Network Implementation and Support Lesson 03 User Accounts - Eric Vanderburg
- 2. User Accounts
• Used for assigning permissions
• Customizing environment & settings
• Tracking usage
• Should adhere to naming conventions
• Strong passwords
• One for each person
• Two for administrators
Eric Vanderburg © 2006
- 3. Adding & Changing accounts
• Active Directory Users & Computers
– Create users & groups
– Disable accounts
– Change account properties
– Change group membership
- 4. Property Tabs
• General – personal info
• Address – more personal info
• Account – logon name, domain, expiration date, logon hours, computers the user may log on from
• Profile – logon scripts, shared home folders
• Telephones
• Organization – title, dept, company, manager
- 5. Property Tabs
• Member Of – groups
• Dial-in – VPN & dial-up permissions
• Environment – Terminal Services programs to run at startup
• Sessions – Terminal Services session drop times, reconnection times
• Remote Control – view options for Terminal Services sessions
• Terminal Services Profile
• COM+ – allows app filtering by setting a COM+ partition for the user
- 6. Authentication
• Verify identity
• Submit credentials
– Username/Password
– SmartCard
– Biometrics
• Interactive Authentication
– Use the logon screen
• Network Authentication
– Takes place when network resources are accessed
- 8. Kerberos Components
• KDC (Key Distribution Center)
– AS (Authentication Service)
• Verifies identity through AD
• Gives a TGT (Ticket Granting Ticket), which is then used to obtain access to specific resources
– TGS (Ticket-Granting Service)
• Verifies the TGT
• Creates a service ticket & session key for a resource based on the TGT. The client can present the service ticket to another server to access its content.
NOTE: Servers have tickets too.
• Only services its own domain. Must refer to another TGS for interdomain resource access (gives a referral ticket)
• Server with the desired resource
• Client
- 9. Kerberos
• Delegation with Forwarding and Proxy – lets a server such as a database server access resources on your behalf (it is given a proxy or forwarding ticket)
• NTP (Network Time Protocol) is used to synchronize time between machines. Keys are based on system time, so all clocks must agree.
• Replaces NTLM (NT LAN Manager) & NTLMv2
– still used with pre-Windows 2000 clients
– Challenge – 16-bit random number (seeds the hash)
– Hashes password
– Hashes are compared
- 10. Profiles
• Local Profiles
• Roaming Profiles
• Mandatory Profiles
– Change ntuser.dat to ntuser.man
• Default Profile – for new accounts
• All Users Profile – for existing accounts
• Profile properties – System Properties → User Profiles → Settings
- 12. User Template
• Configure with common settings
• Copy when new users are added
• Disable the template!
- 13. Command Line
• Dsadd
– create users
– Dsadd user "cn=Eric Vanderburg, ou=faculty, dc=RemingtonCollege, dc=edu" -pwd password -memberof "cn=Administrators, cn=Builtin, dc=RemingtonCollege, dc=edu" -email evanderburg@gmail.com -disabled no
• Dsmod
– change properties & settings
– Dsmod user "cn=Eric Vanderburg, ou=faculty, dc=RemingtonCollege, dc=edu" -tel "440-3762398"
• Dsquery
– Search
– Dsquery user "dc=RemingtonCollege, dc=edu"
- 14. Command Line
• Dsmove
– change location
– Dsmove "current ldap location" -newparent "new ldap location"
• Dsrm
– delete users, groups
– Dsrm "ldap location" -noprompt
– Dsrm "ldap location" -subtree -c -noprompt
• Dsget user "ldap location" -memberof
– Find groups user belongs to
- 15. Command Line
• CSVDE – export AD info to CSV file
• LDIFDE – export AD info to LDIF (LDAP Data Interchange Format) file
• Redirection
– Send output to a file: >
– Append output to a file: >>
– Take input from a file: <
– Pipe one command's output into another: cmd1 | cmd2 (ex: | more)
- 16. Account Policies
• Right click on an object (SDOU: site, domain, or OU)
• Select Properties → Group Policy
• You will see the object link; click Edit
• Under Computer Configuration → Windows Settings → Security Settings → Account Policies
- 17. Account Policies
• Password Policies (History, Age, Length,
Complexity, Encryption)
• Account Lockout
– Duration – length of lockout
– Threshold – how many bad passwords locks out
– Reset Counter - grace period
• Kerberos Policy
– Enforce Logon Restrictions – check logon every time
– Service ticket max lifetime
– User ticket max lifetime – TGT life
– Tolerance of computer clock sync
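An added Python model, not from the slides, tying slide 8 (KDC = AS + TGS, service tickets, the resource server) to the Kerberos Policy settings on slide 17: the AS enforces the clock-skew tolerance before handing out a TGT, the TGS verifies the TGT and seals a service ticket under the resource server's key, and every verifier enforces the ticket lifetime. Sealing tickets with HMAC-SHA256, the policy values, and the principal names are constructed for the demo; real Kerberos encrypts tickets and uses different message formats.

```python
import hashlib, hmac, os
from dataclasses import dataclass
# Constructed policy values standing in for the slide's Kerberos Policy settings (seconds).
MAX_CLOCK_SKEW = 5 * 60          # "Tolerance of computer clock sync"
TGT_LIFETIME = 10 * 3600         # "User ticket max lifetime" (TGT life)
SERVICE_TICKET_LIFETIME = 3600   # "Service ticket max lifetime"

@dataclass
class Ticket:
    principal: str      # who the ticket was issued to
    service: str        # "krbtgt" for a TGT, otherwise the resource server
    session_key: bytes  # shared between client and service for this ticket
    expires: int        # absolute time in seconds
    mac: bytes          # seal under the long-term key of whoever verifies the ticket

def _mac(key, t):
    data = f"{t.principal}|{t.service}|{t.session_key.hex()}|{t.expires}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()

def issue_ticket(seal_key, principal, service, now, lifetime):
    t = Ticket(principal, service, os.urandom(16), now + lifetime, b"")
    t.mac = _mac(seal_key, t)
    return t

def verify_ticket(seal_key, t, now, service):  # done by the TGS (for TGTs) and by servers
    if not hmac.compare_digest(t.mac, _mac(seal_key, t)):
        raise PermissionError("ticket seal invalid")
    if t.service != service:
        raise PermissionError("ticket is for a different service")
    if now > t.expires:
        raise PermissionError("ticket expired")

def preauth(key, client_time):  # client side: current time sealed with the user's key
    return hmac.new(key, str(client_time).encode(), hashlib.sha256).digest()

class KDC:
    def __init__(self, directory):
        self.directory = directory      # principal -> long-term key; stands in for AD
        self.tgs_key = os.urandom(32)   # krbtgt key, used to seal and verify TGTs
    def authenticate(self, principal, client_time, proof, now):
        """AS: enforce clock-skew tolerance, check the pre-auth proof, hand out a TGT."""
        if abs(client_time - now) > MAX_CLOCK_SKEW:
            raise PermissionError("clock skew exceeds tolerance")
        if not hmac.compare_digest(proof, preauth(self.directory.get(principal, b""), client_time)):
            raise PermissionError("bad credentials")
        return issue_ticket(self.tgs_key, principal, "krbtgt", now, TGT_LIFETIME)
    def get_service_ticket(self, tgt, service, now):
        """TGS: verify the TGT, then seal a service ticket under the resource server's key."""
        verify_ticket(self.tgs_key, tgt, now, "krbtgt")
        return issue_ticket(self.directory[service], tgt.principal, service, now, SERVICE_TICKET_LIFETIME)
```

The happy path is authenticate, then get_service_ticket, then verify_ticket under the resource server's own key; a wrong password, a clock outside the tolerance, an expired TGT, or a ticket presented to a server it was not issued for each raise PermissionError.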
- 18. Auditing
• Audit account logon events
• Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit account logon events