Chapter 3 – Creating and Managing User Accounts MIS 431 – Created Spring 2006.
-
date post
22-Dec-2015 -
Category
Documents
-
view
225 -
download
0
Transcript of Chapter 3 – Creating and Managing User Accounts MIS 431 – Created Spring 2006.
MIS 431 2
Introduction
User account – object in Active Directory Requires authentication to connect Control access to network resources Monitor access by auditing resources (logs)
Create account Use standard naming structures Control password policy and ownership Include additional attributes such as phone
number, email address as required elements
MIS 431 4
AD Added Properties
The default Users and Groups dialog box in offers standard choices.
AD Users and Computers adds Directory information Special login restrictions Domain information Much more
MIS 431 5
User Authentication
Users must first be authenticated by a domain controller before gaining access to the network (e.g., they log in as we do Novell)
Process has two parts Interactive authentication (to the client PC)
User can choose full network log in or just log in to the local workstation
Network authentication User’s credentials are passed on to the network
resource or service and checked
MIS 431 6
Authentication Protocols
Kerberos 5 (primary AD method) Supported by Windows 2000, XP; WS03 Method is transparent to the user
NTLM – Used for OS that don’t support Kerberos Ex: NT Server
MIS 431 7
User Profiles
Where user’s unique settings are stored Customized desktop Favorites Start button Cookies My Documents My Recent Documents NetHood PrintHood
More items… Send to list Templates Application data Local settings
Stored in the Documents and Settings folder for each user
Types – local and roaming
MIS 431 8
Local Profiles
Created when a new user logs in first time Settings are copied from a standard folder called
Default User in Documents & Settings THUS changing the settings in Default User will cause
those settings to be created for each subsequent new user
Change this in System Properties Advanced tab Whenever a user makes a change to settings, they
are stored in their local profile Subsequent logins will use just those settings for that
user
MIS 431 9
Roaming Profiles
Stored on the server, these are used by the client when the user authenticates to the network Replaces the local profile with the one used on that
particular client workstation Helpful when users move between computers
Can convert a local profile to a roaming profile
Universal Naming Convention (UNC) format:\\serverXX\profile\username
MIS 431 10
Creating AD Users and Computers
Active Directory Users and Computers tool In Administrative Tools menu Can also be added to a custom MMC
Select an object, right click, New, click User Shortcut: click on the User icon in the toolbar Shortcut: click on the Group icon in toolbar
User can be moved to another object by dragging (new since WS00) Or using rt-click and Move command
MIS 431 11
New User Parameters
For nearly every user, will specify User logon name Full name (F, M, L) Password Password properties (cannot change, change
at first login, password never expires, etc) Account expires (Never, End of xxx)
MIS 431 12
More User Parameters
General tab – directory type information Address tab – more directory information Account – user name, logon hours, account
options (password, expiration) Member Of – which groups, set primary group Dial-In – allow remote access or VPN Other tabs: Environment, Sessions, Profile,
Telephones, Profile, Remote control, etc.
MIS 431 13
User Account Templates
Create a template and all users configured through it will have same settings! (time saver)
Can modify the profile for user specific settings
To create, in the first name box start it with underscore, as _MIS431 Template
Do all of the settings you want To use it, copy this template and then modify
as desired
MIS 431 14
Command Line Utilities
Can create user accounts from command line Quicker But, fewer choices can be set easily here
Commands DSADD – adds objects DSMOD – modify object settings DSQUERY – queries for objects DSMOVE – moves objects to a different
location DSRM – remove an object from directory
MIS 431 15
Command Line contd.
Parameters for commands -pwd – password -memberof – groups user is member of -email – email address for new user -profile – profiel path for the user -disabled – whether acct is enable or disabled
EX: dsadd user “cn=Paul Kohut,cn=Users,dc=dovercorp,dc=net” –pwd Password01 –memberof “cn=domain guests,cn=users,dc=domain01,dc=dovercorp,dc=net” –email paul@dovercorp –profile \\server01\profiles\paul kohut - disabled no
MIS 431 16
Bulk Import/Export
Used when transitioning from one directory service to another for large companies
Can also populate a secondary database such as an HRM application
Two utilities CSVDE – supports import/export to CSV file LDIFDE – same but in LDAP interchange
format (LDIF)
MIS 431 17
Account Policies
A node in Group Policy (more in Ch. 11) These can cause trouble with a user logging
in Find Group Policy object at domain level
called Default Domain Policy Rt click the domain object (domain controller)
in AD Users and Computers and choose Properties
Click on Group Policy tab
MIS 431 18
Password Policy settings
Enforce password history - # of passwords to remember before a user can reuse an old password
Maximum password age – # days when it must be changed
Minimum password age - # days before it can be changed
Minimum password length - # characters (1-14) Password complexity requirement – cannot include
account name, at least 6 characters long, include 3 of 4 elements: uppercase, lowercase, numbers, symbol
Store password using reversible encryption – clear text
MIS 431 19
Account Lockout settings
When the user fails to enter proper user name and password within X times
Account lockout duration – how long before can log in again
Account lockout threshold - # of incorrect login attempts before lock out occurs
Reset account lockout counter after - # of minutes before the lockout counter is reset to zero.
MIS 431 20
Auditing Authentication
Auditing appears in more detail in Ch 14 Be default, WS03 DC audits success logon
events only – appears in security log Can turn on “failure” logon events to track
attempts to log in – shown in Security log Access Audit Policy node which is available in
Computer Configuration – Windows Settings – Security Settings – Local Policies (Fig 3-33. p. 134)
MIS 431 21
Authentication Troubleshooting
If a user cannot log in, check the list on p. 135 Incorrect user name or
password Account lockout Account disabled Logon hour restriction Workstation restriction Domain controller
(cannot locate one)
Client time settings Down-level client
issues UPN logon issues Users unable to log on
locally to specific server
Remote access logon issues (dial up/VPN)
Terminal Services logon issues