Creating and Managing Users - PowerPoint PPT Presentation

1
Creating and Managing Users
2
Server 2003 User Accounts
  • Domain user accounts
  • Local user accounts
  • Built-in user accounts

3
Introduction to User Accounts
  • A user account is an Active Directory object
  • Used for user authentication
  • Information that defines a user (first name, last
    name, password, etc.)
  • Various configuration settings
  • Required for anyone using resources on network
  • Assists in administration and security
  • Must follow organizational standards

4
User Account Templates
  • A user account that is pre-configured with common
    settings
  • Can be copied to create new user accounts with
    pre-defined settings
  • New account is then configured with detailed
    individual settings

5
Local User Accounts
  • Allow users to log on to and gain access to
    resources on the computer where they log in
  • Created in the computer's security database
  • Not replicated to domain controllers

6
Built-In User Accounts
  • Administrator
  • Rename
  • Create a new account with administrator privileges
  • runas /user:<domain name>\<username> prog
  • Guest
  • Disabled by default

7
Naming Conventions
  • The naming convention establishes how users are
    identified in the domain.
  • Several considerations
  • User account Naming
  • Password requirements
  • Length
  • Complexity
  • History
  • Expiration
  • Account options
  • Logon hours
  • Computer restrictions
  • Etc. (additional attributes require replication)

8
Logon Name
  • Must be unique within the OU
  • 20 characters max
  • / \ < > invalid
  • Not case sensitive
  • How will you deal with duplicates
  • Services may require an account name to run

9
Password Requirements
  • Always assign a password for the Administrator
    account.
  • Determine whether the administrator or the users
    will control passwords.
  • Use passwords that are hard to guess.
  • Passwords can be up to 128 characters; a minimum
    length of eight characters is recommended.
  • Use both uppercase and lowercase letters,
    numerals, and valid non-alphanumeric characters.

10
Creating and Managing User Accounts
  • Standard tool is AD Users and Computers
  • Can be run from command line (dsa.msc)
  • Can add, modify, move, delete, search for user
    accounts
  • Can configure multiple objects simultaneously
  • Also a number of command line tools and utilities

11
Domain User Accounts
  • Allow users to log on to the domain and gain
    access to resources anywhere on the network
  • Created in an OU in the Active Directory store
  • Replicated to all domain controllers

12
Creating Domain User Accounts
13
Overview of Modifying Properties
  • A set of default properties is associated with
    each user account.
  • Properties defined for a domain user account can
    be used to search for users in the Active
    Directory store.
  • Several properties should be configured for each
    domain user account.
  • You can use the Active Directory Users And
    Computers snap-in to modify a domain user
    account.
  • You can use the Local Users And Groups snap-in to
    modify a local user account.

14
Administering User Accounts
  • Managing user profiles
  • Modifying user accounts
  • Creating home folders

15
User Account Properties
  • Primary tool for creating and managing accounts
    is Active Directory Users and Computers
  • Active Directory is extensible so additional tabs
    may be added to property pages
  • Major account properties that can be set include
  • General: generic info about user
  • Address: address info
  • Account: logon name, password options, logon
    hours
  • Profile: home dir, profile path, logon script
  • Sessions: Terminal Services config

16
The Account Tab of Properties
17
Creating Home Folders
18
User Authentication
  • The process by which a user's identity is
    validated
  • Used to grant or deny access to network resources
  • From a client operating system
  • Name, password, resource required (domain or
    local computer)
  • In Active Directory environment
  • Domain controller authenticates
  • In a workgroup
  • Local SAM database authenticates

19
Authentication Methods
  • Two main processes
  • Interactive authentication
  • User account information is supplied in Logon To
  • Smart Card support
  • Network authentication
  • User's credentials are confirmed for network
    access
  • When browsing for a resource

20
Authentication Protocols
  • Windows Server 2003 supports two main
    authentication protocols
  • Kerberos version 5 (Kerberos v5)
  • NT LAN Manager (NTLM)
  • Kerberos v5 is primary protocol for Active
    Directory environments but is not supported on
    all client systems
  • NTLM is primary protocol for older Microsoft
    operating systems

21
Kerberos
22
Kerberos Protocol
  • Kerberos is the default authentication provider
    in Windows Server 2003 and the primary security
    protocol.
  • Kerberos verifies the identity of the user and
    the integrity of the session data.
  • Kerberos operates
  • as a trusted third party
  • generates session keys
  • grants tickets for specific client/server
    sessions.
  • A ticket contains
  • Session key
  • Name
  • Expiration, etc.

23
Features of the Kerberos Protocol
  • Mature open standard
  • Faster connection authentication
  • No pass through required
  • Mutual authentication
  • Authenticates both client and server
  • NTLM only authenticates client
  • Delegation of authentication
  • Transitive trust

24
Kerberos Terminology
  • Principal: user, client or server
  • Realm: security boundary
  • Secret key
  • used to encrypt info between KDC and client
  • Usually a hash of the user's password
  • Session key
  • Temporary encryption key used between principals
  • Authenticator
  • Key distribution center (KDC): every domain
    controller
  • Privilege attribute certificate (PAC)
  • Contains the user's SID
  • Ticket
  • Allows the client to authenticate to a server
  • Ticket granting ticket (TGT)
  • Contains a random session key

25
Domain Authentication and Resource Access
Diagram: Kerberos client, Windows 2003 domain controller (KDC) hosting the Authentication Service (AS) and the Ticket Granting Service (TGS), and the application server \\AppServ
1. Client requests a ticket for the TGS from the Authentication Service (AS)
2. AS returns a TGT to the client
3. Client sends the TGT and a request for a ticket to \\AppServ to the Ticket Granting Service (TGS)
4. TGS returns a ticket for \\AppServ
5. Client sends the session ticket to \\AppServ
6. (Optional) \\AppServ sends confirmation of identity to the client
26
Kerberos v5 - Recap
  • Log on request passed to Key Distribution Center
    (KDC), a Windows Server 2003 domain controller
  • KDC authenticates user and, if valid, issues a
    ticket-granting ticket (TGT) to client system
  • When client requests a network resource, it
    presents the TGT to KDC
  • KDC issues a service ticket to client
  • Client presents service ticket to host server for
    network resource
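As an added illustration of the six steps in slides 25 and 26 (not code from the slides), the following stand-alone Python models the AS, TGS and application-server exchanges. The sealing helper (SHA-256 keystream plus HMAC tag), the SHA-256 password-to-key step, the constructed KDC state and the names alice and AppServ are assumptions; real Kerberos uses AES or RC4 and its own string-to-key function, but the trust relationships and the lifetime and clock-skew checks from slide 27 are as described.

```python
import hashlib, hmac, json, os, time
TGT_LIFE, TICKET_LIFE, CLOCK_SKEW = 10 * 3600, 60 * 60, 5 * 60  # slide 27 defaults, in seconds

def _keystream(key, nonce, n):  # SHA-256 in counter mode; toy stand-in for Kerberos' AES
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # toy authenticated encryption: nonce || ciphertext || HMAC tag
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):  # fails closed: wrong key or tampering is rejected before anything is decrypted
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("rejected: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(password):  # long-term secret key = hash of the user's password (slide 24); toy KDF
    return hashlib.sha256(password.encode("utf-16le")).digest()

# Constructed KDC state: user keys, the krbtgt key that protects TGTs, and each service's own key
KDC = {"users": {"alice": user_key("P@ssw0rd!")}, "krbtgt": os.urandom(32),
       "services": {"AppServ": os.urandom(32)}}

def _check(auth, ticket):  # authenticator must name the ticket's user and be fresh; ticket must be unexpired
    now = time.time()
    if auth["user"] != ticket["user"] or abs(now - auth["ts"]) > CLOCK_SKEW or now > ticket["exp"]:
        raise ValueError("authenticator/ticket mismatch, clock skew too large, or ticket expired")

def as_exchange(user):  # steps 1-2: TGT (readable only by the KDC) plus the session key sealed for the user
    sk = os.urandom(32)
    tgt = seal(KDC["krbtgt"], {"user": user, "sk": sk.hex(), "exp": time.time() + TGT_LIFE})
    return seal(KDC["users"][user], {"sk": sk.hex()}), tgt

def tgs_exchange(tgt, authenticator, service):  # steps 3-4: TGS issues a ticket for the service
    t = unseal(KDC["krbtgt"], tgt)
    sk = bytes.fromhex(t["sk"])
    _check(unseal(sk, authenticator), t)
    ssk = os.urandom(32)
    ticket = seal(KDC["services"][service], {"user": t["user"], "sk": ssk.hex(), "exp": time.time() + TICKET_LIFE})
    return seal(sk, {"sk": ssk.hex()}), ticket

def ap_exchange(service, ticket, authenticator):  # steps 5-6: the server validates with its own key, no KDC call
    t = unseal(KDC["services"][service], ticket)
    _check(unseal(bytes.fromhex(t["sk"]), authenticator), t)
    return t["user"]  # the authenticated principal

def client_logon(user, password, service):  # the client side of all six steps
    reply, tgt = as_exchange(user)
    sk = bytes.fromhex(unseal(user_key(password), reply)["sk"])  # a wrong password fails here
    reply2, ticket = tgs_exchange(tgt, seal(sk, {"user": user, "ts": time.time()}), service)
    ssk = bytes.fromhex(unseal(sk, reply2)["sk"])
    return ap_exchange(service, ticket, seal(ssk, {"user": user, "ts": time.time()}))
```

Note that the password itself never travels: the AS reply is only useful to a client that can derive the same key, and \\AppServ trusts the ticket because only the KDC holds its service key.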

27
Kerberos Policy
  • Kerberos Policy Settings: on a domain controller
    in your domain in Administrative Tools, click
    Domain Security Policy, click Windows Settings,
    click Security Settings, click Account Policies,
    and then click Kerberos Policy.
  • Enforce logon restrictions: Yes
  • Maximum lifetime that a user ticket can be
    renewed: 7 days
  • Maximum service ticket lifetime: 60 minutes
  • Maximum tolerance for synchronization of computer
    clocks: 5 minutes
  • Maximum TGT lifetime: 10 hours

28
NTLM
  • A challenge-response protocol
  • Used with operating systems running Windows NT
    4.0 or earlier or with Windows 2000 or Server
    2003 when necessary
  • Protocol followed
  • User logs in, client calculates cryptographic
    hash of password
  • Client sends user name to domain controller

29
NTLM (continued)
  • Domain controller generates random challenge and
    sends it to client
  • Client encrypts challenge with hash of password
    and sends to domain controller
  • Domain controller calculates expected value to be
    returned from client and compares to actual value
  • After successful authentication, domain
    controller generates a token for user for network
    access

30
Challenge/Response sequence
1. Request to connect (client to domain controller)
2. Respond with a challenge code (domain controller to client)
3. Send an encrypted password (client to domain controller)
4. Reply with the result of authentication (domain controller to client)
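An added Python model of the four-message challenge/response described in slides 28 to 30 (not from the original slides). SHA-256 and HMAC stand in for NTLM's MD4 password hash and DES-based response so that it runs on any current Python; the account name and password are constructed.

```python
import hashlib, hmac, os

def password_hash(password):
    # Step 1: the client hashes the password. NTLM uses MD4 over the UTF-16LE password (the "NT hash");
    # SHA-256 stands in here so the example runs on Python builds whose OpenSSL no longer ships MD4.
    return hashlib.sha256(password.encode("utf-16le")).digest()

def compute_response(pw_hash, challenge):
    # Step 3: "encrypt the challenge with the hash of the password". NTLM uses DES keyed from the hash;
    # a keyed MAC under the hash plays the same role here: only a holder of the hash can produce it.
    return hmac.new(pw_hash, challenge, "sha256").digest()

class DomainController:
    def __init__(self, accounts):
        self.accounts = accounts      # username -> stored password hash; this hash is the secret to protect
        self.pending = {}             # one outstanding challenge per username

    def challenge(self, username):    # step 2: fresh random challenge, valid for this attempt only
        self.pending[username] = os.urandom(8)
        return self.pending[username]

    def verify(self, username, response):
        # Step 4: compute the expected value from the stored hash and the issued challenge, then compare.
        # The challenge is consumed, so a response captured on the wire cannot be replayed later.
        challenge = self.pending.pop(username, None)
        stored = self.accounts.get(username)
        if challenge is None or stored is None:
            return False
        return hmac.compare_digest(compute_response(stored, challenge), response)

class Client:
    def __init__(self, username, password):
        self.username = username
        self.pw_hash = password_hash(password)   # the cleartext password is neither kept nor sent

    def logon(self, dc):              # the whole sequence from the client's side
        challenge = dc.challenge(self.username)
        return dc.verify(self.username, compute_response(self.pw_hash, challenge))
```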
31
NTLM - Logon
32
Local Interactive Logon
33
User Profiles
  • A collection of settings specific to a particular
    user
  • Stored locally by default
  • Do not follow user logging on to different
    computers
  • Can create a roaming profile
  • Does follow user logging on to different
    computers
  • Administrator can create a mandatory profile
  • User cannot alter it

34
Managing User Profiles
  • A user profile is a collection of folders and
    data that stores your current desktop environment
    and application settings as well as personal
    data.
  • Microsoft Windows 2000 creates a local user
    profile the first time you log on at a computer.
  • User profiles operate in a specific manner.
  • Stored in
  • <systemdrive>\Documents and Settings\<logon name>
  • <systemdrive>\profiles

35
Profiles
  • Customizable
  • ntuser.dat
  • Mandatory
  • ntuser.man
  • Local
  • Stored on the local machine
  • In folder Documents and Settings
  • Roaming
  • Stored in a shared folder on a server

36
Assigning a Customized Roaming User Profile
37
User Profile Folders and Contents
38
Local Profiles
  • New profiles are created from Default User
    profile folder
  • User can change local profile and changes are
    stored uniquely to that user
  • Administrator can manage various elements of
    profile
  • Change Type
  • Delete
  • Copy To

39
Roaming Profiles
  • Roaming profiles
  • Allow a profile to be stored on a central server
    and follow the user
  • Provide advantage of a single centralized
    location (helpful for backup)
  • Assigned from Profiles Tab of Account properties
  • Changing a profile from local to roaming requires
    care (copy the profile first)

40
Mandatory Profiles
  • Local and roaming profiles allow users to make
    permanent changes
  • Mandatory profiles allow changes only for a
    single session
  • Local and roaming profiles can both be configured
    as mandatory
  • ntuser.dat → ntuser.man

41
Command Line Utilities
  • Some administrators prefer working from command
    line
  • Can be used to automate creation or management of
    accounts more flexibly

42
DSADD
  • Allows object types to be added to directory
  • Computer accounts, contacts, quotas, OUs, users,
    etc.
  • Syntax for user account is
  • DSADD USER distinguished-name switches
  • Switches include
  • -pwd (password), -memberof, -email, -profile,
    -disabled

43
DSMOD
  • Allows object types to be modified from the
    command line
  • Computer accounts, users, quotas, OUs, servers,
    etc.
  • Syntax for modifying user account is
  • DSMOD USER distinguished-name switches
  • Can modify multiple accounts simultaneously

44
DSQUERY
  • Allows various object types to be queried from
    command line
  • Supports wildcard (*)
  • Output can be redirected to another command
    (piped)
  • Example: return all user accounts that have not
    changed passwords in 14 days
  • dsquery user domainroot -name * -stalepwd 14

45
DSMOVE
  • Allows various object types to be moved from
    current location to a new location
  • Allows various object types to be renamed
  • Only moves within the same domain (otherwise use
    MOVETREE)
  • Example: to move a user account into a marketing
    OU
  • dsmove "cn=Paul Kohut,cn=users,dc=domain01,
    dc=dovercorp,dc=net" -newparent "ou=marketing,
    dc=domain01,dc=dovercorp,dc=net"

46
DSRM
  • Allows objects to be deleted from directory
  • Can delete single object or entire subtree
  • Has a confirm option that can be overridden
  • Example: to delete the Marketing OU and all its
    contained objects without a confirm prompt
  • dsrm -subtree -noprompt -c "ou=marketing,
    dc=domain01,dc=dovercorp,dc=net"

47
Bulk Import and Export
  • Allows an organization to import existing stores
    of data rather than recreating from scratch
  • Allows an organization to export data that is
    already structured in Active Directory to
    secondary databases
  • Two command line utilities for import and export
  • CSVDE
  • LDIFDE

48
CSVDE
  • Command-line tool to bulk export and import
    Active Directory data to and from comma-separated
    value (CSV) files
  • CSV files can be created/edited using text-based
    editors
  • Examples
  • csvde -f output.csv (export)
  • csvde -i -f input.c (import)

49
LDIFDE
  • Command-line tool to bulk export and import
    Active Directory data to and from LDIF files
  • LDAP Data Interchange Format
  • Industry standard for information in LDAP
    directories
  • Each attribute/value on a separate line with
    blank lines between objects
  • Can be read in text-based editors
  • Common uses: extending AD schemas, importing bulk
    data to populate AD, manipulating user and group
    objects
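An added Python example (not from the original slides) that writes the LDIF shape described above, one attribute/value per line with a blank line between objects, from a constructed CSV of the kind csvde consumes, and parses it back. The naming context dc=domain01,dc=dovercorp,dc=net and ou=marketing come from the dsmove slide; the sample users, the UPN suffix and the attribute set are assumptions.

```python
import base64, csv, io
DOMAIN_DN, UPN_SUFFIX = "dc=domain01,dc=dovercorp,dc=net", "dovercorp.net"  # naming context from the dsmove example

# Constructed CSV in the one-user-per-row shape csvde consumes; the accented name exercises base64 encoding
SAMPLE_CSV = """\
sAMAccountName,givenName,sn,ou
pkohut,Paul,Kohut,marketing
jgarcia,José,García,marketing
"""

def _needs_base64(value):  # LDIF rule: empty, leading ' ' ':' '<', trailing ' ', or non-printable/non-ASCII
    return (value == "" or value[0] in " :<" or value[-1] == " "
            or not all(32 <= ord(c) < 127 for c in value))

def csv_to_records(text):  # each record is an ordered list of (attribute, value) pairs, dn first
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        cn = f'{row["givenName"]} {row["sn"]}'
        records.append([("dn", f'cn={cn},ou={row["ou"]},{DOMAIN_DN}'), ("changetype", "add"),
                        ("objectClass", "user"), ("cn", cn), ("sAMAccountName", row["sAMAccountName"]),
                        ("givenName", row["givenName"]), ("sn", row["sn"]),
                        ("userPrincipalName", f'{row["sAMAccountName"]}@{UPN_SUFFIX}')])
    return records

def to_ldif(records):
    """One 'attribute: value' line per attribute ('attribute:: base64' where required), blank line between objects."""
    chunks = []
    for rec in records:
        chunks.append("\n".join(f"{a}:: {base64.b64encode(v.encode()).decode()}" if _needs_base64(v)
                                else f"{a}: {v}" for a, v in rec))
    return "\n\n".join(chunks) + "\n"

def parse_ldif(text):
    """Inverse of to_ldif: splits records on blank lines and decodes '::' base64 values."""
    records, current = [], []
    for line in text.splitlines():
        if line == "":
            if current:
                records.append(current)
                current = []
            continue
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        current.append((attr, value))
    if current:
        records.append(current)
    return records
```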

50
Troubleshooting User Account and Authentication Issues
  • Normally creating and configuring user accounts
    is straightforward
  • Issues do arise related to
  • Configuration of account
  • Policy settings

51
Account Policies
  • Authentication-related policy settings
  • Configured in Account Policies node of Group
    Policy objects at domain level
  • Account lockout, passwords, Kerberos
  • Default Domain Policy
  • Accessed from Active Directory Users and
    Computers
  • Configures policies for all domain users

52
Password Policy
  • Configuration settings
  • Password history and reuse
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Complexity requirements
  • Encryption policy

53
Account Lockout Settings
  • Configuration settings
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after

54
Auditing Authentication
  • Audit account logon event
  • Configured in Group Policy object linked to
    Domain Controllers OU (Default Domain Controllers
    Policy)
  • Default is to log only successful logons
  • Event viewable in Security log (use Event Viewer)
  • Can choose to audit failed logons
  • May be helpful for troubleshooting
  • Codes provide information about type of failure
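As an added example for the Account Lockout Settings (slide 53) and the failed-logon auditing above (not part of the original slides), this Python replays constructed audit records through the three lockout settings and shows which attempts are refused. The one-line log format and the account names are assumptions, not the Security log's real event layout.

```python
from datetime import datetime, timedelta

# Constructed audit records (timestamp, outcome, account) in the spirit of Security-log logon events
SAMPLE_LOG = """\
2004-03-01 09:00:05 FAILURE bob
2004-03-01 09:00:20 FAILURE bob
2004-03-01 09:00:41 FAILURE bob
2004-03-01 09:01:02 SUCCESS bob
2004-03-01 10:00:00 FAILURE alice
2004-03-01 10:45:00 FAILURE alice
2004-03-01 10:46:00 FAILURE alice
2004-03-01 10:47:00 SUCCESS alice
"""

def parse_log(text):  # -> sorted list of (datetime, outcome, user)
    rows = (line.split() for line in text.splitlines() if line.strip())
    return sorted((datetime.fromisoformat(f"{d} {c}"), o, u) for d, c, o, u in rows)

class LockoutPolicy:
    """The three Account Lockout settings; a duration of 0 means locked until an administrator unlocks."""
    def __init__(self, threshold, duration_min, reset_after_min):
        self.threshold = threshold                          # 0 = never lock out
        self.duration = timedelta(minutes=duration_min)
        self.reset_after = timedelta(minutes=reset_after_min)

def replay(policy, events):
    """Apply the policy to the event stream. Returns (ts, user, outcome) per event, where outcome is
    failed, lockout (this failure tripped the threshold), locked (refused while locked, even with the
    right password), or ok."""
    state, out = {}, []
    for ts, outcome, user in events:
        s = state.setdefault(user, {"count": 0, "last_fail": None, "locked_until": None})
        if s["locked_until"] is not None and ts < s["locked_until"]:
            out.append((ts, user, "locked"))
            continue
        if s["last_fail"] is not None and ts - s["last_fail"] > policy.reset_after:
            s["count"] = 0                                  # "Reset account lockout counter after" elapsed
        if outcome == "SUCCESS":
            s["count"], s["locked_until"] = 0, None
            out.append((ts, user, "ok"))
            continue
        s["count"], s["last_fail"] = s["count"] + 1, ts
        if policy.threshold and s["count"] >= policy.threshold:
            s["locked_until"] = ts + policy.duration if policy.duration else datetime.max
            s["count"] = 0
            out.append((ts, user, "lockout"))
        else:
            out.append((ts, user, "failed"))
    return out
```

With a threshold of 3, a 30-minute duration and a 30-minute reset window, bob is locked out on his third failure and his correct password a few seconds later is still refused, while alice's first failure ages out of the window before the next two, so she is never locked.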

55
Resolving Logon Issues
  • Some common logon issues (and fixes)
  • Incorrect user name or password (administrative
    reset)
  • Account lockout (manual unlock)
  • Account disabled (administrative enable)
  • Logon hour restrictions (check account
    restrictions)
  • Workstation restrictions (check account
    restrictions)
  • Domain controllers (check configured DNS
    settings)
  • Client time settings (check client clock
    synchronization)

56
Resolving Logon Issues (continued)
  • Down-level client issues (install Active
    Directory Client Extensions)
  • UPN logon issues (check Global Catalog server)
  • Unable to log on locally (set policy on local
    server)
  • Remote access logon issues (check access on
    Dial-up properties)
  • Terminal services logon issues (check allow logon
    to terminal server permission)

57
Summary
  • A user account is an object stored in Active
    Directory
  • Information that defines user and access to
    network
  • Primary tools to create and manage user accounts
  • Active Directory Users and Computers
  • Command line utilities (DSADD, DSMOD, DSQUERY,
    DSMOVE, DSRM)
  • Two main authentication processes
  • Interactive authentication
  • Network authentication

58
Summary (continued)
  • Two main authentication protocols
  • Kerberos v5, NTLM
  • User profiles used to configure and customize
    desktop environment
  • Local, roaming, mandatory
  • Utilities for bulk importing and exporting user
    data to and from Active Directory
  • LDIFDE and CSVDE