Chapter 3 – Creating and Managing User Accounts MIS 431 – Created Spring 2006.


Chapter 3 – Creating and Managing User Accounts

MIS 431 – Created Spring 2006

MIS 431 2

Introduction

- A user account is an object in Active Directory
- Requires authentication to connect
- Controls access to network resources
- Monitors access by auditing resources (logs)

Creating an account:
- Use standard naming structures
- Control password policy and ownership
- Include additional attributes such as phone number and email address as required elements

MIS 431 3

User Account Properties

MIS 431 4

AD Added Properties

The default Users and Groups dialog box offers standard choices.

AD Users and Computers adds:
- Directory information
- Special login restrictions
- Domain information
- Much more

MIS 431 5

User Authentication

Users must first be authenticated by a domain controller before gaining access to the network (e.g., they log in much as we do with Novell).

The process has two parts:
- Interactive authentication (to the client PC): the user can choose a full network login or just a login to the local workstation
- Network authentication: the user's credentials are passed on to the network resource or service and checked

MIS 431 6

Authentication Protocols

- Kerberos 5 (primary AD method): supported by Windows 2000, XP and WS03; the method is transparent to the user
- NTLM: used for operating systems that don't support Kerberos, e.g., NT Server

MIS 431 7

User Profiles

Where a user's unique settings are stored:
- Customized desktop
- Favorites
- Start button
- Cookies
- My Documents
- My Recent Documents
- NetHood
- PrintHood
- More items: Send To list, Templates, Application Data, Local Settings

Stored in the Documents and Settings folder for each user.

Types: local and roaming.

MIS 431 8

Local Profiles

- Created when a new user logs in for the first time
- Settings are copied from a standard folder called Default User in Documents and Settings; thus, changing the settings in Default User will cause those settings to be created for each subsequent new user
- Change this in System Properties, Advanced tab
- Whenever a user makes a change to settings, the change is stored in their local profile; subsequent logins will use just those settings for that user

MIS 431 9

Roaming Profiles

- Stored on the server; used by the client when the user authenticates to the network
- Replaces the local profile with the one used on that particular client workstation
- Helpful when users move between computers
- A local profile can be converted to a roaming profile
- Universal Naming Convention (UNC) format: \\serverXX\profile\username

MIS 431 10

Creating AD Users and Computers

- Active Directory Users and Computers tool: in the Administrative Tools menu; can also be added to a custom MMC
- Select an object, right-click, New, click User
- Shortcut: click the User icon in the toolbar (likewise the Group icon for a new group)
- A user can be moved to another object by dragging (new since WS00) or by using the right-click Move command

MIS 431 11

New User Parameters

For nearly every user, you will specify:
- User logon name
- Full name (first, middle, last)
- Password
- Password properties (cannot change, change at first login, password never expires, etc.)
- Account expires (Never, End of xxx)

MIS 431 12

More User Parameters

- General tab: directory-type information
- Address tab: more directory information
- Account: user name, logon hours, account options (password, expiration)
- Member Of: which groups; set primary group
- Dial-In: allow remote access or VPN
- Other tabs: Environment, Sessions, Profile, Telephones, Remote Control, etc.

MIS 431 13

User Account Templates

- Create a template and all users configured through it will have the same settings (a time saver)
- The profile can be modified for user-specific settings
- To create one, start the First Name box with an underscore, e.g., _MIS431 Template
- Set all of the settings you want
- To use it, copy the template and then modify the copy as desired

MIS 431 14

Command Line Utilities

- User accounts can be created from the command line: quicker, but fewer choices can be set easily here
- Commands:
  - DSADD: adds objects
  - DSMOD: modifies object settings
  - DSQUERY: queries for objects
  - DSMOVE: moves objects to a different location
  - DSRM: removes an object from the directory

MIS 431 15

Command Line contd.

Parameters for the commands:
- -pwd: password
- -memberof: groups the user is a member of
- -email: email address for the new user
- -profile: profile path for the user
- -disabled: whether the account is enabled or disabled

EX: dsadd user "cn=Paul Kohut,cn=Users,dc=dovercorp,dc=net" -pwd Password01 -memberof "cn=domain guests,cn=users,dc=domain01,dc=dovercorp,dc=net" -email paul@dovercorp -profile "\\server01\profiles\paul kohut" -disabled no

(The profile path is quoted because it contains a space; each switch is a plain hyphen followed directly by its name.)
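The slide's one-line dsadd command, expanded as an added PowerShell example (this is not code from the slides): it wraps dsadd, dsquery and dsmod so that DNs and paths containing spaces are always quoted, prompts for the password instead of placing it on the command line (dsadd accepts -pwd * for this), and shows the usual dsquery-into-dsmod pattern for disabling accounts that have not logged on in a while. The domain dovercorp.net, server01 and the user Paul Kohut are the slide's own sample values; the function names, the logon name pkohut and the placement of the group DN in the same domain as the user are this example's assumptions.

```powershell
# Added example (not from the slides): a thin PowerShell wrapper around the ds* tools.
# Assumptions: dsadd/dsquery/dsmod are on the PATH (domain-joined machine), and the DNs used
# below (dovercorp.net, server01) are the slide's own sample values.

function New-DsUser {
    # Creates a user with dsadd. Each argument is a separate array element, so PowerShell
    # quotes the DN and the profile path (both contain spaces) when it calls the native tool.
    param(
        [Parameter(Mandatory)] [string]   $CommonName,      # e.g. 'Paul Kohut'
        [Parameter(Mandatory)] [string]   $ContainerDn,     # e.g. 'cn=Users,dc=dovercorp,dc=net'
        [Parameter(Mandatory)] [string]   $SamAccountName,  # pre-Windows 2000 logon name
        [string[]] $MemberOf = @(),                         # group DNs (the slide's -memberof)
        [string]   $Email,
        [string]   $ProfilePath,                            # UNC path, e.g. \\server01\profiles\paul kohut
        [switch]   $Disabled
    )
    $userDn = "cn=$CommonName,$ContainerDn"
    # '-pwd *' makes dsadd prompt for the password, so it is not left in the shell history or
    # visible in the process command line; '-mustchpwd yes' forces a change at first logon.
    $dsArgs = @('user', $userDn, '-samid', $SamAccountName, '-pwd', '*', '-mustchpwd', 'yes')
    if ($MemberOf.Count -gt 0) { $dsArgs += @('-memberof') + $MemberOf }
    if ($Email)                { $dsArgs += @('-email', $Email) }
    if ($ProfilePath)          { $dsArgs += @('-profile', $ProfilePath) }
    $dsArgs += @('-disabled', $(if ($Disabled) { 'yes' } else { 'no' }))
    & dsadd @dsArgs
    if ($LASTEXITCODE -ne 0) { throw "dsadd failed with exit code $LASTEXITCODE" }
    return $userDn
}

function Disable-InactiveDsUsers {
    # Lists users under $ContainerDn that have not logged on for $Weeks weeks (dsquery's own
    # -inactive switch) and disables them with dsmod: the usual "dsquery | dsmod" pattern.
    param(
        [Parameter(Mandatory)] [string] $ContainerDn,
        [int]    $Weeks = 4,
        [switch] $WhatIf                                    # report only, change nothing
    )
    $inactive = @(& dsquery user $ContainerDn -inactive $Weeks -limit 0)
    foreach ($line in $inactive) {
        $dn = $line.Trim().Trim('"')                        # dsquery prints each DN in quotes
        if (-not $dn) { continue }
        if ($WhatIf) { Write-Host "Would disable: $dn"; continue }
        & dsmod user $dn -disabled yes
    }
    return $inactive.Count
}

# Usage, with the slide's sample names (the group DN is placed in the same domain as the user):
# New-DsUser -CommonName 'Paul Kohut' -ContainerDn 'cn=Users,dc=dovercorp,dc=net' -SamAccountName 'pkohut' `
#     -MemberOf 'cn=Domain Guests,cn=Users,dc=dovercorp,dc=net' -Email 'paul@dovercorp' `
#     -ProfilePath '\\server01\profiles\paul kohut'
# Disable-InactiveDsUsers -ContainerDn 'cn=Users,dc=dovercorp,dc=net' -Weeks 8 -WhatIf
```

Passing the arguments as an array rather than building one command string is what keeps "cn=Paul Kohut,..." and "\\server01\profiles\paul kohut" intact; a password given literally after -pwd, as on the slide, ends up in the command history and in the process list of the machine it was typed on, which is why the wrapper always prompts.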

MIS 431 16

Bulk Import/Export

- Used when transitioning from one directory service to another in large companies
- Can also populate a secondary database such as an HRM application
- Two utilities:
  - CSVDE: supports import/export to a CSV file
  - LDIFDE: the same, but in LDAP Data Interchange Format (LDIF)
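An added example of the CSVDE side of this slide (not code from the slides): it builds the import file in the layout csvde -i expects, runs the import with error logging, and exports the same container afterwards. The dovercorp.net domain is the slide's; the OU name, the UPN suffix and the two new hires are constructed sample values, and the function names are this example's own.

```powershell
# Added example (not from the slides): building a CSVDE import file and running the import/export.
# Assumptions: csvde is on the PATH; the OU, UPN suffix and hire list below are constructed sample
# values in the slide's dovercorp.net domain.

function New-CsvdeImportFile {
    # Writes the file csvde -i expects: a header row listing attributes, DN first, then one row
    # per object. Values containing commas (every DN) are quoted.
    param(
        [Parameter(Mandatory)] [object[]] $Hires,        # objects with GivenName, Surname, SamAccountName
        [Parameter(Mandatory)] [string]   $ContainerDn,  # e.g. 'ou=Sales,dc=dovercorp,dc=net'
        [Parameter(Mandatory)] [string]   $UpnSuffix,    # e.g. 'dovercorp.net'
        [Parameter(Mandatory)] [string]   $Path
    )
    $attrs = 'DN', 'objectClass', 'sAMAccountName', 'userPrincipalName', 'displayName', 'givenName', 'sn'
    $rows = foreach ($h in $Hires) {
        $cn = "$($h.GivenName) $($h.Surname)"
        [pscustomobject]@{
            DN                = "cn=$cn,$ContainerDn"
            objectClass       = 'user'
            sAMAccountName    = $h.SamAccountName
            userPrincipalName = "$($h.SamAccountName)@$UpnSuffix"
            displayName       = $cn
            givenName         = $h.GivenName
            sn                = $h.Surname
        }
    }
    $lines = @($attrs -join ',')
    foreach ($r in $rows) {
        $cells = foreach ($a in $attrs) {
            $v = [string]$r.$a
            if ($v -match '[,"]') { '"' + ($v -replace '"', '""') + '"' } else { $v }
        }
        $lines += ($cells -join ',')
    }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $rows
}

function Import-UsersWithCsvde {
    # -i import mode, -f input file, -k skip "object already exists" and constraint-violation
    # errors so one bad row does not stop the run, -j . writes csv.log/csv.err to the current dir.
    param([Parameter(Mandatory)] [string] $Path)
    & csvde -i -f $Path -k -j .
    if ($LASTEXITCODE -ne 0) { throw "csvde exited with code $LASTEXITCODE; see csv.err" }
}

function Export-UsersWithCsvde {
    # -d search root, -r LDAP filter, -l attributes to include. Passwords are never exported;
    # userAccountControl shows which accounts are disabled (bit 0x2).
    param([Parameter(Mandatory)] [string] $ContainerDn, [Parameter(Mandatory)] [string] $Path)
    & csvde -f $Path -d $ContainerDn -r '(&(objectClass=user)(objectCategory=person))' `
            -l 'sAMAccountName,userPrincipalName,mail,userAccountControl'
}

# Constructed sample input (not real people):
$hires = @(
    [pscustomobject]@{ GivenName = 'Ann'; Surname = 'Lee';   SamAccountName = 'alee' },
    [pscustomobject]@{ GivenName = 'Raj'; Surname = 'Patel'; SamAccountName = 'rpatel' }
)
$rows = New-CsvdeImportFile -Hires $hires -ContainerDn 'ou=Sales,dc=dovercorp,dc=net' -UpnSuffix 'dovercorp.net' -Path '.\newhires.csv'
# Import-UsersWithCsvde -Path '.\newhires.csv'
# Export-UsersWithCsvde -ContainerDn 'ou=Sales,dc=dovercorp,dc=net' -Path '.\sales-export.csv'
```

CSVDE cannot import passwords, so every account it creates arrives disabled and without one; the follow-up for each imported DN is dsmod user with -pwd *, -mustchpwd yes and -disabled no. LDIFDE can set unicodePwd, but only over an SSL/TLS-protected LDAP connection, which is the other reason bulk imports are usually finished with a separate password-setting step.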

MIS 431 17

Account Policies

- A node in Group Policy (more in Ch. 11)
- These settings can cause trouble with a user logging in
- Find the Group Policy object at the domain level called Default Domain Policy
- Right-click the domain object (domain controller) in AD Users and Computers and choose Properties
- Click on the Group Policy tab

MIS 431 18

Password Policy settings

- Enforce password history: number of passwords to remember before a user can reuse an old password
- Maximum password age: number of days after which it must be changed
- Minimum password age: number of days before it can be changed
- Minimum password length: number of characters (1-14)
- Password complexity requirement: cannot include the account name; at least 6 characters long; must include 3 of 4 elements: uppercase, lowercase, numbers, symbols
- Store password using reversible encryption: clear text

MIS 431 19

Account Lockout settings

Applies when the user fails to enter the proper user name and password within X attempts:
- Account lockout duration: how long before the user can log in again
- Account lockout threshold: number of incorrect login attempts before lockout occurs
- Reset account lockout counter after: number of minutes before the lockout counter is reset to zero
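The password-policy and lockout settings of the last two slides can be checked against a baseline from the command line; the following added PowerShell example (not code from the slides) reads the effective domain policy the way net accounts /domain reports it and lists every setting weaker than the baseline. The sample output embedded in the block is constructed so the check runs offline, and the baseline numbers are this example's assumptions rather than values from the slides.

```powershell
# Added example (not from the slides): check the domain's effective password and lockout policy
# against a baseline. The settings are read the way "net accounts /domain" prints them; the sample
# output below is constructed so the check runs offline, and the baseline numbers are this
# example's assumptions, not values from the slides.

$SampleNetAccountsOutput = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
'@ -split "`r?`n"

function ConvertFrom-NetAccounts {
    # Turns "label: value" lines into a hashtable. Never/None/Unlimited become 0, meaning
    # "not enforced", which the checks below treat as the weakest possible value.
    param([Parameter(Mandatory)] [string[]] $Lines)
    $policy = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<label>[^:]+):\s+(?<value>\S.*)$') {
            $value = $Matches.value.Trim()
            $policy[$Matches.label.Trim()] = if ($value -match '^\d+$') { [int]$value } else { 0 }
        }
    }
    return $policy
}

function Test-AccountPolicy {
    # Returns one finding per setting weaker than the baseline; an empty list means all pass.
    # Baseline values are assumptions for illustration.
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [int] $MinLength = 8, [int] $History = 24, [int] $MaxAgeDays = 90,
        [int] $MinAgeDays = 1, [int] $LockoutThreshold = 10, [int] $LockoutMinutes = 15
    )
    $findings = @()
    $len = $Policy['Minimum password length']
    if ($len -lt $MinLength) { $findings += "Minimum password length is $len; baseline is $MinLength" }
    $hist = $Policy['Length of password history maintained']
    if ($hist -lt $History) { $findings += "Password history is $hist; baseline is $History" }
    $maxAge = $Policy['Maximum password age (days)']
    if ($maxAge -eq 0 -or $maxAge -gt $MaxAgeDays) {
        $findings += "Maximum password age is $(if ($maxAge) { $maxAge } else { 'unlimited' }); baseline is $MaxAgeDays days"
    }
    $minAge = $Policy['Minimum password age (days)']
    if ($minAge -lt $MinAgeDays) { $findings += "Minimum password age is $minAge; with 0 a user can cycle through the whole history at once" }
    $thr = $Policy['Lockout threshold']
    if ($thr -eq 0 -or $thr -gt $LockoutThreshold) {
        $findings += "Lockout threshold is $(if ($thr) { $thr } else { 'never' }); baseline is $LockoutThreshold attempts"
    }
    $dur = $Policy['Lockout duration (minutes)']
    # A duration of 0 means "locked until an administrator unlocks it", which is stricter, not weaker.
    if ($thr -ne 0 -and $dur -ne 0 -and $dur -lt $LockoutMinutes) { $findings += "Lockout duration is $dur minutes; baseline is $LockoutMinutes" }
    return $findings
}

# Offline run against the constructed sample (every setting except lockout duration is flagged):
$sample = ConvertFrom-NetAccounts -Lines $SampleNetAccountsOutput
Test-AccountPolicy -Policy $sample
# Live run on a domain member or domain controller:
# Test-AccountPolicy -Policy (ConvertFrom-NetAccounts -Lines (net accounts /domain))
```

The minimum-password-age check is the one most often overlooked: with it at 0, the history setting on the previous slide is defeated, because a user can change the password enough times in a row to push the old one out of the history and set it again.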

MIS 431 20

Auditing Authentication

- Auditing appears in more detail in Ch. 14
- By default, a WS03 DC audits successful logon events only; these appear in the Security log
- "Failure" logon events can be turned on to track attempts to log in; these are also shown in the Security log
- Access the Audit Policy node, which is available in Computer Configuration > Windows Settings > Security Settings > Local Policies (Fig. 3-33, p. 134)
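Once failure auditing is on, the Security log is only useful if someone reads it. The following added PowerShell example (not code from the slides) groups failed logons by account within a time window and flags accounts whose count approaches the lockout threshold from the earlier slide. The event IDs are documented Microsoft values rather than something the slides state: 529 (unknown user name or bad password) on Windows 2000 and Server 2003, and 4625 on Windows Vista, Server 2008 and later. The sample events are constructed so the summary runs offline; the live collector reads 4625 and assumes the standard event XML field names TargetUserName and IpAddress.

```powershell
# Added example (not from the slides): summarising failed logons once "failure" auditing is on.
# Event IDs are documented Microsoft values, not taken from the slides: 529 on Windows 2000/Server
# 2003, 4625 on Windows Vista/Server 2008 and later. The sample events are constructed so the
# summary runs offline.

function Get-FailedLogonSummary {
    # Groups failed-logon records by account within the last $WindowMinutes and flags accounts
    # whose count reaches $Threshold, the number worth comparing to the domain's lockout threshold.
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with Account, Source, Time properties
        [int]      $Threshold     = 5,
        [int]      $WindowMinutes = 30,
        [datetime] $Now           = (Get-Date)
    )
    $cutoff = $Now.AddMinutes(-$WindowMinutes)
    $Events | Where-Object { $_.Time -ge $cutoff } |
        Group-Object -Property Account |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Failures = $_.Count
                Sources  = ($_.Group | ForEach-Object Source | Sort-Object -Unique) -join ', '
                Flagged  = ($_.Count -ge $Threshold)
            }
        } | Sort-Object -Property Failures -Descending
}

function Get-FailedLogonEvents {
    # Live collection on Vista/2008 and later: reads 4625 from the Security log and pulls the
    # target account and source address out of the event XML (run from an elevated prompt).
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Account = $data['TargetUserName']; Source = $data['IpAddress']; Time = $_.TimeCreated }
    }
}

# Constructed sample: six failures for one account within a few minutes, a stray failure for
# another, and one old failure that falls outside the window.
$now = Get-Date
$sampleEvents = @(
    1..6 | ForEach-Object { [pscustomobject]@{ Account = 'pkohut'; Source = '10.0.0.25'; Time = $now.AddMinutes(-$_) } }
    [pscustomobject]@{ Account = 'alee'; Source = '10.0.0.31'; Time = $now.AddMinutes(-12) }
    [pscustomobject]@{ Account = 'alee'; Source = '10.0.0.31'; Time = $now.AddHours(-3) }
)
Get-FailedLogonSummary -Events $sampleEvents -Now $now | Format-Table -AutoSize
# Live: Get-FailedLogonSummary -Events (Get-FailedLogonEvents -Hours 1) | Format-Table -AutoSize
```

With the sample data, pkohut is reported with six failures from one source and Flagged set to True, while alee shows a single failure, since the three-hour-old event is outside the window. On a Server 2003 domain controller the same grouping applies to event 529 read with Get-EventLog -LogName Security -InstanceId 529, where the account name is in the event's ReplacementStrings rather than in XML.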

MIS 431 21

Authentication Troubleshooting

If a user cannot log in, check the list on p. 135:
- Incorrect user name or password
- Account lockout
- Account disabled
- Logon hour restriction
- Workstation restriction
- Domain controller (cannot locate one)
- Client time settings
- Down-level client issues
- UPN logon issues
- Users unable to log on locally to a specific server
- Remote access logon issues (dial-up/VPN)
- Terminal Services logon issues