creating and managing users n.
Skip this Video
Loading SlideShow in 5 Seconds..
Creating and Managing Users PowerPoint Presentation
Download Presentation
Creating and Managing Users

Creating and Managing Users

339 Views Download Presentation
Download Presentation

Creating and Managing Users

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. CreatingandManaging Users

  2. Server 2003 User Accounts • Domain user accounts • Local user accounts • Built-in user accounts

  3. Introduction to User Accounts • A user account is an Active Directory object • Used for user authentication • Information that defines a user (first name, last name, password, etc.) • Various configuration settings • Required for anyone using resources on network • Assists in administration and security • Must follow organizational standards

  4. User Account Templates • A user account that is pre-configured with common settings • Can be copied to create new user accounts with pre-defined settings • New account is then configured with detailed individual settings

  5. Local User Accounts • Allow users to log on to and gain access to resources on the computer where they log in • Created in the computer’s security database • Not replicated to domain controllers

  6. Built-In User Accounts • Administrator • Rename • Create new account with administrator privleges • runas /user:<domain name>\<username> prog • Guest • Disabled by default

  7. Naming Conventions • The naming convention establishes how users are identified in the domain. • Several considerations • User account Naming • Password requirements • Length • Complexity • History • Expiration • Account options • Logon hours • Computer restrictions • Etc – additional attributes require replication

  8. Must be uniques within the OU 20 characters max / \ [ ] : ; | = + * < > invalid Not case sensitive How will you deal with duplicates Services may require an account name to run Logon Name

  9. Password Requirements • Always assign a password for the Administrator account. • Determine whether the administrator or the users will control passwords. • Use passwords that are hard to guess. • Passwords can be up to 128 characters; a minimum length of eight characters is recommended. • Use both uppercase and lowercase letters, numerals, and valid non-alphanumeric characters.

  10. Creating and Managing User Accounts • Standard tool is AD Users and Computers • Can be run from command line (dsa.msc) • Can add, modify, move, delete, search for user accounts • Can configure multiple objects simultaneously • Also a number of command line tools and utilities

  11. Domain User Accounts • Allow users to log on to the domain and gain access to resources anywhere on the network • Created in an OU in the Active Directory store • Replicated to all domain controllers

  12. Creating Domain User Accounts

  13. Overview of Modifying Properties • A set of default properties is associated with each user account. • Properties defined for a domain user account can be used to search for users in the Active Directory store. • Several properties should be configured for each domain user account. • You can use the Active Directory Users And Computers snap-in to modify a domain user account. • You can use the Local Users And Groups snap-in to modify a local user account.

  14. Administering User Accounts • Managing user profiles • Modifying user accounts • Creating home folders

  15. User Account Properties • Primary tool for creating and managing accounts is Active Directory Users and Computers • Active Directory is extensible so additional tabs may be added to property pages • Major account properties that can be set include: • General – generic info about user • Address – address info • Account – logon name, password options, Logon hours • Profile – Home dir, Profile path, Logon script • Sessions – Terminal services config

  16. The Account Tab of Properties

  17. Creating Home Folders

  18. User Authentication • The process by which a user’s identity is validated • Used to grant or deny access to network resources • From a client operating system • Name, password, resource required (domain or local computer) • In Active Directory environment • Domain controller authenticates • In a workgroup • Local SAM database authenticates

  19. Authentication Methods • Two main processes • Interactive authentication • User account information is supplied in Logon To • Smart Card support • Network authentication • User’s credentials are confirmed for network access • When browsing for a resource

  20. Authentication Protocols • Windows Server 2003 supports two main authentication protocols: • Kerberos version 5 (Kerberos v5) • NT LAN Manager (NTLM) • Kerberos v5 is primary protocol for Active Directory environments but is not supported on all client systems • NTLM is primary protocol for older Microsoft operating systems

  21. Kerberos

  22. Kerberos Protocol • Kerberos is the default authentication provider in Windows Server 2003 • the primary security protocol. • Kerberos verifies the identity of the user and the integrity of the session data. • Kerberos operates • as a trusted third party • generate session keys • grants tickets for specific client/server sessions. • A ticket, it contains • Session key • Name • Expiration etc

  23. Features of the Kerberos Protocol • Mature open standard • Faster connection authentication • No pass through required • Mutual authentication • Authenticates both client and server • NTLM only authenticates client • Delegation of authentication • Transitive trust

  24. Kerberos Terminology • Principal – user, client or server • Realm – security boundary • Secret key • used to encrypt info between KDC and Client • Usually a hash of user password • Session key • Temporary encryption key used between principals • Authenticator • Key distribution center (KDC) – Every Domain Contrller • Privilege attribute certificate (PAC) • Contains the user’s SID • Ticket • Allows the client to authenticate to a server • Ticket granting ticket (TGT) • Contains a random session key

  25. Domain Authentication and Resource Access 1. Request a ticket for TGS Authentication Service (AS) 2. Return TGT to client 3. Send TGT and request for ticket to \\AppServ Ticket Granting Service (TGS) 4. Return ticket for \\AppServ Kerberos client 5. Send session ticket to \\AppServ 6. (Optional) Send confirmation of identity to client Windows 2003 domain controller (KDC) \\AppServ

  26. Kerberos v5 - Recap • Log on request passed to Key Distribution Center (KDC), a Windows Server 2003 domain controller • KDC authenticates user and, if valid, issues a ticket-granting ticket (TGT) to client system • When client requests a network resource, it presents the TGT to KDC • KDC issues a service ticket to client • Client presents service ticket to host server for network resource

  27. Kerberos Policy • Kerberos Policy SettingsOn a domain controller in your domain in Administrative Tools, click Domain Security Policy, click Windows Settings, click Security Settings, click Account Policies, and then click Kerberos Policy. • Enforce logon restrictions: Yes • Maximum lifetime that a user ticket can be renewed:7 days • Maximum service ticket lifetime: 60 minutes • Maximum tolerance for synchronization of computer clocks: 5 minutes • Maximum TGT lifetime: 10 hours

  28. NTLM • A challenge-response protocol • Used with operating systems running Windows NT 4.0 or earlier or with Windows 2000 or Server 2003 when necessary • Protocol followed: • User logs in, client calculates cryptographic hash of password • Client sends user name to domain controller

  29. NTLM (continued) • Domain controller generates random challenge and sends it to client • Client encrypts challenge with hash of password and sends to domain controller • Domain controller calculates expected value to be returned from client and compares to actual value • After successful authentication, domain controller generates a token for user for network access

  30. Challenge/Response sequence Request to connect Respond with a challenge code Send an encrypted password Reply with the result of authentication

  31. NTLM - Logon

  32. Local Interactive Logon

  33. User Profiles • A collection of settings specific to a particular user • Stored locally by default • Do not follow user logging on to different computers • Can create a roaming profile • Does follow user logging on to different computers • Administrator can create a mandatory profile • User cannot alter it

  34. Managing User Profiles • A user profile is a collection of folders and data that stores your current desktop environment and application settings as well as personal data. • Microsoft Windows 2000+ creates a local user profile the first time you log on at a computer. • User profiles operate in a specific manner. • Stored in • %systemdrive%\Documents and Settings\<logon name> • <%systemdrive>\profiles

  35. Profiles • Customizable • ntuser.dat • Mandatory • • Local • Stored on the local machine • In folder Documents and Settings • Roaming • Stored in a shared folder on a server

  36. Assigning a Customized Roaming User Profile

  37. User Profile Folders and Contents

  38. Local Profiles • New profiles are created from Default User profile folder • User can change local profile and changes are stored uniquely to that user • Administrator can manage various elements of profile • Change Type • Delete • Copy To

  39. Roaming Profiles • Roaming profiles • Allow a profile to be stored on a central server and follow the user • Provide advantage of a single centralized location (helpful for backup) • Assigned from Profiles Tab of Account properties • Changing a profile from local to roaming requires care – should copy first

  40. Mandatory Profiles • Local and roaming profiles allow users to make permanent changes • Mandatory profiles allow changes only for a single session • Local and roaming profiles can both be configured as mandatory • ntuser.dat 

  41. Command Line Utilities • Some administrators prefer working from command line • Can be used to automate creation or management of accounts more flexibly

  42. DSADD • Allows object types to be added to directory • Computer accounts, contacts, quotas, OUs, users, etc. • Syntax for user account is • DSADD USER distinguished-name switches • Switches include • -pwd (password), -memberof, -email, -profile, -disabled

  43. DSMOD • Allows object types to be modified from the command line • Computer accounts, users, quotas, OUs, servers, etc. • Syntax for modifying user account is • DSMOD USER distinguished-name+ switches+ • Can modify multiple accounts simultaneously

  44. DSQUERY • Allows various object types to be queried from command line • Supports wildcard (*) • Output can be redirected to another command (piped) • Example: return all user accounts that have not changed passwords in 14 days • dsquery user domainroot –name * -stalepwd 14

  45. DSMOVE • Allows various object types to be moved from current location to a new location • Allows various object types to be renamed • Only moves within the same domain (otherwise use MOVETREE) • Example: to move a user account into a marketing OU • dsmove "cn=Paul Kohut,cn=users,dc=domain01, dc=dovercorp,dc=net" –newparent "ou=marketing, dc=domain01,dc=dovercorp,dc=net"

  46. DSRM • Allows objects to be deleted from directory • Can delete single object or entire subtree • Has a confirm option that can be overridden • Example: to delete the Marketing OU and all its contained objects without a confirm prompt: • dsrm –subtree –noprompt –c "ou=marketing, dc=domain01,dc=dovercorp,dc=net "

  47. Bulk Import and Export • Allows an organization to import existing stores of data rather than recreating from scratch • Allows an organization to export data that is already structured in Active Directory to secondary databases • Two command line utilities for import and export • CSVDE • LDIFDE

  48. CSVDE • Command-line tool to bulk export and import Active Directory data to and from comma-separated value (CSV) files • CSV files can be created/edited using text-based editors • Example: • csvde –f output.csv --- export • Csvde –i –f input.c

  49. LDIFDE • Command-line tool to bulk export and import Active Directory data to and from LDIF files • LDAP Interchange Format • Industry standard for information in LDAP directories • Each attribute/value on a separate line with blank lines between objects • Can be read in text-based editors • Common uses: extending AD schemas, importing bulk data to populate AD, manipulating user and group objects

  50. Troubleshooting User Account and Authentication Issues • Normally creating and configuring user accounts is straightforward • Issues do arise related to • Configuration of account • Policy settings