Chapter 7 PowerPoint

Transcript Chapter 7 PowerPoint

Slide 1: User Account Administration
• Introduction to User Accounts
• Planning New User Accounts
• Creating User Accounts
• Creating User Profiles
• Creating Home Directories
• Maintaining User Accounts

Slide 2: Introduction to User Accounts
• Local User Accounts
• Domain User Accounts
• Built-In User Accounts

Slide 3: Local User Accounts

Slide 4: Local User Accounts
• Local user accounts allow users to log on and gain access to resources only on the computer where the local user account is created.
• Microsoft Windows 2000 creates the account only in that computer’s security database, which is called the local security database.
• Windows 2000 does not replicate local user account information to domain controllers.
• The domain does not recognize local user accounts.
• Do not create local user accounts on computers that require access to domain resources.

Slide 5: Domain User Accounts

Slide 6: Domain User Accounts
• Allow users to log on to the domain and gain access to resources anywhere on the network.
• The user provides a user name and password during the logon process.
• A domain user account can be created in a container or OU in the copy of the Active Directory database on a domain controller.
• The domain controller replicates the new user account information to all domain controllers in the domain.
• After the new user account information is replicated, all of the domain controllers in the domain tree can authenticate the user during the logon process.

Slide 7: Access Tokens
• Windows 2000 authenticates the user and then builds an access token that contains information about the user and security settings.
• The access token identifies the user trying to gain access to resources on computers running Windows 2000 and pre-Windows 2000 computers.
• Windows 2000 provides the access token for the duration of the logon session.
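The token the slide describes can be inspected from an interactive session. The PowerShell below is an added example, not part of the slide deck; it targets a current Windows version (Windows 2000 had no PowerShell) and uses only the .NET WindowsIdentity class and the built-in whoami tool, so no placeholders are needed.

```powershell
# Added example, not from the slides: read the access token that Windows
# built for the current logon session.

function Get-CurrentAccessToken {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Group SIDs carried in the token; translate to names where a name exists
    # (logon-session SIDs such as S-1-5-5-x-y have none and are kept as SIDs).
    $groups = foreach ($sid in $id.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }
    }

    [pscustomobject]@{
        User               = $id.Name                  # DOMAIN\user or COMPUTER\user
        UserSid            = $id.User.Value
        AuthenticationType = $id.AuthenticationType    # e.g. Kerberos, NTLM, Negotiate
        ImpersonationLevel = $id.ImpersonationLevel
        GroupCount         = @($groups).Count
        Groups             = @($groups)
    }
}

Get-CurrentAccessToken | Format-List

# The same token seen through the built-in tool: group SIDs with their
# attributes (Mandatory group, Enabled by default, Enabled group) and the
# privileges the token carries.
whoami /groups
whoami /priv
```

The group list and privileges are fixed when the token is built at logon, which is why a user added to a group must log off and on again before the new membership takes effect.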
Slide 8: Built-In User Accounts: Administrator
• Use this account to manage the overall computer and domain configuration.
• Create a user account to perform nonadministrative tasks.
• The account cannot be deleted.
• Use this account only when performing administrative tasks.
• The account can be renamed to provide a greater degree of security.

Slide 9: Built-In User Accounts: Guest
• Allows occasional users the ability to log on and gain access to resources
• Disabled by default
• Enabled only in low-security networks
• Always assigned a password
• Can be renamed and disabled, but not deleted

Slide 10: Planning New User Accounts
• Naming Conventions
• Password Requirements
• Account Options
• Practice: Planning New User Accounts

Slide 11: Naming Conventions
• Local user accounts: Unique to the computer
• Domain user accounts: Unique to the directory
• 20 characters maximum
• Invalid characters: " / \ [ ] : ; | = , + * ? < >
• User logon names: Not case-sensitive
• Accommodate duplicate employee names
• Identify type of employee
• E-mail compatibility

Slide 12: Password Requirements
• Use passwords that are hard to guess.
• Use at least one symbol character in the second through sixth positions.
• Make password significantly different from prior passwords.
• Maximum 14 characters; minimum eight recommended.
• Use uppercase and lowercase letters, numerals, and nonalphanumeric characters.
• Must not contain the user’s name or user name.
• Must not be a common word or name.
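The rules on the Naming Conventions and Password Requirements slides can be turned into a pre-creation check. The PowerShell below is an added example, not part of the slide deck: it implements exactly the rules the two slides list (including the slide's 14-character cap), and the existing-name list, the common-word list and the test cases are constructed sample data.

```powershell
# Added example, not from the slides: a checker for the Naming Conventions
# and Password Requirements rules. Sample data is constructed.

# Characters the slide lists as invalid in a logon name: " / \ [ ] : ; | = , + * ? < >
$InvalidNameChars = [char[]]'"/\[]:;|=,+*?<>'

function Test-UserLogonName {
    param(
        [Parameter(Mandatory)] [string]$LogonName,
        [string[]]$ExistingNames = @()
    )
    $problems = @()
    if ($LogonName.Length -eq 0)  { $problems += 'empty' }
    if ($LogonName.Length -gt 20) { $problems += 'longer than 20 characters' }
    $bad = $LogonName.IndexOfAny($InvalidNameChars)
    if ($bad -ge 0) { $problems += "invalid character '$($LogonName[$bad])' at position $($bad + 1)" }
    # Logon names are not case-sensitive, so uniqueness is checked case-insensitively
    # (-contains compares strings without regard to case).
    if ($ExistingNames -contains $LogonName) { $problems += 'already in use' }
    [pscustomobject]@{ LogonName = $LogonName; Valid = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] [string]$Password,
        [Parameter(Mandatory)] [string]$LogonName,
        [string]$FullName = '',
        [string[]]$CommonWords = @('password', 'welcome', 'summer', 'letmein')   # constructed list
    )
    $problems = @()
    if ($Password.Length -lt 8)  { $problems += 'shorter than the recommended eight characters' }
    if ($Password.Length -gt 14) { $problems += 'longer than the 14-character maximum on the slide' }
    if ($Password -cnotmatch '[A-Z]')        { $problems += 'no uppercase letter' }
    if ($Password -cnotmatch '[a-z]')        { $problems += 'no lowercase letter' }
    if ($Password -notmatch  '[0-9]')        { $problems += 'no numeral' }
    if ($Password -notmatch  '[^A-Za-z0-9]') { $problems += 'no nonalphanumeric character' }

    # At least one symbol in positions 2 through 6 (0-based index 1..5)
    $window = if ($Password.Length -ge 2) { $Password.Substring(1, [Math]::Min(5, $Password.Length - 1)) } else { '' }
    if ($window -notmatch '[^A-Za-z0-9]') { $problems += 'no symbol in positions 2 through 6' }

    # Must not contain the user's name or user name (-match ignores case)
    $nameParts = @($LogonName) + @($FullName -split '\s+' | Where-Object { $_.Length -ge 3 })
    foreach ($part in $nameParts) {
        if ($Password -match [regex]::Escape($part)) { $problems += "contains name fragment '$part'" }
    }

    # Must not be a common word or name
    if ($CommonWords -contains $Password) { $problems += 'is a common word' }

    [pscustomobject]@{ LogonName = $LogonName; Valid = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

# Constructed sample data
$existing = @('jdoe', 'asmith')
@('jdoe2', 'Jane.Doe', 'j:doe', 'JDOE', 'a_very_long_logon_name_indeed') |
    ForEach-Object { Test-UserLogonName -LogonName $_ -ExistingNames $existing } | Format-Table -AutoSize

$cases = @(
    @{ Password = 'Doe!2024x';         LogonName = 'jdoe2'; FullName = 'Jane Doe' }   # contains name fragment 'Doe'
    @{ Password = 'W!nt3rRoad';        LogonName = 'jdoe2'; FullName = 'Jane Doe' }   # passes every rule
    @{ Password = 'password';          LogonName = 'jdoe2'; FullName = 'Jane Doe' }   # common word, missing classes
    @{ Password = 'Tw!stedRopeSail99'; LogonName = 'jdoe2'; FullName = 'Jane Doe' }   # over the slide's 14-character cap
)
$cases | ForEach-Object { $p = $_; Test-PasswordPolicy @p } | Format-Table -AutoSize
```

The 14-character maximum is the slide's rule; current domain password policy is set through Group Policy, and the length limit there is the place to change it.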
Slide 13: Account Options
• Logon hours
• Computers from which users can log on
• Account expiration

Slide 14: Creating User Accounts
• Creating Local User Accounts
• Creating Domain User Accounts
• Practice: Creating Domain User Accounts
• User Account Properties
• Setting Personal Properties
• Setting Account Properties
• Setting Logon Hours
• Setting the Computers from Which Users Can Log On
• Configuring Dial-In Settings
• Practice: Modifying User Account Properties

Slide 15: Local Users and Groups Snap-In, New User Dialog Box

Slide 16: Local User Account Options
• User Name: A unique name based on naming conventions; required.
• Full Name: Complete name of the user; determines which person belongs to an account; optional.
• Description: Useful for identifying users; optional.
• User Cannot Change Password: Only administrators are allowed to control passwords.
• Password Never Expires: Password will never change.
• User Must Change Password At Next Logon: Requires user to change password when logging on the first time.
• Account Is Disabled: Prevents use of the user’s account.

Slide 17: Creating Domain User Accounts
• Use the Active Directory Users and Computers console to create, delete, or disable domain user accounts on the domain controller, or local user accounts on any computer in the domain.
• The user logon name defaults to the domain in which the domain user account is being created.
• With proper permissions, any domain can be selected to create domain user accounts.
• The container must be selected to create the new account.
• Create the account in the default Users container or in a container that is created to hold domain user accounts.

Slide 18: Active Directory Users and Computers Console

Slide 19: User Name Options
• First Name: The user’s first name.
• Initials: The user’s initials.
• Last Name: The user’s last name.
• Full Name: The user’s complete name.
• User Logon Name: Uniquely identifies the user throughout the entire network.
• User Logon Name (Pre-Windows 2000): User’s unique logon name that is used to log on from earlier versions of Windows; entry is required and must be unique within the domain.

Slide 20: New Object-User Dialog Box

Slide 21: Password Options
• Password: Used to authenticate the user.
• Confirm Password: Confirmation that the password was typed correctly.
• User Must Change Password At Next Logon: Requires user to change password when logging on the first time.
• User Cannot Change Password: Only administrators are allowed to control passwords.
• Password Never Expires: Password will never change.
• Account Is Disabled: Prevents use of the user’s account.
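The fields of the New Object-User dialog on slides 19 to 21 map onto parameters of New-ADUser. The PowerShell below is an added example, not part of the slide deck; it requires the ActiveDirectory module (part of RSAT) and an account allowed to create objects in the target container. The domain name, OU path and user details are placeholders.

```powershell
# Added example, not from the slides: the New Object-User dialog fields as
# New-ADUser parameters. Domain, container and user data are placeholders.
Import-Module ActiveDirectory

$domainDns = 'corp.example'                     # placeholder DNS domain name
$container = 'OU=Staff,DC=corp,DC=example'      # placeholder OU; the default Users container would be CN=Users,DC=corp,DC=example
$given     = 'Jane'
$initials  = 'Q'
$surname   = 'Doe'
$logonName = 'jdoe'                             # User Logon Name (Pre-Windows 2000), the sAMAccountName

# Password: read as a SecureString so it never appears on the command line or in history
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for $logonName"

$newUser = @{
    Name                  = "$given $surname"
    GivenName             = $given
    Initials              = $initials
    Surname               = $surname
    DisplayName           = "$given $surname"      # Full Name
    SamAccountName        = $logonName
    UserPrincipalName     = "$logonName@$domainDns" # User Logon Name, user@domain
    Path                  = $container              # the container selected in the console
    AccountPassword       = $initialPassword
    ChangePasswordAtLogon = $true                   # User Must Change Password At Next Logon
    PasswordNeverExpires  = $false                  # the dialog does not allow this together with the line above
    CannotChangePassword  = $false                  # User Cannot Change Password
    Enabled               = $true                   # Account Is Disabled left unchecked
    Description           = 'Constructed sample account'
}
New-ADUser @newUser

# Read the object back: these are the same options shown on the Account tab
Get-ADUser -Identity $logonName -Properties Initials, PasswordNeverExpires, CannotChangePassword, Description |
    Select-Object SamAccountName, UserPrincipalName, Initials, Enabled, PasswordNeverExpires, CannotChangePassword, Description
```

New-ADUser creates the account disabled unless Enabled is set and a password that meets domain policy is supplied, so a failed password check leaves a disabled object behind; the read-back at the end shows which state the account ended up in.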
Slide 22: User Account Properties
• A default set of properties is associated with each user account created.
• Personal and account properties, logon options, and dial-in settings can be configured after creating a user account.
• Account properties equate to object attributes for domain users.
• Detailed definitions should be provided for each domain user account created.
• Properties defined for a domain user account can be used to search the directory or for use in other applications as objects’ attributes.

Slide 23: Properties Dialog Box Tabs
• General: User’s first name, last name, display name, description, office location, telephone number(s), e-mail address, home page, and additional Web pages
• Address: User’s street address, post office box, city, state or province, zip or postal code, and country or region
• Account: User’s logon name, logon hours, computers permitted to log on to, account options, and account expiration
• Profile: Profile path, logon script path, home directory, and shared document folder
• Telephones: User’s home, pager, mobile, fax, and IP telephone numbers, and spaces for comments
• Organization: User’s title, department, company, manager, and direct reports

Slide 24: Additional Properties Dialog Box Tabs
• Remote Control: Terminal Services remote control settings
• Terminal Services Profile: Terminal Services user profile
• Member Of: Groups to which the user belongs
• Dial-In: Dial-in properties for the user
• Environment: Terminal Services startup environment
• Sessions: Terminal Services timeout and reconnection settings

Slide 25: Address Tab of the Properties Dialog Box

Slide 26: Account Tab of the Properties Dialog Box

Slide 27: Additional Account Options
• Store Password Using Reversible Encryption: Enables Macintosh users to log on
• Smart Card Is Required For Interactive Logon: Allows a user to log on with a smart card
• Account Is Trusted For Delegation: Allows a user to assign responsibility for management and administration of a portion of the namespace to another user, group, or organization
• Account Is Sensitive And Cannot Be Delegated: Prevents the account from being assigned for delegation by another account
• Use DES Encryption Types For This Account: Provides the Data Encryption Standard (DES)
• Do Not Require Kerberos Preauthentication: Removes Kerberos preauthentication for accounts using another implementation of Kerberos
• Account Expires: Sets account expiration dates
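Each check box on this slide is a bit of the userAccountControl attribute, so the options can be audited across a domain rather than one Account tab at a time. The PowerShell below is an added example, not part of the slide deck: the decoding function uses the documented flag values, the sample objects are constructed, and the commented live query at the end needs the ActiveDirectory module and read access to the domain.

```powershell
# Added example, not from the slides: decode userAccountControl and flag the
# options that reduce an account's protection. Sample values are constructed.

$UacFlags = [ordered]@{
    ACCOUNTDISABLE             = 0x0002    # Account Is Disabled
    PASSWD_NOTREQD             = 0x0020    # no password required at all
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080    # Store Password Using Reversible Encryption
    DONT_EXPIRE_PASSWORD       = 0x10000   # Password Never Expires
    SMARTCARD_REQUIRED         = 0x40000   # Smart Card Is Required For Interactive Logon
    TRUSTED_FOR_DELEGATION     = 0x80000   # Account Is Trusted For Delegation
    NOT_DELEGATED              = 0x100000  # Account Is Sensitive And Cannot Be Delegated
    USE_DES_KEY_ONLY           = 0x200000  # Use DES Encryption Types For This Account
    DONT_REQ_PREAUTH           = 0x400000  # Do Not Require Kerberos Preauthentication
}

# Options that weaken the account and deserve a documented reason
$WeakFlags = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'DONT_EXPIRE_PASSWORD',
             'TRUSTED_FOR_DELEGATION', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH'

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)] [int]$Value)
    $set = foreach ($name in $UacFlags.Keys) {
        if (($Value -band $UacFlags[$name]) -ne 0) { $name }
    }
    [pscustomobject]@{
        Value     = $Value
        Flags     = @($set)
        WeakFlags = @($set | Where-Object { $WeakFlags -contains $_ })
    }
}

# Constructed sample objects; Get-ADUser -Properties userAccountControl returns the same shape
$samples = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';     userAccountControl = 0x200 }                         # NORMAL_ACCOUNT only
    [pscustomobject]@{ SamAccountName = 'svc-old';  userAccountControl = 0x200 -bor 0x10000 -bor 0x400000 } # never expires, no preauth
    [pscustomobject]@{ SamAccountName = 'mac-user'; userAccountControl = 0x200 -bor 0x80 }               # reversible encryption
)

$samples | ForEach-Object {
    $d = ConvertFrom-UserAccountControl -Value $_.userAccountControl
    [pscustomobject]@{ SamAccountName = $_.SamAccountName; Flags = ($d.Flags -join ','); Review = ($d.WeakFlags -join ',') }
} | Format-Table -AutoSize

# Live audit (uncomment where the ActiveDirectory module is available):
# Import-Module ActiveDirectory
# Get-ADUser -Filter * -Properties userAccountControl | ForEach-Object {
#     $d = ConvertFrom-UserAccountControl -Value $_.userAccountControl
#     if ($d.WeakFlags) { [pscustomobject]@{ SamAccountName = $_.SamAccountName; Review = ($d.WeakFlags -join ',') } }
# }
```

Reversible encryption, DES-only keys and disabled preauthentication each exist for compatibility with a specific older client; the audit output is the list of accounts for which that compatibility need should be confirmed or the option cleared.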
Slide 28: Logon Hours Dialog Box

Slide 29: Setting Logon Hours
• Controls when a user can log on to the domain.
• Reduces the amount of time that the account is open to unauthorized access.
• Limits the hours users can explore the network.
• By default, Windows 2000 permits access for all hours on all days.

Slide 30: Logon Workstation Dialog Box

Slide 31: Setting Logon Options
• Setting logon options for the domain user account allows you to control the computers from which a user can log on to the domain.
• Setting the computers from which a user can log on prevents users from accessing another user’s data that is stored on that user’s computer.
• By default, each user can log on from all computers in the domain.
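The three Account Options from slide 13 (logon hours, logon workstations and account expiration, detailed on slides 28 to 31) can be set and verified without the dialogs. The PowerShell below is an added example, not part of the slide deck; it needs the ActiveDirectory module, and the user name, workstation names and time window are placeholders. The logonHours encoding is the directory's 168-bit week mask (one bit per hour from Sunday 00:00, interpreted in UTC, bit 0 of byte 0 first); the decoder at the end lets you compare the result with the Logon Hours dialog, which displays local time.

```powershell
# Added example, not from the slides: logon hours, logon workstations and
# account expiration via the ActiveDirectory module. Names are placeholders.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Builds the 21-byte logonHours value: 168 bits, one per hour of the week,
    # starting with Sunday 00:00 UTC; bit 0 of byte 0 is the first hour.
    param(
        [int[]]$Days,          # 0 = Sunday ... 6 = Saturday
        [int]$StartHourUtc,    # inclusive, 0-23
        [int]$EndHourUtc       # exclusive, 1-24
    )
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHourUtc; $h -lt $EndHourUtc; $h++) {
            $bit  = $d * 24 + $h
            $byte = [int][Math]::Floor($bit / 8)
            $mask[$byte] = [byte]($mask[$byte] -bor (1 -shl ($bit % 8)))
        }
    }
    return ,$mask     # leading comma keeps the byte[] intact on output
}

function ConvertFrom-LogonHoursMask {
    # Inverse of the above: per day, the UTC hours in which logon is allowed.
    param([byte[]]$Mask)
    $days = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    for ($d = 0; $d -lt 7; $d++) {
        $hours = for ($h = 0; $h -lt 24; $h++) {
            $bit = $d * 24 + $h
            if (($Mask[[int][Math]::Floor($bit / 8)] -band (1 -shl ($bit % 8))) -ne 0) { $h }
        }
        [pscustomobject]@{ Day = $days[$d]; AllowedHoursUtc = ($hours -join ',') }
    }
}

$logonName = 'jdoe'   # placeholder

# Logon hours: Monday to Friday, 07:00-19:00 UTC (the default is every hour of every day)
$mask = New-LogonHoursMask -Days (1..5) -StartHourUtc 7 -EndHourUtc 19
Set-ADUser -Identity $logonName -Replace @{ logonHours = $mask }

# Logon workstations: comma-separated NetBIOS names (default: all computers in the domain)
Set-ADUser -Identity $logonName -LogonWorkstations 'WS-FIN-01,WS-FIN-02'

# Account expiration: a fixed end date for contractor or temporary accounts
Set-ADAccountExpiration -Identity $logonName -DateTime (Get-Date).AddMonths(6)

# Read the settings back and decode the mask to compare with the Account tab
$u = Get-ADUser -Identity $logonName -Properties logonHours, LogonWorkstations, AccountExpirationDate
$u | Select-Object SamAccountName, LogonWorkstations, AccountExpirationDate
ConvertFrom-LogonHoursMask -Mask $u.logonHours | Format-Table -AutoSize
```

Logon hours are checked at logon and, by default, do not end a session already in progress; the workstation list is enforced only for interactive logons that present a NetBIOS computer name, so the two settings narrow the window and the entry points rather than replacing the other controls on the account.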
Slide 32: Options on the Dial-In Tab
• Allow Access
• Deny Access
• Control Access Through Remote Access Policy
• Verify Caller-ID
• Callback Options
  • No Callback
  • Set By Caller
  • Always Callback To
• Assign A Static IP Address
• Apply Static Routes
• Static Routes

Slide 33: Creating User Profiles
• User Profiles
• Local User Profiles
• Roaming User Profiles
• Mandatory User Profiles
• Practice: Managing User Profiles

Slide 34: User Profile Overview
• A collection of folders and data that stores the user’s current desktop environment, application settings, and personal data
• Contains all network connections established when a user logs on to a computer
• Maintains consistency of desktop environments; provides each user with the same desktop environment used the last time that user logged on

Slide 35: User Profiles: Advantages to Users
• Multiple users can use the same computer; each user receives their own desktop settings at logon.
• When logging on to their workstation, users receive the same desktop settings as existed when they logged off.
• Customization of the desktop environment by one user does not affect another user’s settings.
• Roaming user profile: User profile stored on a server, which follows that user to any computer running Windows NT 4.0 or Windows 2000 on the network.
• Application settings are retained for applications that are Windows 2000-certified.

Slide 36: User Profiles: Administrative Advantages
• Allows creation of a default user profile that is appropriate for the user’s task
• Allows a mandatory user profile to be established that does not save changes made by the user to the desktop settings
• Allows specific default user settings to be included in all of the individual user profiles

Slide 37: Profile Types
• Local user profile: Created upon first logon to a computer and stored on the computer’s local hard disk; changes are saved on the computer on which changes are made.
• Roaming user profile: Created by the system administrator and stored on a server; changes are updated on the server.
• Mandatory user profile: A roaming profile used to specify particular settings for individuals or an entire group of users; changes made by the user are discarded.

Slide 38: User Profile Contents
• Local user profiles are stored in the C:\Documents and Settings\user-logon-name folder.
• Roaming user profiles are stored in a shared folder on the server.
• Use the My Documents folder to centralize all user settings and personal documents into a single folder that is part of the user profile.
• Windows 2000 automatically sets up the My Documents folder, which is the default location for storing users’ data for Microsoft applications.
• Home directories can also contain files and programs for a user.
Slide 39: Contents of a User Profile Folder
• Application Data folder
• Cookies folder
• Desktop folder
• Favorites folder
• FrontPageTempDir folder
• Local Settings folder
• My Documents folder
• My Pictures folder
• NetHood folder
• PrintHood folder
• Recent folder
• SendTo folder
• Start Menu folder
• Templates folder
• NTUSER.DAT file

Slide 40: Local User Profiles
• Windows 2000 creates a local user profile the first time a user logs on at a computer, storing the profile on that computer.
• The local user profile is stored in the C:\Documents and Settings\user_logon_name folder.
• When logging on to Windows 2000, users always receive their individual desktop settings and connections, regardless of how many users share the same client computer.
• When a user logs off, Windows 2000 incorporates the changes into the user profile stored on the computer.

Slide 41: Roaming User Profiles
• Roaming user profiles support users who work at multiple computers.
• Roaming user profiles are stored on the network server and are available to the user no matter where the user logs on in the domain.
• Users always receive their own individual desktop settings and connections.
• The first time a user logs on at a computer, Windows 2000 copies all documents to the local computer.
• When a user logs off, Windows 2000 copies changes back to the server where the profile is stored.

Slide 42: Profile Path for a Roaming User Profile

Slide 43: Copying a User Profile Template

Slide 44: Mandatory User Profiles
• A mandatory user profile is a read-only roaming user profile.
• The next time that the user logs on, the profile is the same as the last time that user logged on.
• One mandatory profile can be assigned to multiple users who require the same desktop settings.
• By changing one profile, several users’ desktop environments can be changed.
• Users can modify the desktop settings of the computer while they are logged on, but none of these changes is saved when they log off.

Slide 45: Creating a Mandatory User Profile
• A hidden file called NTUSER.DAT contains that section of the Windows 2000 system settings that applies to the individual user account and contains the user environment settings.
• This hidden file becomes a read-only file if you change its name to NTUSER.MAN.

Slide 46: Creating Home Directories
• Introducing Home Directories
• Creating Home Directories on a Server

Slide 47: Home Directory Overview
• Folder that can be provided to users to store personal documents in addition to the My Documents folder
• Sometimes the default folder for saving documents in older applications
• Stored on a client computer or in a shared folder on a file server
• Not a member of a roaming user profile
• Does not affect network traffic during the logon process

Slide 48: Home Directory Advantages
• Users can gain access to their home directories from any client computer on the network.
• Backing up and administration of user documents are centralized.
• Home directories are accessible from a client computer running any Microsoft operating system.

Slide 49: Creating Home Directories
• Permission to administer the object in which the user accounts reside is mandatory.
• When %username% is used to name a folder on an NTFS volume, the user is assigned the NTFS Full Control permission.
• All other permissions are removed from the folder, including those for the Administrator account.
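The server-side steps from slides 42 to 45 (profile path, copied template, NTUSER.DAT renamed to NTUSER.MAN) and from slide 49 (home directory with the user as the only principal holding Full Control) share the same setup, so one example serves both. The PowerShell below is an added example, not part of the slide deck: it needs the ActiveDirectory module, rights on the file server and on the user object, and the share paths, NetBIOS domain and user name are placeholders. It assumes the template profile has already been copied to the share with the Copy To dialog shown on slide 43.

```powershell
# Added example, not from the slides: mandatory profile and home directory on
# a file server, then both paths stored on the user object. Placeholders throughout.
Import-Module ActiveDirectory

$domainNetbios = 'CORP'                 # placeholder
$logonName     = 'jdoe'                 # placeholder
$profileShare  = '\\FS01\Profiles$'     # placeholder hidden share holding the profile template
$homeShare     = '\\FS01\Home$'         # placeholder hidden share for home directories

# --- Mandatory profile (slides 43-45) --------------------------------------
# The template profile already sits in the share; renaming its hidden
# NTUSER.DAT to NTUSER.MAN makes Windows discard changes at logoff.
$profilePath = Join-Path $profileShare 'Mandatory'
$ntuser = Join-Path $profilePath 'NTUSER.DAT'
if (Test-Path -Path $ntuser) {
    Rename-Item -Path $ntuser -NewName 'NTUSER.MAN' -Force    # -Force: the file is hidden
}
Get-ChildItem -Path $profilePath -Force -Filter 'NTUSER.*' | Select-Object Name, Attributes

# --- Home directory (slides 49-50) -----------------------------------------
# The dialog expands %username% to the logon name; Set-ADUser does not, so build the path here.
$homePath = Join-Path $homeShare $logonName
New-Item -ItemType Directory -Path $homePath -Force | Out-Null

# Mirror what the dialog does on an NTFS volume: remove inherited permissions and
# grant the user Full Control. No other principal, not even Administrators, is left in the DACL.
icacls $homePath /inheritance:r /grant:r "${domainNetbios}\${logonName}:(OI)(CI)F"

# --- Point the user object at both folders (slides 42 and 50) --------------
Set-ADUser -Identity $logonName -ProfilePath $profilePath -HomeDirectory $homePath -HomeDrive 'H:'

# Verify: the Profile tab values and the explicit ACL on the folder
Get-ADUser -Identity $logonName -Properties ProfilePath, HomeDirectory, HomeDrive |
    Select-Object SamAccountName, ProfilePath, HomeDirectory, HomeDrive
(Get-Acl -Path $homePath).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```

Two caveats a practitioner would want: removing Administrators from the DACL, as the slide describes, keeps the folder out of casual browsing but not out of reach, since an administrator can still take ownership and backup software running with the backup privilege still reads it; and current Windows versions append a version suffix to the roaming profile folder name (for example .V6 on Windows 10), so the share needs a folder with that suffix for the profile to be used.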
Slide 50: Specifying a Path to a Home Directory Folder

Slide 51: Maintaining User Accounts
• Disabling, Enabling, Renaming, and Deleting User Accounts
• Resetting Passwords
• Unlocking User Accounts
• Practice: Administering User Accounts

Slide 52: Maintaining User Accounts Overview
• The needs of an organization might require the modification of user accounts.
• Modifications of user accounts are based on personnel changes or personal information.
• You make changes to the user account object in Active Directory to modify a user account.
• You must have permission to administer the object in which the user accounts reside.

Slide 53: Modifications Affecting Functionality of User Accounts
• Disabling and enabling a user account
• Renaming a user account
• Deleting a user account

Slide 54: Disabling, Enabling, Deleting, or Renaming User Accounts

Slide 55: Resetting Passwords
• Reset a password if a user’s password expires before it can be changed, or if a user forgets the password.
• It is not necessary to know the old password.
• Once the password is set, it is not visible to any user, including the administrator, thus improving security.

Slide 56: Unlocking User Accounts
• A Windows 2000 group policy locks out a user account when the user violates the policy.
• When a user account is locked out, Windows 2000 displays an error message.
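The maintenance tasks from slides 51 to 56 (disable, enable, rename, delete, reset a password, unlock) as one sequence. The PowerShell below is an added example, not part of the slide deck; it needs the ActiveDirectory module and permission on the user object, and the user name, the new names and the domain are placeholders.

```powershell
# Added example, not from the slides: account maintenance with the
# ActiveDirectory module. Names and the domain are placeholders.
Import-Module ActiveDirectory

$logonName = 'jdoe'   # placeholder

# --- Disable / enable (slide 53) -------------------------------------------
# Disable rather than delete when someone leaves: the object keeps its SID,
# group memberships and permissions, so it can be re-enabled or handed over.
Disable-ADAccount -Identity $logonName
Get-ADUser -Identity $logonName | Select-Object SamAccountName, Enabled
Enable-ADAccount -Identity $logonName

# --- Rename (slide 53) -----------------------------------------------------
# The display name (the object's CN) and the two logon names are separate attributes.
$user = Get-ADUser -Identity $logonName
Rename-ADObject -Identity $user.DistinguishedName -NewName 'Jane Smith'
Set-ADUser -Identity $logonName -SamAccountName 'jsmith' -UserPrincipalName 'jsmith@corp.example' `
    -Surname 'Smith' -DisplayName 'Jane Smith'
$logonName = 'jsmith'

# --- Reset a password (slide 55): the old password is not needed -----------
$temporary = Read-Host -AsSecureString -Prompt "Temporary password for $logonName"
Set-ADAccountPassword -Identity $logonName -Reset -NewPassword $temporary
Set-ADUser -Identity $logonName -ChangePasswordAtLogon $true   # the user then sets a password only they know

# --- Unlock (slide 56): look at why it locked before unlocking --------------
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate
Get-ADUser -Identity $logonName -Properties LockedOut, lockoutTime, LastBadPasswordAttempt |
    Select-Object SamAccountName, LockedOut, LastBadPasswordAttempt,
        @{ n = 'LockoutTime'; e = { if ($_.lockoutTime -gt 0) { [DateTime]::FromFileTimeUtc($_.lockoutTime) } } }
Unlock-ADAccount -Identity $logonName

# --- Delete (slide 53): only when the SID must never be reused --------------
# Remove-ADUser -Identity $logonName -Confirm:$false
```

A lockout that recurs right after each unlock usually comes from a stored credential (a mapped drive, a scheduled task or a service) still presenting the old password; the LastBadPasswordAttempt and LockoutTime columns narrow down when that happens, and the source computer is recorded in the domain controller's security log.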