1. 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 3: Creating and Managing User Accounts

2. Guide to MCSE 70-290, Enhanced 2 Objectives Understand the purpose of user accounts Understand the user authentication process Understand and configure local, roaming, and mandatory user profiles Configure and modify user accounts using different methods Troubleshoot user account and authentication problems

3. Guide to MCSE 70-290, Enhanced 3 Introduction to User Accounts A user account is an Active Directory object Represents information that defines a user with access to network (first name, last name, password, etc.) Required for anyone using resources on network Assists in administration and security Must follow organizational standards

4. Guide to MCSE 70-290, Enhanced 4 User Account Properties Primary tool for creating and managing accounts is Active Directory Users and Computers Active Directory is extensible so additional tabs may be added to property pages Major account properties that can be set include: General Address Account Profile Sessions

5. Guide to MCSE 70-290, Enhanced 5 The Account Tab of Properties

6. Guide to MCSE 70-290, Enhanced 6 User Authentication The process by which a user’s identity is validated Used to grant or deny access to network resources From a client operating system Name, password, resource required In Active Directory environment Domain controller authenticates In a workgroup Local SAM database authenticates

7. Guide to MCSE 70-290, Enhanced 7 Authentication Methods Two main processes Interactive authentication User account information is supplied at log on Network authentication User’s credentials are confirmed for network access

8. Guide to MCSE 70-290, Enhanced 8 Interactive Authentication The process by which a user provides a user name and password for authentication For domain logon, credentials compared to centralized Active Directory database For local logon, credentials compared to local SAM database In domain environments, users normally don’t have local accounts

9. Guide to MCSE 70-290, Enhanced 9 Network Authentication The process by which a network service confirms the identify of a user For a user who logs on to domain, network authentication is transparent Credentials from interactive authentication valid for network resources A user who logs on to local computer will be prompted to log on to network resource separately

10. Guide to MCSE 70-290, Enhanced 10 Authentication Protocols Windows Server 2003 supports two main authentication protocols: Kerberos version 5 (Kerberos v5) NT LAN Manager (NTLM) Kerberos v5 is primary protocol for Active Directory environments but is not supported on all client systems NTLM is primary protocol for older Microsoft operating systems

11. Guide to MCSE 70-290, Enhanced 11 Kerberos v5 Primary authentication protocol used in Active Directory domain environments Supported by Windows 2000, Windows XP, Windows Server 2003 Protocol followed: Log on request passed to Key Distribution Center (KDC), a Windows Server 2003 domain controller KDC authenticates user and, if valid, issues a ticket- granting ticket (TGT) to client system

12. Guide to MCSE 70-290, Enhanced 12 Kerberos v5 (continued) When client requests a network resource, it presents the TGT to KDC KDC issues a service ticket to client Client presents service ticket to host server for network resource Every domain controller in Active Directory environment holds role of KDC Not all clients follow this protocol

13. Guide to MCSE 70-290, Enhanced 13 NTLM A challenge-response protocol Used with operating systems running Windows NT 4.0 or earlier or with Windows 2000 or Server 2003 when necessary Protocol followed: User logs in, client calculates cryptographic hash of password Client sends user name to domain controller

14. Guide to MCSE 70-290, Enhanced 14 NTLM (continued) Domain controller generates random challenge and sends it to client Client encrypts challenge with hash of password and sends to domain controller Domain controller calculates expected value to be returned from client and compares to actual value After successful authentication, domain controller generates a token for user for network access

15. Guide to MCSE 70-290, Enhanced 15 User Profiles A collection of settings specific to a particular user Stored locally by default Do not follow user logging on to different computers Can create a roaming profile Does follow user logging on to different computers Administrator can create a mandatory profile User cannot alter it

16. Guide to MCSE 70-290, Enhanced 16 User Profile Folders and Contents

17. Guide to MCSE 70-290, Enhanced 17 Local Profiles New profiles are created from Default User profile folder User can change local profile and changes are stored uniquely to that user Administrator can manage various elements of profile Change Type Delete Copy To

18. Guide to MCSE 70-290, Enhanced 18 Roaming Profiles Roaming profiles Allow a profile to be stored on a central server and follow the user Provide advantage of a single centralized location (helpful for backup) Configured from Profiles page of Active Directory Users and Computers Changing a profile from local to roaming requires care – should copy first

19. Guide to MCSE 70-290, Enhanced 19 Mandatory Profiles Local and roaming profiles allow users to make permanent changes Mandatory profiles allow changes only for a single session Local and roaming profiles can both be configured as mandatory ntuser.dat  ntuser.man

20. Guide to MCSE 70-290, Enhanced 20 Creating and Managing User Accounts Standard tool is Active Directory Users and Computers Also a number of command line tools and utilities

21. Guide to MCSE 70-290, Enhanced 21 Active Directory Users and Computers Available from Administrative Tools menu Can be added to a Microsoft Management Console Can be run from command line (dsa.msc) Graphical tool Can add, modify, move, delete, search for user accounts Can configure multiple objects simultaneously

22. Guide to MCSE 70-290, Enhanced 22 User Account Templates A user account that is pre-configured with common settings Can be copied to create new user accounts with pre-defined settings New account is then configured with detailed individual settings

23. Guide to MCSE 70-290, Enhanced 23 Command Line Utilities Some administrators prefer working from command line Can be used to automate creation or management of accounts more flexibly

24. Guide to MCSE 70-290, Enhanced 24 DSADD Allows object types to be added to directory Computer accounts, contacts, quotas, OUs, users, etc. Syntax for user account is DSADD USER distinguished-name switches Switches include -pwd (password), -memberof, -email, -profile, -disabled

25. Guide to MCSE 70-290, Enhanced 25 DSMOD Allows object types to be modified from the command line Computer accounts, users, quotas, OUs, servers, etc. Syntax for modifying user account is DSMOD USER distinguished-name + switches + Can modify multiple accounts simultaneously

26. Guide to MCSE 70-290, Enhanced 26 DSQUERY Allows various object types to be queried from command line Supports wildcard (*) Output can be redirected to another command (piped) Example: return all user accounts that have not changed passwords in 14 days dsquery user domainroot –name * -stalepwd 14

27. Guide to MCSE 70-290, Enhanced 27 DSMOVE Allows various object types to be moved from current location to a new location Allows various object types to be renamed Only moves within the same domain (otherwise use MOVETREE) Example: to move a user account into a marketing OU dsmove "cn=Paul Kohut,cn=users,dc=domain01, dc=dovercorp,dc=net" –newparent "ou=marketing, dc=domain01,dc=dovercorp,dc=net"

28. Guide to MCSE 70-290, Enhanced 28 DSRM Allows objects to be deleted from directory Can delete single object or entire subtree Has a confirm option that can be overridden Example: to delete the Marketing OU and all its contained objects without a confirm prompt: dsrm –subtree –noprompt –c "ou=marketing, dc=domain01,dc=dovercorp,dc=net "

29. Guide to MCSE 70-290, Enhanced 29 Bulk Import and Export Allows an organization to import existing stores of data rather than recreating from scratch Allows an organization to export data that is already structured in Active Directory to secondary databases Two command line utilities for import and export CSVDE LDIFDE

30. Guide to MCSE 70-290, Enhanced 30 CSVDE Command-line tool to bulk export and import Active Directory data to and from comma- separated value (CSV) files CSV files can be created/edited using text-based editors Example: csvde –f output.csv

31. Guide to MCSE 70-290, Enhanced 31 LDIFDE Command-line tool to bulk export and import Active Directory data to and from LDIF files LDAP Interchange Format Industry standard for information in LDAP directories Each attribute/value on a separate line with blank lines between objects Can be read in text-based editors Common uses: extending AD schemas, importing bulk data to populate AD, manipulating user and group objects

32. Guide to MCSE 70-290, Enhanced 32 Troubleshooting User Account and Authentication Issues Normally creating and configuring user accounts is straightforward Issues do arise related to Configuration of account Policy settings

33. Guide to MCSE 70-290, Enhanced 33 Account Policies Authentication-related policy settings Configured in Account Policies node of Group Policy objects at domain level Account lockout, passwords, Kerberos Default Domain Policy Accessed from Active Directory Computers and Users Configures policies for all domain users

34. Guide to MCSE 70-290, Enhanced 34 Password Policy Configuration settings Password history and reuse Maximum password age Minimum password age Minimum password length Complexity requirements Encryption policy

35. Guide to MCSE 70-290, Enhanced 35 Account Lockout Settings Configuration settings Account lockout duration Account lockout threshold Reset account lockout counter after

36. Guide to MCSE 70-290, Enhanced 36 Kerberos Policy Configuration settings Enforce user logon restrictions Maximum lifetime for service ticket Maximum lifetime for user ticket Maximum lifetime for user ticket renewal Maximum tolerance for computer clock synchronization

37. Guide to MCSE 70-290, Enhanced 37 Auditing Authentication Audit account logon event Configured in Group Policy object linked to Domain Controllers OU (Default Domain Controllers Policy) Default is to log only successful logons Event viewable in Security log (use Event Viewer) Can choose to edit failed logons May be helpful for troubleshooting Codes provide information about type of failure

38. Guide to MCSE 70-290, Enhanced 38 Resolving Logon Issues Some common logon issues (and fixes) Incorrect user name or password (administrative reset) Account lockout (manual unlock) Account disabled (administrative enable) Logon hour restrictions (check account restrictions) Workstation restrictions (check account restrictions) Domain controllers (check configured DNS settings) Client time settings (check client clock synchronization)

39. Guide to MCSE 70-290, Enhanced 39 Resolving Logon Issues (continued) Down-level client issues (install Active Directory Client Extensions) UPN logon issues (check Global Catalog server) Unable to log on locally (set policy on local server) Remote access logon issues (check access on Dial- up properties) Terminal services logon issues (check allow logon to terminal server permission)

40. Guide to MCSE 70-290, Enhanced 40 Summary A user account is an object stored in Active Directory Information that defines user and access to network Primary tools to create and manage user accounts Active Directory Users and Computers Command line utilities (DSADD, DSMOD, DSQUERY, DSMOVE, DSRM) Two main authentication processes Interactive authentication Network authentication

41. Guide to MCSE 70-290, Enhanced 41 Summary (continued) Two main authentication protocols Kerberos v5, NTLM User profiles used to configure and customize desktop environment Local, roaming, mandatory Utilities for bulk importing and exporting user data to and from Active Directory LDIFDE and CSVDE