
Module 7: Advanced Administration of User Accounts and Groups


DOCUMENT INFORMATION

Basic information

Title: Advanced Administration of User Accounts and Groups
Instructors: Mark Johnson, Aneetinder Chowdhry (NIIT Inc.), Kathryn Yusi (Independent Contractor), Ryan Calafato, Joern Wettern (Wettern Network Solutions), Julie Stone (Independent Contractor), Tina Tsiakalis, Kelly Baker (Write Stuff), Wendy Cleary (S&T OnSite), Nikki McCormick, Arlo Emerson (MacTemps), Arlene Rubin (S&T OnSite), Bo Galford, Mimi Dukes (S&T OnSite), Elaine Nuerenberg, Sandy Alto, Robert Stewart
Institution: Microsoft Corporation
Subject: Advanced Administration of User Accounts and Groups
Type: module
Year published: 1999
City: Redmond
Pages: 52
Size: 679.45 KB



Contents

Introduction to Administering User Accounts and Groups
Using Group Policy to Configure Account Policies
Creating Multiple User Accounts 10
Using Group Policy to Redirect User Data to a Network Server
Lab A: Advanced Administration of
Setting Up Computers for Mobile Users 34
Lab B: Setting Up Windows 2000 for Mobile Users


with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 1999 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, PowerPoint, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Project Lead and Instructional Designer: Mark Johnson

Instructional Designers: Aneetinder Chowdhry (NIIT Inc.), Kathryn Yusi (Independent Contractor)

Lead Program Manager: Ryan Calafato

Program Manager: Joern Wettern (Wettern Network Solutions)

Graphic Artist: Julie Stone (Independent Contractor)

Editing Manager: Tina Tsiakalis

Substantive Editor: Kelly Baker (Write Stuff)

Copy Editor: Wendy Cleary (S&T OnSite)

Online Program Manager: Nikki McCormick

Online Support: Arlo Emerson (MacTemps)

Compact Disc Testing: Data Dimensions, Inc.

Production Support: Arlene Rubin (S&T OnSite)

Manufacturing Manager: Bo Galford

Manufacturing Support: Mimi Dukes (S&T OnSite)

Lead Product Manager, Development Services: Elaine Nuerenberg

Lead Product Manager: Sandy Alto

Group Product Manager: Robert Stewart


Introduction

This module provides students with the knowledge and skills that they need to administer user accounts and groups efficiently. Students will learn how to perform a variety of administrative tasks, including configuring account policies, creating multiple user accounts, redirecting folders, and setting up offline folders for mobile users. In addition, students will learn about using universal groups in a multiple-domain network.

In the two hands-on labs in this module, students will have a chance to administer user accounts. In the first lab, users will set up account policies and redirect folders to a network server. In the second lab, students will configure offline files by using Group Policy.

Materials and Preparation

This section provides you with the materials and preparation needed to teach this module

Materials

To teach this module, you need the following materials:

• Microsoft® PowerPoint® file 1558A_07.ppt

Preparation

To prepare for this module, you should:

• Read all the materials for this module.
• Complete the labs.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.

Presentation: 75 Minutes
Labs: 60 Minutes


Module Strategy

Use the following strategy to present this module:

• Introduction to Administering User Accounts and Groups

In this topic, you will introduce the administrative tasks that are continually performed when administering a multiple-domain network. Mention the different tasks, but do not go into detail, because they are covered in more detail in the module topics.

• Windows 2000 Logon Names

In this topic, you will describe the different types of logon names (downlevel logon name and user logon name) in a Microsoft Windows® 2000 network. Emphasize that the user logon name is also known as the user principal name and is the preferred logon name for a Windows 2000 network. Describe the user principal name prefix and suffix and how an administrator can change the suffix so that the user logon name matches the user’s e-mail address. Have students log on with their user logon names. Demonstrate adding a new suffix to Active Directory™ directory service.

• Using Group Policy to Configure Account Policies

In this topic, you will explain how to configure account policies by using Group Policy. First, explain to students that the different types of account policies to configure are password and account lockout policies. Emphasize that an administrator can set these account policies only at the domain level. Then, explain to students how to set password policies and provide the critical Group Policy password settings to configure. Demonstrate configuring the settings. Finally, explain to students how to set account lockout policies. Mention that students must configure all three settings. Demonstrate configuring the settings.

• Creating Multiple User Accounts

In this topic, you will explain how to create multiple user accounts in Active Directory by using bulk import to import data from a file into Active Directory. Define bulk import if necessary. First, explain to students about the import process. Emphasize the information that must be included and the information that should be included. Next, explain how to format a file so that it can be imported. Use the slide to map the different parts of the formatted file. Also, map the file to the information in the Create New User dialog box. Finally, explain how to import the file by using the csvde command.

• Using Group Policy to Redirect User Data to a Network Server

In this topic, explain how to redirect four default user folders to a network server by using Group Policy. First, explain what folder redirection is. Emphasize that although the folder appears to be stored locally, it is actually stored on a server. Mention that the information in a redirected folder is always present for the user, regardless of the computer to which the user logs on. Then, present information on the four types of folders that an administrator can redirect and why an administrator would choose to redirect these folders. Emphasize that an administrator should always redirect users’ My Documents folders. Finally, explain how to redirect folders by using Group Policy. Demonstrate the process.


Prepare students for the lab in which they will set up account policies, use bulk import to create multiple user accounts in Active Directory, and redirect folders. Make sure that students run the command file for the lab, and tell them they will work with their partners’ computers. After students have completed the lab, ask them whether they have any questions.

• Using Universal Groups

In this topic, you will describe universal security groups and how they are used to control access to resources in a multiple-domain network. First, explain how universal groups work. Emphasize that they have open membership and can be nested in all three security groups. Next, present information on how universal groups affect replication between global catalog servers. Emphasize that the membership attribute of universal groups is in the global catalog and that if one member is added or removed, the entire group membership is replicated. Finally, present guidelines for using universal groups. Emphasize that membership should be kept static, and to this end, that an administrator should use the universal group strategy. Present the strategy.

• Setting Up Computers for Mobile Users

In this topic, you will explain how to set up offline files for mobile users. First, explain how offline files work for mobile users. Emphasize that files stored on a server are synchronized with files on the user’s hard disk when the user logs on and logs off. Then, explain what happens when Group Policy enables computers for offline files. Mention what must be configured at the shared folder containing the offline files and on the portable computer. Finally, explain the Group Policy settings to configure for offline files. Mention that it is better to configure computer settings than user settings for offline files, because the setting to enable offline files is a computer setting. Demonstrate the process in Group Policy.

• Lab B: Setting Up Windows 2000 for Mobile Users

Prepare students for the lab in which they will set up offline files. Make sure that students run the command file for the lab, and tell them they will work with their partners’ computers. After students have completed the lab, ask them whether they have any questions.

• Best Practices

Present best practices for administering user accounts and groups.


Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1558A, Advanced Administration for Microsoft Windows 2000.

Lab Setup

The following list describes the setup requirements for the labs in this module.

Setup Requirement 1

The labs in this module require the Log on locally right on domain controllers to be assigned to the Everyone group. To prepare student computers to meet this requirement, perform one of the following actions:

• Run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0701.cmd
• Create the folder manually and share it

Important


Setup Requirement 5

The labs in this module require the C:\MOC\Win1558A\Labfiles\Lab07\Offline folder, shared as Offline, to allow students to access offline files. To prepare student computers to meet this requirement, perform one of the following actions:

• Students create user accounts in the Package Handling OU

You can run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab07Rm.cmd to remove all configuration changes introduced during the labs in the module. Make sure that students complete both labs to configure account policies back to their defaults. Use Active Directory Users and Computers to move the domain controllers back into the Domain Controllers OU.

Important


Overview

• Introduction to Administering User Accounts and Groups
• Windows 2000 Logon Names
• Using Group Policy to Configure Account Policies
• Creating Multiple User Accounts
• Using Group Policy to Redirect User Data to a Network Server
• Using Universal Groups
• Setting Up Computers for Mobile Users
• Best Practices

After you have set up a Microsoft® Windows® 2000 network, you must perform ongoing administrative tasks to ensure that all users have the resources that they need, that changing corporate-wide requirements are met, and that network security remains intact. You can use Group Policy to perform some of these administrative tasks centrally. In this way, you can perform the tasks on multiple computers without having to administer user accounts and groups individually.

At the end of this module, you will be able to:

• Identify the administrative tasks used to administer user accounts and groups.
• Identify the different types of user logon names.
• Use Group Policy to configure password restrictions and account lockout policy.
• Create multiple user accounts by importing user information from another database into Active Directory™ directory service.
• Use Group Policy to redirect folders from the local hard disks to a network server.
• Set up computers for mobile users by configuring offline files.
• Identify when and how to use universal groups.
• Apply best practices for performing administrative tasks for user accounts and groups.

Slide Objective
To provide an overview of the module topics and objectives.

Lead-in
In this module, you will learn about administrative tasks that you can perform for user accounts and groups.

Do not go into detail on this topic, because the content will be covered in following topics.


Introduction to Administering User Accounts and Groups

Administrative Tasks

• Strengthen Network Security by Preventing Unauthorized Persons from Gaining Access to the Network
• Create Multiple User Accounts in Active Directory
• Control Where Users’ Personal Data Is Stored
• Ensure That Mobile Users Have the Files and Folders That They Need
• Ensure That Users in a Multiple-Domain Network Can Gain Access to the Resources

Networks are not static. They change in response to the evolving needs of the organizations that they support. You need to ensure that your network continually reflects current corporate policy and corporate needs. To accomplish this, you have to perform a multitude of ongoing administrative tasks. The administrative tasks that you need to perform include:

• Strengthening network security by using Group Policy to set account policies that prevent unauthorized persons from gaining access to your network.
• Creating multiple user accounts in Active Directory for new users. You can create user accounts by using bulk import to import data into Active Directory from a file containing user data.
• Controlling where users’ personal data is stored. You can ensure that it is centrally stored on a network server so that users can always gain access to their data no matter where they log on and so that you can easily back up the data.
• Ensuring that mobile users can gain access to the files and folders that they need when they are working offline, and that the files that they change when working offline are copied back to network servers.
• Ensuring that users in a multiple-domain network can efficiently gain access to resources without increasing network replication traffic.

Slide Objective
To introduce the more complex administrative tasks that an administrator can perform for user accounts and groups.

Lead-in
The types of administrative tasks that you perform depend on the needs of your network.

Use this topic as an overview of the type of administrative tasks that an administrator may need to perform.


Windows 2000 Logon Names

Downlevel Logon Name
• The Name Must Be Unique in the Domain
• A User Must Provide the Domain When Logging On

User Logon Name (User Principal Name)
• The Name Must Be Unique in the Entire Active Directory
• A Domain Controller Finds User Account Information in Global Catalog
• The Suffix Default Is the Root

[Slide diagram: a user logs on at a domain controller either with the downlevel logon name jasmith plus the domain nwtraders, or with the user logon name jasmith@nwtraders.com]

In a Windows 2000 network, a user can log on with either a downlevel logon name or a user logon name. Domain controllers can use either of these logon names to authenticate the logon request.

Downlevel Logon Name

A downlevel logon name is a user account name, such as jasmith. When a user logs on by using a downlevel logon name, the user must also provide the domain in which the user account exists, so that the authenticating domain controller can locate the user account. The user’s downlevel logon name must be unique within the domain.

If a user connects to a network resource with a different user account than the one with which he or she logged on, then the user must provide the domain and downlevel logon name for authentication (for example, nwtraders\jasmith).

If a user logs on to the network from a client computer running a version of Windows earlier than Windows 2000, then the user must use the downlevel logon name.

User Logon Name

The user logon name is the preferred logon name for a Windows 2000 network. This name is also known as a user principal name. A user logon name must be unique within the domain, the domain tree, and the forest (the entire Active Directory). When logging on from a computer running Windows 2000, users should employ their user logon names so that they do not also have to provide their domains. The authenticating domain controller can find the user’s domain by searching the global catalog.

Slide Objective
To describe the different logon names that a user can use to log on to a Windows 2000 domain.

Lead-in
In a Windows 2000 network, there are two different types of logon names that users can use.

Delivery Tip
Have students log off by pressing CTRL+ALT+DEL to display the Log On to Windows dialog box. Make sure that the Log on to box is displayed, and then have students type a user logon name in the User name box so that they can see what occurs.

Open Active Directory Domains and Trusts, and demonstrate adding a new user principal name suffix in the Properties dialog box.

Key Points
There are two parts to a user logon name, the user principal name prefix and the suffix.

You can select a user principal name suffix in Active Directory Users and Computers only if it exists in Active Directory.

To add a new suffix in Active Directory Domains and Trusts, an administrator must be a member of the Enterprise Admins built-in group.


There are two parts to a user logon name, and they are separated by an @ sign (for example, jasmith@nwtraders.com):

• The user principal name prefix (jasmith)
• The user principal name suffix (nwtraders.com). By default, the suffix is the name of the root domain in the network. You can configure additional user principal name suffixes for users, for example, if you want to create user logon names that match users’ e-mail addresses.

Additional advantages to user logon names are that:

• The user logon name does not change when you move a user account to a different domain, because it is unique within the entire Active Directory.
• A user logon name can be the same as a user’s e-mail address name, because it has the same format as a standard e-mail address.

You select a user principal name suffix when creating a user account in Active Directory Users and Computers. If the suffix that you need does not exist in Active Directory Users and Computers, you can add it. You add a new suffix in Active Directory Domains and Trusts. You add the suffix in the Properties dialog box for Active Directory Domains and Trusts. You must be a member of the Enterprise Admins built-in group to add suffixes in Active Directory Domains and Trusts.

If you create a user account through a means other than by using Active Directory Users and Computers, you are not limited by the user principal name suffixes stored in Active Directory. You can define a suffix when you create the account.

Note


Using Group Policy to Configure Account Policies

• What Are Account Policies?
• Configuring Password Policy Settings
• Configuring Account Lockout Policy Settings

In Windows 2000, you can configure account policies that help to prevent unauthorized persons from logging on to the network and gaining access to network resources. These enhanced network security measures include setting a password policy and a user account lockout policy to make it more difficult to guess a password and then to limit the number of attempts that someone can make to determine a password. Together these help prevent unauthorized persons from gaining access to your network.



What Are Account Policies?

• Use Account Policies to Prevent Unauthorized Persons From Gaining Access to the Network
• Must Set Group Policy at Domain Level

[Slide diagram: Set Password Requirements -> Domain controller does not authenticate; Set Failed Logon Attempts Limit -> Domain controller locks out user account]

You can configure account policies for user accounts to reduce the possibility of unauthorized persons gaining access to the network. You use Group Policy to set these account policies at the domain level, because account policies apply to all users. If you set these policies for a site or an organizational unit (OU), Windows 2000 ignores the settings. The settings that you configure for the domain apply to the entire domain, and you cannot block them (stop them) from applying to an OU in the domain.

The account policy settings that you can configure with Group Policy are:

• Password settings. Password settings establish restrictions that require users to periodically change passwords and to use complex passwords. Password complexity includes the minimum length and the characters to use, including alphanumeric, symbols, and upper and lower case letters. By forcing users to use complex passwords, it is more difficult for unauthorized persons to gain access to your network by using brute force hacking programs. These programs try to log on repeatedly by providing different passwords (for example, by attempting to use each word in a dictionary as the password).

• Account lockout settings. Account lockout settings lock a user account after a predetermined number of failed logon attempts. Setting a limit for failed logon attempts makes it difficult for unauthorized persons to log on by using applications to determine a password. After a domain controller locks out a user account, no one can log on until the account is unlocked. You can determine how long the lockout will last.

If students do not know what a brute force hacking program is, define it.

Mention to students that the most common password used is password. This is why it is important to implement a password account policy so that users have complex passwords.

Key Points
Administrators must set Group Policy for account policies at the domain level. If an administrator sets them at any other level, Windows 2000 ignores the settings.

Setting up password restrictions and a limit of failed logon attempts makes it almost impossible for an unauthorized person to gain access to the network.


Configuring Password Policy Settings

• Password Settings Apply to the Domain
• The Settings to Configure Are:

[Screenshot: Group Policy console, Passwords [LONDON.NWTraders.msft], Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy, with Attribute and Stored Template Setting columns listing: Allow storage of passwords under reversibl…; Enforce password uniqueness by remem…; Maximum Password Age; Minimum Password Age; Minimum Password Length; Passwords must meet complexity require…; User must logon to change password]

These password settings apply to all user accounts in a domain. Domain controllers start enforcing the requirements during user authentication after the GPO is applied to the domain controllers. Note that when you configure password settings, they do not apply to existing passwords. They apply the next time that a user changes his or her password, or when you create or reset a user account. You configure the settings in Group Policy under Password Policy. The following list describes the password settings to configure:

• Enforce password uniqueness by remembering. This setting determines the number of previous passwords for a user account on which Windows 2000 keeps a record. As long as there is a record of a password, a user cannot reuse it. In a high security network, set this value to 24. In a medium security network, set this value to 6.

• Maximum Password Age. This setting forces users to change their passwords after a specified period of time so that they do not continually use the same passwords. In a high-security network, set this value to 30 days. In a medium security network, set the value to 42 days.

• Minimum Password Length. This setting determines the allowable minimum length of users’ passwords. In a high security domain, set this to at least eight characters.

There are several critical Group Policy password settings that you

Group Policy password settings apply to all user accounts in the domain.

When you configure password settings, they do not apply to existing passwords. Domain controllers enforce the password requirements when an administrator creates a user account or resets a password, or when a user changes a password.

If there is conflict between the minimum length of a password setting and the length determined by the complex passwords setting, the most restrictive setting prevails.


• Passwords must meet complexity requirement. This setting invokes a Windows 2000 built-in password filter. This filter requires passwords to comply with complexity rules. These rules include the following:

  • The minimum password length must be six characters. If there are conflicts between these settings and the password length setting, the more restrictive setting prevails.
  • The password cannot contain any part of the user’s full name.
  • The password must contain characters from at least three of the following four categories:
    English uppercase letters A, B, C, D, … Y, Z
    English lowercase letters a, b, c, d, … y, z
    Westernized Arabic numerals 0, 1, 2, … 9
    Non-alphanumeric characters !, ?, (, …

• User must logon to change password. This setting forces users to log on to their accounts before they can change their passwords. This setting also disables user accounts that have exceeded the maximum password age. Only an administrator can enable the user account again. This prevents unauthorized persons from attempting to log on by using unauthorized user accounts.

To gain access to Password Policy settings, perform the following steps:

1. Open Active Directory Users and Computers, create a GPO at the domain level or select an existing GPO linked to the domain, and then click Edit.
2. In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Account Policies, and then expand Password Policy.
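The following is an added example, not part of the Microsoft courseware: a Python checker that applies the complexity rules listed above together with a configured Minimum Password Length, so that the "more restrictive setting prevails" interaction can be tested against sample passwords. How "any part of the user's full name" is broken into pieces is an assumption of this example and is marked in the code.

```python
"""Added example (not from the course): apply the Windows 2000
'Passwords must meet complexity requirements' rules as the module
describes them, combined with the Minimum Password Length setting."""
import re

# The four character categories named in the module.
CATEGORIES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

COMPLEXITY_MIN_LENGTH = 6  # floor imposed by the built-in filter itself


def effective_min_length(min_length_setting, complexity_enabled):
    """Of the Minimum Password Length setting and the filter's own
    six-character floor, the more restrictive (longer) value prevails."""
    if complexity_enabled:
        return max(min_length_setting, COMPLEXITY_MIN_LENGTH)
    return min_length_setting


def name_tokens(full_name, logon_name):
    """Pieces of the user's name a password must not contain.
    Assumption of this example: each whitespace/punctuation-separated
    token of the full name with three or more characters, plus the
    downlevel logon name, compared case-insensitively."""
    tokens = re.split(r"[\s,.\-_]+", full_name)
    tokens.append(logon_name)
    return {t.lower() for t in tokens if len(t) >= 3}


def check_password(password, full_name, logon_name,
                   min_length_setting=8, complexity_enabled=True):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    need = effective_min_length(min_length_setting, complexity_enabled)
    if len(password) < need:
        problems.append(f"shorter than {need} characters")
    if complexity_enabled:
        lowered = password.lower()
        for token in sorted(name_tokens(full_name, logon_name)):
            if token in lowered:
                problems.append(f"contains part of the user's name ({token})")
                break
        used = [name for name, rx in CATEGORIES.items() if rx.search(password)]
        if len(used) < 3:
            problems.append(
                f"only {len(used)} of 4 character categories used "
                f"({', '.join(used) or 'none'})")
    return problems


if __name__ == "__main__":
    # Constructed sample user from the module's fictitious nwtraders domain.
    for candidate in ("password", "Judy#2000", "Sm1th!!x"):
        print(candidate, check_password(candidate, "Judy Smith", "jasmith"))
```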


Configuring Account Lockout Policy Settings

• Account Lockout Policy Settings Apply to Domains
• You Must Configure All Account Lockout Policy Settings

[Screenshot: Account Lockout Policy, with Attribute and Stored Template Setting columns showing Account lockout count = 5 Invalid logon attempts, Lockout account for = Forever, Reset account lockout count after]

As with password settings, link the GPO for account lockout policy settings to the domain or domains in the network. These policies apply to all user accounts in a domain. Domain controllers start enforcing the requirements during user authentication after the GPO is applied to the domain controllers. You must configure all three settings to set up an account lockout policy. The following list describes the account lockout settings to configure:

• Account lockout count. This setting determines the allowed number of failed logon attempts before Windows 2000 locks the account. The number of failed logon attempts should match the security level that your network requires. In a high security network, set this value to five logon attempts.

• Lockout account for. This setting determines the amount of time that the lockout is effective. In a high security network, select Forever. This means that an administrator must manually unlock the user account. In a medium security network, set this value to 30 minutes to prevent the effective use of automated methods to guess a password.

• Reset account lockout count after. This setting determines the amount of time after which the counter for failed attempts returns to zero. In a high-security network, set this value to one day (1440 minutes). In a medium security network, set this value to 30 minutes.

To gain access to Account Lockout Policy settings, perform the following steps:

1. Open Active Directory Users and Computers, create a GPO at the domain level or select an existing GPO linked to the domain, and then click Edit.
2. In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Account Policies, and then expand Account Lockout Policy.
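The following is an added example, not part of the Microsoft courseware: a small Python model of the three account lockout settings described above, run over a constructed sequence of logon attempts so that the interaction of the lockout count, the lockout duration (including Forever) and the reset window can be seen. Minute-level timing and the attempt sequence are constructed for the example.

```python
"""Added example (not from the course): a model of the three Account
Lockout Policy settings, which the module says must be configured together."""
from dataclasses import dataclass
from typing import Optional

LOCKOUT_FOREVER = None  # 'Forever' on the slide: only an administrator can unlock


@dataclass
class LockoutPolicy:
    lockout_count: int              # Account lockout count
    lockout_minutes: Optional[int]  # Lockout account for (None = Forever)
    reset_minutes: int              # Reset account lockout count after


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[int] = None   # minute of the most recent failed attempt
    locked_at: Optional[int] = None  # minute the lockout began, None if unlocked


def is_locked(policy, state, now):
    if state.locked_at is None:
        return False
    if policy.lockout_minutes is LOCKOUT_FOREVER:
        return True
    return now < state.locked_at + policy.lockout_minutes


def attempt(policy, state, now, password_ok):
    """Process one logon attempt at minute `now`.
    Returns 'ok', 'bad_password' or 'locked' (locked means even the
    correct password is refused, as the module describes)."""
    if is_locked(policy, state, now):
        return "locked"
    if state.locked_at is not None:
        # A timed lockout has elapsed: the account unlocks and the counter restarts.
        state.locked_at = None
        state.bad_count = 0
    # Reset window: failures older than the window no longer count.
    if state.last_bad is not None and now - state.last_bad >= policy.reset_minutes:
        state.bad_count = 0
    if password_ok:
        state.bad_count = 0
        return "ok"
    state.bad_count += 1
    state.last_bad = now
    if state.bad_count >= policy.lockout_count:
        state.locked_at = now
    return "bad_password"


def admin_unlock(state):
    """What an administrator does in Active Directory Users and Computers."""
    state.locked_at = None
    state.bad_count = 0


def run(policy, attempts):
    """attempts: list of (minute, password_ok). Returns the outcome of each."""
    state = AccountState()
    return [attempt(policy, state, minute, ok) for minute, ok in attempts]


if __name__ == "__main__":
    # Constructed sequence: five bad guesses, then the correct password twice.
    sequence = [(0, False), (1, False), (2, False), (3, False), (4, False),
                (5, True), (40, True)]
    medium = LockoutPolicy(lockout_count=5, lockout_minutes=30, reset_minutes=30)
    high = LockoutPolicy(lockout_count=5, lockout_minutes=LOCKOUT_FOREVER,
                         reset_minutes=1440)
    print("medium:", run(medium, sequence))
    print("high:  ", run(high, sequence))
```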

Account lockout policy works well with password policy by limiting the number of times that a person can attempt to log on.

Delivery Tip
Demonstrate configuring the account lockout settings in Group Policy.

Key Points
An administrator can only set Group Policy account lockout settings at the domain level.

An administrator must configure all three settings or none.

The number of logon attempts allowed should match the security required in the network.


Creating Multiple User Accounts

• The Importing Process
• Preparing a File for Importing
• Using the csvde Command to Import Data

Windows 2000 provides you with the ability to create multiple user accounts in Active Directory by importing data from a file. This process is known as bulk import. Bulk import is the importing of multiple database records into a database. The advantages of bulk importing are that you do not have to create multiple user accounts individually, and you do not have to create the file that you import. You can use an existing file that contains the user information to create these accounts.

Windows 2000 provides you with the means to create multiple user accounts in Active Directory by importing data from a file.

Define bulk import if students do not know what it means.


The Importing Process

For Each User Object, the File:
• Must Include the Path to the User Account’s OU, Object Type, and Downlevel Logon Name
• Should Include the User Logon Name and Whether the User Account Is Enabled or Disabled
• Can Include Personal User Information
• Cannot Include a Password

[Slide diagram: a comma-delimited text file of user information is imported into Active Directory, creating the accounts jasmith and judyl]

Using the csvde command to import user account data from a file allows you to create multiple user accounts in Active Directory at the same time.

Bulk import is designed to use an existing file. Typically, an import file comes from a database application that already contains information about your users, although it can come from other sources (such as Microsoft Excel or Microsoft Word). The file that you import must be a text file that uses a comma-delimited format, also known as a comma-separated value format. Most database applications can create export files in this format.

The information in the file:

• Must include the path to the user account in Active Directory, the object type (user account), and the downlevel logon name.
• Should include the user logon name (user principal name), because this is the logon name that Microsoft recommends when a user logs on from a computer running Windows 2000. You should also include whether the account is disabled or enabled.
• Can include personal information, for example telephone numbers or home addresses. You can include information for most user account properties. Include as much of this information as possible to provide more items on which users can search when conducting Active Directory searches.
• Cannot include passwords. Bulk import leaves the password blank. However, by default, the first time that users log on, they must change their passwords. This is not a problem if users log on immediately, but it could be if users are not going to log on for some time. An unauthorized person needs to know only the user logon name to gain access to the network, because the password is blank. If this is the case, disable the user accounts until users start logging on.

Slide Objective
To describe the process and the type of data that should be imported into Active Directory when using the csvde command.

Lead-in
Although you can create a file for the bulk import, it is faster if you use an existing file. This file can come from a variety of sources.

Mention to students that if users are not going to use the accounts that they create immediately, students should disable them. This is because these user accounts have blank passwords.

Key Points
The file imported must include the path to the OU where the user account will reside, the type of object being imported, and the downlevel logon name.
The file being imported should include the user logon name and whether the user accounts are enabled or disabled.


Preparing a File for Importing

[Slide graphic: the Create New Object (User) dialog box (Create in: nwtraders.msft/Users; full name James Smith; user logon name jasmith; downlevel logon name NWTRADERS\jasmith), with each box mapped to the attributes displayName, userPrincipalName, samAccountName, objectClass, and DN]

Format Example
Attribute line containing the names of the attributes:
DN,objectClass,samAccountName,userPrincipalName,displayName,userAccountControl
User object line containing values for attributes:
"cn=James Smith,ou=Human Resources,dc=asia,dc=nwtraders,dc=com",user,jasmith,jasmith@nwtraders.com,James Smith,512

You must ensure that the file that you are importing is properly formatted in order for the import to be successful. The file needs to contain the information necessary to create attributes for the user account. Attributes (also referred to as properties) are categories of information for Active Directory objects. The values of these attributes define the characteristics of the object.

Typically, you need to format an export file from a database application. Use an application that has good editing capabilities, such as Excel or Word, to edit and format. Then, when you save the file, specify a comma-delimited text file. Format the file so that it contains:

• The attribute line. This is the first line of the file. It specifies the name of each attribute that you want to define for the new user account. The Active Directory schema defines the attribute names. Note that you can put the attributes in any order, but you must separate the attributes with commas. The following is an example of the attribute line:

DN,objectClass,samAccountName,userPrincipalName,displayName,userAccountControl

• The user account line. For each user account that you create, the file contains a line that specifies the value for each attribute in the first (attribute) line. The following rules apply to the values in a user account line:
  • The attribute values must follow the sequence of the first line.
  • If a value is missing for an attribute, leave it blank, but include all commas.
  • If a value contains commas, include the value in quotation marks. The following is an example of a user account line:

"cn=James Smith,ou=Human Resources,dc=asia,dc=nwtraders,dc=com",user,jasmith,jasmith@nwtraders.com,James Smith,512
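The import-file rules above, applied in code. This is an added example, not code from the course module or from Microsoft: it writes a csvde-style comma-delimited file from a list of users and checks a file against the rules the module states (attribute line first, values in the same order, a DN with commas quoted, blank values with their commas kept, no password column), and it imports an account disabled (userAccountControl 514 rather than 512) when its owner will not log on right away, since the password is blank. The OU, the users and the telephone number are constructed sample data.

```python
"""Build and check a csvde-style bulk import file.

Added example (not from the course module or from Microsoft). It applies
the rules stated above: the first line names the attributes, each user
line follows that order, a DN containing commas is quoted, a missing
value is left blank with its comma kept, no password column is written,
and accounts whose owners will not log on soon are imported disabled
(userAccountControl 514) because the password is blank.
The OU, users and telephone number are constructed sample data.
"""
import csv
import io

# The attribute line; any order works, but every user line must follow it.
# AD attribute names are case-insensitive, so the module's samAccountName
# is accepted as sAMAccountName.
ATTRIBUTES = ["DN", "objectClass", "samAccountName", "userPrincipalName",
              "displayName", "telephoneNumber", "userAccountControl"]
REQUIRED = {"dn", "objectclass", "samaccountname"}   # compared lowercased

UF_NORMAL_ACCOUNT = 0x0200   # 512: normal, enabled account
UF_ACCOUNTDISABLE = 0x0002   # 512 | 2 = 514: normal account, disabled

# Constructed sample input.
SAMPLE_OU = "ou=Human Resources,dc=asia,dc=nwtraders,dc=com"
SAMPLE_USERS = [
    {"display_name": "James Smith", "sam": "jasmith", "logs_on_immediately": True},
    {"display_name": "Judy Lew", "sam": "judyl", "telephone": "555-0100",
     "logs_on_immediately": False},   # starts later: import disabled
]


def escape_rdn(value):
    """Backslash-escape characters that are special in an RDN (RFC 2253)."""
    return "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)


def build_dn(display_name, ou_dn):
    """Path to the new object: cn=<name>,<distinguished name of the OU>."""
    return "cn=%s,%s" % (escape_rdn(display_name), ou_dn)


def user_account_control(logs_on_immediately):
    """512 if the user logs on right away, 514 (disabled) otherwise."""
    if logs_on_immediately:
        return UF_NORMAL_ACCOUNT
    return UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE


def build_import_file(users, ou_dn, upn_suffix):
    """Return the text of a csvde import file for the given users."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")   # quotes fields with commas
    writer.writerow(ATTRIBUTES)
    for u in users:
        writer.writerow([
            build_dn(u["display_name"], ou_dn),
            "user",
            u["sam"],
            "%s@%s" % (u["sam"], upn_suffix),
            u["display_name"],
            u.get("telephone", ""),          # optional: blank, comma kept
            str(user_account_control(u.get("logs_on_immediately", True))),
        ])
    return buf.getvalue()


def validate_import_file(text):
    """Check a file against the module's rules; return a list of problems."""
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty"]
    header = [h.strip().lower() for h in rows[0]]
    missing = REQUIRED - set(header)
    if missing:
        problems.append("attribute line lacks %s" % ", ".join(sorted(missing)))
    if "unicodepwd" in header or "userpassword" in header:
        problems.append("password attribute present; bulk import cannot set passwords")
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append("line %d has %d values, expected %d"
                            % (n, len(row), len(header)))
            continue
        rec = dict(zip(header, row))
        if rec.get("objectclass") != "user":
            problems.append("line %d: objectClass is not user" % n)
        if not rec.get("dn", "").lower().startswith("cn="):
            problems.append("line %d: DN does not start with cn=" % n)
        if rec.get("useraccountcontrol") not in ("512", "514", ""):
            problems.append("line %d: unexpected userAccountControl" % n)
    return problems


if __name__ == "__main__":
    content = build_import_file(SAMPLE_USERS, SAMPLE_OU, "nwtraders.com")
    print(content, end="")
    print("problems:", validate_import_file(content) or "none")
```

Run the file as-is to see the two generated user lines; feed the output to `csvde -i -f` only after `validate_import_file` reports no problems, and re-enable the 514 accounts once their owners are ready to log on and change the blank password.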

Slide Objective
To describe how to edit and format a file, and to describe the relationship between the attributes provided in the file and the Create New Object (User) dialog box.

Lead-in
You need to make sure that the file you import is properly formatted; otherwise, you will not be successful in creating user accounts.

Using the slide, map the attributes to the values.

Delivery Tip
Compare the attribute line with the boxes in the Create New Object (User) dialog box in Active Directory Users and Computers to show where information would be added if students were using the Create New Object (User) dialog box.

Key Points
Attributes are categories of information for Active Directory objects.
The first line in the file is the attribute line and includes all attributes that an administrator wants to define for the user account.
The remaining lines are the user account lines that provide the values for each attribute.
Format the file in an application that has good editing capabilities, and then save the file as a comma-delimited text file.


previous example

DN (distinguished name): cn=James Smith,ou=Human Resources,dc=asia,dc=nwtraders,dc=com (This specifies the path to the object’s container.)
userPrincipalName: jasmith@nwtraders.com
userAccountControl: 512 (The value 512 enables, and the value 514 disables, the user account.)

Important
For more information about distinguished names, see appendix D “LDAP Names,” on the course 1558A, Advanced Administration for Microsoft Windows 2000, Student Materials compact disc.

To get a list of common attributes and their display names, see appendix E “Common User Account Attributes,” on the course 1558A, Advanced Administration for Microsoft Windows 2000, Student Materials compact disc.


Using the csvde Command to Import Data

The csvde Command
• You Type at the Command Prompt:
  csvde -i -f filename
• The csvde Command Provides Status of the Import
• You Should Check Some of the User Accounts to Verify That They Have the Information That You Want Them to Have

After the file is properly formatted, you can use the csvde command to import the file and to create multiple user accounts in Active Directory.

To import the file, at the command line type:

csvde -i -f filename

In the previous syntax, -i indicates that you are importing a file into Active Directory, and -f indicates that the next parameter is the name of the file that you are importing.

The csvde command provides status information on the success or failure of the process, and it also provides the name of the file to view for detailed error information. Even if the status information indicates that the process was successful, check some of the user accounts that you created to ensure that they have all of the information that you provided.

After you have correctly formatted the file, you can then import it by using the csvde command.

Mention to students that after they import the file—even if the status information reports success—they should do sample checks to make sure that the user accounts were created correctly.


Using Group Policy to Redirect User Data to a Network Server
• What Is Folder Redirection?
• User Folders to Redirect
• Using Group Policy to Redirect User Folders

Windows 2000 allows you to redirect user folders, which are part of the user profile, from users’ local hard disks to a network server. By redirecting these folders, you can ensure that users’ data is available to them regardless of the computers to which they log on, and that users’ data is located at a central location. It is easier to manage and back up centralized data. The folders that you can redirect are My Documents, Application Data, Desktop, and Start Menu. Windows 2000 automatically creates these folders and makes them part of the user profile for each user account.

Slide Objective
To introduce the task of redirecting user data to a network server.

Lead-in
Windows 2000 allows you to use Group Policy to redirect folders that are part of each user profile.


What Is Folder Redirection?
• Network Traffic Is Generated Only When Users Gain Access to Files
• Files Are Not Saved on the Client Computer

[Slide graphic: My Documents on client computers redirected to Redirected Personal Folders on a server. Documents Are Stored on the Server But Appear to Be Stored Locally]

When you redirect folders, you change the storage location of folders from the local hard disk on the user’s computer to a shared folder on a network file server. After you redirect a folder to a file server, it will still appear to the user as if it were stored on the local hard disk. You can redirect four folders that are part of the user profile: My Documents, Application Data, Desktop, and Start Menu.

The following list describes the advantages of redirecting folders:

• The data in the folders is available to the user regardless of the client computer to which the user logs on.
• The data in the folders is centrally stored, so that the files that they contain are easier to manage and back up.
• Network traffic is reduced. When users have roaming user profiles and folders are not redirected, changes to the data in the folders are copied between the local computer and the server each time that the user logs on and logs off. With folder redirection, you can ensure that users’ data is available to users from any computer to which they log on. Network traffic is only generated when a user accesses a file.
• Files in redirected folders, unlike files that are part of a roaming user profile, are not copied and saved on the computers where the user logs on. This means that when a user logs on to a client computer, no storage space is used to store these files, and data that might be confidential does not remain

Folder redirection allows you to move the storage location for user data and settings to a shared folder on a server.

Do not go into detail on the four folders, as they are covered in the next topic. Be sure to mention the advantages of folder redirection.

Key Points
The four folders are part of the user profile.
The data stored on the server appears local to the user.


User Folders to Redirect

Folder            Contains                                            Redirect to a server so that
My Documents      A user’s personal data                              Users can access their data from any computer, and so that this data can be backed up and managed centrally
Start Menu        Folders and shortcuts on the Start menu             Users’ Start menus are standardized
Desktop           All files and folders a user places on the desktop  Users have the same desktop regardless of the computer to which they log on
Application Data  User-specific data stored by applications           Applications use the same user-specific data for a user regardless of the computer to which the user logs on

Depending on the needs of users and your network, you may redirect all or only a few of the folders that can be redirected. The following table describes what each folder contains and provides specific reasons for redirecting the folder.

My Documents
Contains: The default location where users store their personal work data. It is the default location for the File Open and Save As commands. Windows 2000 places a My Documents shortcut icon on the desktop. It also includes the My Pictures folder where users can save their graphics.
Redirect to a server so that: User data follows users, and so that you are able to back up and manage this data centrally. Redirect the folder to reduce the amount of data saved in the user profile. Always redirect the My Documents folder, because it is important that users are always able to gain access to their data.

Start Menu
Contains: Folders and shortcuts on the Start menu.
Redirect to a server so that: Users’ Start menus are standardized. You redirect multiple users’ Start Menu folders to the same network location and then only assign the NTFS file system Read permission so that users cannot change their Start menus’ content.

Desktop
Contains: The folder that contains all files, folders, and shortcuts that a user places on his or her desktop.
Redirect to a server so that: Users’ desktops are standardized. Use the same strategy that you use for the Start menu.

Application Data
Contains: User-specific data stored by applications, such as configuration files and personal dictionaries for spell checking.
Redirect to a server so that: Applications use the same user-specific data for a user, regardless of the computer to which the user logs on.

Slide Objective
To explain what the four folders contain and why to redirect them.

Lead-in
Depending on the needs of your network, you may direct all or only a few of the four folders that can be redirected.

Key Points
An administrator should always redirect the My Documents folder for all users.
You can standardize user Start menus by redirecting their Start Menu folders to the same folder and then only assigning the NTFS Read permission so that users cannot change the contents of their Start menus.


Using Group Policy to Redirect User Folders

[Slide graphic: My Documents Properties dialog box, Target tab. "You can specify the location of the My Documents folder." Setting: Basic - Redirect everyone’s folder to the same location. "This folder will be redirected to the specified location." Target folder location: \\Server\Sharedfolder\%username%. Callouts: Redirect files to one location; Use the %username% variable]

To store the My Documents, Application Data, Desktop, and Start Menu folders on a network server, use the Folder Redirection extension in Group Policy. When you redirect folders, you need to provide the following information:

• A target location, which is the network server. Redirect the folders to one location (a shared folder on a server) so that it is easier to manage and back up the data. To redirect user data folders to one location, select the Basic – Redirect everyone’s folder to the same location option.
  You can also redirect the four folders to different locations based on security group membership, for example, if you want to distribute users’ folders across several network servers or several shared folders on a network server. To redirect to different locations based on group membership, select the Advanced – Specify locations for various user groups option.
• Path to the target location. When providing the path to the shared folder on the server, you can use the %username% variable in the path for the user logon name. For example, provide \\Server\Sharedfolder\%username%. When you use %username%, Windows 2000 creates a unique personal folder on the server when it applies the Group Policy setting to each user. When Windows 2000 creates the folder, it replaces %username% with the user’s downlevel logon name.

To redirect a folder, perform the following steps:

1. Create a new GPO or select an existing GPO, and then click Edit.
2. Expand User Configuration, expand Windows Settings, and then expand Folder Redirection.
3. Right-click the name of the folder that you want to redirect, click Properties, and then provide the target location and path to the location.
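The target-location rules described above (Basic versus Advanced, and the %username% substitution), modelled in code. This is an added example, not part of the course module and not Microsoft code: it resolves, for each user, where a folder would be redirected, so an administrator can review a plan before applying the GPO. Basic sends every user's folder to one path; Advanced picks the path from the user's security group membership, and this example assumes that the first matching group in the list wins. %username% is replaced with the downlevel logon name, not the user principal name, as the module states. The server names, shares, groups and users are constructed sample values.

```python
"""Resolve the redirection target for a user's folder.

Added example (not from the course module or from Microsoft). It models
the two Group Policy choices described above: Basic sends every user's
folder to one target, Advanced picks the target by security group
membership, and %username% is replaced with the user's downlevel logon
name, not the user principal name. It is assumed here that in the
Advanced list the first group the user belongs to wins. Server names,
shares, groups and users are constructed sample values.
"""
import re

USERNAME_VAR = re.compile(r"%username%", re.IGNORECASE)

# Constructed sample settings.
BASIC_TARGET = r"\\Server\Sharedfolder\%username%"
ADVANCED_TARGETS = [                      # (security group, target path)
    ("Sales", r"\\Server1\Sales\%username%"),
    ("Engineering", r"\\Server2\Eng\%username%"),
]
# A standardized Start Menu: one shared location, no %username%, and only
# the NTFS Read permission for users (assigned on the share, not in the GPO).
START_MENU_TARGET = r"\\Server\StartMenu"

# Constructed sample users: downlevel logon name, UPN, group membership.
SAMPLE_USERS = {
    "jasmith": {"sam": "jasmith", "upn": "jasmith@nwtraders.com",
                "groups": ["Domain Users", "Sales"]},
    "judyl": {"sam": "judyl", "upn": "judyl@nwtraders.com",
              "groups": ["Domain Users"]},
}


def expand_username(template, user):
    """Replace %username% with the downlevel logon name (sAMAccountName)."""
    return USERNAME_VAR.sub(lambda m: user["sam"], template)


def is_per_user(template):
    """True when the path yields a unique folder for each user."""
    return USERNAME_VAR.search(template) is not None


def validate_unc(path):
    """A target must be a UNC path with at least a server and a share."""
    if not path.startswith("\\\\"):
        return False
    parts = path[2:].split("\\")
    return len(parts) >= 2 and all(parts[:2])


def resolve_target(setting, user, basic_target=BASIC_TARGET,
                   advanced_targets=ADVANCED_TARGETS):
    """Return the UNC path the folder is redirected to, or None if it stays local."""
    if setting == "basic":
        template = basic_target
    elif setting == "advanced":
        template = next((path for group, path in advanced_targets
                         if group in user["groups"]), None)
        if template is None:
            return None            # user is in no listed group: not redirected
    else:
        raise ValueError("unknown setting: %r" % setting)
    target = expand_username(template, user)
    if not validate_unc(target):
        raise ValueError("target is not a UNC path: %r" % target)
    return target


def redirection_plan(setting, users):
    """Map every user to a target (or None); useful for a pre-rollout review."""
    return {name: resolve_target(setting, u) for name, u in users.items()}


if __name__ == "__main__":
    for mode in ("basic", "advanced"):
        print(mode, redirection_plan(mode, SAMPLE_USERS))
```

The `None` result for a user who is in none of the Advanced groups is the case worth catching before rollout: that user's folder stays on the local disk, so the data is neither available from other computers nor backed up centrally.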

Slide Objective
To describe how to redirect folders.

Lead-in
Group Policy allows you to easily redirect folders to a server location.

Delivery Tip
Demonstrate, at an OU level, configuring the Group Policy settings to redirect My Documents to a shared folder on a network server.

If students ask about the Setting tab options, tell them that in most instances, they should not change

extension in Group Policy

If an administrator uses the %username% variable when redirecting a folder, then Windows 2000 creates a unique personal folder on the server for each user to which it applies the Group Policy setting.

Note

Posted: 18/10/2013, 18:15
