User Account Administration - PowerPoint PPT Presentation

Slides: 57
Provided by: MikeS6

Transcript and Presenter's Notes

1
User Account Administration
  • Introduction to User Accounts
  • Planning New User Accounts
  • Creating User Accounts
  • Creating User Profiles
  • Creating Home Directories
  • Maintaining User Accounts

2
Introduction to User Accounts
  • Local User Accounts
  • Domain User Accounts
  • Built-In User Accounts

3
Local User Accounts
4
Local User Accounts
  • Local user accounts allow users to log on and
    gain access to resources only on the computer
    where the local user account is created.
  • Microsoft Windows 2003 creates the account only
    in that computer's security database, which is
    called the local security database.
  • Windows 2003 does not replicate local user
    account information to domain controllers.
  • The domain does not recognize local user
    accounts.
  • Do not create local user accounts on computers
    that require access to domain resources.

5
Domain User Accounts
6
Domain User Accounts
  • Allow users to log on to the domain and gain
    access to resources anywhere on the network.
  • The user provides a user name and password during
    the logon process.
  • A domain user account can be created in a
    container or OU in the copy of the Active
    Directory database on a domain controller.
  • The domain controller replicates the new user
    account information to all domain controllers in
    the domain.
  • After the new user account information is
    replicated, all of the domain controllers in the
    domain tree can authenticate the user during the
    logon process.

7
Access Tokens
  • Windows 2003 authenticates the user and then
    builds an access token that contains information
    about the user and security settings.
  • The access token identifies the user trying to
    gain access to resources on computers running
    Windows 2003 and pre-Windows 2003 computers.
  • Windows 2003 provides the access token for the
    duration of the logon session.

8
Built-In User Accounts: Administrator
  • Use this account to manage the overall computer
    and domain configuration.
  • Create a user account to perform
    nonadministrative tasks.
  • Use this account only when performing
    administrative tasks.
  • The account can be renamed to provide a greater
    degree of security.
  • The account cannot be deleted.

9
Built-In User Accounts: Guest
  • Allows occasional users the ability to log on and
    gain access to resources
  • Disabled by default
  • Enabled only in low-security networks
  • Always assigned a password
  • Can be renamed and disabled, but not deleted

10
Planning New User Accounts
  • Naming Conventions
  • Password Requirements
  • Account Options
  • Practice Planning New User Accounts

11
Naming Conventions
  • Local user accounts: unique to the computer
  • Domain user accounts: unique to the directory
  • 20 characters maximum
  • Invalid characters: / \ , ? < >
  • User logon names: not case-sensitive
  • Accommodate duplicate employee names
  • Identify type of employee
  • E-mail compatibility
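As an added illustration (not from the slides), the following Python builds logon names under these rules: it strips the characters the slide lists as invalid, enforces the 20-character limit, checks uniqueness case-insensitively and resolves duplicate employee names with a numeric suffix. The first-initial-plus-surname convention and the "-t" suffix for temporary staff are assumptions of this example, not anything the slides prescribe.

```python
# Characters the slide lists as invalid in a logon name, and the length limit.
INVALID_CHARS = set('/\\,?<>')
MAX_LEN = 20


def clean_logon_name(raw: str) -> str:
    """Drop invalid characters and whitespace, then enforce the 20-character maximum."""
    cleaned = "".join(c for c in raw if c not in INVALID_CHARS and not c.isspace())
    return cleaned[:MAX_LEN]


def make_logon_name(first: str, last: str, existing: set, temporary: bool = False) -> str:
    """Build a logon name as first initial + surname (assumed convention), mark
    temporary staff with a '-t' suffix (assumed), and resolve duplicates with a
    number.  Uniqueness is checked case-insensitively, as the slide requires;
    the chosen name is added to `existing` so later calls see it."""
    base = clean_logon_name((first[:1] + last).lower())
    suffix = "-t" if temporary else ""
    taken = {name.lower() for name in existing}
    candidate = base[:MAX_LEN - len(suffix)] + suffix
    n = 1
    while candidate in taken:
        n += 1
        # Trim the base so that base + number + suffix still fits in 20 characters.
        room = MAX_LEN - len(str(n)) - len(suffix)
        candidate = base[:room] + str(n) + suffix
    existing.add(candidate)
    return candidate


if __name__ == "__main__":
    directory = {"JSmith"}  # constructed: one name already in use, different case
    for first, last, temp in [("John", "Smith", False), ("Jane", "Smith", True)]:
        print(make_logon_name(first, last, directory, temp))
```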

12
Password Requirements
  • Use passwords that are hard to guess.
  • Maximum 14 characters; a minimum of eight is
    recommended.
  • Use uppercase and lowercase letters, numerals,
    and nonalphanumeric characters.
  • Use at least one symbol character in the second
    through sixth positions.
  • Make the password significantly different from
    prior passwords.
  • Must not contain the user's name or user name.
  • Must not be a common word or name.
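An added example, not part of the presentation: a Python checker that applies the slide's password rules to a candidate password and reports every rule it breaks. The common-word list is a constructed sample, and "significantly different from prior passwords" is interpreted as a difflib similarity ratio below 0.6, which is an assumption of this example.

```python
import difflib

# Constructed sample of common words to reject; a real check would use a large dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "contoso", "admin"}
SIMILARITY_LIMIT = 0.6  # assumed threshold for "significantly different"


def check_password(candidate: str, user_name: str, full_name: str,
                   previous: tuple = ()) -> list:
    """Return the slide's rules that `candidate` violates; an empty list means it passes."""
    problems = []
    if not 8 <= len(candidate) <= 14:
        problems.append("length must be 8 to 14 characters")
    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_symbol = any(not c.isalnum() for c in candidate)
    if not (has_upper and has_lower and has_digit and has_symbol):
        problems.append("must mix uppercase, lowercase, numerals and symbols")
    # Positions 2 through 6 (1-based) are indexes 1..5.
    if not any(not c.isalnum() for c in candidate[1:6]):
        problems.append("needs a symbol in positions 2 through 6")
    lowered = candidate.lower()
    # Reject the logon name and each part of the full name (ignoring short initials).
    names = [user_name] + full_name.split()
    if any(len(n) >= 3 and n.lower() in lowered for n in names):
        problems.append("must not contain the user's name or user name")
    # Strip digits/symbols from the ends so "password1!" is still caught as a common word.
    core = lowered.strip("0123456789!@#$%^&*()_-+=.,;:")
    if core in COMMON_WORDS:
        problems.append("must not be a common word or name")
    for old in previous:
        if difflib.SequenceMatcher(None, old.lower(), lowered).ratio() >= SIMILARITY_LIMIT:
            problems.append("too similar to a prior password")
            break
    return problems


if __name__ == "__main__":
    for pw in ["Tr!pleSeven9", "password1", "Smith!2024x"]:  # constructed candidates
        print(pw, "->", check_password(pw, "jsmith", "John Smith") or "accepted")
```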

13
Account Options
  • Logon hours
  • Computers from which users can log on
  • Account expiration

14
Creating User Accounts
  • Creating Local User Accounts
  • Creating Domain User Accounts
  • Practice Creating Domain User Accounts
  • User Account Properties
  • Setting Personal Properties
  • Setting Account Properties
  • Setting Logon Hours
  • Setting the Computers from Which Users Can Log On
  • Configuring Dial-In Settings
  • Practice Modifying User Account Properties

15
Local Users and Groups Snap-In, New User Dialog Box
16
Local User Account Options
  • User Name: a unique name based on the naming
    conventions (required).
  • Full Name: the complete name of the user;
    determines which person belongs to an account
    (optional).
  • Description: useful for identifying users
    (optional).
  • User Must Change Password At Next Logon: requires
    the user to change the password when logging on
    the first time.
  • User Cannot Change Password: only administrators
    are allowed to control the password.
  • Password Never Expires: the password will never
    need to be changed.
  • Account Is Disabled: prevents use of the user's
    account.

17
Creating Domain User Accounts
  • Use the Active Directory Users and Computers
    console to create, delete, or disable domain user
    accounts on the domain controller, or local user
    accounts on any computer in the domain.
  • The user logon name defaults to the domain in
    which the domain user account is being created.
  • With proper permissions, any domain can be
    selected to create domain user accounts.
  • The container must be selected to create the new
    account.
  • Create the account in the default Users container
    or in a container that is created to hold domain
    user accounts.

18
Active Directory Users and Computers Console
19
User Name Options
  • First Name: the user's first name.
  • Initials: the user's initials.
  • Last Name: the user's last name.
  • Full Name: the user's complete name.
  • User Logon Name: uniquely identifies the user
    throughout the entire network.
  • User Logon Name (Pre-Windows 2003): the user's
    unique logon name used to log on from earlier
    versions of Windows; the entry is required and
    must be unique within the domain.

20
New Object-User Dialog Box
21
Password Options
  • Password: used to authenticate the user.
  • Confirm Password: confirmation that the password
    was typed correctly.
  • User Must Change Password At Next Logon: requires
    the user to change the password when logging on
    the first time.
  • User Cannot Change Password: only administrators
    are allowed to control the password.
  • Password Never Expires: the password will never
    need to be changed.
  • Account Is Disabled: prevents use of the user's
    account.

22
User Account Properties
  • A default set of properties is associated with
    each user account created.
  • Personal and account properties, logon options,
    and dial-in settings can be configured after
    creating a user account.
  • Account properties equate to object attributes
    for domain users.
  • Properties defined for a domain user account can
    be used to search the directory or be used by
    other applications as object attributes.
  • Detailed definitions should be provided for each
    domain user account created.

23
Properties Dialog Box Tabs
  • General: user's first name, last name, display
    name, description, office location, telephone
    number(s), e-mail address, home page, and
    additional Web pages
  • Address: user's street address, post office box,
    city, state or province, zip or postal code, and
    country or region
  • Account: user's logon name, logon hours,
    computers permitted to log on to, account
    options, and account expiration
  • Profile: profile path, logon script path, home
    directory, and shared document folder
  • Telephones: user's home, pager, mobile, fax, and
    IP telephone numbers, and space for comments
  • Organization: user's title, department, company,
    manager, and direct reports

24
Additional Properties Dialog Box Tabs
  • Remote Control: Terminal Services remote control
    settings
  • Terminal Services Profile: Terminal Services user
    profile
  • Member Of: groups to which the user belongs
  • Dial-In: dial-in properties for the user
  • Environment: Terminal Services startup
    environment
  • Sessions: Terminal Services timeout and
    reconnection settings

25
Address Tab of the Properties Dialog Box
26
Account Tab of the Properties Dialog Box
27
Additional Account Options
  • Store Password Using Reversible Encryption:
    enables Macintosh users to log on
  • Smart Card Is Required For Interactive Logon:
    allows a user to log on with a smart card
  • Account Is Trusted For Delegation: allows a user
    to assign responsibility for management and
    administration of a portion of the namespace to
    another user, group, or organization
  • Account Is Sensitive And Cannot Be Delegated:
    prevents the account from being assigned for
    delegation by another account
  • Use DES Encryption Types For This Account:
    provides the Data Encryption Standard (DES)
    encryption types for the account
  • Do Not Require Kerberos Preauthentication:
    removes Kerberos preauthentication for accounts
    using another implementation of Kerberos
  • Account Expires: sets account expiration dates
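These Account-tab options are stored as bits of the user object's userAccountControl attribute. As an added defender's example (not from the slides), the Python below decodes that value and lists, for each enabled account, the options that weaken the account's protection when switched on; the bit values are the documented constants, while the account list is constructed sample data.

```python
# Documented userAccountControl bit values for the options shown on the Account tab
# (plus the two options from the New User dialog that live in the same attribute).
UAC_FLAGS = {
    "Account Is Disabled": 0x0002,
    "Store Password Using Reversible Encryption": 0x0080,
    "Password Never Expires": 0x10000,
    "Smart Card Is Required For Interactive Logon": 0x40000,
    "Account Is Trusted For Delegation": 0x80000,
    "Account Is Sensitive And Cannot Be Delegated": 0x100000,
    "Use DES Encryption Types For This Account": 0x200000,
    "Do Not Require Kerberos Preauthentication": 0x400000,
}
NORMAL_ACCOUNT = 0x0200  # set on every ordinary user account

# Options that reduce the account's protection when enabled.
WEAKENING = {
    "Store Password Using Reversible Encryption",
    "Use DES Encryption Types For This Account",
    "Do Not Require Kerberos Preauthentication",
    "Account Is Trusted For Delegation",
    "Password Never Expires",
}


def decode_uac(uac: int) -> list:
    """Return the option names whose bits are set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if uac & bit]


def audit_accounts(accounts: dict) -> dict:
    """Map each enabled account (sAMAccountName -> userAccountControl) to the
    weakening options it has turned on; disabled and clean accounts are omitted."""
    findings = {}
    for sam, uac in accounts.items():
        if uac & UAC_FLAGS["Account Is Disabled"]:
            continue
        weak = [opt for opt in decode_uac(uac) if opt in WEAKENING]
        if weak:
            findings[sam] = weak
    return findings


# Constructed sample data, not taken from any directory.
SAMPLE_ACCOUNTS = {
    "jsmith": NORMAL_ACCOUNT,
    "svc-mac": NORMAL_ACCOUNT | 0x0080 | 0x10000,
    "legacy": NORMAL_ACCOUNT | 0x200000 | 0x400000,
    "oldtemp": NORMAL_ACCOUNT | 0x0002 | 0x400000,
    "admin-ts": NORMAL_ACCOUNT | 0x40000 | 0x100000,
}

if __name__ == "__main__":
    for sam, weak in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{sam}: {', '.join(weak)}")
```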

28
Logon Hours Dialog Box
29
Setting Logon Hours
  • Controls when a user can log on to the domain.
  • Limits the hours users can explore the network.
  • By default, Windows 2003 permits access for all
    hours on all days.
  • Reduces the amount of time that the account is
    open to unauthorized access.
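The Logon Hours dialog writes the user object's logonHours attribute: a 21-byte bitmask with one bit per hour of the week, expressed in UTC. The added Python below (not part of the presentation) builds such a value for a Monday-to-Friday 08:00 to 18:00 window and tests individual hours against it; it assumes the documented layout in which bit 0 of byte 0 is Sunday 00:00 to 01:00 UTC and bits run from the least-significant end of each byte.

```python
# Day indexes follow the attribute layout: 0 = Sunday ... 6 = Saturday; hours are UTC.
HOURS_PER_WEEK = 24 * 7
WORK_DAYS = range(1, 6)  # Monday to Friday


def build_logon_hours(windows) -> bytes:
    """Return a 21-byte logonHours value allowing each (day, start_hour, end_hour)
    window (end_hour exclusive).  Hour h of day d is bit number d*24 + h; bit 0 of
    byte 0 is Sunday 00:00-01:00 UTC and bits are numbered from the LSB of each byte."""
    bits = bytearray(HOURS_PER_WEEK // 8)
    for day, start, end in windows:
        for hour in range(start, end):
            n = day * 24 + hour
            bits[n // 8] |= 1 << (n % 8)
    return bytes(bits)


def logon_allowed(logon_hours: bytes, day: int, hour: int) -> bool:
    """Check one UTC hour against a logonHours value."""
    n = day * 24 + hour
    return bool(logon_hours[n // 8] & (1 << (n % 8)))


def allowed_hour_count(logon_hours: bytes) -> int:
    """Number of hours per week the value permits (168 for the default all-ones value)."""
    return sum(bin(b).count("1") for b in logon_hours)


# Windows' default: every hour of every day is permitted.
ALL_HOURS = bytes([0xFF] * (HOURS_PER_WEEK // 8))
# Constructed policy: 08:00-18:00 UTC, Monday to Friday.  Local office hours must be
# converted to UTC before building the value, or the window will be shifted.
BUSINESS_HOURS = build_logon_hours([(d, 8, 18) for d in WORK_DAYS])

if __name__ == "__main__":
    print(BUSINESS_HOURS.hex(), allowed_hour_count(BUSINESS_HOURS), "hours/week")
    print("Monday 09:00 UTC allowed:", logon_allowed(BUSINESS_HOURS, 1, 9))
    print("Sunday 09:00 UTC allowed:", logon_allowed(BUSINESS_HOURS, 0, 9))
```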

30
Logon Workstation Dialog Box
31
Setting Logon Options
  • Setting logon options for the domain user account
    allows you to control the computers from which a
    user can log on to the domain.
  • Setting the computers from which a user can log
    on prevents users from accessing another user's
    data that is stored on that user's computer.
  • By default, each user can log on from all
    computers in the domain.

32
Options on the Dial-In Tab
  • Allow Access
  • Deny Access
  • Control Access Through Remote Access Policy
  • Verify Caller-ID
  • Callback Options
      • No Callback
      • Set By Caller
      • Always Callback To
  • Assign A Static IP Address
  • Apply Static Routes
      • Static Routes

33
Creating User Profiles
  • User Profiles
  • Local User Profiles
  • Roaming User Profiles
  • Mandatory User Profiles
  • Practice Managing User Profiles

34
User Profile Overview
  • A collection of folders and data that stores the
    user's current desktop environment, application
    settings, and personal data
  • Contains all network connections established when
    a user logs on to a computer
  • Maintains consistency of desktop environments;
    provides each user with the same desktop
    environment used the last time that user logged on

35
User Profiles: Advantages to Users
  • Multiple users can use the same computer; each
    user receives their own desktop settings at logon.
  • When logging on to their workstation, users
    receive the same desktop settings as existed when
    they logged off.
  • Customization of the desktop environment by one
    user does not affect another user's settings.
  • Roaming user profile: a user profile stored on a
    server, which follows that user to any computer
    running Windows NT 4.0 or Windows 2003 on the
    network.
  • Application settings are retained for
    applications that are Windows 2003-certified.

36
User Profiles: Administrative Advantages
  • Allows creation of a default user profile that is
    appropriate for the user's task
  • Allows a mandatory user profile to be established
    that does not save changes made by the user to
    the desktop settings
  • Allows specific default user settings to be
    included in all of the individual user profiles

37
Profile Types
  • Local user profile: created upon first logon to a
    computer and stored on the computer's local hard
    disk; changes are saved on the computer on which
    they are made.
  • Roaming user profile: created by the system
    administrator and stored on a server; changes are
    updated on the server.
  • Mandatory user profile: a roaming profile used to
    specify particular settings for individuals or an
    entire group of users; changes made by the user
    are discarded.

38
User Profile Contents
  • Local user profiles are stored in the C:\Documents
    and Settings\user-logon-name folder.
  • Roaming user profiles are stored in a shared
    folder on the server.
  • Use the My Documents folder to centralize all
    user settings and personal documents into a
    single folder that is part of the user profile.
  • Windows 2003 automatically sets up the My
    Documents folder, which is the default location
    for storing users' data for Microsoft
    applications.
  • Home directories can also contain files and
    programs for a user.

39
Contents of a User Profile Folder
  • Application data folder
  • Cookies folder
  • Desktop folder
  • Favorites folder
  • FrontPageTempDir folder
  • Local Settings folder
  • My Documents folder
  • My Pictures folder
  • NetHood folder
  • PrintHood folder
  • Recent folder
  • SendTo folder
  • Start Menu folder
  • Templates folder
  • NTUSER.DAT file

40
Local User Profiles
  • Windows 2003 creates a local user profile the
    first time a user logs on at a computer, storing
    the profile on that computer.
  • The local user profile is stored in the
    C:\Documents and Settings\user_logon_name folder.
  • When logging on to Windows 2003, users always
    receive their individual desktop settings and
    connections, regardless of how many users share
    the same client computer.
  • When a user logs off, Windows 2003 incorporates
    the changes into the user profile stored on the
    computer.

41
Roaming User Profiles
  • Roaming user profiles support users who work at
    multiple computers.
  • Roaming user profiles are stored on the network
    server and are available to the user no matter
    where the user logs on in the domain.
  • Users always receive their own individual desktop
    settings and connections.
  • The first time a user logs on at a computer,
    Windows 2003 copies all documents to the local
    computer.
  • When a user logs off, Windows 2003 copies changes
    back to the server where the profile is stored.

42
Profile Path for a Roaming User Profile
43
Copying a User Profile Template
44
Mandatory User Profiles
  • A mandatory user profile is a read-only roaming
    user profile.
  • Users can modify the desktop settings of the
    computer while they are logged on, but none of
    these changes is saved when they log off.
  • The next time that the user logs on, the profile
    is the same as the last time that user logged on.
  • One mandatory profile can be assigned to multiple
    users who require the same desktop settings.
  • By changing one profile, several users' desktop
    environments can be changed.

45
Creating a Mandatory User Profile
  • A hidden file called NTUSER.DAT contains that
    section of the Windows 2003 system settings that
    applies to the individual user account and
    contains the user environment settings.
  • This hidden file becomes a read-only file if you
    change its name to NTUSER.MAN.

46
Creating Home Directories
  • Introducing Home Directories
  • Creating Home Directories on a Server

47
Home Directory Overview
  • Folder that can be provided to users to store
    personal documents in addition to the My
    Documents folder
  • Sometimes the default folder for saving documents
    in older applications
  • Stored on a client computer or in a shared folder
    on a file server
  • Not part of a roaming user profile
  • Does not affect network traffic during the logon
    process

48
Home Directory Advantages
  • Users can gain access to their home directories
    from any client computer on the network.
  • Backing up and administration of user documents
    are centralized.
  • Home directories are accessible from a client
    computer running any Microsoft operating system.

49
Creating Home Directories
  • Permission to administer the object in which the
    user accounts reside is mandatory.
  • When the user name is used to name a folder on an
    NTFS volume, the user is assigned the NTFS Full
    Control permission.
  • All other permissions are removed from the
    folder, including those for the Administrator
    account.

50
Specifying a Path to a Home Directory Folder
51
Maintaining User Accounts
  • Disabling, Enabling, Renaming, and Deleting User
    Accounts
  • Resetting Passwords
  • Unlocking User Accounts
  • Practice Administering User Accounts

52
Maintaining User Accounts Overview
  • The needs of an organization might require the
    modification of user accounts.
  • Modifications of user accounts are based on
    personnel changes or changes to personal
    information.
  • You make changes to the user account object in
    Active Directory to modify a user account.
  • You must have permission to administer the object
    in which the user accounts reside.

53
Modifications Affecting Functionality of User
Accounts
  • Disabling and enabling a user account
  • Renaming a user account
  • Deleting a user account

54
Disabling, Enabling, Deleting, or Renaming User
Accounts
55
Resetting Passwords
  • Reset a password if a user's password expires
    before it can be changed, or if a user forgets
    the password.
  • It is not necessary to know the old password.
  • Once the password is set, it is not visible to
    any user, including the administrator, thus
    improving security.

56
Unlocking User Accounts
  • A Windows 2003 group policy locks out a user
    account when the user violates the policy.
  • When a user account is locked out, Windows 2003
    displays an error message.