6425c_03.ppt

Upload: ravichandranpc1851

Post on 30-Oct-2015


DESCRIPTION

MOC 6425 c

TRANSCRIPT

  • Module 3: Managing Users and Service Accounts


  • Module Overview
    - Create and Administer User Accounts
    - Configure User Object Attributes
    - Automate User Account Creation
    - Create and Configure Managed Service Accounts

  • Lesson 1: Create and Administer User Accounts
    - User Account
    - Create Users with Windows PowerShell
    - Demonstration: Create a User Object
    - Name Attributes
    - Account Attributes
    - User Account Management

  • User Account
    A user account:
    - Enables authentication of a user with attributes, including a user logon name and password
    - Is a security principal with a security identifier (SID) that can be assigned permissions to resources
    A user account can be stored:
    - In Active Directory, where it enables logon to the domain and can be assigned permissions to resources anywhere in the domain. Domain user accounts are administered with Active Directory snap-ins and commands.
    - In the local SAM database of a member computer, where it enables logon to the local computer and can be assigned permissions to local resources. Local user accounts are administered with the Local Users and Groups snap-in.

  • Create Users with PowerShell
    New-ADUser -Name Name [Parameters]
    - -Name: Name of the user to create. If no other parameters are provided, this is also the SAM account name.
    - [Parameters] may include:
      - -SamAccountName: The name with which the user logs on.
      - -AccountPassword: Sets the account password. If it is not provided, the password is null and the account is disabled.
      - -Enabled: Enables the account. If it is not provided, the account is disabled by default.
      - -Path: The location where the object should be created. By default, it is created in the Users container.
    Get-Help New-ADUser -Detailed: Use to get full explanations of the parameters that can be used.
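As an added example (not code from the course), the cmdlet above wrapped in a small function: the password is prompted as a SecureString rather than typed on the command line, the user lands in a target OU with "change password at next logon" set, and the catch block shows the outcome the Lab A review describes when the password fails the domain policy (the object is created but left disabled). The OU path, UPN suffix and function name are assumptions.

```powershell
Import-Module ActiveDirectory

# Assumed lab values: this OU path and the contoso.com UPN suffix are not on the slides
$ou = "OU=Employees,OU=User Accounts,DC=contoso,DC=com"

function New-ContosoUser {
    param(
        [Parameter(Mandatory=$true)][string]$GivenName,
        [Parameter(Mandatory=$true)][string]$Surname,
        [Parameter(Mandatory=$true)][string]$Path
    )
    $sam = "$GivenName.$Surname"
    # Prompt for the initial password so it never sits in the script or in command history
    $password = Read-Host -AsSecureString "Initial password for $sam"

    try {
        $user = New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
            -SamAccountName $sam -UserPrincipalName "$sam@contoso.com" -Path $Path `
            -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true `
            -PassThru -ErrorAction Stop
        Write-Host "Created $($user.DistinguishedName); Enabled = $($user.Enabled)"
        return $user
    }
    catch {
        # A password that fails the domain policy is the usual cause: the object is
        # created anyway but left disabled, exactly as the Lab A review describes.
        Write-Warning $_.Exception.Message
        $user = Get-ADUser -Identity $sam -ErrorAction SilentlyContinue
        if ($user -and -not $user.Enabled) {
            Write-Warning "$sam exists but is disabled. Set a compliant password, then enable it:"
            Write-Warning "  Set-ADAccountPassword $sam -Reset -NewPassword (Read-Host -AsSecureString)"
            Write-Warning "  Enable-ADAccount $sam"
        }
        return $user
    }
}

# Creates the first user from the Lab A scenario
New-ContosoUser -GivenName Chris -Surname Mayo -Path $ou
```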

  • Demonstration: Create a User Object
    In this demonstration, you will learn:
    - How to create a user
    - How to configure the properties of a user object


  • Name Attributes
    - User logon name (pre-Windows 2000): sAMAccountName. Unique in the domain; 20-character limit.
    - User logon name: userPrincipalName (UPN). Name + @ + UPN suffix; unique in the forest.
    - Name or Full Name: cn (common name). Unique in the OU, so that the relative distinguished name (RDN) is unique in the OU, so that, in turn, the object's distinguished name (distinguishedName attribute) is unique in the forest.
    - Display name: displayName. Used in the Exchange global address list (GAL); best if unique, but not technically required to be unique.
    Examples: CONTOSO\[email protected], Tony Krijnen, Krijnen, Tony
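An added example (not from the course) that turns the three uniqueness rules on this slide into a pre-creation check: sAMAccountName unique in the domain and within the 20-character SAM limit, UPN unique in the forest (asked of a global catalog), and cn unique among the direct children of the target OU, which is what keeps the RDN and therefore the DN unique. The global catalog name, OU path and function name are assumptions.

```powershell
Import-Module ActiveDirectory

function Test-UserNameAvailability {
    # Checks the three uniqueness rules from the Name Attributes slide before an account is created.
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,    # unique in the domain, max 20 chars
        [Parameter(Mandatory=$true)][string]$UserPrincipalName, # unique in the forest
        [Parameter(Mandatory=$true)][string]$Cn,                # unique in the target OU
        [Parameter(Mandatory=$true)][string]$OuPath,
        [string]$GlobalCatalog = 'NYC-DC1.contoso.com:3268'    # assumed GC used for the forest-wide check
    )
    $problems = @()

    if ($SamAccountName.Length -gt 20) {
        $problems += "sAMAccountName '$SamAccountName' exceeds the 20-character SAM limit"
    }
    if (Get-ADUser -Filter { sAMAccountName -eq $SamAccountName }) {
        $problems += "sAMAccountName '$SamAccountName' already exists in the domain"
    }
    # UPNs must be unique across the forest, so query a global catalog rather than one domain
    if (Get-ADUser -Filter { userPrincipalName -eq $UserPrincipalName } -Server $GlobalCatalog) {
        $problems += "UPN '$UserPrincipalName' already exists in the forest"
    }
    # The cn only has to be unique among the OU's direct children (that is what makes the RDN unique).
    # Escape the LDAP filter metacharacters (RFC 4515 hex escapes); backslash must be handled first.
    $escapedCn = $Cn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    if (Get-ADObject -LDAPFilter "(cn=$escapedCn)" -SearchBase $OuPath -SearchScope OneLevel) {
        $problems += "cn '$Cn' already exists in $OuPath"
    }

    [pscustomobject]@{ Available = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed check for the "second Scott Mitchell" case in a flat Employees OU (assumed path)
Test-UserNameAvailability -SamAccountName 'Scott.Mitchell' `
    -UserPrincipalName 'Scott.Mitchell@contoso.com' -Cn 'Scott Mitchell' `
    -OuPath 'OU=Employees,OU=User Accounts,DC=contoso,DC=com'
```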


  • Account Attributes
    - Logon Hours
    - Log On To
    - User must change password at next logon
    - User cannot change password
    - Password never expires
    - Account is disabled
    - Store password by using reversible encryption
    - Smart card is required for interactive logon
    - Account is trusted for delegation
    - Account expires
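Added example, not from the course: several of the check boxes on this slide are bits of the user's userAccountControl attribute, so they can be audited across an OU from PowerShell. The report below decodes those bits, flags the options that weaken an account (no password required, reversible encryption, password never expires, trusted for delegation) for review, and uses Search-ADAccount for the lockout and expiry states. The OU path and function name are assumptions.

```powershell
Import-Module ActiveDirectory

# Account-tab options that are stored as bits of userAccountControl
# (bit values as documented by Microsoft for that attribute)
$UacFlags = @{
    ACCOUNTDISABLE             = 0x00002   # Account is disabled
    PASSWD_NOTREQD             = 0x00020   # no password required at all (not shown on the tab)
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x00080   # Store password by using reversible encryption
    DONT_EXPIRE_PASSWORD       = 0x10000   # Password never expires
    SMARTCARD_REQUIRED         = 0x40000   # Smart card is required for interactive logon
    TRUSTED_FOR_DELEGATION     = 0x80000   # Account is trusted for delegation
}
# Options that weaken an account and deserve a review; the others are informational
$WeakeningFlags = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED',
                  'DONT_EXPIRE_PASSWORD', 'TRUSTED_FOR_DELEGATION'

function Get-AccountOptionReport {
    param([string]$SearchBase = "OU=User Accounts,DC=contoso,DC=com")   # assumed OU

    Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties userAccountControl, AccountExpirationDate, PasswordLastSet |
    ForEach-Object {
        $uac  = [int]$_.userAccountControl
        $set  = @($UacFlags.Keys | Where-Object { ($uac -band $UacFlags[$_]) -ne 0 })
        $weak = @($set | Where-Object { $WeakeningFlags -contains $_ })
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            PasswordLastSet = $_.PasswordLastSet
            Expires         = $_.AccountExpirationDate   # "Account expires" is a separate attribute
            Options         = ($set -join ', ')
            NeedsReview     = ($weak.Count -gt 0)
        }
    }
}

# Accounts with at least one weakening option, for follow-up with the account owner
Get-AccountOptionReport | Where-Object { $_.NeedsReview } | Format-Table -AutoSize

# Locked-out and expired accounts are found more directly with Search-ADAccount
Search-ADAccount -LockedOut -UsersOnly | Select-Object SamAccountName, LockedOut, LastLogonDate
Search-ADAccount -AccountExpired -UsersOnly | Select-Object SamAccountName, AccountExpirationDate
```

Logon Hours and Log On To are not userAccountControl bits; they live in the logonHours and userWorkstations attributes and need their own check.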

  • User Account Management
    Account management involves the following tasks:
    - Renaming a user account
    - Resetting a user password
    - Unlocking a user account
    - Disabling or enabling a user account
    - Moving a user account
    - Deleting a user account

  • Lab A: Create and Administer User Accounts
    - Exercise 1: Create User Accounts
    - Exercise 2: Administer User Accounts
    Logon information
    Estimated time: 10 minutes

  • Lab Scenario
    You are the administrator of Contoso, Ltd, an online university for adult education. Two new employees have been hired: Chris Mayo and Amy Strande. You must create accounts for these users. After some time, Chris Mayo leaves the organization, and his account must be administered according to the company policy for user account life-cycle management.

  • Lab Review
    - In this lab, which attribute can be modified to prompt for the password when you are creating a user account with Windows PowerShell?
    - What happens when you create a user account that has a password that does not meet the requirements of the domain?

  • Lesson 2: Configure User Object Attributes
    - A Tour of User Attributes
    - View All Attributes
    - Modify Attributes of Multiple Users
    - Modify User Attributes by Using Windows PowerShell
    - Demonstration: Create a User Template
    - Create Users with Templates

  • A Tour of User Attributes
    In this demonstration, you will learn:
    - How to access the properties of a user
    - The role of each tab in the user Properties dialog box

  • View All Attributes
    The Attribute Editor tab: in Active Directory Users and Computers, click the View menu, and then select Advanced Features.

  • Modify Attributes of Multiple Users
    Procedure for modifying attributes:
    - Select multiple users (for example, by using CTRL+click)
    - Right-click any one of the selected users, and then click Properties
    Attributes that can be modified:
    - General: Description, Office, Telephone Number, Fax, Web page, E-mail
    - Account: UPN suffix, Logon hours, Computer restrictions (logon workstations), all Account options, Account expires
    - Address: Street, P.O. Box, City, State/province, ZIP/Postal Code, Country/region
    - Profile: Profile path, Logon script, Home folder
    - Organization: Job Title, Department, Company, Manager

  • Modify User Attributes by Using PowerShell
    Get-ADUser returns attributes of objects:
    Get-ADUser UserDN [-Properties attribute]
    - UserDN: distinguishedName of the user
    - attribute: Name of the attribute to return (or use * for all attributes)
    Set-ADUser modifies specified attributes:
    Set-ADUser UserDN [-parameter value]
    - UserDN: distinguishedName of the user
    - -parameter value: Attribute and value to be modified
    Example using both cmdlets together:
    Get-ADUser Tony.Krijnen | Set-ADUser -Office "Stockholm"

  • Demonstration: Create a User Template
    In this demonstration, you will learn:
    - What a template user account is, and why it is useful
    - How to create a template user account


  • Create Users with Templates
    - General tab: no properties are copied.
    - Address tab: P.O. box, city, state or province, ZIP or postal code, and country or region are copied. Note that the street address itself is not copied.
    - Account tab: logon hours, logon workstations, account options, and account expiration.
    - Profile tab: profile path, logon script, home drive, and home folder path.
    - Organization tab: department, company, and manager.
    - Member Of tab: group membership and primary group.

  • Lab B: Configure User Object Attributes
    - Exercise 1: Examine User Object Attributes
    - Exercise 2: Manage User Object Attributes
    - Exercise 3: Create Users from a Template
    Estimated time: 15 minutes
    Logon information

  • Lab Scenario
    You are the administrator of Contoso, Ltd, an online university for adult education. Changes in the Sales department require you to modify attributes of Sales users. Additionally, you decide to make it easier to create new accounts for sales people by preparing a user account template.

  • Lab Review
    - What are the options for modifying attributes of new and existing users?

  • Lesson 3: Automate User Account Creation
    - Export Users with CSVDE
    - Import Users with CSVDE
    - Import Users with LDIFDE
    - Import Users with Windows PowerShell

  • Export Users with CSVDE
    CSV (comma-separated value, or comma-delimited text) can be edited with simple text editors such as Notepad or Microsoft Office Excel.
    CSVDE.exe:
    csvde -f filename -d RootDN -p SearchScope -r Filter -l ListOfAttributes
    - RootDN: Start of export (default = domain)
    - SearchScope: Scope of export (Base, OneLevel, Subtree)
    - Filter: Filter within the scope (LDAP query language)
    - ListOfAttributes: Use the LDAP name


  • Import Users with CSVDE
    CSVDE.exe:
    csvde -i -f filename [-k]
    - -i: Import (the default mode is export)
    - -k: Continue past errors (such as Object Already Exists)
    - Cannot import passwords, so users are created as disabled
    - Cannot modify existing users


  • Import Users with LDIFDE
    LDAP Data Interchange Format (LDIF)
    LDIFDE.exe:
    ldifde [-i] [-f filename] [-k]
    - -i: Import (the default mode is export)
    - -k: Continue past errors (such as Object Already Exists)
    - Cannot import passwords, so users are created as disabled
    - Can modify or remove existing users


  • Import Users with Windows PowerShell
    Import-CSV and New-ADUser:

    Import-CSV Users.csv | foreach {
        New-ADUser -SamAccountName $_.SamAccountName -Name $_.Name `
            -Surname $_.Surname -GivenName $_.GivenName `
            -Path "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" `
            -AccountPassword (ConvertTo-SecureString -AsPlainText $_.SamAccountName -Force) `
            -Enabled $true
    }
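A hardened variant of the pipeline above, added here and not part of the course: the slide's one-liner uses each logon name as that user's initial password, which anyone who can read the CSV can guess. This version generates a random initial password per user that meets the default domain complexity rules, forces a change at first logon, and, like csvde -k, continues past a failing row while recording the outcome. The CSV rows are constructed inline; the OU path, UPN suffix and function names are assumptions.

```powershell
Import-Module ActiveDirectory

function New-InitialPassword {
    # Random password that satisfies the default domain policy: at least 7 characters
    # and three of the four character classes (all four are used here).
    param([int]$Length = 16)
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-_'
    $chars = @()
    foreach ($c in $classes) { $chars += $c[(Get-Random -Maximum $c.Length)] }   # one per class
    $all = -join $classes
    for ($i = $chars.Count; $i -lt $Length; $i++) { $chars += $all[(Get-Random -Maximum $all.Length)] }
    -join ($chars | Sort-Object { Get-Random })                                    # shuffle
}

function Import-UsersFromCsv {
    param(
        [Parameter(Mandatory=$true)][object[]]$Rows,   # objects with SamAccountName, Name, GivenName, Surname
        [Parameter(Mandatory=$true)][string]$Path,     # target OU distinguished name
        [string]$UpnSuffix = 'contoso.com'             # assumed UPN suffix
    )
    foreach ($row in $Rows) {
        $plain = New-InitialPassword
        try {
            New-ADUser -SamAccountName $row.SamAccountName -Name $row.Name `
                -GivenName $row.GivenName -Surname $row.Surname `
                -UserPrincipalName "$($row.SamAccountName)@$UpnSuffix" -Path $Path `
                -AccountPassword (ConvertTo-SecureString -AsPlainText $plain -Force) `
                -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop
            # The one-time password is shown once for an out-of-band hand-off to the user;
            # do not redirect this output to a shared file.
            [pscustomobject]@{ User = $row.SamAccountName; Result = 'Created'; InitialPassword = $plain }
        }
        catch {
            # Keep going, as csvde -k would, but record why this row failed (duplicate name, policy, ...)
            [pscustomobject]@{ User = $row.SamAccountName; Result = $_.Exception.Message; InitialPassword = $null }
        }
    }
}

# Constructed sample input in the same column layout the slide's Users.csv uses
$sampleCsv = @"
SamAccountName,Name,GivenName,Surname
Chris.Mayo,Chris Mayo,Chris,Mayo
Amy.Strande,Amy Strande,Amy,Strande
"@
$rows = $sampleCsv | ConvertFrom-Csv   # for a real file: Import-Csv Users.csv

Import-UsersFromCsv -Rows $rows -Path "OU=Employees,OU=User Accounts,DC=contoso,DC=com" |
    Format-Table -AutoSize
```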


  • Lab C: Automate User Account Creation
    - Exercise 1: Export and Import Users with CSVDE
    - Exercise 2: Import Users with LDIFDE
    - Exercise 3: Import Users by Using Windows PowerShell
    Estimated time: 10 minutes
    Logon information

  • Lab Scenario
    You are the administrator of Contoso, Ltd., an online university for adult education. You are hiring several new employees. The Human Resources department has provided you with extracts from their database, in both comma-delimited text format and in LDIF format. You want to import those data files to create user accounts for the new hires.

  • Lab Review
    - What scenarios lend themselves to importing users with CSVDE and LDIFDE?

  • Lesson 4: Create and Configure Managed Service Accounts
    - Challenges of Using Standard User Accounts for Services
    - What Is a Managed Service Account?
    - Configure and Administer Managed Service Accounts

  • Challenges of Using Standard User Accounts for Services
    Challenges to using standard user accounts for services include:
    - Extra administration effort to manage the service account password
    - Difficulty in determining where a domain-based account is used as a service account
    - Extra administration effort to manage the SPN

  • What Is a Managed Service Account?
    - Requires a Windows Server 2008 R2 server installed with:
      - .NET Framework 3.5.x
      - Active Directory module for Windows PowerShell
    - Recommended to run with AD DS configured at the Windows Server 2008 R2 functional level
    - Can be used in a Windows Server 2003 or 2008 AD DS environment:
      - With Windows Server 2008 R2 schema updates
      - With Active Directory Management Gateway Service
    - Used to automate password and SPN management for service accounts used by services and applications

  • Configure and Administer Managed Service Accounts
    - Create a managed service account:
      New-ADServiceAccount -Name <name> [-SamAccountName <name>] [-Path <OU path>]
    - Install a managed service account on the host server:
      Install-ADServiceAccount -Identity <name>
    - Associate the service account with the intended service
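The three steps above end to end, as an added example that is not from the course: create the MSA, bind it to the application host from the Lab D scenario (NYC-SVR1) so that only that computer can retrieve its password, install and verify it on that host, and finally the two cmdlets the Lab D review asks about. The account name is an assumption; the cmdlet syntax is the Windows Server 2008 R2 form the module covers.

```powershell
Import-Module ActiveDirectory

$msaName  = 'svc_app'     # assumed name; AD appends $ to form the SAM account name svc_app$
$hostName = 'NYC-SVR1'    # application host from the lab scenario

# Step 1 (on a DC or an admin workstation with the AD module): create the MSA.
# Windows Server 2008 R2 syntax; on Windows Server 2012 and later add -RestrictToSingleComputer
# to get a standalone MSA rather than a group MSA.
New-ADServiceAccount -Name $msaName -Enabled $true

# Bind the MSA to the single computer allowed to retrieve its password. Because the
# password is 240 characters, rotated automatically and retrievable only by this host,
# there is nothing for an administrator to know, share or forget.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# Step 2 (runs on NYC-SVR1 itself, which also needs the AD module): install the account
# in the local LSA and confirm the host can use it.
Invoke-Command -ComputerName $hostName -ArgumentList $msaName -ScriptBlock {
    param($name)
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $name
    Test-ADServiceAccount -Identity $name      # True when the host can retrieve the password
}

# Step 3: configure the service to log on as CONTOSO\svc_app$ with an empty password,
# either on the Log On tab in services.msc or with
#   sc.exe config <service name> obj= "CONTOSO\svc_app$" password= ""

# Lab D review, question 1: list every managed service account in the domain
Get-ADServiceAccount -Filter * | Select-Object Name, SamAccountName, HostComputers, Enabled

# Lab D review, question 2: reset an MSA password on demand (run on the host where it is installed)
#   Reset-ADServiceAccountPassword -Identity svc_app
```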

  • Lab D: Create and Administer Managed Service Accounts
    - Exercise: Create and Associate a Managed Service Account
    Estimated time: 10 minutes
    Logon information

  • Lab Scenario
    You are a network administrator for Contoso, Ltd. You have been asked to implement a managed service account for an application that will be installed on NYC-SVR1.

  • Lab Review
    - You need to obtain a list of all the managed service accounts in the domain. Which cmdlet would you use?
    - Which cmdlet can be used to reset the password of a managed service account?

  • Module Review and Takeaways
    - Review Questions
    - Windows Server 2008 R2 Features introduced in this module

    Presentation: 45 minutes, Lab: 45 minutes

    Module Goal
    Provide coverage of administrative tasks related to the creation and management of user objects and their account attributes. Early lessons cover fundamentals; later lessons cover automation. Lesson 1 focuses on the administration of user accounts in Active Directory: creation, configuration, and administration (for example, password resets). Lesson 2 expands the discussion to look at the other properties of a user object. Lesson 3 describes bulk import and export operations by using Comma Separated Value Directory Exchange (CSVDE) and Lightweight Directory Access Protocol Data Interchange Format Directory Exchange (LDIFDE).

    Objectives
    - Create and administer user accounts.
    - Configure the account-related properties of a user object.
    - Automate the creation of user accounts.
    - Create and administer managed service accounts.

    Preparation for Labs
    There are four labs that occur during the course of the module. The labs have dependencies between each other, so students should not shut down the single virtual machine required after each lab. If you wish to prepare for them now and save time taken for startup, you should ask students to start the virtual machines now. The virtual machine used in all labs is 6425C-NYC-DC1.

    Preparation for Demos
    To prepare for demos in this module, start the 6425C-NYC-DC1 virtual machine and log on to NYC-DC1. Log on as a standard user account (either the pre-created Pat.Coleman account or create an account for yourself) and run the Active Directory Users and Computers snap-in as an administrator (either the pre-created Pat.Coleman_Admin account or create an account for yourself that is a member of Domain Admins).

    Objective: Discuss the role and importance of user accounts.
    - Ask students to describe some of the tasks they or their colleagues perform on a day-to-day basis to support user accounts.
    - Ask students to estimate the percentage of help desk calls at a typical organization that are for password reset.
    - Ask students if any of them work in organizations where there are mass influxes or mass exoduses of users (for example, in educational institutions). How much work is it to manage user accounts during those intense periods of change?
    - Ask students if any of them are concerned about security and therefore about the integrity of user accounts.

    Objective: Introduce user accounts and clarify terminology.
    The terminology used in the beginning of the module is user account, because that is what most administrators call a user object. Later lessons refer to the user object to be more technically purist. There's technically no such thing as a user account; there's the user object, which has a subset of properties such as the security identifier (SID), logon names, password, and account flags, which make up what would be considered the account. For most audiences, it won't be necessary to elaborate on this technicality, but the information is in the student handbook in the event that there is any confusion. If a question is raised, you can explain that the terms account and object are used interchangeably by administrators when referring to users.

    References
    - Active Directory Users and Computers Help: Managing Users: http://go.microsoft.com/fwlink/?LinkId=168740
    - Create a New User Account: http://go.microsoft.com/fwlink/?LinkId=168741

    Objective: Windows PowerShell can be used to create users.
    Consider opening the Active Directory Module for Windows PowerShell and using the Get-Help New-ADUser command to display a list of parameters. Discuss the most important parameters.

    References
    - Creating a User with Windows PowerShell: http://go.microsoft.com/fwlink/?LinkID=214184

    Objective: Cover the basics of user account creation so that the New User UI is familiar.
    Students may be familiar with the process of creating and configuring user accounts. If they are, as you perform the demonstration, ask them to provide the next steps for creating user accounts and for configuring settings. The student handbook includes the procedure for creating a user account, including details about each attribute that appears in the New Object - User dialog box. These details are included to answer any questions students might have about what they are seeing in the interface. However, you should be careful not to go into too much detail about the specific attributes of a user object, or about any user administrative tasks other than creating the object. Later topics in this module cover everything students will want and need to know about user accounts. The steps below are identical to those in one of the exercises in this module, so you will be previewing the lab to the students.
    Logon and virtual machine information for demos is on SLIDE 2 for the entire module.
    Before performing this demonstration, open Windows Explorer and browse to D:\Labfiles\Lab03a. Run the Lab03a_Setup command with administrative credentials.
    Create a user account:
    1. Expand contoso.com and then expand the User Accounts OU.
    2. Right-click the Employees OU, point to New, and then click User.
    3. In First name, type the user's first name: Chris.
    4. In Last name, type the user's last name: Mayo.
    5. In User logon name, type the user's logon name: Chris.Mayo.
    6. In the User logon name (pre-Windows 2000) text box, enter the pre-Windows 2000 logon name: Chris.Mayo.
    7. Click Next.
    8. Type Pa$$w0rd in the Password and Confirm password boxes.
       Point out that the default password policy for an Active Directory domain requires a password of seven or more characters. Additionally, the password must contain three of four character types: uppercase (A-Z), lowercase (a-z), numeric (0-9), and non-alphanumeric (for example, !@#$%). The password cannot contain any of the user's name or logon name attributes. Optionally, attempt to create the user account with a password that does not meet the policy, so that students can see the error that appears. In a production environment, you should use a unique, strong password for each user account that you create.
    9. Ensure that User must change password at next logon is selected, and then click Next.
    10. Review the summary and click Finish.

    References
    - Active Directory Users and Computers Help: Managing Users: http://go.microsoft.com/fwlink/?LinkId=168742
    - Create a New User Account: http://go.microsoft.com/fwlink/?LinkId=168743

    Objective: Discuss the name attributes and the real-world challenges of managing name attributes.
    Discuss the name attributes listed on the slide, highlighting the role and uniqueness requirement for each name. Another module discussed common names (CNs), relative distinguished names (RDNs), and distinguished names (DNs). If you did not discuss those concepts, you will need to introduce them as you discuss the cn (common name). Each user must have a unique cn (within the OU), userPrincipalName (within the forest), and sAMAccountName (within the domain).
    Practical Advice
    - sAMAccountName: Ideally, a unique identifier such as an employee ID that is not tied to the user's actual name. That will reduce the possibility that there will be two users with the same name or a user who wishes to change his or her name. There is a 20-character limit (enforced by SAM). The attribute itself is 256 characters.
    - userPrincipalName: Ideally, the same as the user's email address, which must be unique to the forest (and to the whole world, for that matter).
    - cn: firstName lastName
    - displayName: lastName, firstName

    References
    - Object Names: http://go.microsoft.com/fwlink/?LinkId=168745

    Question: What do you do in your organization to ensure the uniqueness of name attributes, and what naming conventions do you use?
    Elicit suggestions from students who have experience in production Active Directory environments.


    Time and audience permitting, this slide can open up a discussion of some very important and real considerations. Discuss the following challenges and proposed solutions, and find out what your students' organizations are doing, if anything, to meet the challenges.

    REAL WORLD DISCUSSION: sAMAccountName and the "two Scott Mitchells" problem
    Many organizations use initials or some combination of first and last name to generate the sAMAccountName. That approach can be problematic, because any good-sized organization is likely to have users with names similar enough that the rules for generating the sAMAccountName would generate a duplicate name, so exceptions have to be built into the system; eventually, the rules will be riddled with exceptions. This problem is solved if the employee number or some other unique attribute of the users is used for the sAMAccountName. If you have the ability to direct the naming conventions at your organization, a unique, name-independent logon name is recommended.

    REAL WORLD DISCUSSION: sAMAccountName, %username%, and user name changes
    Many organizations are learning the hard way that using names or initials for the sAMAccountName can be problematic, because if a user changes his or her name, every configuration that refers to %username% must be modified: for example, roaming profile folders, redirected folders, and anything that was configured with the %username% based on the user's former name. Name changes happen for several reasons, including marriage. Many organizations simply require that users retain their old user name after marriage. That is less problematic than the reverse scenario, in which a relationship ends because of divorce or even abuse. In such situations, users cannot be expected to retain their old user name and, in fact, have gone to court in some scenarios to break the ties to their old name. Therefore, we recommend that you use a unique and independent sAMAccountName that is not directly tied to a user's name, for example, an employee ID.
    One concern that organizations have with using random sAMAccountNames is that users will forget their logon names. Not to worry! Users shouldn't be logging on by using their pre-Windows 2000 logon name anyway! The User Principal Name (UPN) can be used as a logon name instead.

    REAL WORLD DISCUSSION: userPrincipalName (UPN)
    The UPN must be unique in the forest. Email addresses, which must be unique for the whole world, certainly meet that requirement. Consider using e-mail addresses as UPNs. Users are highly unlikely to forget them.

    REAL WORLD DISCUSSION: Unicode
    Discuss the pros and cons of Unicode in these attributes, based on the relevance of Unicode to your locale.

    Time and audience permitting, this slide can open up a discussion of some very important and real considerations. Discuss the following challenges and proposed solutions, and find out what your students' organizations are doing, if anything, to meet the challenges.

    REAL WORLD DISCUSSION: cn (common name) and the "two Scott Mitchells" problem
    The CN must be unique in the OU in order for the RDN to be unique, and therefore, for the DN to be unique. This becomes problematic when you have two Scott Mitchells. If you have a single, flat OU for users that already contains a user named Scott Mitchell, and you hire a second Scott Mitchell, his user object cannot have the same common name as the first. Unfortunately, there's no perfect answer to this problem for all organizations. Design a naming standard that applies a single rule for all CNs. Perhaps the CN should include an employee's number, for example, Scott Mitchell (645928). If your OU structure for user accounts is flat, or if your organization is large, be prepared to address this challenge.

    REAL WORLD DISCUSSION: cn (common name) and the "FirstName LastName" versus "LastName, FirstName" problem
    Additionally, many organizations choose to configure the cn attribute as LastName, FirstName because, by doing so, they can sort users by last name in the Active Directory Users and Computers snap-in. This is not a recommended method to achieve the goal. Instead of using a last-name-first format for cn, the cn should be FirstName LastName. Add the Last Name column to your view in the Active Directory Users and Computers snap-in by clicking the View menu and choosing Add/Remove Columns. Then click the Last Name column header to sort by last name.
    [Note: The detail in this paragraph may be too much to cover in class.] Demonstrate creating a user with the Full Name configured as LastName, FirstName. With Advanced Features selected in the View menu, open the Properties of that user and click the Attribute Editor tab. Locate the distinguishedName attribute. Point out that the CN becomes LastName\, FirstName. The backslash is used to "escape" the comma character, because the comma is a reserved character in a DN and is used to delimit the components of the CN.
    It is perfectly reasonable to configure the displayName attribute as LastName, FirstName. This solves a related problem: finding users in the Exchange global address list (GAL). Unfortunately, when you create a user account, the Full Name field in the New Object - User dialog box is used to populate both the cn and the displayName attributes. So you should enter FirstName LastName for Full Name when creating the object. Then, after the object has been created, you can use the Rename command, the Attribute Editor, or some other procedure to change the displayName attribute to LastName, FirstName.
    ADVANCED TIP: You can change the format used to create the displayName by using ADSIEdit to change the value of the createDialog attribute of the following object in the Configuration partition: CN=user-Display,CN=409,cn=DisplaySpecifiers. The attribute can use the following tokens: %, %, and %. So %, % would set the default format to LastName, FirstName. For more details, see http://go.microsoft.com/fwlink/?LinkID=214192.

    Objective: Discuss important account attributes.
    Point out the obvious options:
    - User must change password at next logon
    - User cannot change password
    - Password never expires
    - Account is disabled
    Then discuss these options, which are commonly used and likely to appear in examinations:
    - Logon Hours
    - Log On To
    - Account expires
    Remaining options can be discussed if time permits, or users can read about them on their own. Optionally, mention that some of these properties are stored in a single attribute called UserAccountControl.

    References
    - http://go.microsoft.com/fwlink/?LinkID=214193
    - User Properties - Account Tab: http://go.microsoft.com/fwlink/?LinkId=168746

    Objective: Identify account management tasks.
    Consider demonstrating each of these tasks by using Active Directory Users and Computers, the Active Directory Administrative Center, and the Active Directory Module for Windows PowerShell. Use examples from the workbook so that students can follow along.
    Questions: Discuss these questions:
    1. What are the security implications of administrators having the right to reset user passwords?
       - Access to resources to which the user has permission
       - Ability to "impersonate" a user and perform tasks that the administrator should not be performing, without accurate auditing of who actually did it
       - Denial of service: an administrator accidentally or intentionally resets a user's password and the user cannot authenticate
    2. Who should be able to reset the password for standard users? For accounts with administrative privileges? For service accounts?
       Guide students to an understanding that, typically, there is a tiered management of accounts whereby the help desk can change user passwords, but not administrator passwords; the admins who can change admin and service account passwords are a small, well-trained group.
    3. What business practices for password reset are in place at your organization?
       Elicit as much diverse experience as possible. Are there organizations in which password reset has been removed as an administrative task, and is instead supported by a password reset Web application?
    4. Other than forgotten passwords, have you experienced other scenarios that lead to account lockout?
       You can initiate the conversation by discussing a common cause of account lockout: drives mapped with alternate credentials. When the password for the alternate credentials changes or is expired, the mapped drive may attempt repeatedly to connect, leading to an account lockout.

    In this lab, students will create and administer user accounts. The goal of the lab is to provide a comprehensive experience with both user-interface and command-line tools for creating and administering Active Directory user accounts.
    Scenario
    You are the administrator of Contoso, Ltd., an online university for adult education. Two new employees have been hired: Chris Mayo and Amy Strande. You must create accounts for these users. After some time, Chris Mayo leaves the organization, and his account must be administered according to the company policy for user account life-cycle management.
    Exercise 1
    In this exercise, students will create user accounts with both the Active Directory Users and Computers snap-in and Windows PowerShell.
    Exercise 2
    In this exercise, students will perform common tasks that support user accounts through their life cycle in Active Directory.
    Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting and will help to facilitate the lab discussion at the end of the module. Remind the students to complete the discussion questions after the last lab exercise.

    NOTE: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in Lab B.

    Lab Review
    Use the questions on the slide to guide the discussion after students have completed the lab exercises.
    Question: In this lab, which attribute can be modified to prompt for the password when you are creating a user account with Windows PowerShell?
    Answer: -AccountPassword (Read-Host -AsSecureString "AccountPassword")
    Question: What happens when you create a user account that has a password that does not meet the requirements of the domain?
    Answer: The account is created, but it is disabled. It cannot be enabled until a password that meets the requirements of the domain is configured.

    Objective: Give a tour of user object attributes.
    If it is not already started, start the 6425C-NYC-DC1 virtual machine and log on to NYC-DC1. Log on as user Pat.Coleman, with the password Pa$$w0rd. Run the Active Directory Users and Computers snap-in as an administrator (use the Pat.Coleman_Admin account with the password Pa$$w0rd). Open the properties of a user account (use the Jeff Ford account in the Employees OU) and step through a quick tour of user attributes. The goals of the tour are:
    - Illustrate the diversity of attributes
    - Emphasize the importance of configuring attributes after creating a user
    - Highlight particularly interesting attributes
    There is another topic that goes into detail about the user name attributes and the attributes on the Account tab, so you should not give those attributes more than passing mention during the tour.
    Organize the tour by the categories of attributes listed in the student handbook:
    - Account attributes: The Account tab
    - Personal information: The General, Address, Telephones, and Organization tabs
    - User configuration management: The Profile tab
    - Group membership: The Member Of tab
    - Terminal services: The Terminal Services Profile, Environment, Remote Control, and Sessions tabs
    - Remote access: The Dial-in tab
    - Applications: The COM+ tab (We recommend that you skip this tab as it is well beyond the scope of this course.)

Objective: The Attribute Editor provides visibility to useful attributes that do not appear on other tabs of a user's Properties dialog box.

The Attribute Editor was covered in another module. If you have already discussed, demonstrated, or performed labs with the Attribute Editor, simply remind students that it is available if Advanced Features are enabled. If you have not yet covered the Attribute Editor, spend time showing students that the tab appears only when Advanced Features is enabled in the Active Directory Users and Computers View menu.

Using the illustration on the slide, or continuing the demonstration from the previous slide, emphasize that there are a number of attributes for an object that are not presented in the Properties dialog box. These hidden attributes include some very useful ones, such as employeeID, employeeNumber, employeeType, division, assistant, and carLicense.

Question: Are you using any of the hidden attributes in your organization? If so, how do you interact with those attributes (read them and modify them)?

Elicit discussion and input from students whose organizations use these hidden attributes. It is possible that no student works at such an organization. In that case, open the Attribute Editor tab of a user object and scroll through the attributes. Ask students if they see any attributes that could provide value to them in their organization.

Objective: You can multi-select users and change a subset of properties.

If possible, demonstrate the steps: Select multiple users and open the Properties dialog box.
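The following is an added example, not part of the course materials, that does from Windows PowerShell what the multi-select edit and the Attribute Editor do in the snap-in: it sets attributes on every user in a department at once, including one (employeeType) that has no dedicated Set-ADUser parameter. The OU path, the department value and the attribute values are constructed for this example; the Active Directory module is assumed to be available.

```powershell
# Added example (not from the course materials): bulk-edit user attributes,
# including "hidden" ones that the Properties dialog box does not expose.
# Assumptions: the OU, the department filter and the values are constructed.
Import-Module ActiveDirectory

$ou = "OU=Employees,DC=contoso,DC=com"   # constructed sample OU

# Select the users server-side; -Properties is needed because Get-ADUser
# returns only a small default set of attributes.
$salesUsers = Get-ADUser -Filter 'department -eq "Sales"' -SearchBase $ou `
                         -Properties division, employeeType

foreach ($user in $salesUsers) {
    # division has a parameter of its own; employeeType does not, so it is
    # addressed by LDAP display name through -Replace (use -Clear to remove it).
    Set-ADUser -Identity $user -Division "Online Sales" `
               -Replace @{ employeeType = "FTE" }
}

# Read the attributes back to confirm the change landed on every account.
Get-ADUser -Filter 'department -eq "Sales"' -SearchBase $ou `
           -Properties division, employeeType |
    Select-Object SamAccountName, division, employeeType
```

Append -WhatIf to the Set-ADUser call for a dry run that lists the accounts that would be changed without touching them; this is the PowerShell equivalent of reviewing the multi-select list before clicking OK.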

Objective: Use Windows PowerShell to work with user attributes.

References
Setting a User's Profile Attributes: http://go.microsoft.com/fwlink/?LinkID=214185
Modifying an Attribute for Several Users at Once: http://go.microsoft.com/fwlink/?LinkID=214186

Objective: Create and use a user account template.

In this demonstration, you will walk students through the creation and use of template user accounts. Begin by describing the concept of templates; ensure students understand why they are helpful and how they are used.

1. Right-click the Employees OU, point to New, and then click User.
2. Leave the First name and Last name boxes empty. In the Full name box, type _Sales User.
   Point out to students that the underscore prefix will put the template at the top of the user list in the OU, making it easier to find.
3. In User logon name, type Template.Sales.
4. In the User logon name (pre-Windows 2000) text box, enter the pre-Windows 2000 logon name: Template.Sales. Click Next.
5. Type Pa$$w0rd in the Password and Confirm password boxes.
6. Ensure that User must change password at next logon is selected. Select Account is disabled. Click Next.
7. Review the summary and click Finish.
8. Right-click _Sales User, and then click Properties.
9. Click the Member Of tab. Click Add. Type Sales and click OK. The Multiple Names Found dialog box appears. Select Sales and click OK.
10. Click the Organization tab. In Department, type Sales. In Company, type Contoso, Ltd.
11. Click the Change button in the Manager section. Type Anibal Sousa and click OK.
12. Click the Account tab. In the Account Expires section, click End Of, and then select the last day of the current year. Click OK.

Now demonstrate creating a user from the template:
1. Right-click _Sales User, and then click Copy.
2. In First name, type Amy. In Last name, type Strande.
3. In User logon name, type Amy.Strande. Confirm that the User logon name (pre-Windows 2000) is also Amy.Strande, and click Next.
4. In Password and Confirm password, type Pa$$w0rd.
5. Clear Account is disabled.
6. Click Next, review the summary, and then click Finish.
7. Open the object and show the configured attributes.

Reference
Copy a User Account: http://go.microsoft.com/fwlink/?LinkId=168751

Objective: Copying a template copies only a subset of attributes. Some very useful attributes are not copied.

Draw attention to the similarities that the user accounts of people working in similar parts of an organization might have: group memberships or department attributes, for example. Emphasize that not all attributes are copied. In fact, most are not copied. Even some attributes that you would think would be copied, such as office, are not copied. So it is important that you know which attributes are and are not copied. It is not helpful to configure attributes that won't be copied.

Many administrators consider the list of copied attributes to be somewhat limited. For example, you might want the job title and street address attributes to be copied.

Advanced Tip: You can modify which attributes are copied to a new user. To do this, open the Active Directory Schema snap-in, view the desired attribute properties, and select (or clear) the Attribute is copied when duplicating user check box. You can modify or add only the attributes that are instances of the user class. See Knowledge Base article 827832 at http://go.microsoft.com/fwlink/?LinkID=214194 for instructions.

You will be well served to use more advanced methods for automating the creation of user accounts, including DS commands, Windows PowerShell, VBScript, CSVDE, and LDIFDE.

Question: Discuss this question, which also appears in the student handbook. What other methods do you use to create new user accounts with common attributes?

Do students use scripts or automation to provision users? Increasing numbers of organizations have automated tools to provision users in Active Directory based on changes made in a human resources database. Microsoft Identity Lifecycle Manager (ILM) 2007 is one example of such metadirectory tools.
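Rather than trusting memory about which attributes a template copy carries over, you can read the answer from the schema. The following added example (not part of the course materials) lists every attribute whose "Attribute is copied when duplicating user" flag is set, then reports the state of the attributes the notes mention. It assumes, from my knowledge of the schema rather than from the course, that the check box is stored as bit 0x10 (16) of the searchFlags attribute of each attributeSchema object; the LDAP matching rule 1.2.840.113556.1.4.803 performs the bitwise AND.

```powershell
# Added example (not from the course materials): which attributes does
# "Copy" on a user object actually duplicate? Read the schema instead of
# guessing. Assumption: the copy flag is bit 0x10 (16) of searchFlags.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Extensible match 1.2.840.113556.1.4.803 = bitwise AND; the schema partition
# is readable by any authenticated user, so no special rights are needed.
$copied = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=16))" `
    -Properties lDAPDisplayName, searchFlags |
    Sort-Object lDAPDisplayName

"Attributes copied when duplicating a user:"
$copied | Select-Object lDAPDisplayName, searchFlags

# Spot-check the attributes discussed in the notes. physicalDeliveryOfficeName
# is the LDAP name behind the Office box; streetAddress and title are the two
# the notes say administrators wish were copied.
$copiedNames = $copied | Select-Object -ExpandProperty lDAPDisplayName
foreach ($attr in "department", "company", "manager",
                  "physicalDeliveryOfficeName", "title", "streetAddress") {
    $state = if ($copiedNames -contains $attr) { "copied" } else { "NOT copied" }
    "{0,-28} {1}" -f $attr, $state
}
```

Run this before building a template: anything that reports "NOT copied" has to be set on each new account separately (or via the schema change the Advanced Tip describes), so configuring it on the template is wasted effort.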

In this lab, students will use command-line and user-interface tools to configure the attributes of one or more user objects. They will also create a user account template and copy it as the basis for a new user account.

Scenario
You are the administrator of Contoso, Ltd, an online university for adult education. Changes in the Sales department require you to modify attributes of Sales users. Additionally, you decide to make it easier to create new accounts for sales people by preparing a user account template.

Exercise 1
In this exercise, students will examine the attributes of a user object.

Exercise 2
In this exercise, students will manage the attributes of user objects.

Exercise 3
In this exercise, students will create a user account template and then generate a new user account based on that template.

Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting and will help to facilitate the lab discussion at the end of the module. Remind the students to complete the discussion questions after the last lab exercise.

NOTE: Do not shut down the virtual machines after you finish this lab, because the settings you have configured here will be used in Lab C.

Lab Review
Use the question on the slide to guide the discussion after students have completed the lab exercises.

Question: What are the options for modifying the attributes of new and existing users?
Answer: Multiselecting users and opening the Properties dialog box, using the DSMod command, and creating a user account based on a user account template.

It is also worth pointing out to students that user account templates, while an interesting concept, are not regularly utilized in the real world. This is because they don't support many attributes that administrators would want to copy to a new account, and an administrator must still configure a number of properties during and after creating a new user based on the template. Scripting is a far more powerful way to provision user accounts. Even commands such as CSVDE and LDIFDE, covered in the next lesson, can offer more value than user account templates.

Objective: You can export data from Active Directory by using CSVDE.

Comma Separated Value Directory Exchange (CSVDE) uses a comma-separated value (CSV) file as input to make changes to the directory. CSV files are written in text format and can be edited by using any text editor. For best viewing and editing of CSV files, use Microsoft Office Excel.

Mention that one of the best ways to view the format for the CSVDE file is to export data from AD DS by using CSVDE. Because of the large amount of data that is exported with these commands, suggest that students start by exporting an OU with only a few users (using the -d switch). They should also learn the command switch for specifying the columns to export (the -l switch).

It is not expected that you go into any depth about the LDAP query language or the LDAP attribute names. You can tell students they will see examples in the lab for this lesson.

References
CSVDE: http://go.microsoft.com/fwlink/?LinkId=99440
LDAP Query Syntax: http://go.microsoft.com/fwlink/?LinkID=214187

Objective: CSVDE allows you to import users from a CSV file.

Point out that the default mode for CSVDE is export, and that you must specify -i to perform an import.

Also mention that CSVDE cannot import passwords, and therefore accounts are created in a disabled state if there is any password policy in effect, and that CSVDE cannot modify existing users. In fact, CSVDE will generate an error and stop processing the .csv file if it encounters an object that already exists. The -k switch instructs the CSVDE command to skip the line that generated an error and continue to the next line.

References
CSVDE: http://go.microsoft.com/fwlink/?LinkId=99440
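The export-then-import workflow from the previous two slides, as an added example that is not part of the course materials: export a small OU with the -d and -l switches to learn the column layout, write a constructed import file in that layout, check it for sAMAccountNames that already exist (the case in which CSVDE stops), and only then import with -i. The OU, UPN suffix and sample rows are constructed; csvde.exe is assumed to be on the path, as it is on a domain controller.

```powershell
# Added example (not from the course materials): CSVDE export, pre-flight
# check, import. Assumptions: constructed OU, suffix and rows; csvde.exe on path.
Import-Module ActiveDirectory

$ou = "OU=Employees,DC=contoso,DC=com"   # constructed sample OU

# 1. Export user objects from one OU only (-d, -p subtree, -r filter) and only
#    the columns of interest (-l), so the file stays small enough to read.
csvde -f .\employees-export.csv -d $ou -p subtree -r "(objectClass=user)" `
      -l "objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName,department"

# 2. A constructed import file in the same layout. DN must be the first
#    column and is quoted because it contains commas. There is no password
#    column: CSVDE cannot import passwords, so with a password policy in
#    effect these accounts are created disabled.
@"
DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName,department
"CN=Test User1,$ou",user,Test.User1,Test.User1@contoso.com,Test,User1,Test User1,Sales
"CN=Test User2,$ou",user,Test.User2,Test.User2@contoso.com,Test,User2,Test User2,Sales
"@ | Set-Content -Path .\newusers.csv -Encoding ASCII

# 3. Pre-flight: CSVDE cannot modify existing users and aborts on the first
#    one it meets. Find such rows before importing.
$rows = Import-Csv .\newusers.csv
$conflicts = $rows | Where-Object {
    Get-ADUser -LDAPFilter "(sAMAccountName=$($_.sAMAccountName))"
}

if ($conflicts) {
    "These accounts already exist; CSVDE would stop at the first one:"
    $conflicts | Select-Object sAMAccountName, DN
} else {
    # 4. Import (-i). -k continues past rows that error instead of aborting;
    #    -j writes csv.log and csv.err to the given folder for review.
    csvde -i -f .\newusers.csv -k -j .
}
```

After the import, the accounts show up disabled in the snap-in until a password meeting the domain policy is set, which is exactly the behaviour the slide asks you to point out.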

Objective: You can use LDIFDE to import users into Active Directory.

CSVDE and LDIFDE are the two tools you can use to import or export data from Active Directory. LDAP Data Interchange Format Directory Exchange (LDIFDE) uses an LDAP Data Interchange Format (LDIF) file as input to make changes to the directory. LDIF files are written in text format, and you can edit them by using any text editor.

Mention that one of the best ways to view the format for the LDIFDE file is to export data from Active Directory Domain Services (AD DS) by using LDIFDE. Because of the large amount of data that is exported with these commands, suggest that students start by exporting an OU with only a few users. Consider showing students a sample LDF file in Notepad, and stepping students through the syntax. A sample file is in D:\Labfiles\Lab03c\NewUsers.ldf.

References
LDIFDE: http://go.microsoft.com/fwlink/?LinkId=99439
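To step through LDIF syntax without depending on the lab file, here is an added example (not part of the course materials, and not the content of NewUsers.ldf) that builds a two-record LDF file and imports it. It shows the one thing LDIF can do that CSV cannot: a changetype: modify record that alters an existing user. The OU, account names and attribute values are constructed; ldifde.exe is assumed to be available.

```powershell
# Added example (not from the course materials): write an LDIF file with an
# add record and a modify record, import it, verify. Assumptions: constructed
# OU and names; ldifde.exe on the path.
Import-Module ActiveDirectory

$ou = "OU=Employees,DC=contoso,DC=com"   # constructed sample OU

# Records are separated by a blank line. An add record lists the attributes
# of the new object. A modify record names each operation (replace / add /
# delete), lists the values, and closes every operation with a lone "-".
@"
dn: CN=Test User3,$ou
changetype: add
objectClass: user
sAMAccountName: Test.User3
userPrincipalName: Test.User3@contoso.com
givenName: Test
sn: User3
displayName: Test User3
department: Sales

dn: CN=Test User1,$ou
changetype: modify
replace: department
department: Marketing
-
add: description
description: Transferred from Sales
-

"@ | Set-Content -Path .\changes.ldf -Encoding ASCII

# -i import, -f file, -k continue past errors such as "already exists",
# -j folder for ldif.log and ldif.err.
ldifde -i -f .\changes.ldf -k -j .

# Verify that the modify record was applied to the existing account.
Get-ADUser -LDAPFilter "(sAMAccountName=Test.User1)" -Properties department, description |
    Select-Object Name, department, description
```

Like CSVDE, LDIFDE cannot set a cleartext password, so Test.User3 is created disabled when a password policy is in effect; the modify record, by contrast, succeeds only if CN=Test User1 already exists.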

Objective: You can use Windows PowerShell to import users into Active Directory.

You can use the following two cmdlets to import objects into Active Directory:
- Import-CSV
- New-ADUser
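An added example (not part of the course materials) of the Import-CSV and New-ADUser pairing, which also answers the earlier lab-review point about passwords: unlike CSVDE and LDIFDE, PowerShell can set the password at creation, so the account can be enabled immediately. Passwords are kept out of the CSV; each account gets a generated initial password and must change it at first logon. The CSV columns, OU and UPN suffix are constructed for this example, and the input is embedded as a string where a real run would read a file.

```powershell
# Added example (not from the course materials): bulk user creation from CSV
# with New-ADUser. Assumptions: constructed columns, OU and UPN suffix.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web    # provides Membership.GeneratePassword

$ou        = "OU=Employees,DC=contoso,DC=com"
$upnSuffix = "contoso.com"

# Constructed input; with a real file use: $rows = Import-Csv .\newusers.csv
$rows = @"
GivenName,Surname,SamAccountName,Department,Title
Amy,Strande,Amy.Strande,Sales,Account Manager
Jeff,Ford,Jeff.Ford,Sales,Sales Associate
"@ | ConvertFrom-Csv

$results = foreach ($row in $rows) {
    # 14 characters with at least 3 non-alphanumerics satisfies the default
    # domain complexity policy.
    $initial = [System.Web.Security.Membership]::GeneratePassword(14, 3)
    $secure  = ConvertTo-SecureString $initial -AsPlainText -Force
    $status  = "created"
    try {
        New-ADUser -Name "$($row.GivenName) $($row.Surname)" `
            -GivenName $row.GivenName -Surname $row.Surname `
            -SamAccountName $row.SamAccountName `
            -UserPrincipalName "$($row.SamAccountName)@$upnSuffix" `
            -Department $row.Department -Title $row.Title `
            -Path $ou `
            -AccountPassword $secure -ChangePasswordAtLogon $true `
            -Enabled $true -ErrorAction Stop
    } catch {
        # Typical causes: the name already exists, or the domain rejected the
        # password (the account is then created but left disabled).
        $status = "failed: $($_.Exception.Message)"
    }
    # Check the real state rather than trusting the absence of an error.
    $enabled = Get-ADUser -LDAPFilter "(sAMAccountName=$($row.SamAccountName))" |
               ForEach-Object { $_.Enabled }
    New-Object PSObject -Property @{
        SamAccountName  = $row.SamAccountName
        Status          = $status
        Enabled         = $enabled
        InitialPassword = $initial   # hand over out of band, then discard
    }
}

$results | Format-Table SamAccountName, Status, Enabled -AutoSize
```

The Enabled column is the check students should learn to make: an account that reports $false after this script ran had its password rejected, which is the same disabled-account outcome the lab review describes for a non-compliant password.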

In this lab, students will use the CSVDE and LDIFDE commands to import users into Active Directory.

Exercise 1
In this exercise, students will use the CSVDE command to export user attributes and to create new user accounts from a comma-delimited text file.

Exercise 2
In this exercise, students will use LDIFDE to import two users.

Exercise 3
In this exercise, students will use Windows PowerShell to import users.

Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting and will help to facilitate the lab discussion at the end of the module. Remind the students to complete the discussion questions after the last lab exercise.

Lab Review
Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: What scenarios lend themselves to importing users with CSVDE and LDIFDE?
Answer: If you are importing a large quantity of users, CSVDE and LDIFDE add significant value. Also, CSVDE and LDIFDE give you the ability to configure most user attributes, unlike templates, which support a very limited number of attributes.

Elicit students' thoughts as to which scenarios lend themselves to importing versus creating accounts manually in ADUC, using scripting, or with user account templates. Certainly, if you are importing a large number of users, CSVDE or LDIFDE add significant value. Propose the scenario of a university that must create accounts for 2,000 new students each semester.

Objective: Identify challenges to using standard user accounts as service accounts.

Discuss the following with the students:
- What types of applications do they use that have service accounts?
- How do they manage service accounts? (Relate this to password management, changes to the server\account name, and so on.)
- What challenges have they encountered with service accounts?

Reference
What's New in Service Accounts in Windows Server 2008 and Windows 7: http://go.microsoft.com/fwlink/?LinkID=214189

Describe the concept of managed service accounts.

You may want to mention that Windows 7 also supports managed service accounts, and a similar type of account called a virtual account, which is basically a managed local account on the computer that can be used to access a domain environment and does not require password management.

Also point out that even though AD DS based upon Windows Server 2003 and Windows Server 2008 both support managed service accounts, you can only use managed service accounts on servers that run Windows Server 2008 R2, or on Windows 7-based computers.

Reference
Managed Service Accounts: http://go.microsoft.com/fwlink/?LinkID=214190

Objective: Use PowerShell to configure and administer a managed service account.

Introduce each of these three tasks. You may want to consider demonstrating this process as you introduce the commands. As an example, you can use any existing service to associate the account.

Reference
PowerShell Commands for Managed Service Accounts: http://go.microsoft.com/fwlink/?LinkID=214191

In this lab, students will use Windows PowerShell to create and associate a managed service account.

Exercise
In this exercise, students will create a managed service account, associate it with NYC-SVR1, and then assign the service account to a service located on NYC-SVR1.
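The three tasks in order, plus the verification and password-reset cmdlets from the lab review, as an added example that is not part of the course materials. NYC-SVR1 is the server named in the lab; the account name sa_webapp, the service name MyAppService and the domain NetBIOS name CONTOSO are constructed placeholders. The first part runs where the Active Directory module is loaded with rights in the domain; the second must run on the member server itself, because Install-ADServiceAccount and Reset-ADServiceAccountPassword act on that host's local store.

```powershell
# Added example (not from the course materials): managed service account
# lifecycle. Assumptions: sa_webapp, MyAppService and CONTOSO are constructed.
Import-Module ActiveDirectory

$msa    = "sa_webapp"      # constructed MSA name
$server = "NYC-SVR1"       # server named in the lab
$svc    = "MyAppService"   # constructed service name

# --- Task 1 and 2, on the administrative workstation ---
# Create the account. AD DS generates and rotates its password; no human
# ever knows or types it, which is the whole point versus a normal user.
New-ADServiceAccount -Name $msa -Enabled $true

# Bind it to the single computer allowed to use it (2008 R2 MSAs are
# one-host accounts). This writes the host link on both objects.
Add-ADComputerServiceAccount -Identity $server -ServiceAccount $msa

# Verify the binding before touching the server.
Get-ADServiceAccount -Identity $msa -Properties HostComputers |
    Select-Object Name, Enabled, HostComputers

# --- Task 3, run elevated on NYC-SVR1 ---
# Install the MSA into the local LSA so services on this host can use it,
# then confirm the host can actually authenticate with it.
Install-ADServiceAccount -Identity $msa
Test-ADServiceAccount -Identity $msa          # returns $true when usable

# Assign it to the service: logon name is DOMAIN\name$ with an empty
# password, which tells the service control manager to use the MSA.
sc.exe config $svc obj= "CONTOSO\$msa`$" password= ""
Restart-Service -Name $svc

# Routine operations covered in the lab review:
Get-ADServiceAccount -Filter *                    # inventory all MSAs
Reset-ADServiceAccountPassword -Identity $msa     # force rotation now
```

A service that fails to start after the sc.exe step almost always means Install-ADServiceAccount was skipped or run on a different host; Test-ADServiceAccount returning $false on the server is the quickest way to confirm that.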

Lab Review
Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: You need to obtain a list of all the managed service accounts in the domain. Which command would you use?
Answer: The Get-ADServiceAccount cmdlet would be used to obtain a list of managed service accounts in the domain.

Question: Which cmdlet can be used to reset the password of a managed service account?
Answer: The Reset-ADServiceAccountPassword cmdlet would be used to reset a password of a specific managed service account.

Review Questions and Answers

Question: Which administration tool should you use to create and manage user accounts within your organization?
Answer: Answers will vary; however, options include Active Directory Users and Computers, Active Directory Administrative Center, or the Active Directory Module for Windows PowerShell.

Question: Which user account attributes will be important to use within your network environment?
Answer: Answers will vary, but should be based upon attributes listed in the user account properties.

Windows Server 2008 R2 Features Introduced in this Module
