5.1 © 2004 Pearson Education, Inc. Lesson 5: Administering User Accounts Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure Goals

5.1 © 2004 Pearson Education, Inc.

Lesson 5: Administering User Accounts

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Goals Plan strategies to create user accounts

Create local user accounts

Create domain user accounts

Set user account profiles

Introduce user profiles

Configure roaming user profiles

Create home folders

Maintain user accounts




Planning Strategies for Creating User Accounts User account

Provides a form of identification for a user Used to build the user ticket

User ticket Also called TGT (Ticket Granting Ticket) Contains a list of associated Security IDs and all groups to which a

user belongs Used to prove account validity and construct a session ticket for

use by the resource server Ways to create user accounts

Manually using the Active Directory Users and Computers console Writing scripts using VBScript or Jscript Writing scripts using Active Directory Services Interfaces (ADSI), a

fully programmable automation object available for administrators

(Skill 1)




Planning Strategies for Creating User Accounts (2)

Naming conventions Unique user names Easy-to-remember logon names Be able to differentiate between employees with similar or the same

names Password requirements

Hard to guess Mix of letters and numerals

Account properties Log On To option specifies the computers to which a user can log on Logon Hours option specifies the hours of the day and days of the week a

user can log on Account expires option specifies when an account will be invalid

(Skill 1)




(Skill 1)

Figure 5-1 Specifying user account properties




Creating a Local User Account

Local user accounts allow users to log on to a specific computer and access only its resources

The local user account is stored only in the computer’s local security database

When a user logs on to a computer, the computer uses its local security database to authenticate the local user account

(Skill 2)




Creating a Local User Account (2)

If you create a local user account on a computer that requires access to domain resources, the user cannot access resources in the domain

You cannot create local user accounts on a domain controller

You use the Local Users and Groups snap-in within the Computer Management console to create, delete, or disable local user accounts

(Skill 2)




(Skill 2)

Figure 5-2 Local security databaseFigure 5-2 Local security database




(Skill 2)

Figure 5-3 Creating a local user account




Creating a Domain User Account A domain user account allows a user to log on to

a domain and access network resources The domain controller replicates the new user

account information to all domain controllers in the domain

You use the Active Directory Users and Computers console to create domain user accounts

(Skill 3)




Creating a Domain User Account (2) Logon process

A user provides a logon name and password (or alternately, inserts a smartcard and provides a PIN)

The Windows 2000 Server builds a session ticket and generates an access token, which is available during the session

Domain names AD domain names are usually the full DNS name Each domain also has a pre-Windows 2000 domain name to allow

logon to a Windows 2000 domain from computers running pre-Windows 2000 operating systems

Built-in accounts Built-in Administrator user account Built-in Guest account

(Skill 3)




(Skill 3)

Figure 5-4 Domain user account




(Skill 3)

Figure 5-5 Creating a domain user account




Figure 5-6 Specifying password for a new domain user account

(Skill 3)




Figure 5-7 Summary screen for a new domain user account

(Skill 3)




Figure 5-8 The new user in the Active Directory Users and Computers console

(Skill 3)




Setting User Account Properties Every user account has a set of default properties You can also define detailed personal properties

Defined for a domain user accountUseful when searching for users

Logon settings control the logon hours for a user Dial-in settings include whether to allow remote

dial-in for the user

(Skill 4)




Setting User Account Properties (2)

You can also specify Terminal Services settings for a user account Provide the ability to connect to a server from a

remote locationAllow the user to run a session as if sitting at the

machine

Create a template account containing the common information shared between user accounts

(Skill 4)




Figure 5-9 Specifying user account properties

(Skill 4)




Figure 5-10 Specifying logon hours for a user account

(Skill 4)




Introducing User Profiles A user profile is a collection of data

Includes user’s personal data, desktop settings, printer connections, and network connections

Enables multiple users to work from the same computer

Enables a single user to work from multiple computers on a network

Three types of user profilesLocal user profileRoaming user profile Mandatory user profile

(Skill 5)




Introducing User Profiles (2) Local user profile

Limited to the computer to which the user logs on Is stored on the system’s local hard disk

Roaming user profile Allows a user to work on multiple computers on a network Updates any changes users make to their user profiles on the

server Mandatory user profile

Specifies particular settings for individuals or a group Does not permanently save the desktop settings made by a user Only system administrators can change mandatory profiles

(Skill 5)




Figure 5-11 A sample user profile folder

(Skill 5)




Figure 5-12 Contents of the Documents and Settings folder

(Skill 5)




Creating a Roaming User Profile Standard roaming user profiles are used for specific

groups of users Benefits

Provide a standard desktop environment with access to the same network resources

Provide a standard work environment consisting of only those applications and connections used by the group

Streamline troubleshooting To create a standard roaming user profile

Create a shared folder on the server Create a user profile template with the appropriate configuration Copy the roaming user profile template to the shared folder on the

server to allow users access to the profile

(Skill 6)




Figure 5-13 Adding a user to a group

(Skill 6)




Figure 5-14 Accessing the list of user profiles

(Skill 6)




Figure 5-15 Copying the user profile template to the shared folder

(Skill 6)




Figure 5-16 Permitting a user to use the profile

(Skill 6)




Figure 5-17 Specifying the path to the roaming user profile

(Skill 6)




Creating a Home Folder on a Server Home folders

Provide a default location for each user to store dataSimilar in concept to the My Documents folder on a

user’s desktop

BenefitsNot computer dependentEasily accessible from any computer on the networkAccessible from any client computer using any

Microsoft operating systemBacked up as per the server’s backup schedule

(Skill 7)




Figure 5-18 Specifying the path of the home folder

(Skill 7)




Figure 5-19 Home folder for a user

(Skill 7)




Maintaining User AccountsNetwork administrator maintenance tasks Rename an account to maintain the rights, permissions,

and group memberships of a particular user account and transfer the account to a different user

Disable an account for security reasons when a user does not need the account for a certain period

Enable a disabled account Delete a user account when it is no longer needed Reset passwords when a user’s password expires before

the user changes it Lock out user accounts when users violate a security

policy

(Skill 8)




Figure 5-20 Options in the Action menu

(Skill 8)




Figure 5-21 Active Directory message box

(Skill 8)




Figure 5-22 The disabled user account

(Skill 8)




Figure 5-23 Resetting user password

(Skill 8)