Windows Server 2003 使用者及電腦帳號管理 林寶森

Introduction to User Accounts Domain User Accounts Enable users to log on to the domain to gain access to network resources Reside in Active Directory Enable users to log on to the domain to gain access to network resources Reside in Active Directory Local User Accounts Enable users to log on and access resources on a specific computer Reside in SAM Enable users to log on and access resources on a specific computer Reside in SAM Built-in User Accounts Enable users to perform administrative tasks or gain temporary access to network resources Reside in SAM (local built-in user accounts) Reside in Active Directory (domain built-in user accounts) Enable users to perform administrative tasks or gain temporary access to network resources Reside in SAM (local built-in user accounts) Reside in Active Directory (domain built-in user accounts) Administrator and Guest

Creating Local User Accounts New User User name: JYoung Full name: Description: Jonathan Young Password: ********** Confirm: ********** User must change password at next logon User cannot change password Password never expires Account is disabled Close Create

Creating Domain User Accounts New Object - (User) Create in: samerica1.nwtraders.msft/Ohio First name: Last name: Full name: User logon samerica1.nwtraders.msft User logon name (pre-Windows 2000): SAMER\ Cancel <Back Next> New Object - User Create in: nwtraders.msft/Users Password: Confirm Password: < BackNext >Cancel User must change password at next logon User cannot change password Password never expires Account is disabled ********

Introduction to User Logon Names User Principal Name – The suffix defaults to the name of the root domain, but it can be changed and others added User Logon Name (Pre-Windows 2000) – A user selects the domain when logging on User Logon Name Uniqueness Rules – Full name must be unique within the container – User principal name is unique within the forest – User logon name (pre-Windows 2000) is unique within the domain + + user name domain Suffix Prefix

Creating a User Principal Name Suffix Active Directory Domains and Trusts Action View Tree NameType Active Directory Domains and Trusts contoso.msft nwtraders.msft domain.DNS contoso.msft nwtraders.msft Opens property sheet for the current selection. Connect to Domain Controller… Operations Master… View Refresh Export List… Help Properties Active Directory Domains and Trusts Properties UPN Suffixes The names of the current domain and the root domain are the default user principal name (UPN) suffixes. Adding alternative domain names provides additional logon security and simplifies user logon names. If you want alternative UPN suffixes to appear during user creation, add them to the following list. Alternative UPN suffixes: contoso.msft AddAdd Remove OKCancelApply Add New Suffixes

Names Associated with Domain User Accounts Name Example User logon nameJayadams Pre-Windows 2000 logon name Nwtraders\jayadams User principal logon name LDAP relative distinguished name CN=jayadams,CN=users, dc=nwtraders,dc=msft

Setting Personal Properties Active Directory Add Personal Information About Users As Stored in Active Directory Use Personal Properties to Search Active Directory Student 01 Properties Remote control User01 Terminal Services Profile Member OfDial-inEnvironmentSessions General AddressAccountProfile Telephones Organization

When to Reset User Passwords Reset a password when a user forgets his or her password After resetting a password, a user can no longer access some types of information, including: – that is encrypted with the user ’ s public key –Internet passwords that are saved on the computer –Files that the user has encrypted

What Is a User Account Template? A user account template is a user account that contains the properties that apply to users with common requirements User account templates make creating user accounts with standardized configurations more efficient User Account Template

Creating User Account Templates Console Active Directory Users and Computers WindowHelp ActionView Tree NameTypeDescription Users 28 objects Active Directory Users and Compu nwtraders.msft Builtin Casablanca Computers Denver OU Domain Controllers ForeignSecurityPrincipals Administrator Cert Publishers DHCP Administrators DHCP Users DnsAdmins DnsUpdateProxy Domain Admins Domain Computers ount f certifi o hav strato who Users Portland Seattle StudentOU Tunis Vancouver OU Domain Controllers Domain Guests Domain Users Enterprise Admins Group 01 _Sales TemplateUser Copy… Add members to a group… Enable Account Reset Password… Move… Open home page Send mail All Tasks Delete Rename Refresh Properties Help Creates a new user, copying information from the selected user. admi ions ontro uest aser admi Copy Object - User Create in: nwtraders.msft/Users First name: Last name: Full name: sales user1 sales user1 Initials: User logon name: User logon name (pre-Windows 2000): NWTRADERS\ salesuser1 < Back Next >Cancel Set Up a User Account as a Template Account Create a User Account by Coping the Template Account

Guidelines for Creating User Account Templates Create a separate classification for each department Create a separate group for short-term and temporary employees Set user account expiration dates for short-term and temporary employees Disable the account template Identify the account template

Customizing User Settings with User Profiles Default User Profile – Serves as the bases for all user profiles Local User Profile – Created the First Time a User Logs on to a Computer – Stored on a Computer's Local Hard Disk Default User Profile – Serves as the bases for all user profiles Local User Profile – Created the First Time a User Logs on to a Computer – Stored on a Computer's Local Hard Disk User Profile User Profile Display Regional Settings Regional Settings Mouse Sounds Modify Save Roaming User Profile Created by the System Administrator Stored on a server Mandatory User Profile Created by the System Administrator Stored on a server Roaming User Profile Created by the System Administrator Stored on a server Mandatory User Profile Created by the System Administrator Stored on a server Profile Windows 2000 Professional Windows 2000 Professional Windows XP Professional Windows XP Professional Windows Server 2003 Windows Server 2003 Profile Server Display Regional Settings Regional Settings Mouse Sounds

Best Practices Rename the Administrator Account Create a User Account with Administrative Rights Create a User Account for Non-Administrative Tasks Enable the Guest Account Only in Low Security Networks Create Random Initial Passwords Require New Users to Change Their Passwords Set Account Expiration Dates for Temporary Employees

What Is a Computer Account? Identifies a computer in a domain Provides a means for authenticating and auditing computer access to the network and to domain resources Is required for every computer running: –Windows Server 2003 –Windows XP Professional –Windows 2000 –Windows NT

Where Computer Accounts Are Created in a Domain Computers that join a domain are created in the Computers container Computer accounts can be moved to or created in other organizational units Computer accounts can be moved to or created in other organizational units

Creating Computer Accounts

When to Reset Computer Accounts Reset computer accounts when: –Computers fail to authenticate to the domain –Passwords need to be synchronized

Tools for Creating and Managing Accounts Active Directory Users and Computers Directory Service Tools Dsadd Dsmod Dsrm Dsadd Dsmod Dsrm Csvde and Ldifde Tools Windows Script Host

Locating Accounts Find Users, Contacts, and Groups File Edit View Help Find: Entire DirectoryUsers, Contacts, and Groups In: Find Now Stop Clear All Browse... Add Remove NameDescriptionType Joe Pak Don Hall Anne Paper User Entire Directory contoso Accounting Field Users, Contacts, and Groups Advanced 31 item(s) found Select attributes for searching Select attributes for searching Specify value of the attribute Set condition Administer user accounts in the results box Search entire Active Directory, a specific domain, or an OU

What Is a Saved Query?