Chapter 8: Managing Accounts and Client Connectivity


Chapter 8: Managing Accounts and Client Connectivity 5/5/2019

Learning Objectives
- Establish account naming conventions
- Configure account security policies
- Create and manage accounts, including setting up a new account, configuring account properties, delegating account management, and renaming, disabling, and deleting an account

Learning Objectives (continued)
- Create local user profiles, roaming profiles, and mandatory profiles
- Configure client network operating systems to access Windows 2000 Server, and install client operating systems through Remote Installation Services

Sample Naming Conventions
- 20 characters, which can include numbers, letters, and some symbols (not [ ] ; : < > = , + / \ |)
- Last name followed by the initial of the first name
- First name initial followed by the last name
- Username based on the position in the organization
- Username based on the function in the organization
- Why important? To satisfy security and auditors, and to be easy to remember and identify
- What does DeVry do?

Naming Tip
For accounts that handle money, payroll, budgeting, or accounting transactions, financial auditors typically prefer that accounts are named for individuals

Account Policies
- Account policies: security measures set up in a group policy, such as for a domain or local computer
- Account policies particularly focus on:
  - Password security
  - Account lockout
  - Kerberos security (clients must be able to support Kerberos)

Configuring Account Policies
- Use the Group Policy MMC snap-in to set up account policies

Setting Account Policies
Figure 8-1 Account policies

Password Policy Options
- Enforce password history: Enables you to require users to choose new passwords when they make a password change, because the system can remember the previously used passwords
- Maximum password age: Permits you to set the maximum time allowed until a password expires
- Minimum password age: Permits you to specify that a password must be used a minimum amount of time before it can be changed

Password Policy Options (continued)
- Minimum password length: Enables you to require that passwords are a minimum length
- Passwords must meet complexity requirements: Enables you to create a filter of customized password requirements that each account password must follow
- Store password using reversible encryption for all users in the domain: Enables passwords to be stored in reversible encrypted format
  - This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes.
  - Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.

Account Lockout Policy Options
- Account lockout duration: Permits you to specify in minutes how long the system will keep an account locked out after reaching the specified number of unsuccessful logon attempts
- Account lockout threshold: Enables you to set a limit to the number of unsuccessful tries to log onto an account

Account Lockout Policy Options (continued)
- Reset account lockout count after: Enables you to specify the number of minutes between two consecutive unsuccessful logon attempts to make sure that the account will not be locked out too soon
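
An added example (not from the original slides): a Python check that reads the [System Access] section of a security template exported with `secedit /export /cfg` and flags the password and lockout settings described above. The sample export is constructed, and the function names and the `min_length` baseline are assumptions for illustration.

```python
# Added example: audit the password and lockout settings in a secedit export.
# Function names and the min_length baseline are illustrative assumptions.

# Constructed sample export. Real exports are usually UTF-16; decode them first.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 5
LockoutBadCount = 0
ClearTextPassword = 1
[Version]
signature="$CHICAGO$"
"""

def parse_system_access(inf_text):
    """Return the integer settings found in the [System Access] section."""
    settings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "system access" and "=" in line:
            key, _, value = line.partition("=")
            try:
                settings[key.strip()] = int(value.strip())
            except ValueError:
                pass  # skip non-numeric entries in this section
    return settings

def audit_account_policy(settings, min_length=8):
    """Return (setting, message) findings for weak account policy values."""
    findings = []
    if settings.get("ClearTextPassword", 0) == 1:
        findings.append(("ClearTextPassword",
                         "reversible encryption enabled (plaintext-equivalent storage)"))
    if settings.get("PasswordComplexity", 0) == 0:
        findings.append(("PasswordComplexity", "complexity requirements are off"))
    if settings.get("MinimumPasswordLength", 0) < min_length:
        findings.append(("MinimumPasswordLength",
                         "shorter than the assumed baseline of %d" % min_length))
    if settings.get("PasswordHistorySize", 0) == 0:
        findings.append(("PasswordHistorySize", "password history is not enforced"))
    elif settings.get("MinimumPasswordAge", 0) == 0:
        # With no minimum age, history can be cycled through in one sitting.
        findings.append(("MinimumPasswordAge", "0 days undermines password history"))
    if settings.get("LockoutBadCount", 0) == 0:
        findings.append(("LockoutBadCount", "account lockout is disabled"))
    else:
        duration = settings.get("LockoutDuration", 0)
        reset = settings.get("ResetLockoutCount", 0)
        if duration > 0 and reset > duration:
            findings.append(("ResetLockoutCount", "exceeds the lockout duration"))
    return findings

if __name__ == "__main__":
    for name, message in audit_account_policy(parse_system_access(SAMPLE_INF)):
        print("%s: %s" % (name, message))
```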

Kerberos Policy Options
- Enforce user logon restrictions: Turns on Kerberos security, which is the default
- Maximum lifetime for a service ticket: Determines the maximum amount of time in minutes that a service ticket can be used to continually access a particular service in one service session
  - Service ticket: A Kerberos security key that gives a client access to specific services on a server or in a domain for a designated period of time
- Maximum lifetime for a user ticket: Determines the maximum amount of time in hours that a ticket can be used in one continuous session for access to a computer or domain
  - For example, limiting the lifetime to 10 hours will log the user off automatically after 10 hours

Kerberos Policy Options (continued)
- Maximum lifetime for user ticket renewal: Determines the maximum number of days that the same Kerberos ticket can be renewed each time a user logs on
- Maximum tolerance for computer clock synchronization: Determines how long in minutes a client will wait until synchronizing its clock with that of the server or Active Directory it is accessing

Creating Accounts
- Use the Local Users and Groups MMC snap-in to create accounts
- Generally set up with default parameters

Creating Accounts
- For a server that does not have the Active Directory implemented, use the Local Users and Groups MMC snap-in to create accounts
- For a server that employs the Active Directory, use the Active Directory Users and Computers MMC snap-in to create accounts

Active Directory Users and Computers Tool
Figure 8-2 Creating a new user in a domain

Entering New User Information
Figure 8-3 New user information

Entering Account Parameters
Figure 8-4 New user account parameters

Configuring Account Properties
Figure 8-5 Account properties in the Active Directory

Account Properties Tabs
- General tab: Modify personal information about the user
- Address tab: Provide street and city address information
- Account tab: Provide account information, such as logon name, plus configure access restrictions, such as for certain days of the week and times of day

Setting Access Restrictions
Figure 8-6 Control account access by the day of the week and time

Account Properties Tabs (continued)
- Profile tab: Ability to associate a specific profile with an account, associate a home folder and drive, and associate a logon script
- Logon script: A file that contains a series of commands to run each time a user logs onto his or her account, such as a command to map a home drive

Windows 2000 Server Logon Script Commands

Account Properties Tabs (continued)
- Telephones: Ability to associate telephone contact numbers
- Organization: Provide account holder's title, department, and other information
- Member Of: Ability to join this account to one or more groups of users for easier management

Adding an Account to a Group via the Member Of Tab
Figure 8-7 Adding an account to the Managers and Print Operators groups

Account Properties Tabs (continued)
- Dial-in: Controls remote access such as through a modem
- Environment: Ability to configure the startup environment for clients using terminal services
- Sessions: Configures session parameters, such as timeout limits, for clients using terminal services

Dial-in Access Parameters
Figure 8-8 Configuring remote access

Account Properties Tabs (continued)
- Remote Control: Configures remote control parameters for the Administrator to view and manage terminal service client sessions
- Terminal Services Profile: Ability to set up a user profile for a terminal services client

Using Find to Locate an Account
To locate a particular account in order to maintain it:
1. Right-click the domain
2. Click Find
3. Enter the username or the account holder's name
4. Click Find Now

Account Maintenance Activities
Typical account maintenance activities include:
- Disabling an account, such as when a user takes a leave of absence
- Enabling an account, such as when a user returns
- Renaming an account, such as when one user leaves and another user is hired into the same position
- Moving an account, such as into a different OU

Account Maintenance Activities (continued)
Typical account maintenance activities include (continued):
- Deleting an account, such as when a user leaves the organization and there will be no replacement person
- Resetting a password for users who do not remember theirs
- Account auditing to track certain kinds of activity performed by an account holder

Sample Events that Can be Audited for an Account
- Logon and logoff activity
- Account modifications through account management tools
- Accesses to files and other objects (for files, folders, and objects that are set up to be audited)

Troubleshooting Tip
Use account auditing sparingly because every audited event is written to the Security log. You don't want to overload a server by devoting too much of its resources to auditing (consult your organization's management and financial auditors for advice on what to audit).

Local User Profile
Local user profile: A desktop setup that is associated with one or more accounts to determine what startup programs are used, additional desktop icons, and other customizations. A user profile is local to the computer on which it is stored.

Roaming Profile
Roaming profile: Desktop settings that are associated with an account so that the same settings are employed no matter what computer is used to access the account (the profile is downloaded to the client)

Mandatory User Profile
Mandatory user profile: A user profile set up by the server administrator that is loaded from the server to the client each time the user logs on; changes that the user makes to the profile are not saved

Hardware Profile
Hardware profile: A consistent setup of hardware components associated with one or more user accounts

Associating a Profile with an Account
Figure 8-9 Setting a roaming profile in an account's properties

Active Directory Support for Non-Windows 2000 Clients
- Plan to install Directory Service Client (DSClient) in Windows 95 and Windows 98 clients
- DSClient enables non-Windows 2000 clients for:
  - Kerberos authentication
  - Ability to view objects published in the Windows 2000 Active Directory

DSClient Program Location
- Obtain the DSClient program, Dsclient.exe, from the Windows 2000 Server CD-ROM
- Run this program on Windows 95 and Windows 98 clients
- Wizard starts

Troubleshooting Tip
If the Distributed File System (Dfs) cannot be accessed from a Windows 95 client, run DSClient to install Dfs capability (Dfs client) as well as the capability to access the Active Directory (DSClient)

Setting Up Client Desktops Using Group Policy and Security Policy
- Use the Group Policy snap-in to set up group policies that govern clients
- Use the System Policy Editor (Poledit.exe) to configure system policies when running a mixture of Windows NT and Windows 2000 servers

Group Policy and System Policy Templates
- Windows 2000 Server comes with several templates already set up for using group policies or system policies
- System.adm is the default group policy for managing Windows 2000 Professional clients

Administrative Templates Included with Windows 2000

Templates Included with Windows 2000 (continued)

Group Policy Options
- A wide range of group policies can be set up to manage clients

Group Policy Components for Windows 2000 Clients

Group Policy Components for Windows 2000 Clients (continued)

Remote Installation Services
Remote Installation Services (RIS): Services installed on a Windows 2000 Server that enable you to remotely install Windows 2000 Professional on one or more client computers

RIS Pre-Installation Steps
- Purchase the appropriate number of Windows 2000 Professional licenses
- Make sure the Active Directory is implemented and that there are DHCP and DNS servers on the network
- Create a Windows 2000 Professional operating system image
- Create user accounts for the Windows 2000 Professional clients

RIS Installation Steps
Installing RIS is a two-stage process:
1. First install RIS using the Control Panel Add/Remove Programs tool
2. Configure RIS from the Add/Remove Programs tool

Security Tip
Configure an existing DHCP server to authorize only specific servers to provide RIS installations

Installing RIS on the Client
Install in one of two ways:
- Using a computer that has a boot-enabled ROM
- Creating a remote boot disk
Both methods use the Preboot eXecution Environment (PXE): Services that enable a prospective client to obtain an IP address and to connect to a RIS server in order to install Windows 2000 Professional

Troubleshooting Tip
When installing a client via RIS, first make sure that the client computer has a NIC that is supported by RIS and that is on the HCL

Client Installation Wizard Options

RIS Group Policy
- Use group policies to create different installation options for different groups or containers

Setting Installation Options for a Particular Container or Group
Figure 8-10 Setting RIS installation options through group policy

RIS Installation Choices
- Allow: means that the designated capability can be used by the client accounts
- Don't care: means that if a policy applies to a parent container, it also applies to the child containers
- Deny: means that the capability cannot be used by the client accounts

Chapter Summary
- Preparing a server and domain entails configuring accounts and configuring client computers
- Before configuring accounts, consult with members of your organization about naming standards
- Set up account policies before configuring accounts

Chapter Summary
- After accounts are created, use the account properties capability to supplement or modify parameters for the accounts, such as time of day access restrictions
- Configure client computers to access Windows 2000 Server, such as installing DSClient

Chapter Summary
- Manage clients by setting up group policies or system policies
- Use RIS to install multiple Windows 2000 Professional clients in order to reduce your TCO