Title: User Account Administration
1 User Account Administration
- Introduction to User Accounts
- Planning New User Accounts
- Creating User Accounts
- Creating User Profiles
- Creating Home Directories
- Maintaining User Accounts
2 Introduction to User Accounts
- Local User Accounts
- Domain User Accounts
- Built-In User Accounts
3 Local User Accounts
4 Local User Accounts
- Local user accounts allow users to log on and gain access to resources only on the computer where the local user account is created.
- Microsoft Windows 2003 creates the account only in that computer's security database, which is called the local security database.
- Windows 2003 does not replicate local user account information to domain controllers.
- The domain does not recognize local user accounts.
- Do not create local user accounts on computers that require access to domain resources.
5 Domain User Accounts
6 Domain User Accounts
- Domain user accounts allow users to log on to the domain and gain access to resources anywhere on the network.
- The user provides a user name and password during the logon process.
- A domain user account can be created in a container or OU in the copy of the Active Directory database on a domain controller.
- The domain controller replicates the new user account information to all domain controllers in the domain.
- After the new user account information is replicated, all of the domain controllers in the domain tree can authenticate the user during the logon process.
7 Access Tokens
- Windows 2003 authenticates the user and then builds an access token that contains information about the user and security settings.
- The access token identifies the user trying to gain access to resources on computers running Windows 2003 and on pre-Windows 2003 computers.
- Windows 2003 provides the access token for the duration of the logon session.
8 Built-In User Accounts: Administrator
- Use this account to manage the overall computer and domain configuration.
- Create a user account to perform nonadministrative tasks.
- Use this account only when performing administrative tasks.
- The account can be renamed to provide a greater degree of security.
- The account cannot be deleted.
9 Built-In User Accounts: Guest
- Allows occasional users the ability to log on and gain access to resources
- Disabled by default
- Enabled only in low-security networks
- Always assign a password
- Can be renamed and disabled, but not deleted
10 Planning New User Accounts
- Naming Conventions
- Password Requirements
- Account Options
- Practice Planning New User Accounts
11 Naming Conventions
- Local user accounts: unique to the computer
- Domain user accounts: unique to the directory
- 20 characters maximum
- Invalid characters: / \ , ? < >
- User logon names: not case-sensitive
- Accommodate duplicate employee names
- Identify type of employee
- E-mail compatibility
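The naming-convention rules above, turned into a checker and a name generator. This is an added example, not code from the original slides; the "first initial plus last name" convention, the numeric suffix for duplicate employee names, and the optional employee-type tag are assumptions chosen for illustration.

```python
# Added example (not from the original slides): checks a proposed user logon
# name against the naming conventions on this slide and builds one from an
# employee's name, accommodating duplicate employee names with a suffix.
INVALID_CHARS = set('/\\,?<>')   # the characters the slide lists as invalid
MAX_LEN = 20                     # 20 characters maximum


def validate_logon_name(name, existing):
    """Return a list of rule violations (an empty list means the name is acceptable).

    `existing` holds the logon names already in the directory (or on the
    computer, for local accounts). Comparison is case-insensitive because
    user logon names are not case-sensitive.
    """
    problems = []
    if not name:
        problems.append("empty name")
    if len(name) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    bad = sorted(set(name) & INVALID_CHARS)
    if bad:
        problems.append("invalid characters: " + " ".join(bad))
    if name.lower() in {e.lower() for e in existing}:
        problems.append("not unique (case-insensitive clash)")
    return problems


def make_logon_name(first, last, existing, kind=""):
    """Build 'first initial + last name' (an assumed convention), append an
    optional employee-type tag such as '-c' for contractor, then append
    2, 3, ... until the name is unique among `existing`."""
    base = (first[:1] + last).lower().replace(" ", "")
    base = "".join(ch for ch in base if ch not in INVALID_CHARS)
    # Truncate so the tag plus a two-digit suffix still fit in MAX_LEN.
    base = base[:MAX_LEN - len(kind) - 2] + kind
    taken = {e.lower() for e in existing}
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = base + str(n)
    return candidate
```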
12 Password Requirements
- Use passwords that are hard to guess.
- Maximum 14 characters; minimum eight recommended.
- Use uppercase and lowercase letters, numerals, and nonalphanumeric characters.
- Use at least one symbol character in the second through sixth positions.
- Make each password significantly different from prior passwords.
- Must not contain the user's name or user name.
- Must not be a common word or name.
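The password requirements above as a single check routine. This is an added example, not the slides' own material: the common-word list is a constructed stand-in for a real dictionary, "significantly different" is approximated with a similarity ratio, and prior passwords are assumed to be available in clear text, which in practice is only true for the old password at the moment the user changes it.

```python
# Added example (not part of the original slides): checks a candidate password
# against the requirements listed on this slide.
from difflib import SequenceMatcher

# Constructed stand-in for a dictionary of common words and names.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "monkey"}


def check_password(pw, user_name, full_name, prior_passwords=()):
    """Return the list of violated requirements (an empty list means acceptable)."""
    v = []
    if len(pw) > 14:
        v.append("longer than 14 characters")
    if len(pw) < 8:
        v.append("shorter than the recommended eight characters")
    symbols = [c for c in pw if not c.isalnum()]
    if not any(c.isupper() for c in pw):
        v.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        v.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        v.append("no numeral")
    if not symbols:
        v.append("no nonalphanumeric character")
    # Positions 2 through 6 are indexes 1..5.
    if not any(not c.isalnum() for c in pw[1:6]):
        v.append("no symbol in positions 2 through 6")
    low = pw.lower()
    # The user name and each part of the full name (3+ letters) are forbidden.
    names = [user_name] + [t for t in full_name.split() if len(t) >= 3]
    if any(n and n.lower() in low for n in names):
        v.append("contains the user's name or user name")
    # Treat "is a common word" strictly: the word may not appear at all.
    if any(w in low for w in COMMON_WORDS):
        v.append("contains a common word or name")
    # Assumption: 70% similarity (case-insensitive) is "not significantly different".
    for old in prior_passwords:
        if SequenceMatcher(None, old.lower(), low).ratio() >= 0.7:
            v.append("too similar to a prior password")
            break
    return v
```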
13 Account Options
- Logon hours
- Computers from which users can log on
- Account expiration
14 Creating User Accounts
- Creating Local User Accounts
- Creating Domain User Accounts
- Practice Creating Domain User Accounts
- User Account Properties
- Setting Personal Properties
- Setting Account Properties
- Setting Logon Hours
- Setting the Computers from Which Users Can Log On
- Configuring Dial-In Settings
- Practice Modifying User Account Properties
15 Local Users and Groups Snap-In, New User Dialog Box
16 Local User Account Options
- User Name: a unique name based on the naming conventions (required).
- Full Name: the complete name of the user; determines which person an account belongs to (optional).
- Description: useful for identifying users (optional).
- User Must Change Password At Next Logon: requires the user to change the password when logging on for the first time.
- User Cannot Change Password: only administrators are allowed to control passwords.
- Password Never Expires: the password never expires.
- Account Is Disabled: prevents use of the user's account.
17 Creating Domain User Accounts
- Use the Active Directory Users and Computers console to create, delete, or disable domain user accounts on the domain controller, or local user accounts on any computer in the domain.
- The user logon name defaults to the domain in which the domain user account is being created.
- With proper permissions, any domain can be selected in which to create domain user accounts.
- The container must be selected before creating the new account.
- Create the account in the default Users container or in a container that is created to hold domain user accounts.
18 Active Directory Users and Computers Console
19 User Name Options
- First Name: the user's first name.
- Initials: the user's initials.
- Last Name: the user's last name.
- Full Name: the user's complete name.
- User Logon Name: uniquely identifies the user throughout the entire network.
- User Logon Name (Pre-Windows 2003): the user's unique logon name used to log on from earlier versions of Windows; the entry is required and must be unique within the domain.
20 New Object-User Dialog Box
21 Password Options
- Password: used to authenticate the user.
- Confirm Password: confirmation that the password was typed correctly.
- User Must Change Password At Next Logon: requires the user to change the password when logging on for the first time.
- User Cannot Change Password: only administrators are allowed to control passwords.
- Password Never Expires: the password never expires.
- Account Is Disabled: prevents use of the user's account.
22 User Account Properties
- A default set of properties is associated with each user account created.
- Personal and account properties, logon options, and dial-in settings can be configured after creating a user account.
- Account properties equate to object attributes for domain users.
- Properties defined for a domain user account can be used to search the directory or in other applications as object attributes.
- Detailed definitions should be provided for each domain user account created.
23 Properties Dialog Box Tabs
- General: user's first name, last name, display name, description, office location, telephone number(s), e-mail address, home page, and additional Web pages
- Address: user's street address, post office box, city, state or province, zip or postal code, and country or region
- Account: user's logon name, logon hours, computers permitted to log on to, account options, and account expiration
- Profile: profile path, logon script path, home directory, and shared document folder
- Telephones: user's home, pager, mobile, fax, and IP telephone numbers, and space for comments
- Organization: user's title, department, company, manager, and direct reports
24 Additional Properties Dialog Box Tabs
- Remote Control: Terminal Services remote control settings
- Terminal Services Profile: Terminal Services user profile
- Member Of: groups to which the user belongs
- Dial-In: dial-in properties for the user
- Environment: Terminal Services startup environment
- Sessions: Terminal Services timeout and reconnection settings
25 Address Tab of the Properties Dialog Box
26 Account Tab of the Properties Dialog Box
27 Additional Account Options
- Store Password Using Reversible Encryption: enables Macintosh users to log on
- Smart Card Is Required For Interactive Logon: allows a user to log on with a smart card
- Account Is Trusted For Delegation: allows a user to assign responsibility for management and administration of a portion of the namespace to another user, group, or organization
- Account Is Sensitive And Cannot Be Delegated: prevents the account from being assigned for delegation by another account
- Use DES Encryption Types For This Account: provides the Data Encryption Standard (DES)
- Do Not Require Kerberos Preauthentication: removes Kerberos preauthentication for accounts using another implementation of Kerberos
- Account Expires: sets account expiration dates
28 Logon Hours Dialog Box
29 Setting Logon Hours
- Controls when a user can log on to the domain.
- Limits the hours during which users can explore the network.
- By default, Windows 2003 permits access for all hours on all days.
- Reduces the amount of time that the account is open to unauthorized access.
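How the logon-hours setting is represented behind the dialog box, as an added example that is not part of the original slides: Active Directory stores the permitted hours as a 21-byte bitmask (one bit per hour of the week, 168 bits), and an absent value means no restriction, which matches the "all hours on all days" default. Assumptions made here: bit 0 of byte 0 is Sunday 00:00-01:00 UTC, bits run least-significant-first within each byte, and the value is kept in UTC (the dialog shows it shifted to the administrator's local time zone), so the example also shows why a local 09:00 can fall outside a UTC-defined window.

```python
# Added example (not from the original slides): builds the 21-byte logonHours
# bitmask and tests whether a given moment falls inside the permitted hours.
from datetime import datetime, timezone, timedelta

HOURS_PER_WEEK = 24 * 7   # 168 bits -> 21 bytes


def build_logon_hours(windows):
    """windows: list of (weekday, start_hour, end_hour) in UTC, where weekday
    is 0=Sunday .. 6=Saturday and end_hour is exclusive. Returns 21 bytes."""
    bits = [0] * HOURS_PER_WEEK
    for day, start, end in windows:
        for h in range(start, end):
            bits[day * 24 + h] = 1
    out = bytearray(21)
    for i, b in enumerate(bits):
        if b:
            out[i // 8] |= 1 << (i % 8)   # assumption: LSB-first within the byte
    return bytes(out)


def logon_permitted(logon_hours, when):
    """True if `when` (a time-zone-aware datetime) falls in a permitted hour.
    An empty or absent value means no restriction, which is the default."""
    if not logon_hours:
        return True
    utc = when.astimezone(timezone.utc)      # the mask is interpreted in UTC
    day = (utc.weekday() + 1) % 7            # Python Monday=0 -> mask Sunday=0
    idx = day * 24 + utc.hour
    return bool(logon_hours[idx // 8] >> (idx % 8) & 1)


def permitted_at(logon_hours, year, month, day, hour, utc_offset=0):
    """Convenience wrapper: is logon allowed at this wall-clock time on a
    clock that is `utc_offset` hours from UTC?"""
    tz = timezone(timedelta(hours=utc_offset))
    return logon_permitted(logon_hours, datetime(year, month, day, hour, tzinfo=tz))


def permitted_hour_count(logon_hours):
    """Number of permitted hours per week (a quick sanity check on a mask)."""
    return sum(bin(b).count("1") for b in logon_hours)


# Constructed policy: office hours 08:00-18:00 UTC, Monday to Friday.
OFFICE_HOURS = build_logon_hours([(d, 8, 18) for d in range(1, 6)])
```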
30 Logon Workstation Dialog Box
31 Setting Logon Options
- Setting logon options for the domain user account allows you to control the computers from which a user can log on to the domain.
- Setting the computers from which a user can log on prevents users from accessing another user's data that is stored on that user's computer.
- By default, each user can log on from all computers in the domain.
32 Options on the Dial-In Tab
- Allow Access
- Deny Access
- Control Access Through Remote Access Policy
- Verify Caller-ID
- Callback Options
  - No Callback
  - Set By Caller
  - Always Callback To
- Assign A Static IP Address
- Apply Static Routes
  - Static Routes
33 Creating User Profiles
- User Profiles
- Local User Profiles
- Roaming User Profiles
- Mandatory User Profiles
- Practice Managing User Profiles
34 User Profile Overview
- A collection of folders and data that stores the user's current desktop environment, application settings, and personal data
- Contains all network connections established when a user logs on to a computer
- Maintains consistency of desktop environments; provides each user with the same desktop environment used the last time that user logged on
35 User Profiles: Advantages to Users
- Multiple users can use the same computer; each user receives their own desktop settings at logon.
- When logging on to their workstation, users receive the same desktop settings as existed when they logged off.
- Customization of the desktop environment by one user does not affect another user's settings.
- Roaming user profile: a user profile stored on a server, which follows that user to any computer running Windows NT 4.0 or Windows 2003 on the network.
- Application settings are retained for applications that are Windows 2003-certified.
36 User Profiles: Administrative Advantages
- Allows creation of a default user profile that is appropriate for the user's task
- Allows a mandatory user profile to be established that does not save changes made by the user to the desktop settings
- Allows specific default user settings to be included in all of the individual user profiles
37 Profile Types
- Local user profile: created upon first logon to a computer and stored on the computer's local hard disk; changes are saved on the computer on which they are made.
- Roaming user profile: created by the system administrator and stored on a server; changes are updated on the server.
- Mandatory user profile: a roaming profile used to specify particular settings for individuals or an entire group of users; changes made by the user are discarded.
38 User Profile Contents
- Local user profiles are stored in the C:\Documents and Settings\user-logon-name folder.
- Roaming user profiles are stored in a shared folder on the server.
- Use the My Documents folder to centralize all user settings and personal documents into a single folder that is part of the user profile.
- Windows 2003 automatically sets up the My Documents folder, which is the default location for storing users' data for Microsoft applications.
- Home directories can also contain files and programs for a user.
39 Contents of a User Profile Folder
- Application data folder
- Cookies folder
- Desktop folder
- Favorites folder
- FrontPageTempDir folder
- Local Settings folder
- My Documents folder
- My Pictures folder
- NetHood folder
- PrintHood folder
- Recent folder
- SendTo folder
- Start Menu folder
- Templates folder
- NTUSER.DAT file
40 Local User Profiles
- Windows 2003 creates a local user profile the first time a user logs on at a computer, storing the profile on that computer.
- The local user profile is stored in the C:\Documents and Settings\user_logon_name folder.
- When logging on to Windows 2003, users always receive their individual desktop settings and connections, regardless of how many users share the same client computer.
- When a user logs off, Windows 2003 incorporates the changes into the user profile stored on the computer.
41 Roaming User Profiles
- Roaming user profiles support users who work at multiple computers.
- Roaming user profiles are stored on the network server and are available to the user no matter where the user logs on in the domain.
- Users always receive their own individual desktop settings and connections.
- The first time a user logs on at a computer, Windows 2003 copies all documents to the local computer.
- When a user logs off, Windows 2003 copies changes back to the server where the profile is stored.
42 Profile Path for a Roaming User Profile
43 Copying a User Profile Template
44 Mandatory User Profiles
- A mandatory user profile is a read-only roaming user profile.
- Users can modify the desktop settings of the computer while they are logged on, but none of these changes is saved when they log off.
- The next time that the user logs on, the profile is the same as the last time that user logged on.
- One mandatory profile can be assigned to multiple users who require the same desktop settings.
- By changing one profile, several users' desktop environments can be changed.
45 Creating a Mandatory User Profile
- A hidden file called NTUSER.DAT contains the section of the Windows 2003 system settings that applies to the individual user account and holds the user environment settings.
- This hidden file becomes a read-only file if you change its name to NTUSER.MAN.
46 Creating Home Directories
- Introducing Home Directories
- Creating Home Directories on a Server
47 Home Directory Overview
- Folder that can be provided to users to store personal documents in addition to the My Documents folder
- Sometimes the default folder for saving documents in older applications
- Stored on a client computer or in a shared folder on a file server
- Not a member of a roaming user profile
- Does not affect network traffic during the logon process
48 Home Directory Advantages
- Users can gain access to their home directories from any client computer on the network.
- Backing up and administration of user documents are centralized.
- Home directories are accessible from a client computer running any Microsoft operating system.
49 Creating Home Directories
- Permission to administer the object in which the user accounts reside is mandatory.
- When %username% is used to name a folder on an NTFS volume, the user is assigned the NTFS Full Control permission.
- All other permissions are removed from the folder, including those for the Administrator account.
50 Specifying a Path to a Home Directory Folder
51 Maintaining User Accounts
- Disabling, Enabling, Renaming, and Deleting User Accounts
- Resetting Passwords
- Unlocking User Accounts
- Practice Administering User Accounts
52 Maintaining User Accounts Overview
- The needs of an organization might require the modification of user accounts.
- Modifications of user accounts are based on personnel changes or changes to personal information.
- You make changes to the user account object in Active Directory to modify a user account.
- You must have permission to administer the object in which the user accounts reside.
53 Modifications Affecting Functionality of User Accounts
- Disabling and enabling a user account
- Renaming a user account
- Deleting a user account
54 Disabling, Enabling, Deleting, or Renaming User Accounts
55 Resetting Passwords
- Reset a password if a user's password expires before it can be changed, or if a user forgets the password.
- It is not necessary to know the old password.
- Once the password is set, it is not visible to any user, including the administrator, thus improving security.
56 Unlocking User Accounts
- A Windows 2003 group policy locks out a user account when the user violates that policy.
- When a user account is locked out, Windows 2003 displays an error message.