Module 4: Implementing User, Group, and Computer Accounts

Uploaded by crystal-mathews, posted 18-Dec-2015

TRANSCRIPT

Page 1: Module 4: Implementing User, Group, and Computer Accounts

Page 2

Overview

Introduction to Accounts

Creating and Managing Multiple Accounts

Implementing User Principal Name Suffixes

Moving Objects in Active Directory

Planning a User, Group, and Computer Account Strategy

Planning an Active Directory Audit Strategy

Page 3

Lesson: Introduction to Accounts

Types of Accounts

Types of Groups

What Are Domain Local Groups?

What Are Global Groups?

What Are Universal Groups?

Page 4

Types of Accounts

User accounts

Enables a single sign-on for a user

Provides access to resources

Computer accounts

Enables authentication and auditing of computer access to resources

Group accounts

Helps simplify administration

Page 5

Types of Groups

Distribution groups

Used only with e-mail applications

Not security-enabled

Security groups

Used to assign rights and permissions to groups of users and computers

Used most effectively when nested

The functional level determines the type of groups that you can create

Page 6

What Are Domain Local Groups?

A security or distribution group that can contain:

Universal groups, global groups, and other domain local groups from its own domain

Accounts from any domain in the forest

Page 7

What Are Global Groups?

A security or distribution group that can contain users, groups, and computers as members from its own domain

Page 8

What Are Universal Groups?

A security or distribution group that can contain users, groups, and computers as members from any domain in its forest

Page 9

Lesson: Creating and Managing Multiple Accounts

Tools for Creating and Managing Multiple Accounts

How to Create Accounts Using the Csvde Tool

How to Create and Manage Accounts Using the Ldifde Tool

How to Create and Manage Accounts Using Windows Script Host

Page 10

Tools for Creating and Managing Multiple Accounts

Active Directory Users and Computers

Directory Service Tools

Dsadd

Dsmod

Dsrm

Csvde and Ldifde Tools

Windows Script Host

Page 11

How to Create Accounts Using the Csvde Tool

Your instructor will demonstrate how to create accounts by using the Csvde command-line tool

Page 12

How to Create and Manage Accounts Using the Ldifde Tool

Your instructor will demonstrate how to create and manage accounts by using the Ldifde command-line tool

Page 13

How to Create and Manage Accounts Using the Windows Script Host

Your instructor will demonstrate how to create and manage accounts by using Windows Script Host
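The Csvde and Ldifde pages above describe the two bulk-import tools but the demonstration itself is not in the transcript. The following added example (not course material) builds the input files those tools consume: a CSVDE file, where the first row names the attributes and the DN column is mandatory, and LDIFDE records, which unlike CSVDE can also modify existing objects. The OU, the UPN suffix, the user list and the file names are constructed sample values; the command-line flags are the tools' real ones.

```python
"""Generate CSVDE and LDIFDE import files for bulk user creation.
Added example, not from the course; OU, domain, users and file names are
constructed sample values."""
import csv
import io
from typing import Dict, List

OU_DN = "OU=Sales,DC=contoso,DC=msft"      # constructed target container
UPN_SUFFIX = "contoso.msft"                 # constructed UPN suffix

# Constructed sample users.
USERS: List[Dict[str, str]] = [
    {"givenName": "Suzan", "sn": "Fine", "sAMAccountName": "suzanf"},
    {"givenName": "Dan", "sn": "Park", "sAMAccountName": "danp"},
]

# Neither tool can import a password, so the accounts are created disabled
# (userAccountControl 514 = NORMAL_ACCOUNT 512 + ACCOUNTDISABLE 2) and are
# enabled only after a password has been set by other means.
DISABLED_NORMAL_ACCOUNT = "514"


def user_dn(user: Dict[str, str]) -> str:
    return f"CN={user['givenName']} {user['sn']},{OU_DN}"


def csvde_file(users: List[Dict[str, str]]) -> str:
    """CSVDE format: header row of attribute names, one row per object.
    The csv module quotes the DN because it contains commas."""
    fields = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
              "givenName", "sn", "displayName", "userAccountControl"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\r\n")
    writer.writeheader()
    for u in users:
        writer.writerow({
            "DN": user_dn(u),
            "objectClass": "user",
            "sAMAccountName": u["sAMAccountName"],
            "userPrincipalName": f"{u['sAMAccountName']}@{UPN_SUFFIX}",
            "givenName": u["givenName"],
            "sn": u["sn"],
            "displayName": f"{u['givenName']} {u['sn']}",
            "userAccountControl": DISABLED_NORMAL_ACCOUNT,
        })
    return buf.getvalue()


def parse_csvde(text: str) -> List[Dict[str, str]]:
    """Read a CSVDE file back, e.g. to review it before running the import."""
    return list(csv.DictReader(io.StringIO(text, newline="")))


def ldifde_add(users: List[Dict[str, str]]) -> str:
    """LDIF add records: dn, changetype and attributes, blank line between
    objects."""
    records = []
    for u in users:
        records.append("\n".join([
            f"dn: {user_dn(u)}",
            "changetype: add",
            "objectClass: user",
            f"sAMAccountName: {u['sAMAccountName']}",
            f"userPrincipalName: {u['sAMAccountName']}@{UPN_SUFFIX}",
            f"givenName: {u['givenName']}",
            f"sn: {u['sn']}",
            f"displayName: {u['givenName']} {u['sn']}",
            f"userAccountControl: {DISABLED_NORMAL_ACCOUNT}",
        ]))
    return "\n\n".join(records) + "\n"


def ldifde_modify(user: Dict[str, str], attribute: str, value: str) -> str:
    """LDIF modify record (the management side of Ldifde); the '-' line
    closes the change list."""
    return "\n".join([
        f"dn: {user_dn(user)}",
        "changetype: modify",
        f"replace: {attribute}",
        f"{attribute}: {value}",
        "-",
    ]) + "\n"


# Import commands: -i import mode, -f input file, -k continue past
# "object already exists" errors. File names are assumptions.
IMPORT_COMMANDS = [
    "csvde -i -f new_users.csv -k",
    "ldifde -i -f new_users.ldf -k",
    "ldifde -i -f set_description.ldf",
]

if __name__ == "__main__":
    print(csvde_file(USERS))
    print(ldifde_add(USERS))
    print(ldifde_modify(USERS[0], "description", "Sales team"))
    print("\n".join(IMPORT_COMMANDS))
```

Review the generated file with `parse_csvde` before importing: a wrong OU in the DN column fails the whole row, and an import run with `-k` will silently skip objects that already exist, so the row count in the file should match the number of objects you expect to be created.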

Page 14

Practice: Creating User Accounts

In this practice, you will create and run a script file that contains commands to create a user account, and then verify that the user account was created.

Page 15

Lesson: Implementing User Principal Name Suffixes

What Is a User Principal Name?

Multimedia: How Name Suffix Routing Works

How Name Suffix Conflicts Are Detected and Resolved

How to Create and Remove a UPN Suffix

How to Enable and Disable Name Suffix Routing in Forest Trusts

Page 16

What Is a User Principal Name?

A logon name that is used only for logging on to a Windows Server 2003 network

Advantages

Unique in Active Directory

Can be the same as a user’s e-mail address

[email protected]@contoso.msft

Page 17

Multimedia: How Name Suffix Routing Works

(Diagram: the contoso.msft forest with a user whose UPN uses the contoso.msft suffix, the adatum.msft forest, and the trust between them)

Page 18

How Name Suffix Conflicts Are Detected and Resolved

Name suffix conflicts occur when:

A DNS name is already in use

A NetBIOS name is already in use

A domain SID conflicts with another name suffix SID

Name suffix conflicts in a domain cause access to that domain from outside the forest to be denied

Page 19

How to Create and Remove a UPN Suffix

Your instructor will demonstrate how to create and remove a UPN suffix

Page 20

How to Enable and Disable Name Suffix Routing in Forest Trusts

Your instructor will demonstrate how to enable and disable name suffix routing in forest trusts

Page 21

Practice: Creating UPN Suffixes

In this practice, you will create a name suffix for a second-level domain, and then enable name suffix routing between two forests.

Page 22

Lesson: Moving Objects in Active Directory

What Is SID History?

Implications of Moving Objects

How to Move Objects Within a Domain

How to Move Objects Between Domains

How to Use LDP to View Properties of Moved Objects

Page 23

What Is SID History?

SID History

Is a list of all SIDs that were assigned to a user account

Provides a migrated user account with continuity of access to resources

Page 24

Implications of Moving Objects

Move              SID                      GUID
Within a domain   No change                No change
Within a forest   New SID; SID history     Same GUID
Across forests    New SID; SID history     New GUID
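The two pages above state what SID history is and how SID and GUID behave when an object is moved. The added example below (not course code) models both: `move_user` applies the table row by row, and `token_sids` plus `access_allowed` show why the old SID kept in sIDHistory gives the migrated account continuity of access to a resource whose ACL still names the old SID. The domain SIDs are constructed values in the real `S-1-5-21-...` format; the RID allocation is a stand-in for the RID master.

```python
"""sIDHistory and the effect of moving a user object (added example, not
course material). Domain SIDs and GUIDs are constructed values."""
import uuid
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

# Constructed domain SIDs: two domains in one forest, one in another forest.
DOMAIN_SIDS = {
    "contoso.msft": "S-1-5-21-1000000001-1000000002-1000000003",
    "adatum.msft": "S-1-5-21-2000000001-2000000002-2000000003",
    "fabrikam.msft": "S-1-5-21-3000000001-3000000002-3000000003",
}
_next_rid = {name: 1100 for name in DOMAIN_SIDS}


def new_sid(domain: str) -> str:
    """Allocate the next relative ID in a domain (stand-in for the RID master)."""
    _next_rid[domain] += 1
    return f"{DOMAIN_SIDS[domain]}-{_next_rid[domain]}"


@dataclass
class UserObject:
    name: str
    domain: str
    object_sid: str
    object_guid: str
    sid_history: List[str] = field(default_factory=list)


def create_user(name: str, domain: str) -> UserObject:
    return UserObject(name, domain, new_sid(domain), str(uuid.uuid4()))


def move_user(user: UserObject, target_domain: str, same_forest: bool = True) -> UserObject:
    """Apply the slide's table.
    Same domain: SID and GUID unchanged.
    Other domain, same forest: new SID, old SID appended to sIDHistory, same GUID.
    Other forest: new SID, old SID in sIDHistory, new GUID."""
    if target_domain == user.domain:
        return user
    user.sid_history.append(user.object_sid)
    user.object_sid = new_sid(target_domain)
    user.domain = target_domain
    if not same_forest:
        user.object_guid = str(uuid.uuid4())
    return user


def token_sids(user: UserObject, group_sids: Iterable[str] = ()) -> Set[str]:
    """SIDs carried in the user's logon token: the current SID, every
    sIDHistory entry and the group SIDs. The history entries are what keep
    old ACL grants working after a migration."""
    return {user.object_sid, *user.sid_history, *group_sids}


def access_allowed(acl: List[Tuple[str, str]], sids: Set[str]) -> bool:
    """Minimal DACL evaluation: ACEs are ("allow" | "deny", sid); a matching
    deny wins over any allow."""
    matched = [kind for kind, sid in acl if sid in sids]
    return "deny" not in matched and "allow" in matched


if __name__ == "__main__":
    suzan = create_user("suzanf", "contoso.msft")
    share_acl = [("allow", suzan.object_sid)]      # granted before the move
    move_user(suzan, "adatum.msft")                # within the forest
    print(suzan.sid_history, suzan.object_sid)
    print(access_allowed(share_acl, token_sids(suzan)))   # still allowed
```

Because every SID in sIDHistory is honoured at access-check time, the attribute is as sensitive as group membership: changes to it belong in the account-management auditing covered later in this module, and SID filtering on a forest trust exists precisely to strip SIDs in a token that do not belong to the trusted forest.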

Page 25

How to Move Objects Within a Domain

Your instructor will demonstrate how to move Active Directory objects within a domain

Page 26

How to Move Objects Between Domains

Your instructor will demonstrate how to move objects between domains

Page 27

How to Use LDP to View Properties of Moved Objects

Your instructor will demonstrate how to view the properties of objects by using the LDP utility

Page 28

Practice: Moving Objects

In this practice, you will use Ldp.exe to:

Examine the SID, SIDHistory, and GUID of a user object.

Move a user object to another organizational unit in the same domain.

View any changes to the SID, SIDHistory, and GUID of the user object.

Page 29

Lesson: Planning a User, Group, and Computer Account Strategy

Guidelines for Naming Accounts

Guidelines for Setting a Password Policy

Guidelines for Authenticating, Authorizing, and Administering Accounts

Guidelines for Planning a Group Strategy

Page 30

Guidelines for Naming Accounts

Define naming conventions for:

User account names that identify the user

Computers that identify the owner, location, and computer type

Groups that identify the group type, its location, and the purpose of the group

Page 31

Guidelines for Setting a Password Policy

Set Enforce password history to at least 24 passwords remembered

Set the maximum password age to no more than 42 days

Set the minimum password age to at least 2 days

Set password length to at least 8 characters

Enable the setting Password must meet complexity requirements
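The five guidelines above are easy to state and easy to drift from. The added example below (not part of the course) audits a policy against the slide's thresholds and implements the check that the last bullet switches on: the Windows complexity rule, which requires characters from at least three of four categories and rejects passwords containing the account name or any part of the display name longer than two characters. The policy dictionaries and the sample passwords are constructed.

```python
"""Audit a password policy against the slide's guidelines and apply the
Windows complexity rule. Added example, not course material."""
import re
from typing import Dict, List

# Thresholds exactly as the slide states them.
GUIDELINES = {
    "enforce_password_history": 24,   # passwords remembered, at least
    "maximum_password_age_days": 42,  # at most; 0 means passwords never expire
    "minimum_password_age_days": 2,   # at least
    "minimum_password_length": 8,     # at least
    "complexity_required": True,
}


def audit_password_policy(policy: Dict[str, object]) -> List[str]:
    """Return one finding per guideline the policy fails; [] if compliant."""
    findings = []
    if policy["enforce_password_history"] < GUIDELINES["enforce_password_history"]:
        findings.append("password history below 24 remembered passwords")
    max_age = policy["maximum_password_age_days"]
    if max_age == 0 or max_age > GUIDELINES["maximum_password_age_days"]:
        findings.append("maximum password age missing or above 42 days")
    if policy["minimum_password_age_days"] < GUIDELINES["minimum_password_age_days"]:
        findings.append("minimum password age below 2 days (history can be cycled)")
    if policy["minimum_password_length"] < GUIDELINES["minimum_password_length"]:
        findings.append("minimum password length below 8 characters")
    if not policy["complexity_required"]:
        findings.append("complexity requirement disabled")
    return findings


def _name_parts(display_name: str) -> List[str]:
    """Split the full name on the separators Windows uses and keep the parts
    longer than two characters."""
    return [p for p in re.split(r"[,.\-_ #\t]+", display_name) if len(p) > 2]


def meets_complexity(password: str, sam_account_name: str, display_name: str = "") -> bool:
    """The 'Password must meet complexity requirements' rule:
    at least 6 characters; must not contain the sAMAccountName (checked only
    when it is 3+ characters) or a 3+ character part of the display name,
    case-insensitively; characters from 3 of 4 categories."""
    if len(password) < 6:
        return False
    lowered = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    if any(part.lower() in lowered for part in _name_parts(display_name)):
        return False
    categories = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return categories >= 3


# Constructed policies for illustration.
WEAK_POLICY = {
    "enforce_password_history": 5,
    "maximum_password_age_days": 0,
    "minimum_password_age_days": 0,
    "minimum_password_length": 6,
    "complexity_required": False,
}

if __name__ == "__main__":
    for finding in audit_password_policy(WEAK_POLICY):
        print("finding:", finding)
    print(meets_complexity("Summer2015!", "suzanf", "Suzan Fine"))    # True
    print(meets_complexity("SuzanF2015!", "suzanf", "Suzan Fine"))    # False
```

The minimum-age check is the one most often left at zero; without it a user can cycle through 24 changes in a minute and land back on the original password, which is why the slide pairs the history and minimum-age settings.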

Page 32

Guidelines for Authenticating, Authorizing, and Administering Accounts

Set the account lockout threshold policy setting to a high value

Protect administrative accounts

Use multifactor authentication

Implement a role-based security model for granting permissions

Disable the Administrator account and apply a least privilege policy to accounts

Page 33

Guidelines for Planning a Group Strategy

Assign users with common job responsibilities to global groups

Create a domain local group for sharing resources

Add global groups that require access to resources to domain local groups

Use universal groups to grant access to resources in multiple domains

Use universal groups when membership is static
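The group strategy above (accounts into global groups, global groups into domain local groups, permissions on the domain local group) only works when each nesting step is legal under the scope rules from the Types of Groups lesson on pages 5 to 8. The added example below (not course code) encodes those rules as a checker and validates a candidate chain against the strategy. It goes slightly beyond the slide wording in one respect: the own-domain restriction on a domain local group applies to nested domain local groups, while global and universal groups can be nested from any domain in the forest, and a universal group can never contain a domain local group. Group nesting itself depends on the domain functional level, which the checker does not model. The principals are constructed for a two-domain forest.

```python
"""Group-scope membership rules and the AGDLP strategy from the slides.
Added example, not course material; domains and names are constructed."""
from dataclasses import dataclass
from typing import List

ACCOUNT = "account"            # user or computer account
DOMAIN_LOCAL = "domain local"
GLOBAL = "global"
UNIVERSAL = "universal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str   # DNS name of the domain holding the object
    kind: str     # ACCOUNT, DOMAIN_LOCAL, GLOBAL or UNIVERSAL


def can_be_member(member: Principal, group: Principal) -> bool:
    """True if `member` may be added to `group` under the scope rules
    (single forest assumed).

    Domain local: accounts, global and universal groups from any domain in
    the forest; other domain local groups only from its own domain.
    Global: accounts and global groups from its own domain only.
    Universal: accounts, global and universal groups from any domain in the
    forest, never domain local groups.
    """
    same_domain = member.domain == group.domain
    if group.kind == DOMAIN_LOCAL:
        if member.kind == DOMAIN_LOCAL:
            return same_domain
        return member.kind in (ACCOUNT, GLOBAL, UNIVERSAL)
    if group.kind == GLOBAL:
        return same_domain and member.kind in (ACCOUNT, GLOBAL)
    if group.kind == UNIVERSAL:
        return member.kind in (ACCOUNT, GLOBAL, UNIVERSAL)
    return False   # an account has no members


def follows_agdlp(chain: List[Principal]) -> bool:
    """Check a chain against the slide's strategy: Account -> Global group
    -> Domain Local group, each link legal under the scope rules. The
    permission is then assigned to the domain local group."""
    if len(chain) != 3:
        return False
    account, global_group, domain_local = chain
    if (account.kind, global_group.kind, domain_local.kind) != (ACCOUNT, GLOBAL, DOMAIN_LOCAL):
        return False
    return can_be_member(account, global_group) and can_be_member(global_group, domain_local)


# Constructed principals in a forest with two domains.
ALICE = Principal("alice", "contoso.msft", ACCOUNT)
BOB = Principal("bob", "adatum.msft", ACCOUNT)
G_SALES = Principal("G-Sales", "contoso.msft", GLOBAL)
DL_SALES_SHARE = Principal("DL-SalesShare-Change", "adatum.msft", DOMAIN_LOCAL)
U_ALL_SALES = Principal("U-AllSales", "contoso.msft", UNIVERSAL)

if __name__ == "__main__":
    print(can_be_member(ALICE, G_SALES))                 # True: same domain
    print(can_be_member(BOB, G_SALES))                   # False: global groups are domain-bound
    print(can_be_member(G_SALES, DL_SALES_SHARE))        # True: global group from another domain
    print(can_be_member(DL_SALES_SHARE, U_ALL_SALES))    # False: no domain local in universal
    print(follows_agdlp([ALICE, G_SALES, DL_SALES_SHARE]))   # True
```

The strategy keeps permissions attached to a resource-side group that changes rarely, while the people-side global groups absorb the churn; the last slide bullet about static membership matters because universal group membership is replicated to every global catalog, so a frequently changing universal group generates forest-wide replication.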

Page 34

Practice: Planning an Account Strategy

In this practice, you will determine:

An account naming strategy

A password policy

An authentication, authorization, and administration strategy

A group strategy for your forest

Page 35

Lesson: Planning an Active Directory Audit Strategy

Why Audit Access to Active Directory?

Guidelines for Monitoring Changes to Active Directory

Page 36

Why Audit Access to Active Directory?

To record all successful changes to Active Directory

To track access to a resource or by a specific account

To detect and log failed access attempts

Page 37

Guidelines for Monitoring Changes to Active Directory

Enable:

Auditing of account management events

Success auditing of policy changes

Failure auditing for system events

Failure auditing of policy change events and account management events when necessary
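Enabling the audit categories above only produces events; someone still has to read them. The added example below (not course material) is a small review pass over account-management, policy-change and system events of the kind those settings generate. It flags audit policy changes, membership changes to privileged groups, failed system events, and an account that the same administrator creates and then deletes within one batch. The event IDs are those of Windows Server 2008 and later, an assumption on my part since the course targets Windows Server 2003, whose IDs differ; the event records are constructed, as is the format in which they are held.

```python
"""Review Security log events produced by the audit settings on the slide.
Added example, not course material. Event IDs follow Windows Server 2008+
(assumption); the event records below are constructed."""
from typing import Dict, List, Set, Tuple

# Audit category per event ID, grouped as the slide groups them.
ACCOUNT_MANAGEMENT = {
    4720: "user account created",
    4722: "user account enabled",
    4724: "password reset attempted",
    4726: "user account deleted",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
    4738: "user account changed",
    4740: "user account locked out",
}
POLICY_CHANGE = {4719: "system audit policy changed", 4739: "domain policy changed"}
SYSTEM = {4608: "Windows starting up", 4616: "system time changed"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Built-in groups whose membership changes always deserve review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}


def classify(event: Dict) -> str:
    eid = event["id"]
    if eid in ACCOUNT_MANAGEMENT:
        return "account management"
    if eid in POLICY_CHANGE:
        return "policy change"
    if eid in SYSTEM:
        return "system"
    return "other"


def review(events: List[Dict]) -> List[Dict]:
    """Return findings worth a ticket, each with severity, reason and event."""
    findings = []
    created: Set[Tuple[str, str]] = set()     # (subject, target) of 4720s seen
    for ev in events:
        category = classify(ev)
        if category == "policy change" and ev["outcome"] == "Success":
            findings.append({"severity": "high", "reason": "audit or domain policy changed", "event": ev})
        elif ev["id"] in GROUP_ADD_EVENTS and ev.get("group") in PRIVILEGED_GROUPS:
            findings.append({"severity": "high", "reason": f"member added to {ev['group']}", "event": ev})
        elif category == "system" and ev["outcome"] == "Failure":
            findings.append({"severity": "medium", "reason": "failed system event", "event": ev})
        elif ev["id"] == 4720:
            created.add((ev["subject"], ev["target"]))
        elif ev["id"] == 4726 and (ev["subject"], ev["target"]) in created:
            findings.append({"severity": "medium", "reason": "account created and deleted by the same subject", "event": ev})
    return findings


# Constructed sample events, already parsed into fields.
EVENTS = [
    {"id": 4720, "outcome": "Success", "subject": "CONTOSO\\helpdesk1", "target": "CONTOSO\\tmp-svc", "group": None},
    {"id": 4728, "outcome": "Success", "subject": "CONTOSO\\helpdesk1", "target": "CONTOSO\\tmp-svc", "group": "Domain Admins"},
    {"id": 4728, "outcome": "Success", "subject": "CONTOSO\\hr-admin", "target": "CONTOSO\\danp", "group": "G-Sales"},
    {"id": 4719, "outcome": "Success", "subject": "CONTOSO\\helpdesk1", "target": None, "group": None},
    {"id": 4726, "outcome": "Success", "subject": "CONTOSO\\helpdesk1", "target": "CONTOSO\\tmp-svc", "group": None},
    {"id": 4616, "outcome": "Failure", "subject": "CONTOSO\\srv01$", "target": None, "group": None},
]

if __name__ == "__main__":
    for f in review(EVENTS):
        print(f["severity"], f["event"]["id"], f["reason"])
```

The last sample event only exists because failure auditing for system events is switched on, and the 4719 event is the one that tells you when somebody turns that auditing off again; both belong in the policy the practice on the next page asks you to plan.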

Page 38

Practice: Planning an Audit Strategy

In this practice, you will determine which audit policies to enable for Active Directory

Page 39

Lab A: Implementing an Account and Audit Strategy

Planning an Account and Audit Strategy

Creating Accounts by Using the Csvde Tool

Creating a UPN Suffix

Moving a Group of Users