WORKING WITH USER ACCOUNTS
Chapter 6

• Create and manage user accounts by using templates, importation, and command-line tools
• Manage user profiles.
• Understand the purpose and function of profiles.
• Troubleshoot user authentication issues.
UNDERSTANDING USER ACCOUNTS
• Local user accounts stored in the Security Accounts Manager (SAM) database on that system
• Can be used only on that system
• Domain user accounts
• Stored in Active Directory on domain controllers
• Can be used on any system in Active Directory

• No centralized database of user accounts
• User account must exist in the SAM of each system the user accesses
• Impractical in environments with more than 10 users
DOMAINS
PLANNING USER ACCOUNTS OVERVIEW
• Account naming
• Choosing passwords
• Designing an Active Directory hierarchy
ACCOUNT NAMING
• Account names can be up to 256 characters
• Account names used as the authentication credential can be between 1 and 20 characters (letters and/or numbers)
• For names longer than 20 characters, the first 20 must be unique.
• Account names are not case sensitive.
• The following characters cannot be used in the account name:
• " / \ [ ] : ; | , + = * ? < > @
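The naming rules above can be checked before any accounts are created. The following Python sketch is an added example, not part of the original slides; the function name `check_names` and the sample names are assumptions made for illustration.

```python
FORBIDDEN = set('"/\\[]:;|,+=*?<>@')   # characters the slide lists as not allowed
MAX_NAME = 256    # overall account-name limit from the slide
MAX_LOGON = 20    # only the first 20 characters distinguish one name from another


def check_names(existing, candidates):
    """Return {candidate: [problems]} for every candidate that breaks a rule.

    existing   -- names already present (assumed input)
    candidates -- names about to be created
    """
    def key(name):
        # Names are not case sensitive and only the first 20 characters
        # must be unique, so compare on a case-folded, truncated key.
        return name[:MAX_LOGON].casefold()

    seen = {key(n): n for n in existing}
    problems = {}
    for name in candidates:
        found = []
        if not 1 <= len(name) <= MAX_NAME:
            found.append(f"length {len(name)} outside 1-{MAX_NAME}")
        bad = sorted(FORBIDDEN & set(name))
        if bad:
            found.append("forbidden characters: " + " ".join(bad))
        clash = seen.get(key(name))
        if clash is not None:
            found.append(f"first {MAX_LOGON} characters collide with {clash!r}")
        else:
            seen[key(name)] = name   # later candidates must not collide with this one
        if found:
            problems[name] = found
    return problems


# Constructed sample data, not taken from the slides.
EXISTING = ["jsmith", "administrator"]
CANDIDATES = [
    "JSmith",                        # differs from jsmith only by case
    "mary.jones",                    # passes every rule
    "ops:backup",                    # contains ':'
    "christopher.montgomery-hall",   # 27 characters, acceptable on its own
    "christopher.montgomery-hill",   # same first 20 characters as the line above
]

if __name__ == "__main__":
    for name, issues in check_names(EXISTING, CANDIDATES).items():
        print(name, "->", "; ".join(issues))
```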
STRONG PASSWORDS
• Cannot be easily guessed or broken by a password cracking program
• Use password policy:
• Enforce strong password (PASSFILT.DLL)
• Must be six characters long
• At least three (3) of the following four (4) classes:
ACCOUNT PASSWORD POLICY

• Create an organizational unit (OU) structure
• Place users in appropriate OU
• Provides for features such as group policy
ACCOUNTS
CREATING A LOCAL USER ACCOUNT
MANAGING LOCAL USER ACCOUNTS
ACCOUNTS
CREATING A DOMAIN USER ACCOUNT
MANAGING DOMAIN USER ACCOUNTS
• From the Action menu, you can:
• Reset a user account password.
• Rename, disable, and delete an account.
• Modify group membership.
• Send e-mail and open a user’s homepage.
THE GENERAL TAB
THE ADDRESS TAB
THE TELEPHONES TAB
THE ORGANIZATION TAB
THE ACCOUNT TAB
THE PROFILE TAB
THE MEMBER OF TAB
THE TERMINAL SERVICES PROFILE TAB
THE ENVIRONMENT TAB
THE REMOTE CONTROL TAB
THE SESSIONS TAB
THE DIAL-IN TAB
THE COM+ TAB
MANAGING MULTIPLE USERS
MOVING USER OBJECTS
CREATING MULTIPLE USER OBJECTS
• Using object templates
• Using Csvde.exe
• Using Dsadd.exe
USING OBJECT TEMPLATES
• Can be an existing user account or an account created specifically for copying
• Not all properties are copied.
• A new SID is generated for the new object
• Generic user object templates should be assigned a password and disabled to prevent use of the account

• Use Csvde.exe to import the user information from the CSV file into Active Directory.

• Command-line utility
• Can be used in batch files or scripts
• Can be used to add other objects as well as users

• Command-line utility
• Can be used in batch files or scripts
• Can be used only to modify existing objects
MANAGING USER PROFILES
• Allows each user to have a customized working
USER PROFILE CONTENTS
• User-stored documents and files
• Application configurations and settings
• Desktop and environment settings
• Control Panel settings and configurations
USER PROFILE DIRECTORY STRUCTURE
USING LOCAL PROFILES
• Stored on the local system
• Available only when the user logs on to that system
• Can be modified by the user as needed
USING ROAMING PROFILES
• Allows a user to have the same working environment from any client computer she logs on to
• Central storage provides for easier backup.
USING MANDATORY PROFILES
• Can be either local or roaming.
• User can make changes, but changes are not saved when user logs off
• Renaming Ntuser.dat to Ntuser.man designates profile as mandatory
USER AUTHENTICATION
• Using password policies
• Using account lockout policies
USING PASSWORD POLICIES
• Provides a mechanism to control password use in the organization
• Should strike a balance between usability and security
• Creating a password policy that is too demanding increases password-related support calls
USING ACCOUNT LOCKOUT POLICIES
• Account Lockout Threshold
• Account Lockout Duration
• Reset Account Lockout Counter After
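How the three settings above interact, as an added example that is not part of the original slides: a simplified Python model that replays failed-logon times for one account. The function name, the timestamps and the policy values are constructed for illustration.

```python
from datetime import datetime, timedelta


def lockout_windows(failures, threshold, duration_min, reset_after_min):
    """Replay failed-logon times for one account (simplified model).

    Returns a list of (locked_at, unlocked_at). unlocked_at is None when
    duration_min is 0, meaning the account stays locked until an
    administrator unlocks it. A threshold of 0 disables lockout.
    """
    if threshold == 0:
        return []
    reset_after = timedelta(minutes=reset_after_min)
    windows, count, last_fail, locked_until = [], 0, None, None
    for ts in sorted(failures):
        if locked_until is not None:
            if ts < locked_until:
                continue                    # account is locked: attempt is refused
            locked_until, count = None, 0   # lockout expired, counter starts over
        if last_fail is not None and ts - last_fail >= reset_after:
            count = 0                       # Reset Account Lockout Counter After elapsed
        count += 1
        last_fail = ts
        if count >= threshold:              # Account Lockout Threshold reached
            if duration_min == 0:
                windows.append((ts, None))
                break                       # stays locked until manually unlocked
            locked_until = ts + timedelta(minutes=duration_min)
            windows.append((ts, locked_until))
    return windows


def at(hhmm):
    # Constructed timestamps on an arbitrary day.
    return datetime.strptime("2003-06-02 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample: failed logons for a single account.
SAMPLE = [at(t) for t in ("09:00", "09:04", "09:20", "09:22", "09:25", "09:30", "10:00")]

if __name__ == "__main__":
    for locked, unlocked in lockout_windows(SAMPLE, 3, 30, 10):
        print("locked", locked.time(), "until", unlocked.time() if unlocked else "manual unlock")
```

With a threshold of 3, a 30-minute duration and a 10-minute reset, the first two failures age out before the third arrives, so the account locks at 09:25 rather than 09:20.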
ACTIVE DIRECTORY CLIENTS
• Windows 2000, Windows XP, and Windows Server 2003 include full Active Directory client capabilities
• Windows 95, Windows 98, Windows Me, and Windows NT 4 require additional client software to gain full Active Directory functionality
AUDITING AUTHENTICATION
• Allows you to track failed and successful logon attempts
• Can form part of a security policy
• Creates minimal system overhead in all but largest environments
can provide users with access only to local resources. Domain user accounts are stored on Active Directory domain controllers and can provide users with access to resources all over the network.
individuals they represent.
produce new users. If the template is not a “real” user, it should be disabled. Only a subset of user properties is copied from templates.
you can use to create and manage Active Directory objects, including Csvde.exe, Dsadd.exe, and Dsmod.exe.
whereas a roaming user profile is stored on a network server.
• A mandatory user profile is one that never changes, providing the same desktop configuration each time the user logs on.
• Auditing for authentication allows you to track logon activity for the network.