MCSE account

					70 - 290




           Slide 1
               Course Outline

Module 1: Introduction to Administering Accounts and
Resources
Module 2: Managing User and Computer Accounts
Module 3: Managing Groups
Module 4: Managing Access to Resources
Module 5: Implementing Printing




                  MCSE 2003
                                                       Slide 2
       Course Outline (continued)

Module 6: Managing Printing
Module 7: Managing Access to Objects in Organizational
Units
Module 8: Implementing Group Policy
Module 9: Managing the User Environment by Using Group
Policy
Module 10: Introduction to Security in
Windows Server 2003




                 MCSE 2003
                                                    Slide 3
   Module 2: Managing User and
       Computer Accounts

Lesson 01   :   Creating User Accounts
Lesson 02   :   Creating Computer Accounts
Lesson 03   :   Modifying User and Computer Account Properties
Lesson 04   :   Creating a User Account Template
Lesson 05   :   Enabling and Unlocking User and Computer Accounts
Lesson 06   :   Resetting User and Computer Accounts
Lesson 07   :   Locating User and Computer Accounts in Active
Directory
Lesson 08   : Saving Queries




                         MCSE 2003
                                                                Slide 4
Overview




MCSE 2003
            Slide 5
                     Overview

Objectives: After completing this module, you will be able to:
  Create user accounts.
  Create computer accounts.
  Modify user and computer account properties.
  Create a user account template.
  Enable and unlock user and computer accounts.
  Reset user and computer accounts.
  Locate user and computer accounts in the Active Directory®
  directory service.
  Save queries.



                    MCSE 2003
                                                                Slide 6
Lesson 01: Creating User Accounts




           MCSE 2003
                                    Slide 7
       What Is a User Account?

Local user accounts
(stored on local computer)




Domain user accounts
(stored in Active Directory)

                                Windows Server 2003 Domain



Multimedia: Types of User Accounts
                    MCSE 2003
                                                             Slide 8
User accounts logon




    MCSE 2003
                      Slide 9
        What Is a User Account?

A user account is an object that consists of all the information that
defines a user in Windows Server 2003.
The account can be either a local or domain account. A user
account includes the user name and password with which the user
logs on, the groups that the user account is a member of, and the
user rights and permissions the user has for gaining access to
computer and network resources.
You can use a user account to:
    Enable someone to log on to a computer based on a user
    account's identity.
    Enable processes and services to run under a specific security
    context.
    Manage a user’s access to resources such as Active Directory
    objects and their properties, shared folders, files, directories,
    and printer queues.
                        MCSE 2003
                                                                  Slide 10
Multimedia: Types of User Accounts




           MCSE 2003
                                     Slide 11
Names Associated with Domain User
            Accounts

Name                                Example

User logon name                     khanglnx
Pre-Windows 2000 logon name         NewHorizonsHN\khanglnx
User principal logon name           khanglnx@newhorizonshn.com
LDAP relative distinguished name    CN=khanglnx,CN=users,dc=newhorizonshn,dc=com
                         MCSE 2003
                                                        Slide 12
                User logon name
User logon names can:
   Contain up to 20 uppercase and lowercase characters (the
   field accepts more than 20 characters, but Windows Server
   2003 recognizes only 20).
   Include a combination of special and alphanumeric characters,
   except the following: " / \ [ ] : ; | = , + * ? < > .




                     MCSE 2003
                                                              Slide 13
     Pre-Windows 2000 logon name
You can use the pre-Windows 2000 network basic input/output
system (NetBIOS) user account to log on to a Windows domain
from computers running pre-Windows 2000 operating systems by
using a name with the DomainName\UserName format.
Ex : NewHorizonsHN\khanglnx




                    MCSE 2003
                                                          Slide 14
User principal logon name




       MCSE 2003
                            Slide 15
LDAP relative distinguished name




          MCSE 2003
                                   Slide 16
LDAP relative distinguished name




          MCSE 2003
                                   Slide 17
   Guidelines for Creating a User
    Account Naming Convention


A convention for naming user accounts should
accommodate:
   Employees with duplicate names

   Different types of employees, such as temporary or
   contract employees




                      MCSE 2003
                                                        Slide 18
 Consider the following guidelines for
    creating a naming convention
If you have a large number of users, your naming convention for
user logon names should accommodate employees with duplicate
names. A method to accomplish this is to use the first name and
the last initial, and then add additional letters from the last name
to accommodate duplicate names.
     For example, for two users named Judy Lew, one user logon
    name can be Judyl and the other can be Judyle.
In some organizations, it is useful to identify temporary
employees by their user accounts. To do so, you can add a prefix
to the user logon name, such as a T and a hyphen. An example is
T-Judyl.




                      MCSE 2003
                                                                  Slide 19
User Account Placement in a Hierarchy

  Geopolitical Design
       North America
             Users
       South America
             Users

  Business Design
       Accounting
             Users
       Sales
             Users




                       MCSE 2003
                                                      Slide 20
      User Account Password Options

Account options                            Description

User must change password at next logon    Users must change their passwords the next time they log on to the network
User cannot change password                A user does not have the permissions to change their own password
Password never expires                     A user password is prevented from expiring
Account is disabled                        A user cannot log on by using the selected account

                      MCSE 2003
                                                             Slide 21
     When to Require or Restrict
        Password Changes


Option                       Use this option when you:

Require password changes     Create new domain accounts
                             Reset passwords

Restrict password changes    Create local and domain service accounts
                             Create new local accounts that will not log on locally




                   MCSE 2003
                                                         Slide 22
    How to Create User Accounts


Your instructor will demonstrate how to:

   Create a domain user account
   Create a local user account




                      MCSE 2003
                                           Slide 23
Create a local user account




        MCSE 2003
                              Slide 24
Create a domain user account




        MCSE 2003
                               Slide 25
           Using a command line
dsadd user UserDomainName [-samid SAMName] [-upn UPN] [-fn FirstName]
[-ln LastName] [-display DisplayName] [-pwd {Password|*}]
Example of dsadd user:
dsadd user "cn=khanglnx,cn=users,dc=newhorizonshn,dc=com" -samid khanglnx -upn khanglnx@newhorizonshn.com -fn "Nguyen Minh" -ln Khang -display "Nguyen Khang" -pwd P@ssw0rd
=>(khanglnx@newhorizonshn.com)




                   MCSE 2003
                                                         Slide 26
Practice: Creating User Accounts

     In this practice, you will:
            Create a local user account by using
            Computer Management
            Create a domain account by using
            Active Directory Users and Computers
            Create a domain user account by using Run
            as
            Create a domain user account by using dsadd




            MCSE 2003
                                                    Slide 27
Best Practices for Creating User Accounts

Best practices for creating local user accounts

   Do not enable the Guest account

   Limit the number of people who can log on locally


Best practices for creating domain user accounts

   Disable an account that will not be used immediately

   Require users to change their passwords the first time
   that they log on
                      MCSE 2003
                                                            Slide 28
               Local user accounts
Consider the following best practices when creating local user
accounts:
   Do not enable the Guest account.
   Rename the Administrator account.
   Limit the number of people who can log on locally.
   Use strong passwords




                      MCSE 2003
                                                                 Slide 29
             Domain user accounts
Consider the following best practices when creating domain user
accounts:
   Disable any account that will not be used immediately.
   Require users to change their passwords the first time that
   they log on.
   As a security best practice, it is recommended that you do not
   log on to your computer with administrative credentials.
   When you are logged on to your computer without
   administrative credentials, it is recommended that you use the
   Run as command to accomplish administrative tasks.
   Rename or disable the Administrator and Guest accounts in
   each domain to reduce the attacks on your domain.
   By default, all traffic on Active Directory administrative tools is
   signed and encrypted while in transit on the network. Do not
   disable this feature.
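
The naming guidelines (first name plus last initial, extra last-name letters for duplicates, a T- prefix for temporary staff), the logon-name limits, and the domain account best practices above can be applied together when accounts are provisioned in bulk. The following is an added example, not part of the course material: the function names are hypothetical, the trailing "." in the slide's character list is read as sentence punctuation, and the emitted dsadd lines use -pwd * so the password is prompted for instead of being typed on the command line.

```python
# Added example: naming convention + dsadd line that follows the best practices.

# Characters the "User logon name" slide lists as not allowed. The final "."
# on that slide is read here as sentence punctuation (assumption).
INVALID_CHARS = set('"/\\[]:;|=,+*?<>')
MAX_LEN = 20  # Windows Server 2003 recognizes only the first 20 characters


def validate_logon_name(name):
    """Return a list of problems with a logon name; an empty list means OK."""
    problems = []
    if not name.strip():
        problems.append("empty")
    if len(name) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    bad = sorted(set(name) & INVALID_CHARS)
    if bad:
        problems.append("invalid characters: " + " ".join(bad))
    return problems


def _letters(text):
    """Keep only letters and digits so the name is safe inside a quoted DN."""
    return "".join(ch for ch in text if ch.isalnum())


def assign_logon_name(first, last, taken, temporary=False):
    """First name plus last initial; add last-name letters until unique.

    `taken` holds lower-cased names already in use (logon names are compared
    without regard to case) and is updated with the name that is returned.
    """
    first, last = _letters(first), _letters(last)
    if not first or not last:
        raise ValueError("first and last name are both required")
    prefix = "T-" if temporary else ""
    for n in range(1, len(last) + 1):
        candidate = prefix + first.capitalize() + last[:n].lower()
        if validate_logon_name(candidate):
            break  # too long already: adding more letters cannot help
        if candidate.lower() not in taken:
            taken.add(candidate.lower())
            return candidate
    raise ValueError("no unique logon name of %d characters or fewer for %s %s"
                     % (MAX_LEN, first, last))


def dsadd_command(first, last, logon, container_dn, upn_suffix):
    """Build a dsadd line: account disabled, password prompted for (-pwd *),
    and a password change required at first logon."""
    for label, value in (("first name", first), ("last name", last)):
        if '"' in value:
            raise ValueError("double quote not allowed in " + label)
    problems = validate_logon_name(logon)
    if problems:
        raise ValueError("bad logon name %r: %s" % (logon, "; ".join(problems)))
    return ('dsadd user "cn=%s,%s" -samid %s -upn %s@%s -fn "%s" -ln "%s" '
            '-display "%s %s" -pwd * -mustchpwd yes -disabled yes'
            % (logon, container_dn, logon, logon, upn_suffix,
               first, last, first, last))


if __name__ == "__main__":
    # Constructed sample input: two permanent employees and one temporary
    # employee who share a name, as in the Judy Lew example.
    new_hires = [("Judy", "Lew", False), ("Judy", "Lew", False),
                 ("Judy", "Lew", True)]
    in_use = set()
    for first_name, last_name, is_temp in new_hires:
        logon_name = assign_logon_name(first_name, last_name, in_use, is_temp)
        print(dsadd_command(first_name, last_name, logon_name,
                            "cn=users,dc=newhorizonshn,dc=com",
                            "newhorizonshn.com"))
```

Each account is created disabled, so it is enabled (for example with dsmod user ... -disabled no) only when the user arrives.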
                        MCSE 2003
                                                                   Slide 30
                   Lesson Review

1. You are responsible for managing accounts and access to
    resources for members of your group. A user in your group leaves
    the company, and you are expecting their replacement in a few
    days. What should you do with the previous user's account?
a. Delete the old user account, and create a new account for the
    new user.
b. Change the password for the account, and give the new password
    to the new user.
c. Disable the old user account, rename the user account by using
    the replacement's name, and configure the account to require a
    new password the next time the user logs on. Then, enable the
    account when the replacement arrives.
d. Lock the old user account, rename the user account by using the
    replacement's name, and configure the account to require a new
    password the next time the user logs on. Then, enable the
    account when the replacement arrives.
                         MCSE 2003
                                                                 Slide 31
Lesson 02:Creating Computer Accounts




             MCSE 2003
                                       Slide 32
    What Is a Computer Account?
Identifies a computer in a domain
Provides a means for authenticating and auditing computer access
to the network and to domain resources
Is required for every computer running:
    Windows Server 2003
    Windows XP Professional
    Windows 2000
    Windows NT




                      MCSE 2003
                                                              Slide 33
Why Create a Computer Account?

Security
   Authentication
   IPSec
   Auditing
Management
   Active Directory features:
       Software deployment
       Desktop management
   Hardware and software inventory through Microsoft Systems
   Management Server (SMS)



                    MCSE 2003
                                                           Slide 34
Where Computer Accounts Are
    Created in a Domain




      Computers that join a domain are
      created in the Computers container

      Computer accounts can be moved to
      or created in other organizational units




             MCSE 2003
                                                 Slide 35
Designate the location of computer accounts

If a computer joins a domain, the computer account is created in
the Computers container, and the administrator can move the
account to its proper organizational unit as necessary.
By default, Active Directory users can add up to 10 computers to
the domain with their user account credentials.
This default configuration can be changed. If the systems
administrator adds a computer account directly to Active
Directory, a user can join a computer to the domain without using
any of the 10 allocated computer accounts.




                     MCSE 2003
                                                              Slide 36
Computer Account Options




       MCSE 2003
                           Slide 37
How to Create a Computer Account
Your instructor will demonstrate how to:

   Create a computer account by using Active Directory
   Users and Computers
   Create a computer account by using dsadd



    Note : you must be a member of the Account
    Operators group, Domain Admins group, or the
     Enterprise Admins group in Active Directory



                     MCSE 2003
                                                         Slide 38
Create a Computer Account




       MCSE 2003
                            Slide 39
Using a command line (Computer Account)
  Type dsadd computer ComputerDomainName

  Ex : dsadd computer "cn=Computer001,ou=new,dc=newhorizonshn,dc=com"
(DN : computer001.newhorizonshn.com/new)

  dsadd computer /?




                      MCSE 2003
                                                Slide 40
Practice: Creating a Computer Account
        In this practice, you will
               Create a computer account by using Active
               Directory Users and Computers
               Create a computer account by using dsadd




               MCSE 2003
                                                           Slide 41
                    Lesson Review

1. A user in your group must create a test lab with 24 computers that
    will be joined to the domain. What is the best way to do this and
    maintain the computer accounts separately in Active Directory?
a. Let the user create the computer accounts in Active Directory
    during the installation process.
b. Let the user create the computer accounts in Active Directory
    before the installation process.
c. Give the user the logon name and password of an administrator
    and have the user use that account to create the computer
    accounts in Active Directory.
d. Have the systems administrator create the computer accounts in
    Active Directory before the installation process.


                        MCSE 2003
                                                                  Slide 42
Lesson 03 : Modifying User and
 Computer Account Properties




         MCSE 2003
                                 Slide 43
When to Modify User and Computer
       Account Properties

Modify user account properties to:
   Make it easier to use search capabilities to
   find users
   Match a company’s organizational hierarchy
   Determine the group membership of a user account


Modify computer account properties to:
   Assist in asset tracking (Location property)
   Document who manages a computer (Managed By
   property)
                      MCSE 2003
                                                      Slide 44
 Properties Associated with User Accounts
The Properties dialog box for a user account contains:




                       MCSE 2003
                                                         Slide 45
User account properties




      MCSE 2003
                          Slide 46
Properties Associated with Computer
              Accounts
The Properties dialog box for a computer account contains:




                       MCSE 2003
                                                             Slide 47
Computer account properties




        MCSE 2003
                              Slide 48
   How to Modify User and Computer
          Account Properties

Your instructor will demonstrate how to modify user
and computer accounts




                    MCSE 2003
                                                      Slide 49
  How to Modify User and Computer
         Account Properties
You must be a member of the Account Operators, Domain
Admins, or Enterprise Admins group in Active Directory




                    MCSE 2003
                                                         Slide 50
Using a command line (Modify User and
    Computer Account Properties)
For a user account:
    Type dsmod user UserDN ... [-upn UPN] [-fn FirstName] [-mi Initial]
    [-ln LastName] [-display DisplayName] [-empid EmployeeID]
    [-pwd (Password | *)] [-desc Description] [-office Office]
    [-tel PhoneNumber] [-email E-mailAddress] [-hometel HomePhoneNumber]
    [-pager PagerNumber] [-mobile CellPhoneNumber] [-fax FaxNumber]
    [-iptel IPPhoneNumber] [-webpg WebPage] [-title Title]
    [-dept Department] [-company Company] [-mgr Manager]
    [-hmdir HomeDirectory] [-hmdrv DriveLetter:] [-profile ProfilePath]
    [-loscr ScriptPath] [-mustchpwd {yes | no}] [-canchpwd {yes | no}]
    [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}]
    [-acctexpires NumberOfDays] [-disabled {yes | no}]
    [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q]
    [{-uc | -uco | -uci}]
For a computer account:
    Type dsmod computer ComputerDN ... [-desc Description] [-loc Location]
    [-disabled {yes | no}] [-reset] [{-s Server | -d Domain}]
    [-u UserName] [-p {Password | *}] [-c] [-q] [{-uc | -uco | -uci}]
                       MCSE 2003
                                                                    Slide 51
Practice: Modifying User and Computer
          Account Properties
        In this practice, you will modify user and computer
        account properties




               MCSE 2003
                                                         Slide 52
                 Lesson Review

1. You are responsible for maintaining the servers in your
    organization. You want to enable other administrators in the
    organization to determine the physical location of each server
    without adding any additional administrative tasks or creating any
    additional documents. How can you do this?
a. Modify the Managed by property for the computer account of
    each server to display you as the manager.
b. Modify the Location property for the computer account of each
    server to display the server's location.
c. Modify the Managed by property for the computer account of
    each server to display the server's address information.
d. Modify the Location property for the computer account of each
    server to display the server's asset information.

                         MCSE 2003
                                                                   Slide 53
Lesson 04: Creating a User Account
            Template




            MCSE 2003
                                     Slide 54
What Is a User Account Template?
A user account template is a user account that contains the
properties that apply to users with common requirements
User account templates make creating user accounts with
standardized configurations more efficient




User Account
  Template


                      MCSE 2003
                                                              Slide 55
What Properties Are in a Template?

Tab            Properties copied

Address        All properties except Street Address
Account        All properties except Logon Name
Profile        All properties, except Profile path and Home folder, reflect new user's logon name
Organization   All properties except Title
Member Of      All properties




                       MCSE 2003
                                                              Slide 56
Guidelines for Creating User Account
             Templates

   Create a separate classification for each department

   Create a separate group for short-term and temporary
   employees

   Set user account expiration dates for short-term and
   temporary employees

   Disable the account template


   Identify the account template
                     MCSE 2003
                                                          Slide 57
How to Create a User Account Template
Your instructor will demonstrate how to create a user
account template




                     MCSE 2003
                                                        Slide 58
Practice: Creating a User Account
            Template
     In this practice, you will create a user account
     template




             MCSE 2003
                                                        Slide 59
                   Lesson Review

1. To accelerate the process of creating new accounts when new
    employees enter your group, you create a series of account
    templates that you use to create new user accounts and groups.
    You are notified that a user with an account that was created by
    using one of the non-manager account templates has been
    accessing files that are restricted to the Managers group. What
    should you do?
a. Ensure that you set a strong password on each account created
    from your template.
b. Ensure that you gave the correct group membership to each
    account created from your template.
c. Ensure that you disabled all accounts created from your template.
d. Ensure that each manager account created from your template
    has a unique logon name.
                           MCSE 2003
                                                                 Slide 60
Lesson 05: Enabling and Unlocking
   User and Computer Accounts




           MCSE 2003
                                    Slide 61
Why Enable or Disable User and
    Computer Accounts?




         If the user takes a two-month leave of absence
        from work, you disable the account when the user
        leaves and then enable the account when the user
        returns.
        When you add accounts in the network that will
        be used in the future or for security purposes, you
        disable the accounts until they are needed.
        Disable an account when you do not want users
        to be authenticated from a shared computer.


           MCSE 2003
                                                          Slide 62
 How to Enable and Disable User and
        Computer Accounts

Your instructor will demonstrate how to enable and
disable user and computer accounts




                    MCSE 2003
                                                     Slide 63
Enable and Disable User and Computer
              Accounts
To enable and disable user and computer accounts, you must be a
member of the Account Operators group, Domain Admins
group, or the Enterprise Admins group in Active Directory.




                    MCSE 2003
                                                            Slide 64
What Are Locked-out User Accounts?
 The account lockout threshold:
     Defines the number of failed logon attempts
     Prevents hackers from guessing user passwords
 An account can exceed the account lockout threshold by too many
 failed logon attempts:
     At the logon screen
     At a screen saver protected by a password
     When accessing network resources



                         MCSE 2003
                                     Slide 65
    How to Unlock User Accounts
Your instructor will demonstrate how to unlock user
accounts




                     MCSE 2003
                                                      Slide 66
Practice: Enabling and Disabling User and
           Computer Accounts
          In this practice, you will enable and disable a user
          account and computer account




                  MCSE 2003
                                                             Slide 67
                    Lesson Review

1. You are the systems administrator responsible for creating and
    managing user accounts. Which of the following user accounts
    should you always disable after you create it?
    Choose all that apply.
     a. An account that you create for a future employee
     b. An account that you will use as a user account template
     c. An account that you need to rename




                        MCSE 2003
                                                                    Slide 68
Lesson 06: Resetting User and
     Computer Accounts




         MCSE 2003
                                Slide 69
  When to Reset User Passwords

Reset a password when a user forgets his or her password
After resetting a password, a user can no longer access some
types of information, including:
    E-mail that is encrypted with the user’s public key
    Internet passwords that are saved on the computer
    Files that the user has encrypted




                     MCSE 2003
                                                               Slide 70
   How to Reset User Passwords
Your instructor will demonstrate how to reset user
passwords




                     MCSE 2003
                                                     Slide 71
  When to Reset Computer Accounts

Reset computer accounts when:
      Computers fail to authenticate to the domain
      Passwords need to be synchronized
  You must be a member of the Account Operators group, Domain
  Admins group, or the Enterprise Admins group in Active Directory.
  When you reset a computer account, you break the computer's
  connection to the domain, and you must rejoin it to the domain.




                        MCSE 2003
                                                                 Slide 72
How to Reset Computer Accounts


Your instructor will demonstrate how to reset computer
accounts




                    MCSE 2003
                                                         Slide 73
Practice: Resetting a User Account
             Password
      In this practice, you will reset the password
      for a user account




              MCSE 2003
                                                      Slide 74
                   Lesson Review

1. You are responsible for managing computer accounts for your
    group. Which of the following computer accounts do you need to
    reset?
a. An account that can no longer authenticate with the domain
b. An account that you will use as a computer account template
c. An account for a computer that an employee on temporary leave
    uses
d. An account for which the user has forgotten the password




                        MCSE 2003
                                                                Slide 75
Lesson 07: Locating User and
   Computer Accounts in
      Active Directory




         MCSE 2003
                               Slide 76
Multimedia: Introduction to Locating User
    and Computer Accounts in Active
                Directory
          This presentation will explain how to locate
          objects in Active Directory




                  MCSE 2003
                                                         Slide 77
                        Search Types
Basic query criteria include:
      Object type
      Location
      General values associated
      with the object, such as
      name and description




                           MCSE 2003
                                       Slide 78
How to Search for Active Directory
            Objects

Your instructor will demonstrate how to search for
Active Directory objects




                     MCSE 2003
                                                     Slide 79
           Using a command line
To search for a user by using dsquery:
   dsquery user [{StartNode | forestroot | domainroot}]
   [-o {dn | rdn | upn | samid}] [-scope {subtree | onelevel | base}]
   [-name Name] [-desc Description] [-upn UPN] [-samid SAMName]
   [-inactive NumberOfWeeks] [-stalepwd NumberOfDays] [-disabled]
   [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}]
   [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]
To search for a computer by using dsquery:
   dsquery computer [{StartNode | forestroot | domainroot}]
   [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}]
   [-name Name] [-desc Description] [-samid SAMName]
   [-inactive NumberOfWeeks] [-stalepwd NumberOfDays] [-disabled]
   [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}]
   [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]
                      MCSE 2003
                                                         Slide 80
How to Search Using Common Queries

Your instructor will demonstrate how to search for
Active Directory objects by using common queries




                    MCSE 2003
                                                     Slide 81
           Using a Custom Query




(&(&(objectCategory=user)(l=Denver)(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))))
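
The custom query above selects disabled accounts with the bitwise AND matching rule (OID 1.2.840.113556.1.4.803) applied to userAccountControl, where the value 2 is the "account is disabled" bit. The following is an added example, not part of the course material: it evaluates a small subset of LDAP filter syntax over constructed directory entries to show how that rule behaves and how the same technique finds enabled accounts whose password never expires. The entry layout (lower-cased attribute names, objectCategory stored as a short name) and all function names are assumptions made for the illustration.

```python
# Added example: how the bitwise AND matching rule in a custom query behaves.
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

# userAccountControl flag values documented for Active Directory.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_filter(text, i=0):
    """Parse one parenthesised filter at text[i]; return (node, next index)."""
    if text[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if text[i] in "&|":
        op, i, kids = text[i], i + 1, []
        while text[i] == "(":
            kid, i = parse_filter(text, i)
            kids.append(kid)
        node = (op, kids)
    elif text[i] == "!":
        kid, i = parse_filter(text, i + 1)
        node = ("!", [kid])
    else:
        end = text.index(")", i)  # ValueError if the item is never closed
        node, i = ("item", text[i:end]), end
    if text[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def match_item(item, entry):
    """Evaluate attr=value, or attr:OID:=value for the bitwise AND rule."""
    lhs, sep, value = item.partition("=")
    if not sep:
        raise ValueError("no '=' in filter item: " + item)
    if lhs.endswith(":"):  # extensible match: userAccountControl:<OID>:=2
        attr, _, rule = lhs[:-1].partition(":")
        if rule != BIT_AND:
            raise ValueError("unsupported matching rule: " + rule)
        mask = int(value)
        # True only when every bit of the mask is set in the stored value.
        return (int(entry.get(attr.lower(), 0)) & mask) == mask
    stored = entry.get(lhs.lower(), [])
    values = stored if isinstance(stored, list) else [stored]
    return any(str(v).lower() == value.lower() for v in values)


def matches(node, entry):
    op, arg = node
    if op == "&":
        return all(matches(kid, entry) for kid in arg)
    if op == "|":
        return any(matches(kid, entry) for kid in arg)
    if op == "!":
        return not matches(arg[0], entry)
    return match_item(arg, entry)


def search(filter_text, entries):
    """Return the sAMAccountName of every entry the filter matches."""
    try:
        node, end = parse_filter(filter_text)
    except IndexError:
        raise ValueError("unbalanced parentheses in filter")
    if end != len(filter_text):
        raise ValueError("unexpected text after filter")
    return [e["samaccountname"] for e in entries if matches(node, e)]


USER = ["top", "person", "organizationalPerson", "user"]
# Constructed sample entries (not real directory data).
SAMPLE = [
    {"samaccountname": "judyl", "objectcategory": "person", "objectclass": USER, "l": "Denver", "useraccountcontrol": 514},
    {"samaccountname": "khanglnx", "objectcategory": "person", "objectclass": USER, "l": "Denver", "useraccountcontrol": 512},
    {"samaccountname": "svc-backup", "objectcategory": "person", "objectclass": USER, "l": "Denver", "useraccountcontrol": 66048},
    {"samaccountname": "T-Judyl", "objectcategory": "person", "objectclass": USER, "l": "Seattle", "useraccountcontrol": 514},
    {"samaccountname": "COMPUTER001$", "objectcategory": "computer", "objectclass": USER + ["computer"], "l": "Denver", "useraccountcontrol": 4098},
]
DISABLED_DENVER = ("(&(objectCategory=person)(objectClass=user)(l=Denver)"
                   "(userAccountControl:1.2.840.113556.1.4.803:=2))")
NEVER_EXPIRES_ENABLED = ("(&(objectCategory=person)(objectClass=user)"
                         "(userAccountControl:1.2.840.113556.1.4.803:=65536)"
                         "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

if __name__ == "__main__":
    print("disabled users in Denver:", search(DISABLED_DENVER, SAMPLE))
    print("enabled, password never expires:", search(NEVER_EXPIRES_ENABLED, SAMPLE))
    print("66048 =", decode_uac(66048))
```

An item written as userAccountControl=1.2.840.113556.1.4.803:=2, with "=" in place of the first ":", is read as a plain equality test and matches nothing.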




                         MCSE 2003
                                                                      Slide 82
Practice: Locating User and Computer
               Accounts
        In this practice, you will locate user and computer
        accounts that meet specific criteria




               MCSE 2003
                                                          Slide 83
                    Lesson Review

1. You are the administrator responsible for creating, managing, and
    organizing user and computer accounts for your organization. You
    create a document outlining the best way to search Active
    Directory for computer accounts in a specific organizational unit.
    From the following choices, which do you include in your
    document?
a. Search for the organizational unit by using computers as the
    criteria.
b. Search for the organizational unit, and then search the results for
    computers.
c. Search for computers by using the organizational unit as the
    criteria.
d. Search for all computers, and then search the results for the
    correct organizational unit.
                          MCSE 2003
                                                                   Slide 84
Lesson 08: Saving Queries




       MCSE 2003
                            Slide 85
  What Is a Saved Query?




All queries in the Saved Queries folder are stored in the Active
Directory Users and Computers console file, dsa.msc.
After you successfully create your customized set of queries, you can
copy the .msc file to other Windows Server 2003 domain controllers
that are in the same domain and reuse the same set of saved queries.
You can also export saved queries to an Extensible Markup Language
(XML) file. You can then import them into other
Active Directory Users and Computers consoles located on Windows
Server 2003 domain controllers that are in the same domain.


                  MCSE 2003
                                                                         Slide 86
    How to Create a Saved Query
Your instructor will demonstrate how to create a saved
query




                     MCSE 2003
                                                         Slide 87
How to Create a Saved Query




        MCSE 2003
                              Slide 88
How to Create a Saved Query




        MCSE 2003
                              Slide 89
Practice: Creating Saved Queries

      In this practice, you will create a saved
      query for a user account




            MCSE 2003
                                                  Slide 90
Lab A: Managing User and Computer
            Accounts
      In this lab, you will:
         Create user and computer accounts
         Move user and computer accounts
         Enable user accounts




              MCSE 2003
                                             Slide 91
                    Lesson Review

1. You have determined the best ways to search for Active Directory
    objects and documented your recommended search criteria.
    However, the administrators tell you that it is taking too long to
    create and then run the search. After further research, you
    determine that most of the systems administrators are searching
    for the same information. What can you do to accelerate the
    search process?
a. Specify multiple criteria in a custom search.
b. Standardize search procedures.
c. Create saved queries for common searches performed by the
    systems administrators.
d. Create saved queries for every search that you or the systems
    administrators perform

                         MCSE 2003
                                                                    Slide 92
Lesson Review




  MCSE 2003
                Slide 93

				
posted:10/26/2012
language:English
pages:93