Print Operators groups

Account Properties Tabs (continued)
- Dial-in: Controls remote access, such as through a modem
- Environment: Ability to configure the startup environment for clients using terminal services
- Sessions: Configures session parameters, such as timeout limits, for clients using terminal services

Dial-in Access Parameters
Figure 8-8 Configuring remote access

Account Properties Tabs (continued)
- Remote Control: Configures remote control parameters for the Administrator to view and manage terminal service client sessions
- Terminal Services Profile: Ability to set up a user profile for a terminal services client

Creating an OU
To create an OU:
1. Click the container in which to create the OU, such as the domain or another OU
2. Click the Create a new organizational unit in the current container button
3. Enter the name of the OU
4. Click OK

Delegating Authority in an OU
To delegate authority:
1. Right-click the OU and click Delegate control
2. Click Next after the wizard starts
3. Click the Add button and specify the accounts, groups, or computers to have the control
4. Click OK and click Next
5. Select the tasks to delegate and click Next
6. Click Finish

Delegation of Control Options
Task: Description
- Create, delete, and manage user accounts: Ability to fully set up and manage accounts
- Reset passwords on user accounts: Ability to reset a member user's account password, should that user forget his or her password
- Read all user information: Ability to access any information owned by the selected user accounts
- Create, delete, and manage groups: Ability to set up and delete groups and modify group properties
- Modify the membership of a group: Ability to add and delete members in a group
- Manage Group Policy links: Ability to change the specified group policies or elements of a group policy

Using Find to Locate an Account
To locate a particular account in order to maintain it:
1. Right-click the domain
2. Click Find
3. Enter the username or the account holder's name
4. Click Find Now
Account Maintenance Activities
Typical account maintenance activities include:
- Disabling an account, such as when a user takes a leave of absence
- Enabling an account, such as when a user returns
- Renaming an account, such as when one user leaves and another user is hired into the same position
- Moving an account, such as into a different OU

Account Maintenance Activities (continued)
Typical account maintenance activities include (continued):
- Deleting an account, such as when a user leaves the organization and there will be no replacement person
- Resetting a password for users who do not remember theirs
- Account auditing to track certain kinds of activity performed by an account holder

Sample Events that Can be Audited for an Account
- Logon and logoff activity
- Account modifications through account management tools
- Accesses to files and other objects (for files, folders, and objects that are set up to be audited)

Troubleshooting Tip
Use account auditing sparingly because every audited event is written to the Security log; you don't want to overload a server by devoting too much of its resources to auditing (consult your organization's management and financial auditors for advice on what to audit).

Local User Profile
Local user profile: A desktop setup that is associated with one or more accounts to determine what startup programs are used, additional desktop icons, and other customizations. A user profile is local to the computer on which it is stored.
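Two of the audited event kinds listed above, logon failures and account-management changes, can be reviewed together with the lockout threshold and reset window from the Account Lockout Policy slides. As an added example (not the textbook's code), this Python routine runs over constructed Security-log records and reports which accounts the lockout policy would lock out and what account-management activity occurred; the event IDs (529 logon failure, 624/630/642 account created/deleted/changed) are the Windows 2000 Security log IDs, and all records and times are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not the textbook's code. Records are constructed and simplified
# to (time, Security log event ID, target account). Windows 2000 event IDs used:
# 529 logon failure (bad name/password), 624 account created, 642 changed, 630 deleted.
T0 = datetime(2001, 3, 5, 8, 0)  # constructed start time for the sample
EVENTS = (
    [(T0 + timedelta(minutes=m), 529, "jsmith") for m in (0, 1, 1, 2, 2)]        # burst
    + [(T0 + timedelta(minutes=m), 529, "mlee") for m in (0, 40, 80, 120, 160)]  # spread out
    + [(T0 + timedelta(minutes=5), 624, "temp01"),
       (T0 + timedelta(minutes=6), 642, "temp01"),
       (T0 + timedelta(minutes=9), 630, "temp01")]
)

def lockout_candidates(events, threshold, reset_minutes):
    """Accounts whose failed logons (529) reach the lockout threshold before the
    reset window elapses between attempts, i.e. what the lockout policy would lock."""
    window = timedelta(minutes=reset_minutes)
    last, count, hits = {}, defaultdict(int), {}
    for when, event_id, account in sorted(events):
        if event_id != 529:
            continue
        if account in last and when - last[account] > window:
            count[account] = 0  # gap exceeded the reset window: the counter starts over
        last[account] = when
        count[account] += 1
        if count[account] >= threshold and account not in hits:
            hits[account] = when  # first moment the threshold is reached
    return hits

def account_management(events):
    """Per-account list of (time, action) for account-management events."""
    names = {624: "created", 642: "changed", 630: "deleted"}
    out = defaultdict(list)
    for when, event_id, account in sorted(events):
        if event_id in names:
            out[account].append((when.strftime("%H:%M"), names[event_id]))
    return dict(out)
```

With threshold 5 and a 30-minute reset window only jsmith is reported; widening the window to 60 minutes also catches mlee's slow series, which is the trade-off the "Reset account lockout count after" setting controls.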
Roaming Profile
Roaming profile: Desktop settings that are associated with an account so that the same settings are employed no matter what computer is used to access the account (the profile is downloaded to the client).

Mandatory User Profile
Mandatory user profile: A user profile set up by the server administrator that is loaded from the server to the client each time the user logs on; changes that the user makes to the profile are not saved.

Hardware Profile
Hardware profile: A consistent setup of hardware components associated with one or more user accounts.

Associating a Profile with an Account
Figure 8-9 Setting a roaming profile in an account's properties

Active Directory Support for Non-Windows 2000 Clients
- Plan to install Directory Service Client (DSClient) on Windows 95 and Windows 98 clients
- DSClient enables non-Windows 2000 clients for:
  - Kerberos authentication
  - Ability to view objects published in the Windows 2000 Active Directory

DSClient Program Location
- Obtain the DSClient program, Dsclient.exe, from the Windows 2000 Server CD-ROM
- Run this program on Windows 95 and Windows 98 clients

Troubleshooting Tip
If the Distributed File System (Dfs) cannot be accessed from a Windows 95 client, run DSClient to install Dfs capability (Dfs client) as well as the capability to access the Active Directory (DSClient).

Setting Up Client Desktops Using Group Policy and Security Policy
- Use the Group Policy snap-in to set up group policies that govern clients
- Use the System Policy Editor (Poledit.exe) to configure system policies when running a mixture of Windows NT and Windows 2000 servers

Group Policy and System Policy Templates
- Windows 2000 Server comes with several templates already set up for using group policies or system policies
- System.adm is the default group policy template for managing Windows 2000 Professional clients

Administrative Templates Included with Windows 2000
Template: Purpose: Tool used to configure
- Common.adm: Available to use for managing desktop settings that are common to all of Windows 95, 98, and NT: Poledit.exe
- Ientres.adm: Default for managing Internet Explorer in Windows 2000 Professional clients: Group Policy snap-in, or edit group policy by using the Active Directory Users and Computers tool

Administrative Templates Included with Windows 2000 (continued)
Template: Purpose: Tool used to configure
- System.adm: Default for managing Windows 2000 Professional clients: Group Policy snap-in, or edit group policy by using the Active Directory Users and Computers tool
- Windows.adm: Available to use for managing Windows 95 and 98 clients: Poledit.exe
- Winnt.adm: Available to use for managing Windows NT 4.0 clients: Poledit.exe

Group Policy Options
A wide range of group policies can be set up to manage clients.

Group Policy Components for Windows 2000 Clients
Component: Description
- Windows Components: Controls access to installed software such as NetMeeting, Internet Explorer, MMC, Task Scheduler, and Windows Installer
- Start Menu & Taskbar: Controls the ability to configure the Start menu and Taskbar, the ability to access program groups from the Start menu, and the ability to use Start menu options including Run, Search, Settings, and Documents
- Desktop: Controls access to desktop functions including the icons for My Network Places and Internet Explorer, and the ability to configure the Active Desktop

Group Policy Components for Windows 2000 Clients (continued)
Component: Description
- Control Panel: Controls access to Control Panel functions such as Add/Remove Programs, Display, Printers, and Regional Settings, plus the ability to disable the Control Panel altogether
- Network: Controls access to offline files and the ability to configure network access via Network and Dial-up Connections
- System: Controls access to Logon/Logoff capabilities, scripts, Task Manager functions, Change Password, and other system functions
Remote Installation Services
Remote Installation Services (RIS): Services installed on a Windows 2000 Server that enable you to remotely install Windows 2000 Professional on one or more client computers.

RIS Pre-Installation Steps
- Purchase the appropriate number of Windows 2000 Professional licenses
- Make sure Active Directory is implemented and that there are DHCP and DNS servers on the network
- Create a Windows 2000 Professional operating system image
- Create user accounts for the Windows 2000 Professional clients

RIS Installation Steps
Installing RIS is a two-stage process:
1. Install RIS using the Control Panel Add/Remove Programs tool
2. Configure RIS from the Add/Remove Programs tool

Security Tip
Configure an existing DHCP server to authorize only specific servers to provide RIS installations.

Installing RIS on the Client
Install in one of two ways:
- Using a computer that has a boot-enabled ROM
- Creating a remote boot disk
Both methods use the Preboot eXecution Environment (PXE): services that enable a prospective client to obtain an IP address and to connect to a RIS server in order to install Windows 2000 Professional.

Troubleshooting Tip
When installing a client via RIS, first make sure that the client computer has a NIC that is supported by RIS and that is on the HCL.

Client Installation Wizard Options
Option: Description
- Automatic Setup: Uses the unattended answer file to perform a complete Windows 2000 Professional installation without interactive input from the user
- Custom Setup: Uses the unattended answer file to perform a Windows 2000 Professional installation, but enables the user to specify the computer name and location in the Active Directory
- Restart: Enables the user to restart an installation that was previously interrupted, such as due to a power outage, or that did not complete because of an installation problem
- Maintenance and Troubleshooting: Enables the user to troubleshoot an installation by using tools available through the Client Installation Wizard

RIS Group Policy
Use group policies to create different installation options for different groups or containers.

Setting Installation Options for a Particular Container or Group
Figure 8-10 Setting RIS installation options through group policy

RIS Installation Choices
- Allow: the designated capability can be used by the client accounts
- Don't care: if a policy applies to a parent container, it also applies to the child containers
- Deny: the capability cannot be used by the client accounts

Chapter Summary
- Preparing a server and domain entails configuring accounts and configuring client computers
- Before configuring accounts, consult with members of your organization about naming standards
- Set up account policies before configuring accounts
- After accounts are created, use the account properties capability to supplement or modify parameters for the accounts, such as time-of-day access restrictions
- Configure client computers to access Windows 2000 Server, such as by installing DSClient
- Manage clients by setting up group policies or system policies
- Use RIS to install multiple Windows 2000 Professional clients in order to reduce your TCO