Chapter 8: Managing Accounts and Client Connectivity - PowerPoint PPT Presentation

Provided by: michae1307
1
Chapter 8: Managing Accounts and Client Connectivity
2
Learning Objectives
  • Establish account naming conventions
  • Configure account security policies
  • Create and manage accounts, including setting up
    a new account, configuring account properties,
    delegating account management, and renaming,
    disabling, and deleting an account

3
Learning Objectives (continued)
  • Create local user profiles, roaming profiles, and
    mandatory profiles
  • Configure client network operating systems to
    access Windows 2000 Server, and install client
    operating systems through Remote Installation
    Services

4
Sample Naming Conventions
  • Last name followed by the initial of the first
    name
  • First name initial followed by the last name
  • Username based on the position in the
    organization
  • Username based on the function in the organization

5
Naming Tip
  • For accounts that handle money, payroll,
    budgeting, or accounting transactions, financial
    auditors typically prefer that accounts are named
    for individuals

6
Account Policies
  • Account policies: security measures set up in a
    group policy, such as for a domain or local
    computer
  • Account policies particularly focus on:
      • Password security
      • Account lockout
      • Kerberos security

7
Configuring Account Policies
  • Use the Group Policy MMC snap-in to set up
    account policies

8
Setting Account Policies
Figure 8-1 Account policies
9
Password Policy Options
  • Enforce password history: Enables you to require
    users to choose new passwords when they make a
    password change, because the system can remember
    the previously used passwords
  • Maximum password age: Permits you to set the
    maximum time allowed until a password expires
  • Minimum password age: Permits you to specify that
    a password must be used a minimum amount of time
    before it can be changed

10
Password Policy Options (continued)
  • Minimum password length: Enables you to require
    that passwords are a minimum length
  • Passwords must meet complexity requirements:
    Enables you to create a filter of customized
    password requirements that each account password
    must follow
  • Store password using reversible encryption for
    all users in the domain: Enables passwords to be
    stored in reversible encrypted format
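
The password policy options on slides 9 and 10 are evaluated together when a user changes a password. The following Python sketch is an added example, not part of the presentation or of Windows: the class and function names, the policy values, the "three of four character classes" complexity filter and the salted PBKDF2 history store are all assumptions for illustration.

```python
import hashlib, os
from dataclasses import dataclass, field

@dataclass
class PasswordPolicy:          # constructed values, not recommendations
    history: int = 3           # Enforce password history (passwords remembered)
    max_age_days: int = 42     # Maximum password age
    min_age_days: int = 1      # Minimum password age
    min_length: int = 8        # Minimum password length
    complexity: bool = True    # Passwords must meet complexity requirements

@dataclass
class Account:
    last_change_day: int = 0
    history: list = field(default_factory=list)  # (salt, hash) pairs, newest last

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)

def _complex(pw):
    # Assumed filter: at least three of lower, upper, digit, symbol.
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return sum(classes) >= 3

def violations(policy, acct, new_pw, today):
    """Return the policy options that a requested change would violate."""
    found = []
    if acct.history and today - acct.last_change_day < policy.min_age_days:
        found.append("minimum password age")
    if len(new_pw) < policy.min_length:
        found.append("minimum password length")
    if policy.complexity and not _complex(new_pw):
        found.append("complexity requirements")
    recent = acct.history[-policy.history:] if policy.history else []
    if any(_hash(new_pw, salt) == digest for salt, digest in recent):
        found.append("password history")
    return found

def change(policy, acct, new_pw, today):
    """Record the new password only when no option is violated."""
    found = violations(policy, acct, new_pw, today)
    if not found:
        salt = os.urandom(16)
        acct.history.append((salt, _hash(new_pw, salt)))
        acct.last_change_day = today
    return found

def expired(policy, acct, today):
    return today - acct.last_change_day > policy.max_age_days
```

The minimum age check is what keeps the history setting meaningful: without it, a user could change passwords several times in a row and return to the original one immediately.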

11
Account Lockout Policy Options
  • Account lockout duration: Permits you to specify
    in minutes how long the system will keep an
    account locked out after reaching the specified
    number of unsuccessful logon attempts
  • Account lockout threshold: Enables you to set a
    limit to the number of unsuccessful tries to log
    onto an account

12
Account Lockout Policy Options (continued)
  • Reset account lockout count after: Enables you
    to specify the number of minutes between two
    consecutive unsuccessful logon attempts to make
    sure that the account will not be locked out too
    soon
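
The three lockout options on slides 11 and 12 interact, so the following added Python sketch (not from the presentation or from Windows itself) replays a constructed sequence of logon attempts against them. The class and function names, the policy values and the simplified counter semantics are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:            # field names are hypothetical; values are constructed
    threshold: int              # Account lockout threshold (failed attempts)
    duration_min: int           # Account lockout duration (minutes)
    reset_after_min: int        # Reset account lockout count after (minutes)

@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[int] = None
    locked_until: Optional[int] = None

def attempt(policy, state, now, password_ok):
    """Apply one logon attempt at minute `now`; return 'ok', 'failed' or 'locked'."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"                  # even a correct password is refused
        state.locked_until, state.failures = None, 0
    # Simplified assumption: the counter resets once the window has passed
    # since the most recent failure.
    if state.last_failure is not None and now - state.last_failure >= policy.reset_after_min:
        state.failures = 0
    if password_ok:
        state.failures, state.last_failure = 0, None
        return "ok"
    state.failures += 1
    state.last_failure = now
    if state.failures >= policy.threshold:
        state.locked_until = now + policy.duration_min
        return "locked"
    return "failed"

def replay(policy, events):
    """Run (minute, password_ok) events against a fresh account."""
    state = AccountState()
    return [attempt(policy, state, t, ok) for t, ok in events]

POLICY = LockoutPolicy(threshold=3, duration_min=30, reset_after_min=10)
# Constructed sample: two typos, a pause, three more failures, then correct logons.
EVENTS = [(0, False), (2, False), (15, False), (16, False), (17, False),
          (20, True), (47, True)]

if __name__ == "__main__":
    for (t, ok), result in zip(EVENTS, replay(POLICY, EVENTS)):
        print(f"minute {t:>2}  password_ok={ok!s:<5} -> {result}")
```

In the sample, the pause before minute 15 resets the counter, so the two early typos do not count toward the threshold; the lockout that starts at minute 17 then refuses the correct password at minute 20 and clears at minute 47.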

13
Kerberos Policy Options
  • Enforce user logon restrictions: Turns on
    Kerberos security, which is the default
  • Maximum lifetime for a service ticket: Determines
    the maximum amount of time in minutes that a
    service ticket can be used to continually access
    a particular service in one service session
  • Maximum lifetime for a user ticket: Determines
    the maximum amount of time in hours that a ticket
    can be used in one continuous session for access
    to a computer or domain

14
Kerberos Policy Options (continued)
  • Maximum lifetime for user ticket renewal:
    Determines the maximum number of days that the
    same Kerberos ticket can be renewed each time a
    user logs on
  • Maximum tolerance for computer clock
    synchronization: Determines how long in minutes a
    client will wait until synchronizing its clock
    with that of the server or Active Directory it is
    accessing

15
Creating Accounts
  • For a server that does not have the Active
    Directory implemented, use the Local Users and
    Groups MMC snap-in to create accounts
  • For a server that employs the Active Directory,
    use the Active Directory Users and Computers MMC
    snap-in to create accounts

16
Active Directory Users and Computers Tool
Figure 8-2 Creating a new user in a domain
17
Entering New User Information
Figure 8-3 New user information
18
Entering Account Parameters
Figure 8-4 New user account parameters
19
Configuring Account Properties
Figure 8-5 Account properties in the Active
Directory
20
Account Properties Tabs
  • General tab: Modify personal information about
    the user
  • Address tab: Provide street and city address
    information
  • Account tab: Provide account information, such as
    logon name, plus configure access restrictions,
    such as for certain days of the week and times of
    day

21
Setting Access Restrictions
Figure 8-6 Control account access by the day of
the week and time
22
Account Properties Tabs (continued)
  • Profile tab: Ability to associate a specific
    profile with an account, associate a home folder
    and drive, and associate a logon script
  • Logon script: A file that contains a series of
    commands to run each time a user logs onto his or
    her account, such as a command to map a home drive

23
Windows 2000 Server Logon Script Commands
24
Account Properties Tabs (continued)
  • Telephones: Ability to associate telephone
    contact numbers
  • Organization: Provide the account holder's title,
    department, and other information
  • Member Of: Ability to join this account to one or
    more groups of users for easier management

25
Adding an Account to a Group via the Member Of Tab
Figure 8-7 Adding an account to the Managers
and Print Operators groups
26
Account Properties Tabs (continued)
  • Dial-in: Controls remote access such as through a
    modem
  • Environment: Ability to configure the startup
    environment for clients using terminal services
  • Sessions: Configures session parameters, such as
    timeout limits, for clients using terminal
    services

27
Dial-in Access Parameters
Figure 8-8 Configuring remote access
28
Account Properties Tabs (continued)
  • Remote Control: Configures remote control
    parameters for the Administrator to view and
    manage terminal service client sessions
  • Terminal Services Profile: Ability to set up a
    user profile for a terminal services client

29
Creating an OU
  • To create an OU:
      • Click the container in which to create the OU,
        such as the domain or another OU
      • Click the Create a new organizational unit in the
        current container button
      • Enter the name of the OU
      • Click OK

30
Delegating Authority in an OU
  • To delegate authority:
      • Right-click the OU and click Delegate control
      • Click Next after the wizard starts
      • Click the Add button and specify the accounts,
        groups, or computers to have the control
      • Click OK and click Next
      • Select the tasks to delegate and click Next
      • Click Finish

31
Delegation of Control Options
32
Using Find to Locate an Account
  • To locate a particular account in order to
    maintain it:
      • Right-click the domain
      • Click Find
      • Enter the username or the account holder's name
      • Click Find Now

33
Account Maintenance Activities
  • Typical account maintenance activities include:
      • Disabling an account, such as when a user takes a
        leave of absence
      • Enabling an account, such as when a user returns
      • Renaming an account, such as when one user leaves
        and another user is hired into the same position
      • Moving an account, such as into a different OU

34
Account Maintenance Activities (continued)
  • Typical account maintenance activities include
    (continued):
      • Deleting an account, such as when a user leaves
        the organization and there will be no replacement
        person
      • Resetting a password for users who do not
        remember theirs
      • Account auditing to track certain kinds of
        activity performed by an account holder

35
Sample Events that Can be Audited for an Account
  • Logon and logoff activity
  • Account modifications through account management
    tools
  • Accesses to files and other objects (for files,
    folders, and objects that are set up to be
    audited)

36
Troubleshooting Tip
  • Use account auditing sparingly because every
    audited event is written to the Security log;
    you don't want to overload a server by devoting
    too much of its resources to auditing (consult
    your organization's management and financial
    auditors for advice on what to audit)

37
Local User Profile
  • Local user profile: A desktop setup that is
    associated with one or more accounts to determine
    what startup programs are used, additional
    desktop icons, and other customizations. A user
    profile is local to the computer on which it is
    stored.

38
Roaming Profile
  • Roaming profile: Desktop settings that are
    associated with an account so that the same
    settings are employed no matter what computer is
    used to access the account (the profile is
    downloaded to the client)

39
Mandatory User Profile
  • Mandatory User Profile: A user profile set up by
    the server administrator that is loaded from the
    server to the client each time the user logs on;
    changes that the user makes to the profile
    are not saved

40
Hardware Profile
  • Hardware Profile: A consistent setup of hardware
    components associated with one or more user
    accounts

41
Associating a Profile with an Account
Figure 8-9 Setting a roaming profile in an
account's properties
42
Active Directory Support for Non-Windows 2000
Clients
  • Plan to install Directory Service Client
    (DSClient) in Windows 95 and Windows 98 clients
  • DSClient enables non-Windows 2000 clients for:
      • Kerberos authentication
      • Ability to view objects published in the Windows
        2000 Active Directory

43
DSClient Program Location
  • Obtain the DSClient program, Dsclient.exe, from
    the Windows 2000 Server CD-ROM
  • Run this program on Windows 95 and Windows 98
    clients

44
Troubleshooting Tip
  • If the Distributed File System (Dfs) cannot be
    accessed from a Windows 95 client, run DSClient
    to install Dfs capability (Dfs client) as well as
    the capability to access the Active Directory
    (DSClient)

45
Setting Up Client Desktops Using Group Policy and
Security Policy
  • Use the Group Policy snap-in to set up group
    policies that govern clients
  • Use the System Policy Editor (Poledit.exe) to
    configure system policies when running a mixture
    of Windows NT and Windows 2000 servers

46
Group Policy and System Policy Templates
  • Windows 2000 Server comes with several templates
    already set up for using group policies or system
    policies
  • System.adm is the default group policy for
    managing Windows 2000 Professional clients

47
Administrative Templates Included with Windows
2000
48
Templates Included with Windows 2000 (continued)
49
Group Policy Options
  • A wide range of group policies can be set up to
    manage clients

50
Group Policy Components for Windows 2000 Clients
51
Group Policy Components for Windows 2000 Clients
(continued)
52
Remote Installation Services
  • Remote Installation Services (RIS): Services
    installed on a Windows 2000 Server that enable
    you to remotely install Windows 2000 Professional
    on one or more client computers

53
RIS Pre-Installation Steps
  • Purchase the appropriate number of Windows 2000
    Professional licenses
  • Make sure the Active Directory is implemented and
    that there are DHCP and DNS servers on the
    network
  • Create a Windows 2000 Professional operating
    system image
  • Create user accounts for the Windows 2000
    Professional clients

54
RIS Installation Steps
  • Installing RIS is a two-stage process:
      • First install RIS using the Control Panel
        Add/Remove Programs tool
      • Configure RIS from the Add/Remove Programs tool

55
Security Tip
  • Configure an existing DHCP server to authorize
    only specific servers to provide RIS installations

56
Installing RIS on the Client
  • Install in one of two ways:
      • Using a computer that has a boot-enabled ROM
      • Creating a remote boot disk
  • Both methods use the Preboot eXecution
    Environment (PXE): Services that enable a
    prospective client to obtain an IP address and to
    connect to a RIS server in order to install
    Windows 2000 Professional

57
Troubleshooting Tip
  • When installing a client via RIS, first make sure
    that the client computer has a NIC that is
    supported by RIS and that is on the HCL

58
Client Installation Wizard Options
59
RIS Group Policy
  • Use group policies to create different
    installation options for different groups or
    containers

60
Setting Installation Options for a Particular
Container or Group
Figure 8-10 Setting RIS installation options
through group policy
61
RIS Installation Choices
  • Allow: means that the designated capability can
    be used by the client accounts
  • Don't care: means that if a policy applies to a
    parent container, it also applies to the child
    containers
  • Deny: means that the capability cannot be used by
    the client accounts

62
Chapter Summary
  • Preparing a server and domain entails configuring
    accounts and configuring client computers
  • Before configuring accounts, consult with members
    of your organization about naming standards
  • Set up account policies before configuring
    accounts

63
Chapter Summary
  • After accounts are created, use the account
    properties capability to supplement or modify
    parameters for the accounts, such as time of day
    access restrictions
  • Configure client computers to access Windows 2000
    Server, such as installing DSClient

64
Chapter Summary
  • Manage clients by setting up group policies or
    system policies
  • Use RIS to install multiple Windows 2000
    Professional clients in order to reduce your TCO