70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003
Chapter Seven: Creating and Managing Domain User and Group Accounts

Objectives
• Explain the purpose of domain user accounts
• Describe the domain user authentication process
• Create and manage user accounts
• Configure roaming and mandatory user profiles
Guide to MCSE 70-270, 70-290

Objectives (continued)
• Troubleshoot user account and authentication problems
• Use domain group accounts to simplify administration
• Use command-line utilities to work with domain accounts

Introduction to Domain User Accounts
• Domain user account: Active Directory object
  • Gives domain controllers access to user information
• Make it possible to:
  • Require authentication for users
  • Control access to network resources
  • Monitor access to resources
• Standards for elements of user objects:
  • Establishing a naming convention
  • Controlling password policy and ownership
  • Including additional required attributes

User Account Properties
• Active Directory Users and Computers: Primary tool for creating and managing user accounts
• Properties that can be set for a user account:
  • General, Address, Account, Profile, Telephones, Organization, Member Of, Dial-in

User Account Properties (continued)
• Properties that can be set for a user account (continued):
  • Environment, Sessions, Remote control, Terminal Services Profile, COM+
• Activity 7-1: Reviewing User Account Properties
  • Objective: Review the properties of a user account

User Account Properties (continued)
Figure 7-1: Properties of a domain user account

User Authentication
• Authentication: Process of validating a user’s identity
  • Unique access token created for the user
• Users enter user names and passwords
• In an Active Directory environment, users generally log on to a domain
  • Authenticated by a domain controller
• In a workgroup, the local computer’s SAM database handles authentication

Authentication Methods
• Two main processes:
  • Interactive authentication: Users enter user names and passwords
  • Network authentication: Network resource or service confirms the user’s identity
• Process differs depending on whether logging on to a domain or a local computer
Authentication Protocols: Kerberos v5
• Kerberos v5: Primary authentication protocol used in Active Directory domain environments
• Key Distribution Center (KDC): Service running on a Windows Server 2003 domain controller
  • Accesses user name and password information stored in Active Directory to authenticate users
• Ticket-granting ticket (TGT): Data packet containing encrypted user identification information
  • Client presents the TGT to the KDC to request service tickets for resources
Authentication Protocols: NTLM
• Challenge-and-response protocol
• Used for authentication with OSs running Windows NT 4.0 or earlier
  • Down-level operating systems
• Most commonly used when:
  • A Windows Server 2003 system attempts to authenticate to a Windows NT 4.0 domain controller
  • A Windows NT 4.0 Workstation system attempts to authenticate to a Windows 2000 or Windows Server 2003 domain controller

Creating and Managing Domain User Accounts
• Windows Server 2003 supports many methods and tools for creating user account objects
  • Primary tool is Active Directory Users and Computers
  • Makes it possible for administrators to work in the environment they feel most comfortable with, or that is most appropriate for the situation

Using Active Directory Users and Computers
Figure 7-2: Active Directory Users and Computers

Using Active Directory Users and Computers (continued)
Figure 7-3: The New Object − User dialog box

Using Active Directory Users and Computers (continued)
• Activity 7-2: Creating User Accounts with Active Directory Users and Computers
  • Objective: Use Active Directory Users and Computers to create user accounts
• To increase security, the default policy on the server restricts logging on at the server console to Administrators, Account Operators, and Print Operators

Using Active Directory Users and Computers (continued)
Figure 7-4: Configuring an initial password for a new user object
Using Active Directory Users and Computers (continued)
• Activity 7-3: Modifying the Server Logon Policy
  • Description: In this activity, you use Control Panel on your Windows Server 2003 system to allow all your users to log on from the server console
• Activity 7-4: Testing Your User Accounts
  • Objective: Test logging on for the user accounts you created
• Multiple user accounts often have common property settings
Using Active Directory Users and Computers (continued)
Figure 7-5: Configuring properties for multiple user objects simultaneously

Using User Account Templates
• User account template: User account set up with the common settings associated with a particular type of user
• Activity 7-5: Creating a User Account Template
  • Objective: Create a user account template and use that template to create a new user account

Working With User Profiles
Figure 7-6: The Documents and Settings folder

Roaming Profiles
• Make it possible to have profiles follow users to different computers
• Store user desktop settings in a single, centralized location
• Configured in the Profile tab of the user account’s Properties dialog box via Active Directory Users and Computers
• Activity 7-6: Configuring and Testing a Roaming Profile
  • Objective: Configure and test a roaming user profile

Mandatory Profiles
• Allow users to change their profiles while logged on, but the changes are not permanently saved
• Roaming and local user profiles can be configured as mandatory profiles
  • Rename the Ntuser.dat file stored in the profile to Ntuser.man
• Activity 7-7: Configuring a Mandatory Profile
  • Objective: Configure and test a mandatory user profile
Troubleshooting User Account and Authentication Problems
• A number of issues can affect a user’s ability to log on to a Windows Server 2003 Active Directory network
  • Some are related to the configuration of the user account
    • e.g., Account lockout
  • Some are related to policy settings

Solving User Logon Problems
• Common logon problems:
  • Incorrect user name or password: Reset the password
  • Account lockout: Unlock the account manually
  • Account disabled: Enable it with Active Directory Users and Computers or the Dsmod User command
  • Logon hour restrictions: Reconfigure the permitted hours
  • Workstation restrictions: Change the user’s permitted workstations
  • Domain controllers: Make sure DNS settings are correct
  • Client time settings: Synchronize with the domain controller

Solving User Logon Problems (continued)
• Common logon problems (continued):
  • Down-level client issues: Consider installing the Active Directory Client Extensions
  • UPN logon issues: Ensure that a global catalog server is configured and accessible
  • Users unable to log on locally: Grant the right to log on locally in the policy settings on the server
  • Remote access logon issues: Ensure the account is configured to allow access
  • Terminal Services logon issues: Ensure the Allow logon to terminal server check box is selected in the Terminal Services Profile tab

Solving Problems Associated with Computer Accounts
• If users are unable to log on from an XP client, check the event log to determine whether the computer account must be reset
  • Event IDs 3210 or 5722

Working with Domain Group Accounts
• Group: Active Directory object used to organize a collection of users, computers, contacts, or other groups into a single security principal
• Simplifies administration by assigning rights and resource permissions to the group rather than to individual users

Group Types
• Define how a group can be used in an Active Directory domain or forest
• Security groups: The most common group type in an Active Directory environment
  • Defined by a SID, which allows them to be assigned permissions for resources in discretionary access control lists (DACLs)
  • Any group that will be assigned permissions or rights must be a security group
  • Can also be used as e-mail entities

Group Types (continued)
• Distribution groups: For use with e-mail applications
  • No SID
  • Don’t burden the user authentication process unnecessarily
Group Scope
• Logical boundary within which a group can be assigned permissions to a specific resource in an Active Directory domain or forest
• Domain functional levels:
  • Windows 2000 mixed
  • Windows 2000 native
  • Windows Server 2003

Group Scope (continued)
Table 7-1: Windows Server 2003 group summary

Built-in Groups
Table 7-2: Domain local groups in the Builtin container

Built-in Groups (continued)
Table 7-2 (continued): Domain local groups in the Builtin container

Built-in Groups (continued)
Table 7-3: Domain local and global groups in the Users container

Planning and Implementing Security Groups
• Mnemonic: A-G-U-DL-P
• Creating Group Objects: New group accounts can be created in any of the built-in containers in Active Directory Users and Computers
  • Also in the root of the domain object
  • Often created within custom OU objects
  • Created in Active Directory Users and Computers by right-clicking a container or OU
• Properties for group accounts: General, Members, Member Of, and Managed By

Planning and Implementing Security Groups (continued)
• Activity 7-8: Creating and Adding Members to Global Groups
  • Objective: Use Active Directory Users and Computers to create global groups
• Activity 7-9: Creating and Adding Members to Domain Local Groups
  • Objective: Use Active Directory Users and Computers to create domain local groups

Planning and Implementing Security Groups (continued)
Figure 7-7: The New Object − Group dialog box

Planning and Implementing Security Groups (continued)
Figure 7-9: The Members tab in the Properties dialog box of a global group
Planning and Implementing Security Groups (continued)
• Activity 7-10: Changing a Domain’s Functional Level and Creating and Adding Members to Universal Groups
  • Objective: Change the functional level of a domain to Windows Server 2003 and use Active Directory Users and Computers to create universal groups
• Converting Group Types: Domain functional level must be at least Windows 2000 native
• Activity 7-11: Converting Group Types
  • Objective: Use Active Directory Users and Computers to change group types

Planning and Implementing Security Groups (continued)
Figure 7-12: Creating a universal group

Planning and Implementing Security Groups (continued)
• Converting Group Scopes: Domain functional level must be at least Windows 2000 native
  • Global to universal: Only if the group is not a member of any other global group
  • Domain local to universal: Only if the group does not have any other domain local groups as members
  • Universal to global: Only if no universal groups are members of the group
  • Universal to domain local: No restrictions
• Activity 7-12: Converting Group Scopes
  • Objective: Use Active Directory Users and Computers to change group scopes
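The four scope-conversion rules above, checked against a small constructed directory model. This is an added example, not code from the textbook; the group names, the `GROUPS` structure and the `can_convert_scope` function are assumptions made for illustration, and the domain is assumed to be at the Windows 2000 native functional level or higher as the slide requires.

```python
# Added example, not from the textbook: the group-scope conversion rules from
# the slide, applied to a constructed directory model. Assumes the domain is at
# the Windows 2000 native functional level or higher, as the slide requires.

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain local", "universal"

# Constructed directory: group name -> (scope, set of nested member groups).
# User members are left out because only nested groups affect the rules.
GROUPS = {
    "G-Sales":       (GLOBAL,       set()),
    "G-AllSales":    (GLOBAL,       {"G-Sales"}),        # G-Sales nested in a global
    "DL-SalesShare": (DOMAIN_LOCAL, {"G-Sales"}),
    "DL-Printers":   (DOMAIN_LOCAL, {"DL-SalesShare"}),  # nests a domain local group
    "U-Forest":      (UNIVERSAL,    {"G-AllSales"}),
    "U-Parent":      (UNIVERSAL,    {"U-Forest"}),       # nests a universal group
}

def groups_containing(group, directory):
    """Names of the groups that list `group` among their members."""
    return {g for g, (_, members) in directory.items() if group in members}

def can_convert_scope(group, new_scope, directory, level="Windows 2000 native"):
    """Return (allowed, reason) for converting `group` to `new_scope`."""
    if level == "Windows 2000 mixed":
        return False, "functional level must be at least Windows 2000 native"
    scope, members = directory[group]
    if scope == new_scope:
        return False, "group already has that scope"
    if (scope, new_scope) == (GLOBAL, UNIVERSAL):
        # Allowed only if the group is not itself a member of another global group
        parents = sorted(g for g in groups_containing(group, directory)
                         if directory[g][0] == GLOBAL)
        return not parents, "member of global group(s): %s" % parents if parents else "ok"
    if (scope, new_scope) == (DOMAIN_LOCAL, UNIVERSAL):
        # Allowed only if no domain local groups are nested inside it
        nested = sorted(m for m in members if directory[m][0] == DOMAIN_LOCAL)
        return not nested, "contains domain local group(s): %s" % nested if nested else "ok"
    if (scope, new_scope) == (UNIVERSAL, GLOBAL):
        # Allowed only if no universal groups are nested inside it
        nested = sorted(m for m in members if directory[m][0] == UNIVERSAL)
        return not nested, "contains universal group(s): %s" % nested if nested else "ok"
    if (scope, new_scope) == (UNIVERSAL, DOMAIN_LOCAL):
        return True, "ok"                       # no restrictions on this conversion
    # Global <-> domain local is not a direct conversion; it goes via universal
    return False, "%s to %s is not a direct conversion" % (scope, new_scope)
```

Converting a global group straight to domain local (or the reverse) is reported as not permitted, because the slide lists no such direct conversion.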
Planning and Implementing Security Groups (continued)
• Determining Group Membership: Any Windows Server 2003 network administrator must ensure that users are members of the correct groups
  • Incorrect group membership can lead to problems with:
    • User access to required resources
    • Ability to access resources at all
  • Easiest method: The Member Of tab of the Properties dialog box

Using Command-line Utilities
• Dsadd command: Allows object types to be added to the directory
  • Computer accounts, contacts, quotas, groups, OUs, and users
• Activity 7-13: Creating Groups with Dsadd Group
  • Objective: Use the Dsadd Group command to add groups of different types and scopes
• Dsget command: Determine a user’s group memberships

Using Command-line Utilities (continued)
• Dsmod command: Allows object types to be modified from the command line
• Activity 7-14: Modifying User Accounts with Dsmod
  • Objective: Modify existing user account properties with the Dsmod User command
• Activity 7-15: Modifying a Group Description with Dsmod
  • Objective: Use the Dsmod Group command to modify group accounts

Using Command-line Utilities (continued)
• Dsquery command: Query for object types
  • Computer accounts, contacts, quotas, groups, OUs, servers, partitions, and users
  • Supports wildcard characters
Figure 7-14: Piping the output of Dsquery User to the Dsmod User command

Using Command-line Utilities (continued)
• Dsmove command: Allows object types to be moved from their current location to a new location
  • Can also rename an object
  • Can be used only to move objects within the same domain
• Dsrm command: Deletes objects from the directory
  • Supports deleting entire subtrees
  • Can delete an existing object and its contents

Using Command-line Utilities (continued)
• Bulk Import and Export: Gives administrators the flexibility to import and export data to or from Active Directory
• CSVDE utility: Supports bulk export and import of Active Directory data to and from comma-separated value (CSV) files
• LDIFDE utility: Same purpose as the CSVDE utility, but uses the LDIF file format
  • Industry-standard method for formatting information imported to or exported from LDAP directories

Using Command-line Utilities (continued)
• Activity 7-16: Exporting Active Directory Users with LDIFDE
  • Objective: Export Active Directory data with the LDIFDE utility
Figure 7-15: Data exported with CSVDE

Using Command-line Utilities (continued)
Figure 7-16: User data exported with LDIFDE
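An LDIFDE export like the one in Figure 7-16 is just LDIF text, so it can be read back to review account settings in bulk. The following is an added example, not code from the textbook: it parses the LDIF constructs LDIFDE emits (blank-line record separators, `::` base64 values, folded continuation lines) and decodes each user’s userAccountControl bits; the export text and the example.local domain are constructed, and `parse_ldif`, `audit_users` and `needs_review` are names chosen for this illustration.

```python
# Added example, not from the textbook: parse an LDIFDE-style export (as in
# Figure 7-16) and summarise each user's userAccountControl bits for review.
import base64
# userAccountControl bit flags as documented for Active Directory
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x10: "LOCKOUT", 0x20: "PASSWD_NOTREQD",
             0x200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}
WATCH = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD"}  # bits worth a second look
# Constructed export for a fictional domain, using the LDIF features LDIFDE
# emits: blank-line record separators, '::' base64 values, folded lines.
SAMPLE_LDIF = """\
dn: CN=Backup Service,OU=Service Accounts,DC=example,DC=local
changetype: add
objectClass: user
sAMAccountName: svc-backup
description:: QmFja3VwIHNlcnZpY2UgYWNjb3VudA==
userAccountControl: 66080

dn: CN=Old Temp,OU=Sales,DC=example,DC=local
changetype: add
objectClass: user
sAMAccountName: oldtemp
displayName: Old
  Temp
userAccountControl: 514
"""

def parse_ldif(text):
    """Return one dict (attribute -> list of values) per LDIF record."""
    records = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split
        rec = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # '::' means the value is base64-encoded
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            rec.setdefault(attr, []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def audit_users(text):
    """sAMAccountName -> names of the userAccountControl bits set (users only)."""
    return {r["sAMAccountName"][0]: sorted(
                name for bit, name in UAC_FLAGS.items()
                if int(r["userAccountControl"][0]) & bit)
            for r in parse_ldif(text) if "user" in r.get("objectClass", [])}

def needs_review(text):
    """Accounts carrying any WATCH flag, e.g. a password set never to expire."""
    return sorted(n for n, f in audit_users(text).items() if WATCH & set(f))
```

In the constructed export, svc-backup (66080 = 0x10220) carries both PASSWD_NOTREQD and DONT_EXPIRE_PASSWORD, while oldtemp (514 = 0x202) is simply a disabled normal account.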
Summary
• The two primary authentication protocols used in Windows Server 2003 Active Directory environments are Kerberos v5 and NTLM
• Windows Server 2003 supports three different types of user profiles: local, roaming, and mandatory
• The primary tool for creating and managing user and group accounts in a Windows Active Directory environment is Active Directory Users and Computers