5.1 © 2004 Pearson Education, Inc.
Lesson 5: Administering User Accounts
Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure
Goals
- Plan strategies to create user accounts
- Create local user accounts
- Create domain user accounts
- Set user account profiles
- Introduce user profiles
- Configure roaming user profiles
- Create home folders
- Maintain user accounts
Planning Strategies for Creating User Accounts
- User account
  - Provides a form of identification for a user
  - Used to build the user ticket
- User ticket
  - Also called TGT (Ticket Granting Ticket)
  - Contains a list of associated Security IDs and all groups to which a user belongs
  - Used to prove account validity and construct a session ticket for use by the resource server
- Ways to create user accounts
  - Manually using the Active Directory Users and Computers console
  - Writing scripts using VBScript or JScript
  - Writing scripts using Active Directory Service Interfaces (ADSI), a fully programmable automation object available for administrators
(Skill 1)
Planning Strategies for Creating User Accounts (2)
- Naming conventions
  - Unique user names
  - Easy-to-remember logon names
  - Be able to differentiate between employees with similar or the same names
- Password requirements
  - Hard to guess
  - Mix of letters and numerals
- Account properties
  - Log On To option specifies the computers to which a user can log on
  - Logon Hours option specifies the hours of the day and days of the week a user can log on
  - Account expires option specifies when an account will be invalid
(Skill 1)
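Added example, not part of the original slides: an audit helper that decodes how the three account properties above are stored on a user object and flags accounts where none of the restrictions is in force. The attribute names (`logonHours`, `accountExpires`, `userWorkstations`, `userAccountControl`) are the standard Active Directory ones rather than text from the slides, and the sample account is constructed.

```python
from datetime import datetime, timedelta, timezone

# AD attribute names and encodings below are the standard directory ones,
# not text from the slides; the sample account is constructed.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)          # accountExpires values meaning "never"
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]

def decode_logon_hours(blob):
    """logonHours: 21 bytes, one bit per hour of the week, from Sunday 00:00 UTC.
    Returns {day: [allowed hours]}; None (attribute unset) means always allowed."""
    if blob is None:
        return {d: list(range(24)) for d in DAYS}
    if len(blob) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    hours = {d: [] for d in DAYS}
    for bit in range(168):
        if blob[bit // 8] >> (bit % 8) & 1:      # least significant bit first
            hours[DAYS[bit // 24]].append(bit % 24)
    return hours

def decode_account_expires(value):
    """accountExpires: 100-ns ticks since 1601-01-01 UTC; None when it never expires."""
    if value in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def audit(account, now):
    """Return findings for one account dict exported from the directory."""
    findings = []
    if account["userAccountControl"] & 0x2:      # ACCOUNTDISABLE flag
        return ["disabled"]
    expires = decode_account_expires(account["accountExpires"])
    if expires is None:
        findings.append("no expiry date")
    elif expires <= now:
        findings.append("expired but still enabled")
    if sum(len(h) for h in decode_logon_hours(account.get("logonHours")).values()) == 168:
        findings.append("logon hours unrestricted")
    if not account.get("userWorkstations"):      # Log On To list, comma separated
        findings.append("may log on to any computer")
    return findings

# Constructed sample: contractor limited to Mon-Fri 08:00-17:59 UTC on one PC.
WEEKDAYS = bytes(3) + bytes([0x00, 0xFF, 0x03]) * 5 + bytes(3)
SAMPLE = {"userAccountControl": 0x200, "accountExpires": 127489248000000000,
          "logonHours": WEEKDAYS, "userWorkstations": "WS-ACCT-01"}
```

Logon hours are stored in UTC, so the hours shown in the Logon Hours dialog differ from the decoded ones by the local time-zone offset.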
(Skill 1)
Figure 5-1 Specifying user account properties
Creating a Local User Account
Local user accounts allow users to log on to a specific computer and access only its resources
The local user account is stored only in the computer’s local security database
When a user logs on to a computer, the computer uses its local security database to authenticate the local user account
(Skill 2)
Creating a Local User Account (2)
If you create a local user account on a computer that requires access to domain resources, the user cannot access resources in the domain
You cannot create local user accounts on a domain controller
You use the Local Users and Groups snap-in within the Computer Management console to create, delete, or disable local user accounts
(Skill 2)
(Skill 2)
Figure 5-2 Local security database
(Skill 2)
Figure 5-3 Creating a local user account
Creating a Domain User Account
- A domain user account allows a user to log on to a domain and access network resources
- The domain controller replicates the new user account information to all domain controllers in the domain
- You use the Active Directory Users and Computers console to create domain user accounts
(Skill 3)
Creating a Domain User Account (2)
- Logon process
  - A user provides a logon name and password (or alternately, inserts a smartcard and provides a PIN)
  - The Windows 2000 Server builds a session ticket and generates an access token, which is available during the session
- Domain names
  - AD domain names are usually the full DNS name
  - Each domain also has a pre-Windows 2000 domain name to allow logon to a Windows 2000 domain from computers running pre-Windows 2000 operating systems
- Built-in accounts
  - Built-in Administrator user account
  - Built-in Guest account
(Skill 3)
(Skill 3)
Figure 5-4 Domain user account
(Skill 3)
Figure 5-5 Creating a domain user account
Figure 5-6 Specifying password for a new domain user account
(Skill 3)
Figure 5-7 Summary screen for a new domain user account
(Skill 3)
Figure 5-8 The new user in the Active Directory Users and Computers console
(Skill 3)
Setting User Account Properties
- Every user account has a set of default properties
- You can also define detailed personal properties
  - Defined for a domain user account
  - Useful when searching for users
- Logon settings control the logon hours for a user
- Dial-in settings include whether to allow remote dial-in for the user
(Skill 4)
Setting User Account Properties (2)
- You can also specify Terminal Services settings for a user account
  - Provide the ability to connect to a server from a remote location
  - Allow the user to run a session as if sitting at the machine
- Create a template account containing the common information shared between user accounts
(Skill 4)
Figure 5-9 Specifying user account properties
(Skill 4)
Figure 5-10 Specifying logon hours for a user account
(Skill 4)
Introducing User Profiles
- A user profile is a collection of data
  - Includes user’s personal data, desktop settings, printer connections, and network connections
- Enables multiple users to work from the same computer
- Enables a single user to work from multiple computers on a network
- Three types of user profiles
  - Local user profile
  - Roaming user profile
  - Mandatory user profile
(Skill 5)
Introducing User Profiles (2)
- Local user profile
  - Limited to the computer to which the user logs on
  - Is stored on the system’s local hard disk
- Roaming user profile
  - Allows a user to work on multiple computers on a network
  - Updates any changes users make to their user profiles on the server
- Mandatory user profile
  - Specifies particular settings for individuals or a group
  - Does not permanently save the desktop settings made by a user
  - Only system administrators can change mandatory profiles
(Skill 5)
Figure 5-11 A sample user profile folder
(Skill 5)
Figure 5-12 Contents of the Documents and Settings folder
(Skill 5)
Creating a Roaming User Profile
- Standard roaming user profiles are used for specific groups of users
- Benefits
  - Provide a standard desktop environment with access to the same network resources
  - Provide a standard work environment consisting of only those applications and connections used by the group
  - Streamline troubleshooting
- To create a standard roaming user profile
  - Create a shared folder on the server
  - Create a user profile template with the appropriate configuration
  - Copy the roaming user profile template to the shared folder on the server to allow users access to the profile
(Skill 6)
Figure 5-13 Adding a user to a group
(Skill 6)
Figure 5-14 Accessing the list of user profiles
(Skill 6)
Figure 5-15 Copying the user profile template to the shared folder
(Skill 6)
Figure 5-16 Permitting a user to use the profile
(Skill 6)
Figure 5-17 Specifying the path to the roaming user profile
(Skill 6)
Creating a Home Folder on a Server
- Home folders
  - Provide a default location for each user to store data
  - Similar in concept to the My Documents folder on a user’s desktop
- Benefits
  - Not computer dependent
  - Easily accessible from any computer on the network
  - Accessible from any client computer using any Microsoft operating system
  - Backed up as per the server’s backup schedule
(Skill 7)
Figure 5-18 Specifying the path of the home folder
(Skill 7)
Figure 5-19 Home folder for a user
(Skill 7)
Maintaining User Accounts
- Network administrator maintenance tasks
  - Rename an account to maintain the rights, permissions, and group memberships of a particular user account and transfer the account to a different user
  - Disable an account for security reasons when a user does not need the account for a certain period
  - Enable a disabled account
  - Delete a user account when it is no longer needed
  - Reset passwords when a user’s password expires before the user changes it
  - Lock out user accounts when users violate a security policy
(Skill 8)
Figure 5-20 Options in the Action menu
(Skill 8)
Figure 5-21 Active Directory message box
(Skill 8)
Figure 5-22 The disabled user account
(Skill 8)
Figure 5-23 Resetting user password
(Skill 8)