MCP Chapter3 by yaohongm


Any Questions?
Chapter 3 - User Accounts
■ Create and manage user accounts
■ Create and modify user accounts by using the Active
   Directory Users And Computers
Microsoft Management Console (MMC) snap-in
■ Create and modify user accounts by using automation
■ Import user accounts
■ Manage local, roaming, and mandatory user profiles
■ Troubleshoot user accounts
■ Diagnose and resolve account lockouts
■ Diagnose and resolve issues related to user account
■ Troubleshoot user authentication issues
                                                  Pg 3-1
    Chapter 3-User Accounts
■ Lesson 1: Creating and Managing User
■ Lesson 2: Creating Multiple User Objects
■ Lesson 3: Managing User Profiles
■ Lesson 4: Securing and Troubleshooting

                                       Pg 3-2
         Chapter 3 Lesson 1
 Creating and managing User Objects
■ Create user objects in Active Directory
  using the Active Directory Users And
  Computers snap-in
■ Configure user object properties
■ Understand important account options that
  are not self-explanatory based on their
■ Modify properties of multiple users
                                       Pg 3-3
 Creating Objects with Active Directory

• Use the Active Directory Users and Computers snap-in
  – Best to create users inside an Organizational
    Unit, not at the root of the domain
• Select the OU or container, click Action,
  then choose New and choose User
  – Enterprise Admin
  – Domain Admin
  – Account Operators
  – Delegated Admin Permissions
                                             Pg 3-3
             New User Object

• Very Basic Fields
• Then Set password
  – NOTE: Default Domain Policy is for Complex
• The selections here take precedence over
  conflicting GPO settings
  – Reversible encryption
  – Password age
                                          Pg 3-4-6
        Managing User Objects

• User Creation requires minimal properties
  to be set for the user object
• After creation, view the properties

                                       Pg 3-7
            User Object Properties
■ Account properties (the Account tab): These properties
  include those that are configured when you create a user
  object, including logon names, password, and account
■ Personal information (the General, Address, Telephones,
  and Organization tabs): The General tab exposes the
  name properties that are configured when you create a
  user object.
■ User configuration management (the Profile tab): Here you
  can configure the user's profile path, logon script, and
  home folder locations.
■ Group membership (the Member Of tab): You can add and
  remove user groups and set the user's primary group.
                                                    Pg 3-7-8
          User Object Properties
■ Terminal services (the Terminal Services Profile,
  Environment, Remote Control, and Sessions
  tabs): These four tabs allow you to configure and
  manage the users' experience when they are
  connected to a Terminal Services session.
■ Remote access (the Dial-in tab): Allows you to
  enable and configure remote access permission
  for a user.
■ Applications (the COM+ tab): Assigns Active
  Directory COM+ partition sets to the user. This
  feature, new to Windows Server 2003, facilitates
  the management of distributed applications.
                                              Pg 3-7-8
            Account Properties

• Logon Hours
  – Can limit the hours during which the user can log on
• Log On To
  – Can limit which workstations the user can log on to
  – Same as Computer Restrictions
• Account is trusted for delegation
• Account Expires
                                             Pg 3-8-9
    Managing Properties on Multiple
• Can CTRL-click or SHIFT-click multiple users in the list
• Only a subset of properties is available
  – General tab: Description, Office, Telephone Number,
    Fax, Web Page, E-mail
  – Account tab: UPN Suffix, Logon Hours, Computer
    Restrictions (logon workstations), all Account Options,
    Account Expires
  – Address: Street, PO Box, City, State/Province,
    ZIP/Postal Code, Country/Region
  – Profile: Profile Path, Logon Script, and Home Folder
  – Organization: Title, Department, Company, Manager
                                                     Pg 3-10
 Saved Queries and Moving Users
• You can query the list of users and save
  the query
  – Virtual OU
• User Objects can be moved between OUs
  – Select Move from Action
  – Drag and Drop
        Chapter 3 Lesson 2
   Creating Multiple User Objects
■ Create and utilize user object templates
■ Import user objects from comma-delimited
■ Leverage new command-line tools to
  create and manage user objects

                                      Pg 3-15
  Creating and Using Templates
• Create a generic user
   – Then copy that object to create new users
   – Make sure the template account is disabled
• Copied information:
   ■ General: No properties are copied.
   ■ Address: All properties except Street address are copied.
   ■ Account: All properties are copied except for logon names, which you
      are prompted to enter when copying the template.
   ■ Profile: All properties are copied, and the profile and home-folder paths
      are modified to reflect the new user's logon name.
   ■ Telephones: No properties are copied.
   ■ Organization: All properties are copied, except for Title.
   ■ Member Of: All properties are copied.
   ■ Dial-in, Environment, Sessions, Remote Control, Terminal Services
      Profile, COM+: No properties are copied.

                                                                      Pg 3-15-16
               Importing Object
• Command line: csvde
   – Imports from a comma-delimited text file
• csvde [-i] [-f FileName] [-k]
   – -i : Specifies import mode. If not specified, the default
     mode is export.
   – -f FileName : Identifies the import file name.
   – -k : Ignores errors, including "object already exists,"
     "constraint violation," and "attribute or value already
     exists," during the import operation and continues
• Passwords are not imported
                                                        Pg 3-16
     Importing Object-Example
• DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
  "CN=Scott Bishop,OU=Employees,
• The entry above would create:
   – A user object in the Employees OU called Scott Bishop.
     The logon, first, and last names are configured by the
   – The object will be disabled initially. After you have
     reset the password, you can enable the object.

                                                     Pg 3-17
            Importing Object
• Must have:
  – DN
  – objectClass

                               Pg 3-17
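Added example (not from the course slides or the textbook): a small Python helper that builds a csvde import file with the same column header the lesson shows, and checks the two attributes csvde cannot do without (DN and objectClass) before anything is imported. The domain `contoso.com` and the account names are constructed sample data; the only real behaviour it relies on is that csvde reads a comma-delimited file with a header line and never imports passwords.

```python
import csv
import io

# Column order matches the header shown in the lesson's import example.
CSVDE_HEADER = ["DN", "objectClass", "sAMAccountName", "sn", "givenName", "userPrincipalName"]

# The two attributes every csvde import row must carry.
REQUIRED = ("DN", "objectClass")


def build_user_row(first, last, logon, ou_dn, upn_suffix):
    """Build one import row for a user object placed in the given OU."""
    return {
        "DN": f"CN={first} {last},{ou_dn}",
        "objectClass": "user",
        "sAMAccountName": logon,
        "sn": last,
        "givenName": first,
        "userPrincipalName": f"{logon}@{upn_suffix}",
    }


def validate_rows(rows):
    """Return (row index, problem) tuples; an empty list means the file is importable."""
    problems = []
    seen_dn = set()
    for i, row in enumerate(rows):
        for attr in REQUIRED:
            if not row.get(attr):
                problems.append((i, f"missing {attr}"))
        # A duplicate DN would be an "object already exists" error at import time;
        # csvde -k would skip it silently, so catch it here instead.
        dn = row.get("DN", "").lower()
        if dn and dn in seen_dn:
            problems.append((i, "duplicate DN"))
        seen_dn.add(dn)
        # csvde never imports passwords; a password column means someone
        # expects the file to do something it will not do.
        if "unicodePwd" in row or "userPassword" in row:
            problems.append((i, "password columns are not imported by csvde"))
    return problems


def render_csvde_file(rows):
    """Serialize rows to csvde's comma-delimited format, header line first.

    DNs contain commas, so the csv module quotes them exactly as the lesson's
    example shows ("CN=Scott Bishop,OU=Employees,...").
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSVDE_HEADER, lineterminator="\r\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: row.get(k, "") for k in CSVDE_HEADER})
    return buf.getvalue()


# Constructed sample data; contoso.com is a placeholder domain, not a real one.
OU_DN = "OU=Employees,DC=contoso,DC=com"
SAMPLE_ROWS = [
    build_user_row("Scott", "Bishop", "sbishop", OU_DN, "contoso.com"),
    build_user_row("Alice", "Example", "aexample", OU_DN, "contoso.com"),
]

if __name__ == "__main__":
    if validate_rows(SAMPLE_ROWS):
        raise SystemExit(validate_rows(SAMPLE_ROWS))
    # Write the file, then import it with: csvde -i -f users.csv
    with open("users.csv", "w", newline="") as fh:
        fh.write(render_csvde_file(SAMPLE_ROWS))
```

Because the imported objects arrive disabled and without passwords, the follow-up step from the slide still applies: reset each password, then enable the account.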
      Other Command line tools
■ Dsadd: Adds objects to the directory.
■ Dsget: Displays ("gets") properties of objects in the
■ Dsmod: Modifies select attributes of an existing object in
  the directory.
■ Dsmove: Moves an object from its current container to a
  new location. Can also be used to rename an object
  without moving it.
■ Dsrm: Removes an object, the complete subtree under
  an object, or both.
■ Dsquery: Queries Active Directory for objects that match
  a specified search criterion. This command is often used
  to create a list of objects, which are then piped to the
  other command-line tools for management or
                                                         Pg 3-18-26
     Other Command line tools
• Query by object class
   – User
   – Group
   – Etc.
• Specify the distinguished name attributes
   – OU - Organizational Unit
   – DC - Domain
• Properties to search
   – -stalepwd 60
      • Passwords not changed for 60 days

                                              Pg 3-18-26
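Added example (not part of the course slides): the stale-password check the slide attributes to `dsquery user -stalepwd 60`, carried out in Python over constructed sample records. The point it adds is how the password age is derived: Active Directory stores `pwdLastSet` as a Windows FILETIME (100-nanosecond intervals since 1 January 1601), so exported values have to be converted before they can be compared with a cutoff date. Treating `pwdLastSet = 0` as stale is this example's own choice, not something the slide states.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 1 January 1601, in 100-ns ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the sample data."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def stale_password_accounts(accounts, now, days):
    """Return logon names whose password is older than `days`, oldest first.

    `accounts` is an iterable of (sAMAccountName, pwdLastSet) pairs, with
    pwdLastSet as a raw FILETIME. A value of 0 means the user must change the
    password at next logon; this example lists those too (a choice, not a
    dsquery behaviour the slide describes).
    """
    cutoff = now - timedelta(days=days)
    stale = []
    for name, pwd_last_set in accounts:
        if pwd_last_set == 0:
            stale.append((FILETIME_EPOCH, name))
            continue
        last_set = filetime_to_datetime(pwd_last_set)
        if last_set < cutoff:
            stale.append((last_set, name))
    return [name for _, name in sorted(stale)]


# Constructed sample directory data relative to a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    ("alice", datetime_to_filetime(NOW - timedelta(days=10))),
    ("bob", datetime_to_filetime(NOW - timedelta(days=75))),
    ("carol", 0),
    ("dave", datetime_to_filetime(NOW - timedelta(days=200))),
]

if __name__ == "__main__":
    for name in stale_password_accounts(SAMPLE_ACCOUNTS, NOW, 60):
        print(name)
```

The same list is what you would pipe from dsquery into dsmod to act on the accounts (for example to force a password change), which is the usage pattern the Dsquery bullet above describes.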
        Command line hints
• Be familiar with general ideas of
  – What they are used for
  – General format
• Be able to figure it out on exam

                                      Pg 3-18-26
          Utilizing VBScript
• Not much of this is on the test
• Useful ideas
• Check out the CD
        Chapter 3 Lesson 3
       Managing User Profiles
• Understand the application of local and
  roaming user profiles
• Configure a roaming user profile
• Create a preconfigured roaming user or
  group profile
• Configure a mandatory profile

                                       Pg 3-32
                      User Profile
• Includes:
   ■ Shortcuts in your Start menu, on your desktop, and in your Quick
      Launch bar
   ■ Documents on your desktop and, unless redirection is configured,
      in your My Documents folder
   ■ Internet Explorer favorites and cookies
   ■ Certificates (if implemented)
   ■ Application-specific files such as the Microsoft Office custom user
      dictionary, user templates, and autocomplete list
   ■ My Network Places
   ■ Desktop display settings such as appearance, wallpaper, and

                                                                Pg 3-33
                  Local Profile
• Usually the details of the profile are stored on each
  machine that you have logged into
   – %Systemdrive%\Documents and
• Created at first login
   – From the default user profile
• Changes are stored locally
• The All Users profile is combined with the user-specific profile
• Local means that machine ONLY
                                               Pg 3-33
           Roaming Profile
• Lets users have same profile on every
• Stored on a server
• Backed up with server

                                          Pg 3-33
   Setting up Roaming Profiles
• Create a shared folder on the server
  – Must be set so that Everyone has Full Control
• Modify the user account so that the profile
  path has:
  – \\<server>\<share>\%Username%
• Not a property of the computer object
  – Except that they can be disabled on a computer by
    specifying the Only Allow Local User Profiles
                                             Pg 3-33-34
 Creating a Preconfigured User Profile

• Can create a preconfigured environment
  for users
  ■ Provide a productive work environment with
    easy access to needed network resources
    and applications
  ■ Remove access to unnecessary resources
    and applications
  ■ Simplify help desk troubleshooting by
    enforcing a more straightforward and
    consistent desktop
                                           Pg 3-35
        Preconfigured Profile
• Done locally on an individual machine
  – Set up the profile the way you want
    • Don't use your own
  – Log in as an admin, go to System, Advanced,
    User Profiles
  – Select the profile and choose Copy To
  – Put in the path to the server
  – Change who is permitted to use the profile

                                           Pg 3-33
 Preconfigured Default User Profile
• The default profile is used when no user profile or roaming
  profile exists when the user logs in
• Either for the local system
  – Create the profile and then copy the details to the default
    profile location
     • C:\Documents and Settings\Default User
• Or domain wide
  – Create the profile and copy it to the NETLOGON folder on a
    domain controller
     • \\servername\NETLOGON\Default User
  – Watch out, because this takes effect for ALL systems,
    servers included.
                                                      Pg 3-37
   Preconfigured Group Profile
• Create a profile you want to have used by
• Copy the profile to a directory with the
  group profile name
  – \\<server>\<share>\<group profile name>
• Grant access to the profile to the group or
  the Built-in\Users group
• Assign the path in the users' profiles
  – Can use the multiple-select trick
                                           Pg 3-38
          Mandatory Profile
• Restricts the user's ability to modify settings
  in the profile
  – Changes are not maintained
• Used to lock down a system
• Rename the ntuser.dat to
• Must be done on the actual systems

                                           Pg 3-39
              Chapter 3 Lesson 4
  Securing and Troubleshooting Authentication

■ Identify domain account policies and their
  impact on password requirements and
■ Configure auditing for logon events
■ Modify authentication-related attributes of
  user objects

                                           Pg 3-44
Securing Authentication with Policy
• Can set policy for local accounts
  – Specific to that machine
• For domain objects
  – Use the Domain Security Policy MMC

                                         Pg 3-44
            Password Policy
•   History
•   Age
•   Length
•   Complexity

                              Pg 3-45
              Lockout Policy
• Threshold
  – How many failed logon attempts before the account is locked
• Duration
  – How long before the lockout resets automatically
• Counter
  – How long before the threshold counter resets

                                               Pg 3-46-47
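Added example (not from the course slides): a Python model of how the three lockout settings interact, using the Windows semantics that a threshold of 0 means accounts are never locked and a duration of 0 means the account stays locked until an administrator unlocks it. The timeline in `walk_through()` is constructed to show the reset counter clearing the count after a quiet period, then a lockout, a correct password being refused while locked, and the automatic unlock once the duration has elapsed. The `admin_unlock` method corresponds to the Unlocking item on the troubleshooting slide.

```python
from datetime import datetime, timedelta


class LockoutPolicy:
    """The three lockout settings from the slide.

    threshold: failed attempts before lockout (0 = never lock out)
    duration_minutes: minutes until automatic unlock (0 = until an admin unlocks)
    reset_minutes: quiet time after which the failed-attempt counter resets
    """

    def __init__(self, threshold, duration_minutes, reset_minutes):
        self.threshold = threshold
        self.duration = timedelta(minutes=duration_minutes)
        self.reset_window = timedelta(minutes=reset_minutes)


class LockoutTracker:
    def __init__(self, policy):
        self.policy = policy
        self.bad_count = {}     # user -> failed attempts inside the current window
        self.last_bad = {}      # user -> time of the most recent failed attempt
        self.locked_until = {}  # user -> unlock time, or None for "until admin unlocks"

    def _clear(self, user):
        self.locked_until.pop(user, None)
        self.bad_count[user] = 0
        self.last_bad.pop(user, None)

    def is_locked(self, user, now):
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        if until is not None and now >= until:
            # Duration elapsed: the account unlocks itself and the counter clears.
            self._clear(user)
            return False
        return True

    def record_failure(self, user, now):
        """Return 'locked' or 'failed' for a bad-password attempt at `now`."""
        if self.is_locked(user, now):
            return "locked"
        last = self.last_bad.get(user)
        # Reset counter: a failure after a quiet period longer than the window starts at 1 again.
        if last is not None and now - last > self.policy.reset_window:
            self.bad_count[user] = 0
        self.bad_count[user] = self.bad_count.get(user, 0) + 1
        self.last_bad[user] = now
        if self.policy.threshold and self.bad_count[user] >= self.policy.threshold:
            self.locked_until[user] = now + self.policy.duration if self.policy.duration else None
            return "locked"
        return "failed"

    def record_success(self, user, now):
        """True if the logon is allowed; the right password on a locked account is still refused."""
        if self.is_locked(user, now):
            return False
        self._clear(user)
        return True

    def admin_unlock(self, user):
        """Clear the lock and the counter, as an administrator does from the Account tab."""
        self._clear(user)


def minutes_after(start, mins):
    return start + timedelta(minutes=mins)


def walk_through():
    """Constructed timeline: threshold 3, duration 30 min, reset counter 30 min."""
    tracker = LockoutTracker(LockoutPolicy(threshold=3, duration_minutes=30, reset_minutes=30))
    t0 = datetime(2024, 6, 1, 9, 0)
    return [
        tracker.record_failure("alice", minutes_after(t0, 0)),   # failure 1
        tracker.record_failure("alice", minutes_after(t0, 1)),   # failure 2
        tracker.record_failure("alice", minutes_after(t0, 32)),  # 31 min quiet > window: back to 1
        tracker.record_failure("alice", minutes_after(t0, 33)),  # 2
        tracker.record_failure("alice", minutes_after(t0, 34)),  # 3 -> locked until 10:04
        tracker.record_success("alice", minutes_after(t0, 40)),  # correct password, still locked
        tracker.record_success("alice", minutes_after(t0, 65)),  # duration elapsed, auto-unlocked
    ]


if __name__ == "__main__":
    print(walk_through())
```

The model makes the trade-off behind the Duration value visible: with it set to 0 an account never recovers on its own, so every lockout becomes a help-desk call, whereas a short duration limits the damage a burst of bad passwords can do to a legitimate user.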
            Cross Platform
• Other versions of Windows will not support
  all Active Directory features

                                        Pg 3-47-48
          Auditing Authentication
• Choose what kinds of entries will appear in the security log
• Account Management
    – Creation or modification of user objects
• Account Logon
    – Events recorded on the domain controller that validates the account
• Logon
    – Events recorded wherever the logon occurs
• Note: Keep track of the distinction between Account Logon and Logon
  events. When a user logs on to his or her workstation using a
  domain account, the workstation registers a Logon event and the
  domain controller registers an Account Logon event. When the user
  connects to a network server's shared folder, the server registers a
  Logon event and the domain controller registers an Account Logon

                                                                Pg 3-49
    Administering and troubleshooting
• Unlocking
• Resetting passwords
• Disabling, renaming, deleting
• Account expiration
• Computer restrictions
• Local logon
• Logon hours
• Cached credentials
                                    Pg 3-50