Managing User, Computer and Group Accounts - PowerPoint PPT Presentation
Slides: 14
Provided by: Gla3
1
Managing User, Computer and Group Accounts
  • Lecture 5

2
Computer Accounts
  • To access a Windows 2003 domain a computer needs an
    account
  • Joining a domain creates a computer account
    object in the AD
  • Each computer account has a SID (other security
    principals, such as users and groups, have SIDs as
    well)

3
User Accounts
  • To access a Windows 2003 network a user needs an
    account
  • The account determines 3 factors: when a user may
    log on, where within the domain/workgroup, and
    what privilege level the user is assigned

4
User Accounts
  • Each account has a SID that serves as its security
    credential
  • Any object trying to access a resource must do it
    through a user account
  • Windows 2003 has 2 types of accounts: local and
    domain

5
Interactive Logon Process
  • Interactive logon: the process of verifying a user's
    credentials for logon to a Win2003 computer
  • If it is a local account, it is checked against the
    local user account database.
  • For a domain account, the user's credentials are
    verified at a DC using an encryption process, and
    after successful authentication a logon key/logon
    token is granted for the session

6
Network Authentication Process
  • The process of verifying a user's credentials to
    allow access to network resources
  • When a user attempts to access a resource, the
    user's credentials and session key/token are
    compared against the resource's ACL to grant
    access
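The token-versus-ACL comparison on this slide can be observed on any local file system object. The following PowerShell is an added example, not part of the lecture: it lists the SIDs carried in the current logon token (the user's SID plus every group SID) next to each ACE on the resource's ACL and marks the ACEs whose trustee is present in the token. It is Windows-only, and the sample path ($env:SystemRoot) is an assumption.

```powershell
# Added example, not part of the lecture: show the network-authentication check
# from this slide on a local file system object. The current process token
# (user SID plus group SIDs) is listed next to each ACE on the resource's ACL,
# marking the ACEs whose trustee is present in the token. Windows only; the
# path is an assumed sample ($env:SystemRoot, i.e. C:\Windows).

function Get-TokenAceMatches {
    param([Parameter(Mandatory)] [string] $Path)

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # The SIDs carried in the logon token: the user's own SID plus every group SID.
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # ACEs store a trustee; translate it to its SID so it can be compared with the token.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $null   # unresolvable (orphaned) trustee: never matches a live token
        }
        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            InToken   = ($null -ne $sid -and $tokenSids -contains $sid)
            Type      = $ace.AccessControlType     # Allow or Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Usage: only ACEs with InToken = True take part in the access decision for
# this token; an explicit Deny ACE whose trustee is in the token wins over
# Allow ACEs for the same rights.
Get-TokenAceMatches -Path $env:SystemRoot | Format-Table -AutoSize
```

Comparing on SIDs rather than on account names is deliberate: the token and the ACL both hold SIDs, and a renamed account keeps its SID, which is why a rename (slide 11) does not change what the user can access.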

7
Local Accounts
  • Supported on all Windows 2000 and 2003 systems
    except DCs (on member servers participating in
    domains and on standalone systems participating
    in workgroups)
  • Maintained on the local system, not distributed
    to other systems
  • A local user account authenticates the user for
    local machine access only; access to resources on
    other computers is not supported
  • Built-in local accounts: Guest, Administrator

8
Domain User Accounts
  • Permit access throughout a domain and provide
    centralized user administration through AD
  • Created within a domain container in AD database
    and propagated to all other DCs
  • Once authenticated against the AD database using
    the GC, a user obtains an access token for the
    logon session, which determines permissions to all
    resources in the domain

9
Naming Conventions
  • RDN (relative distinguished name): an attribute of
    the object itself, a unique name. E.g.
    3rdFloorPrinter or JSmith.
  • DN (distinguished name): defines the domain and
    related container in which an object resides.
    Adds the RDN to the OU and domain names. E.g.
    CN=myserver,CN=Computers,DC=islab,DC=451m
  • UPN (user principal name): a friendly naming
    convention. Combines the user account name with the
    DNS domain name. No OU is referenced. E.g.
    dglazer@islab.451m or bgates@microsoft.com.
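The three name forms on this slide are built from the same components (RDN, containers, DNS domain). The PowerShell below is an added example, not from the lecture: it assembles a DN and a UPN from those components and splits a DN back into its RDNs, using the slide's own sample values (myserver, Computers, islab.451m, dglazer). It is pure string handling and needs no domain connection; the function names are this example's own.

```powershell
# Added example (not from the lecture slides): build the AD name forms from their
# components, and split a DN back into its RDNs. Pure string handling; no domain
# connection required. Sample values are the slide's own examples.

function New-DistinguishedName {
    param(
        [Parameter(Mandatory)] [string]   $Rdn,                 # e.g. 'myserver'
        [string]                          $RdnType = 'CN',      # CN for users/computers, OU for org units
        [string[]]                        $ContainerPath = @(), # leaf first: 'CN=Computers' or 'OU=Sales','OU=EMEA'
        [Parameter(Mandatory)] [string]   $DnsDomain            # e.g. 'islab.451m'
    )
    # Each DNS label becomes one DC= component; the object's RDN and its containers come first.
    $dcParts = ($DnsDomain -split '\.') | ForEach-Object { "DC=$_" }
    $parts   = @("$RdnType=$Rdn") + $ContainerPath + $dcParts
    return ($parts -join ',')
}

function New-UserPrincipalName {
    param(
        [Parameter(Mandatory)] [string] $LogonName,
        [Parameter(Mandatory)] [string] $DnsDomain
    )
    # UPN = logon name + '@' + DNS domain; no container (OU) appears in it.
    return "$LogonName@$DnsDomain"
}

function Split-DistinguishedName {
    param([Parameter(Mandatory)] [string] $Dn)
    # Split on commas that are not escaped with a backslash, then each RDN on its first '='.
    # The first element returned is the object's own relative distinguished name.
    foreach ($rdn in ($Dn -split '(?<!\\),')) {
        $type, $value = $rdn -split '=', 2
        [pscustomobject]@{ Type = $type; Value = $value }
    }
}

# Usage with the slide's examples: a computer object in the Computers container
# of islab.451m, and a user logon name in the same domain.
$dn  = New-DistinguishedName -Rdn 'myserver' -ContainerPath 'CN=Computers' -DnsDomain 'islab.451m'
$upn = New-UserPrincipalName -LogonName 'dglazer' -DnsDomain 'islab.451m'
"DN : $dn"
"UPN: $upn"
Split-DistinguishedName -Dn $dn | Format-Table -AutoSize
```

The split handles escaped commas (`\,`) inside an RDN value such as `CN=Smith\, John`, which a plain `-split ','` would break apart.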

10
Creating User Accounts
  • Domain account names must be unique within the
    domain, although the same logon name can be used
    on several systems with local logon.
  • Logon names are not case sensitive, must not
    contain more than 20 chars, and must not contain
    ?, <, >, /, \ or the other reserved characters.
  • Passwords are case sensitive and must be secure
    (not easy to guess)
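The rules on this slide can be checked before an account is created. The PowerShell below is an added example, not from the lecture: it validates a proposed logon name for length, reserved characters and a case-insensitive clash with names already in the domain. The list of existing names is a constructed sample; the reserved-character set is an assumption taken from Microsoft's documented list for sAMAccountName, of which the slide transcript shows only ? < > / \ legibly.

```powershell
# Added example, not from the slides: validate a proposed logon name
# (sAMAccountName) against this slide's rules before creating the account.
# The existing-name list below is a constructed sample. ASSUMPTION: the
# reserved character set is Microsoft's documented list for sAMAccountName.

function Test-LogonName {
    param(
        [Parameter(Mandatory)] [string] $LogonName,
        [string[]]                      $ExistingNames = @()
    )
    $problems = @()

    if ($LogonName.Length -gt 20) {
        $problems += "is longer than 20 characters ($($LogonName.Length))"
    }

    # Reserved characters: " / \ [ ] : ; | = , + * ? < >
    $reserved = [char[]]'"/\[]:;|=,+*?<>'
    $bad = @($LogonName.ToCharArray() | Where-Object { $reserved -contains $_ } | Select-Object -Unique)
    if ($bad.Count -gt 0) {
        $problems += "contains reserved character(s): $($bad -join ' ')"
    }

    # Logon names are not case sensitive, so 'JSmith' and 'jsmith' are the same account.
    $clash = $ExistingNames | Where-Object { $_ -ieq $LogonName } | Select-Object -First 1
    if ($clash) {
        $problems += "already exists in the domain as '$clash'"
    }

    [pscustomobject]@{
        LogonName = $LogonName
        Valid     = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Constructed sample of names already present in the domain.
$existing = @('JSmith', 'bgates', 'dglazer')

# One clash (case differs only), one reserved character, one too long, one valid.
@('jsmith', 'j.smith?', 'averyveryverylongusername21', 'mjones') |
    ForEach-Object { Test-LogonName -LogonName $_ -ExistingNames $existing } |
    Format-Table -AutoSize
```

Against a live domain the existing names would come from the ActiveDirectory module, for instance `$existing = (Get-ADUser -Filter *).SamAccountName`, which is why the check takes the list as a parameter instead of querying AD itself.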

11
Copying, Moving, Disabling and Renaming User Accounts
  • Renaming an account doesn't affect any of the user
    account properties, except the name.
  • Accounts can be moved from one container to
    another
  • Disabled accounts can't be accessed
  • When an account is copied, most properties are
    copied, except the username, full name, password,
    logon hours, address/phone info, organization
    info, the "Account is disabled" option, and user
    rights and permissions.

12
Deleting User and Computer Accounts
  • Deleting an account permanently removes it, and
    all of its group memberships, permissions and
    user rights. A new account with the same name
    has a different SID and GUID
  • Disabling an account may be a better option!
  • Administrator and Guest can be renamed, but not
    deleted
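Slides 11 and 12 together describe the operational choice: move, rename and disable keep the account's SID and GUID, while delete destroys them. The PowerShell below is an added example, not from the lecture, of the "disable rather than delete" approach using the ActiveDirectory module (RSAT) cmdlets: it records the SID, GUID and group memberships, disables the account, annotates it and moves it to a retirement OU, with `-WhatIf` support for a preview. The OU `OU=Retired Accounts,DC=islab,DC=451m` and the function names are assumptions; the second function compares a saved record with the account as it exists now, which is what shows a recreated account's SID and GUID differing.

```powershell
# Added example (not from the slides): retire a user by disabling and moving it
# instead of deleting it, so its SID and GUID (and with them its group
# memberships and ACL entries) survive. Requires the ActiveDirectory module.
# ASSUMPTIONS: the OU 'OU=Retired Accounts,DC=islab,DC=451m' exists and the
# caller has rights to modify the user object.

function Disable-RetiredUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $RetiredOu = 'OU=Retired Accounts,DC=islab,DC=451m',
        [string] $Reason    = 'left organisation'
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties Description, MemberOf

    # Record what a delete would have destroyed: the SID, the GUID and the memberships.
    $record = [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        SID            = $user.SID.Value
        ObjectGUID     = $user.ObjectGUID
        Groups         = @($user.MemberOf)
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable and move to retired OU')) {
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description ('Retired {0:yyyy-MM-dd}: {1}' -f (Get-Date), $Reason)
        # Move-ADObject changes only the DN (the container); SID, GUID and memberships are untouched.
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $RetiredOu
    }
    return $record
}

function Compare-AccountIdentity {
    # Compare a saved record with the account that currently holds the same logon name.
    param(
        [Parameter(Mandatory)] $Record,
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    $now = Get-ADUser -Identity $SamAccountName
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        SameSID        = ($Record.SID -eq $now.SID.Value)
        SameGUID       = ($Record.ObjectGUID -eq $now.ObjectGUID)
        GroupsKept     = @($Record.Groups).Count
    }
}

# Usage:
#   $saved = Disable-RetiredUser -SamAccountName 'jsmith' -WhatIf   # preview, no changes
#   $saved = Disable-RetiredUser -SamAccountName 'jsmith'
#   Compare-AccountIdentity -Record $saved -SamAccountName 'jsmith'
```

Because the identity record is returned rather than only displayed, it can be kept with the change ticket; if the account is ever deleted and recreated, running the comparison against the saved record makes the slide's point visible, since the new object's SID and GUID will not match and every ACL entry and group membership tied to the old SID is orphaned.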

13
Understanding User Account Properties
  • As with all AD objects, user accounts have a
    number of associated properties or attributes
  • Once the account is created, those properties
    may be modified using the Computer Management tool
    (local accounts) or AD Users and Computers
    (domain accounts)