Contents
Overview
Requirements for New User Accounts
Creating a Domain User Account
Setting Password Requirements
Lab A: Setting Up User Accounts
Setting Properties for User Accounts
Lab B: Setting Personal Properties
Lab C: Modifying User Accounts
Review
This course is a prerelease course and is based on Microsoft Windows 2000 Beta 3 software. Content in the final release of the course may be different than the content included in this prerelease version. All labs in the course are to be completed using the Beta 3 version of Microsoft Windows 2000 Advanced Server.
Module 2: Setting Up User Accounts
with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 1999 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, MS, Windows, Active Directory, PowerPoint, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Project Lead/Senior Instructional Designer: Red Johnston
Instructional Designers: Tom de Rose (S&T OnSite), Meera Krishna (NIIT (USA) Inc.)
Program Manager: Jim Cochran (Volt Computer)
Lab Simulations Developers: David Carlile (ArtSource), Tammy Stockton (Write Stuff)
Technical Contributor: Kim Ralls
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Editors: Wendy Cleary (S&T OnSite), Diana George (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Tammy Stockton (Write Stuff)
Compact Disc Testing: ST Labs
Production Support: Rob Heiret, Ismael Marrero, Mary Gutierrez (Wasser)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Project Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart
Introduction
This module provides students with the knowledge and skills that are necessary to set up new user accounts in an existing network. Students learn about the different types of user accounts that they can create. Then, the module introduces the requirements for creating new user accounts and the procedure to create new user accounts. Finally, the module discusses the various properties that students can set for user accounts.
There are three labs in this module. In the first lab, students create new user accounts and set passwords for them. In the second lab, students set the personal properties for user accounts, and in the third lab, students modify account properties for user accounts.
Materials and Preparation
This section provides you with the materials and preparation needed to teach this module.
Materials
To teach this module, you need the following materials:
• Microsoft® PowerPoint® file 1556A_02.ppt
• Module 2, “Setting Up User Accounts”
Preparation
To prepare for this module, you should:
• Read all the materials for this module.
• Review the Delivery Tips and Key Points for each section and topic.
• Complete the three labs.
• Study the review questions and prepare alternative answers for discussion.
• Anticipate questions that students may ask. Write out the questions and provide answers to them.
Presentation: 60 Minutes
Labs: 45 Minutes
Module Strategy
Use the following strategy to present this module:
• Introduction to User Accounts
  Provide an overview of the purpose of a user account and how it authenticates a user. Then, introduce the different types of user accounts and explain the differences between them.
• Requirements for New User Accounts
  Emphasize the importance of understanding the practices that are in place in the existing network in regard to creating user accounts. Explain to students that they must follow the established guidelines to ensure the smooth running of the network. To achieve this, they must familiarize themselves with the naming conventions, password requirements, and default account options for user accounts that are in use on the network.
• Creating a Domain User Account
  Demonstrate the procedure to invoke Active Directory Users and Computers to create user accounts. Explain the requirements of the various fields in the Create New Object (User) dialog box.
• Setting Password Requirements
  Demonstrate how to set a password and explain the different options in the Create New Object (User) dialog box.
The labs associated with this module are in a proposed new format. Remind students to complete the lab survey on the Student Materials Web page when they have completed the course.
• Setting Properties for User Accounts
  Explain the purpose of specifying personal properties, and instruct the students to work through the exercises in Lab B, “Setting Personal Properties,” where they will set personal properties for some of the user accounts that they created in Lab A. After students complete the lab, introduce the account options that they can set to ensure the security of the network. Explain the procedure to set account properties, the logon hours for users, the computers from which they can log on, and how to control access to the network from a remote location.
• Best Practices
  Read the Best Practices section before you start the module, and then refer to the appropriate practice as you teach the corresponding module section. Then, at the end of the module, summarize all of the best practices for the module.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on the student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
Important: The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1556A, Administering Microsoft Windows 2000.
Lab Setup
The labs in this module require that the Users group have the Log on locally right. To prepare the student computers to meet this requirement, from the Trainer Materials compact disc, run the LRights.cmd script on each domain controller in each child domain.
Lab Results
Performing the labs in this module introduces the following configuration changes:
• The assignment of the Log on locally right to the Users group
• The addition of x-user1 in the Users organizational unit (OU) (where x is the first letter of the student’s computer name)
• The addition of x-user2 in the Users OU (where x is the first letter of the student’s computer name)
• The addition of x-user3 in the Users OU (where x is the first letter of the student’s computer name)
• The addition of x-user4 in the Users OU (where x is the first letter of the student’s computer name)
• The addition of x-user5 in the Users OU (where x is the first letter of the student’s computer name)
Overview
• Introduction to User Accounts
• Requirements for New User Accounts
• Creating a Domain User Account
• Setting Password Requirements
• Setting Properties for User Accounts
• Best Practices
As an administrator, you need to provide all users with access to various network resources. For this purpose, you will create user accounts to identify and authenticate the users so that they can access the network. In this module, you will learn about creating user accounts and setting properties for them.
At the end of this module, you will be able to:
• Describe the role and purpose of user accounts
• Determine the requirements for a new user account
• Create domain user accounts
• Set properties for user accounts
• Apply best practices for setting up user accounts
In this module, you will learn about Windows 2000 user accounts, which include domain user accounts, local user accounts, and built-in user accounts.
Introduction to User Accounts
• Domain User Accounts
• Local User Accounts
• Built-in User Accounts
A user account provides a user with the ability to log on to the domain to gain access to network resources, or to log on to a local computer to gain access to resources on that computer. You will create a user account for each person who uses the network regularly.
Microsoft® Windows® 2000 provides two types of user accounts: domain user accounts and local user accounts. With a domain user account, a user can log on to the domain to gain access to network resources. With a local user account, a user can log on to a specific computer to gain access to resources on that computer.
Windows 2000 also provides built-in user accounts, which you use to perform administrative tasks or to gain access to network resources.
Slide Objective
To introduce the role and purpose of user accounts.
Lead-in
The types of user accounts that you can create are domain user accounts and local user accounts. Windows 2000 provides built-in user accounts to aid in performing administrative tasks or to allow users to gain access to resources.
Delivery Tip
This section provides an introduction to different types of user accounts. Prepare students for the topics by providing the following key point information.
Key Points
Domain user accounts allow users to log on to a domain to gain access to network resources.
Local user accounts allow users to log on only to the local computer and access resources on it.
Built-in user accounts are provided to perform administrative tasks and gain temporary access to the network.
Domain User Accounts
• Provides Access to Network Resources
• Created on a Domain Controller
[Slide figure: Domain User, Domain User Account, Domain Controller, Active Directory, Domain Access, Network Resources]
Domain user accounts allow users to log on to a domain and gain access to resources anywhere on the network. You create a domain user account on a domain controller. During the logon process, the user provides the user name and password. The first available domain controller uses this information to validate the user and then replicates the new user account information to all domain controllers in the domain.
After Windows 2000 replicates the new user account information, any of the domain controllers in the domain tree can authenticate the user during the logon process. Also, when the user tries to gain access to a resource on the network, the first available domain controller can revalidate the user.
Each user account that you create has a unique, non-reusable identifier, called the security identifier (SID). Windows 2000 uses the SID internally to identify the user to the system.
Important: It may take a few minutes to replicate the domain user account information to all of the domain controllers. This delay may prevent a user from logging on immediately by using the newly created domain user account. By default, replication of Active Directory™ directory service information occurs automatically, every five minutes.
Slide Objective
To describe domain user accounts.
Lead-in
Domain user accounts provide users with access to network resources in a domain.
Delivery Tip
The time that it takes for replication to occur may prevent a user from logging on immediately by using a newly created user account.
Key Point
Domain user accounts allow users to log on to the domain and gain access to resources anywhere on the network.
Local User Accounts
• Provides Access to Resources on the Local Computer
• Create Only on Computers That Are Not in a Domain
• Created in the Local Security Database
[Slide figure: Local User, Local User Account, Local Security Database]
Local user accounts allow users to log on and gain access to resources only on the computer where you create the local user account. You can create local user accounts on member servers and computers running Windows 2000 Professional, but not on computers that are domain controllers. A local user account is used only in a smaller environment such as a workgroup or on stand-alone computers that are not networked. When you create a local user account, Windows 2000 does not replicate the local user account information to domain controllers. This is why you cannot use local user accounts to gain access to resources on other computers.
After the local user account is created, the computer uses its local security database to authenticate the local user account, which allows the user to log on to that computer. Using the local user account, the user can access resources that are available only on the local computer.
Slide Objective
To describe local user accounts.
Lead-in
Local user accounts provide users with access to resources on the local computer where you create the user account.
Key Point
Local user accounts allow users to log on at and gain access to resources only on the computer where you create the local user account.
Built-in User Accounts
• Used for Occasional Access
• Limited Access to Resources
• Disabled by Default
[Slide figure: Administrator, Guest]
Windows 2000 automatically creates two user accounts called built-in accounts. These are Administrator and Guest.
Administrator
Use the built-in Administrator account to manage the overall computer and domain configuration, such as creating and modifying user accounts and groups, managing security, administering printers, and assigning permissions and rights to user accounts to gain access to resources. You can rename the Administrator account, but you cannot delete it. Renaming the Administrator account is a recommended practice.
Guest
Use the built-in Guest account to give occasional users the ability to log on and gain access to resources. For example, in a low security environment, an employee who needs access to resources for a short time can use the Guest account. The Guest account is disabled by default. You can rename the Guest account, but you cannot delete it.
Slide Objective
To describe built-in user accounts.
Lead-in
Windows 2000 provides two built-in user accounts.
Key Point
The Guest account is disabled by default.
Requirements for New User Accounts
• Naming Conventions
• Secure Password
• Account Options to Set
To make the process of creating user accounts more efficient, you need to familiarize yourself with the conventions and guidelines already in use on the network. These include naming conventions, requirements for passwords, and the account options that you can set.
Slide Objective
To describe the requirements for creating new user accounts.
Lead-in
Before you create new user accounts, you need to determine the conventions that have been defined for the network.
Delivery Tip
This section explains the requirements to create new user accounts. Prepare students for the topics by providing the following key point information.
Key Points
Before creating a new user account in an existing network, you must familiarize yourself with the naming convention followed for the user accounts that are already in use on the network.
You must also understand the requirements to set passwords and options for the new user account.
Naming Conventions
• User Logon Names and Full Names Must Be Unique
  - Domain user accounts must be unique to Active Directory
  - Local user accounts must be unique on the computer
• User Logon Names Can Contain up to 20 Characters
• Consider a Naming Convention That:
  - Accommodates duplicate employee names
  - Identifies temporary employees
The naming convention establishes how user accounts are identified in the domain. A consistent naming convention will help you and your users remember user logon names and locate them in lists. In an existing network that supports a large number of users, it is a good practice to adhere to the naming convention already in use.
Consider the following guidelines for naming conventions:
• User logon names for domain user accounts must be unique to Active Directory. Domain user account full names must be unique within the domain in which you create the user account. Local user account names must be unique on the computer on which you create the local user account.
• User logon names can contain up to 20 uppercase or lowercase characters (the field accepts more than 20 characters, but Windows 2000 recognizes only 20), except for the following:
  - Use the first name and the last initial, and then add additional letters from the last name to accommodate duplicate names. For example, for two users named Judy Lew, one user account logon name could be Judyl and the other Judyle.
  - In some organizations, it is useful to identify temporary employees by their user accounts. To do so, you can prefix the user account name with a T and a dash—for example, T-Judyl.
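Added example, not part of the course material: a Python sketch of the naming guidelines above. It proposes a logon name (first name plus last initial, more letters of the last name on a clash, T- for temporary staff) and compares names on their first 20 characters only, so names that differ only past character 20 are reported as clashes. The function names, the letters-and-digits filter, and the case-insensitive comparison are assumptions of this sketch.

```python
import re

MAX_LOGON_LEN = 20  # per the guideline above: only the first 20 characters count


def _clean(part):
    """Keep letters and digits only (assumption: a deliberately narrow set)."""
    return re.sub(r"[^A-Za-z0-9]", "", part)


def effective_name(logon):
    """Form used for uniqueness checks: first 20 characters, case ignored.

    Ignoring case is an assumption of this sketch (Windows logon names are
    not case-sensitive).
    """
    return logon[:MAX_LOGON_LEN].lower()


def propose_logon_name(first, last, existing, temporary=False):
    """Return the first free name of the form First + 1..n letters of Last.

    `existing` holds the logon names already in use. Temporary staff get
    the "T-" prefix. Raises ValueError when no candidate is free.
    """
    first, last = _clean(first), _clean(last)
    if not first or not last:
        raise ValueError("both a first and a last name are needed")
    prefix = "T-" if temporary else ""
    taken = {effective_name(name) for name in existing}
    for n in range(1, len(last) + 1):
        candidate = prefix + first.capitalize() + last[:n].lower()
        if len(candidate) > MAX_LOGON_LEN:
            break  # longer names would be cut to 20 characters and clash
        if effective_name(candidate) not in taken:
            return candidate
    raise ValueError(f"no free logon name for {first} {last}")


def truncation_collisions(names):
    """Group names that look different but share their first 20 characters."""
    groups = {}
    for name in names:
        groups.setdefault(effective_name(name), []).append(name)
    return [group for group in groups.values() if len(group) > 1]
```
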
Slide Objective
To describe the guidelines for naming user accounts.
Lead-in
One of the important requirements for creating a new user account is to follow an established naming convention.
Key Point
The User logon name option for creating a domain user account allows you to enter more than 20 characters, but Windows 2000 recognizes only the first 20 characters.
Secure Password
• Assign a Password for the Administrator Account
• Determine Who Has Control Over Passwords
• Educate Users on How to Use Passwords
  - Avoid obvious associations, such as a family name
  - Use long passwords
  - Use a combination of uppercase and lowercase characters
To protect access to the domain or a computer, every user account should have a password. Consider the following guidelines for passwords:
• Always assign a password for the Administrator account to prevent unauthorized access to the account.
• Determine whether you or the users will control passwords. You can assign unique passwords for the user accounts and prevent users from changing them, or you can allow users to enter their own passwords the first time that they log on. In most cases, users should control their own passwords.
• Educate users about the importance of using passwords that are hard to guess:
  - Avoid using passwords with an obvious association, such as a family member’s name.
  - Use long passwords because they are harder to guess. Passwords can be up to 128 characters. A minimum length of eight characters is recommended.
  - Use both uppercase and lowercase letters and non-alphanumeric characters.
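Added example, not part of the course material: a Python check of a candidate password against the guidelines above (8 to 128 characters, uppercase, lowercase, and non-alphanumeric characters, no obvious association). The function name, the look-alike substitution table, and the three-character minimum for associated terms are assumptions of this sketch.

```python
MIN_LEN, MAX_LEN = 8, 128  # lengths given in the guidelines above

# Assumption: common look-alike substitutions, so "L3w" still matches "Lew".
_LOOKALIKES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})


def _normalize(text):
    """Lowercase the text and undo look-alike substitutions."""
    return text.lower().translate(_LOOKALIKES)


def review_password(password, associated_terms=()):
    """Return a list of findings; an empty list means every guideline is met.

    `associated_terms` are words tied to the user, such as the logon name
    or the names of family members.
    """
    findings = []
    if len(password) < MIN_LEN:
        findings.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        findings.append(f"longer than {MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        findings.append("no uppercase letter")
    if not any(c.islower() for c in password):
        findings.append("no lowercase letter")
    if all(c.isalnum() for c in password):
        findings.append("no non-alphanumeric character")

    plain = _normalize(password)
    for term in associated_terms:
        needle = _normalize(term)
        # Very short terms would match by accident, so they are skipped.
        if len(needle) >= 3 and needle in plain:
            findings.append(f"obvious association: {term}")
    return findings
```
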
Slide Objective
To describe the requirements for assigning passwords to user accounts.
Lead-in
To protect a user account from unauthorized access, you must secure it by
Account Options to Set
• Set Logon Hours to Users’ Work Hours
• Specify the Computers from Which a User Can Log On
  - Domain users can log on at any computer in the domain, by default
  - Restrict domain users to specific computers to increase security
• Determine Whether a User Account Should Expire
To maintain the security required by your network, you can control the hours of the day during which a user account can be accessed, the computer from which it can be accessed, and the date after which it can no longer be accessed. To determine account options, consider the following information.
Logon Hours
Set logon hours for users who require access only at specific times. For example, allow night shift workers to log on only during their working hours.
Computers from Which Users Can Log On
Determine the computers from which users can log on. By default, users can log on to the domain by using any computer in the domain. For security reasons, require users such as temporary employees who will use only specific computers to log on to the domain from their computers only. This prevents these users from gaining access to sensitive information that is stored on other computers.
Account Expiration
Determine whether a user account should expire. If so, set an expiration date on the user account to ensure that the account is disabled when the user no longer warrants access to the network. As a good security practice, set user accounts for temporary employees to expire when their contracts end.
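Added example, not part of the course material: a Python model of the three account options above. It decides whether a logon attempt is permitted (including a night-shift window that runs past midnight) and lists temporary accounts that still have no expiration date or computer restriction. The class, the function names, the single daily logon window, and the computer names are assumptions; the T- prefix follows the naming guideline earlier in this module.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Account:
    logon_name: str
    logon_hours: Optional[Tuple[time, time]] = None  # None: any time of day
    workstations: FrozenSet[str] = frozenset()       # empty: any computer
    expires: Optional[date] = None                   # None: never expires


def within_hours(window, moment):
    """True when `moment` lies in the window, including past midnight."""
    start, end = window
    if start <= end:
        return start <= moment < end
    return moment >= start or moment < end  # e.g. 22:00 to 06:00


def check_logon(account, when, workstation):
    """Return (allowed, reason) for a logon attempt at `when` from `workstation`."""
    if account.expires is not None and when.date() > account.expires:
        return False, "account expired"
    if account.logon_hours and not within_hours(account.logon_hours, when.time()):
        return False, "outside logon hours"
    # Assumption: computer names are compared without regard to case.
    allowed = {name.upper() for name in account.workstations}
    if allowed and workstation.upper() not in allowed:
        return False, "computer not permitted"
    return True, "ok"


def audit_temporary(accounts, prefix="T-"):
    """List temporary accounts that lack an expiry date or a computer list."""
    findings = []
    for account in accounts:
        if not account.logon_name.upper().startswith(prefix.upper()):
            continue
        if account.expires is None:
            findings.append((account.logon_name, "no expiration date"))
        if not account.workstations:
            findings.append((account.logon_name, "may log on at any computer"))
    return findings


# Constructed sample accounts for illustration.
NIGHT = Account("T-Judyl", (time(22, 0), time(6, 0)),
                frozenset({"WKS-07"}), date(2000, 6, 30))
OPEN = Account("T-Judyle")
```
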
Slide Objective
To describe the requirements for setting new user account options.
Lead-in
Before you activate a new user account, you can set restrictions on its usage.
Creating a Domain User Account
[Slide figure: the Active Directory Users and Computers console for the nwtraders domain with the New command selected on the shortcut menu of the Users folder, and the Create New Object (User) dialog box (Create in: nwtraders.msft/Users) filled in for Judy Lew with the logon name judy1]
A domain user account is always created on a domain controller and then replicated to all other domain controllers automatically. When you create the domain user account, you must select the folder in which to create the new account. You can create the domain user account in the default Users folder or in a separate folder that has been created to hold domain user accounts.
To create a domain user account:
1. Click the Start button, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Click the domain, right-click the Users folder or the folder that will contain the user account, point to New, and then click User.
The following table describes the domain user account options that you can configure.
Option: Description
First name: The user’s first name. An entry is required either for the first name or the last name.
Last name: The user’s last name. An entry is required either for the last name or the first name.
Name: The user’s complete name. This name must be unique within the folder where you create the user account. Windows 2000 completes this option if you enter information in First name or Last name. Windows 2000 displays this name in the folder where the user account is located in Active Directory.
User logon name: The user’s unique logon name, based on the naming conventions. This is required and must be unique within Active Directory.
Downlevel logon name: The user’s unique logon name that is used to log on from versions of Windows other than Windows 2000. This is required and must be unique within the domain.
Slide Objective
To describe the procedure for creating domain user accounts.
Lead-in
When you create a domain user account, all attributes in the first dialog box are required.
Delivery Tip
Point out the various objects in Active Directory, such as users, computers and so on. Demonstrate how to create a domain user account by using Active Directory Users and Computers.
Key Point
User logon name defaults to the domain in which you are creating the domain user account. You can select any domain in which you have permissions to create domain user accounts.
Setting Password Requirements
[Slide figure: the Create New Object (User) dialog box (Create in: nwtraders.msft/Users) with the Password and Confirm Password boxes and the check boxes User must change password at next logon, User cannot change password, Password never expires, and Account disabled]
greater security, you should always assign a password. Notice that you do not see the password. It is represented as a series of asterisks (*) when typed, regardless of the length of the password.
Confirm password: Confirm the password by typing it a second time to make sure that you typed the password correctly. This is required if you assign a password.
User must change password at next logon: Select this check box if you want the user to change his or her password the first time that he or she logs on. This ensures that the user is the only person who knows the password.
User cannot change password: Select this check box if you have more than one person using the same domain user account (such as Guest) or to maintain control over user account passwords. This allows only administrators to control passwords.
Password never expires: Select this check box if you never want the password to change—for example, for a domain user account that will be used by an application or a Windows 2000 service. User must change password at next logon overrides Password never expires.
Account disabled: Select this check box to prevent use of this user account—for example, for a new employee who has not yet started.
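Added example, not part of the course material: a Python pre-flight review of a provisioning sheet against the check boxes described above. It reports accounts with no password, option pairs that cancel or contradict each other, Password never expires on accounts that are not service accounts, and personal accounts that are not required to change the initial password. The column names, the kind column, and the sample rows are constructed for illustration.

```python
import csv
import io

# Constructed provisioning sheet; the column names are hypothetical.
SAMPLE = """logon_name,kind,has_password,must_change,cannot_change,never_expires
Judyl,person,yes,yes,no,no
Judyle,person,yes,no,no,yes
svc-backup,service,yes,no,yes,yes
T-Suzanf,person,no,yes,no,no
Guest,shared,yes,yes,yes,no
Benjs,person,yes,yes,no,yes
"""


def _flag(row, key):
    """Read a yes/no cell as a boolean."""
    return row[key].strip().lower() == "yes"


def review_row(row):
    """Return the findings for one account row (an empty list means none)."""
    kind = row["kind"].strip().lower()
    must = _flag(row, "must_change")
    cannot = _flag(row, "cannot_change")
    never = _flag(row, "never_expires")
    notes = []
    if not _flag(row, "has_password"):
        notes.append("no password assigned")
    if must and cannot:
        # The user would be required to do what the account forbids.
        notes.append("must-change and cannot-change contradict each other")
    if must and never:
        notes.append("never-expires is overridden by must-change")
    if never and kind != "service":
        notes.append("never-expires on an account that is not a service account")
    if kind == "person" and not must and not cannot:
        notes.append("user is not required to change the initial password")
    return notes


def review_sheet(text):
    """Map each logon name that has findings to its list of findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        notes = review_row(row)
        if notes:
            report[row["logon_name"]] = notes
    return report
```
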
Slide Objective
To explain how to set password requirements for a domain user account.
Lead-in
After entering the account name information, click Next to open the next dialog box, which contains password settings. In this dialog box, you set the password requirements for the domain user account.
Delivery Tip
Demonstrate how to set the password requirements for a domain user account.
Key Point
Always assign passwords to user accounts and require users to change them the first time that they log on.