1-1
Guide to MCSE 70-290, Enhanced
Chapter 3: Creating and Managing User Accounts
Objectives
After reading the chapter and completing the exercises, students should be able to:
· Understand the purpose of user accounts
· Under the user authentication process
· Understand and configure local, roaming, and mandatory user profiles
· Configure and modify user accounts using different methods
· Troubleshoot user account and authentication problems
Teaching Tips
Introduction to User Accounts
1. Start by defining what a user account is, and why it is important from an administrative viewpoint. Note the organizational standards that should be set and adhered to.
2. Describe what a User Principal Name (UPN) is.
User Account Properties
1. Note that Active Directory Users and Computers is the primary tool for creating and managing accounts in an Active Directory Environment. Describe methods for opening the property page for a user object. Note that there are additional attributes of objects that are not available from Active Directory Users and Computers that can be configured programmatically.
2. Go through a brief summary of account properties that can be set for a user.
Teaching Tip / Describe how to view hidden tabs available in the properties of a user account such as Object, Published Certificates, and Security.Activity 3-1: Reviewing User Account Properties
1. The purpose of this activity is to have students review properties of user accounts to ensure that they are familiar and comfortable with Active Directory Users and Computers.
User Authentication
1. Summarize the process of authentication in different environments (Active Directory, workgroups).
Authentication Methods
1. Introduce the two main processes involved in authentication (interactive authentication and network authentication).
Interactive Authentication
1. Note that this is the process by which users enter information into the Log On dialog box and the system attempts to validate that they are authorized.
2. Log on can be to either a local workstation or domain as discussed in Chapter 1.
3. Mention the use of smart cards and why this is a very secure option.
Network Authentication
1. Note that this is the process by which network resources or servers attempt to confirm that a user is authorized (for example, shared folders).
2. Network authentication mechanisms are also dependent upon whether the user is logged on to a domain or workstation. Make sure students understand why it is that network authentication is transparent when the user is logged on to a domain, but requires additional validation when they are logged on to a local computer.
Authentication Protocols
1. Introduce the two main authentication protocols supported by Windows Server 2003.
Kerberos v5
1. Note the operating systems that support Kerberos v5. Step through the process used for Kerberos authentication. Be sure students understand that the process is transparent to the user. Mention that the protocol described is slightly more complicated when accessing resources across domains rather than within domains.
NTLM
1. Note that NTLM stands for NT LAN Manager and that is used with systems running Windows NT 4.0 and earlier (“down-level” systems).
2. Go over situations in which NTLM would be the authentication protocol used instead of Kerberos v5.
3. Note that NTLM is a challenge-response protocol and step through the authentication process with this protocol.
4. Mention how token-based network authentication works.
User Profiles
1. Describe what user profiles are and why they are used. Discuss the default location for local user profiles. Make sure that students understand the difference between a user profile and a user account.
2. Introduce the concepts of local, roaming and mandatory profiles.
3. Go over the folders that make up a user profile.
Local Profiles
1. Explain that local profiles are created by default when a user logs in for the first time from the pre-configured Default User folder. An administrator can edit the contents of Default User to create a specific default environment if desired.
2. Users can alter their own local environments and save the new settings.
3. Mention the ways in which an administrator can manage individual user profiles (changing type, deleting, copying).
Activity 3-2: Testing Local Profile Settings
1. The object of this activity is to have students configure and test a local user profile. This is an exploratory exercise and students should be encouraged to investigate different properties and settings. Specifically, students will use Active Directory Users and Computers to create new local user accounts, and then explore, change, and delete user profiles.
Roaming Profiles
1. Explain the rationale behind roaming profiles, both when users tend to log on to different workstations and when it is just advantageous to have central storage for profiles.
2. Describe where roaming profiles are stored and how to configure them from Active Directory Users and Computers.
3. Explain the recommended process for converting an existing local profile to a roaming profile.
4. Note how user changes are saved for roaming profiles.
Activity 3-3: Configuring and Testing a Roaming Profile
1. The object of this activity is to have students configure and test a roaming user profile. Students will create a shared storage folder for roaming profiles, and convert an existing local profile to roaming.
Mandatory Profiles
1. Explain the rationale behind mandatory profiles.
2. Mention that users can change their desktop environment during a session but that their changes will not be saved across sessions.
3. Describe how to change either a local or roaming user profile to a mandatory profile by changing the file name.
Activity 3-4: Configuring a Mandatory Profile
1. The object of this activity is to have students configure and test a mandatory profile. The roaming profile created in Activity 3-3 is changed to a mandatory roaming profile by renaming the file. The student logs on, makes a change within the session, logs off, and logs back on to test whether the changes were saved.
Quick Quiz
1. What does the Logon Hours property of a user account control?
Answer: The days and hours that the user will be allowed to log on the network
2. What type of authentication process is invoked when a user logs on to a domain or local workstation?
Answer: interactive authentication
3. Which authentication protocol is primarily used in systems running Windows NT 4.0 or earlier?
Answer: NT LAN Manager (NTLM)
4. If a user profile contains the file ntuser.man, what kind of profile is it?
Answer: a mandatory profile
Creating and Managing User Accounts
1. Reiterate that user accounts are required for every user, and that in Active Directory environments, they are stored on domain controllers. The standard tool for managing user accounts is Active Directory Users and Computers but there are a number of other utilities available. Sometimes command-line utilities are more comfortable for administrators and sometimes they are better for making bulk changes. Note that this section provides information about alternative methods for managing user accounts.
Active Directory Users and Computers
1. Mention different ways to access Active Directory Users and Computers and summarize the capabilities of this utility.
2. Describe the differences between the Windows 2000 and Windows Server 2003 versions.
3. Mention different types of containers that can contain user objects.
Activity 3-5: Creating User Accounts User Active Directory Users and Computers
1. The purpose of this activity is to explore the use of Active Directory Users and Computers to create user accounts.
2. Note that the settings that can be configured from Active Directory Users and Computers are limited, and that additional attributes can be configured from the properties of the account.
3. Also mention that a new feature in Windows Server 2003 is the ability to configure properties of multiple users simultaneously.
4. Explain the use of variables in user objects (as in pathnames for example).
User Account Templates
1. Explain why user templates are useful. Be sure that students understand that user templates are just pre-configured user accounts that can be copied to create new accounts with specific preset properties.
2. Note that the settings that are copied to new accounts can be controlled from the Active Directory schema.
Activity 3-6: Creating a User Account Template
1. The objective of this activity is to create a user account template and then copy it to create a new user account. Emphasize to students that this activity provides a real opportunity to become familiar with tools and techniques they will need as administrators.
2. Mention that the use of variables to automate insertion of appropriate information is particularly helpful in template accounts.
3. Note that user account templates should always be disabled for security purposes but that user accounts created from them must be enabled.
Command Line Utilities
1. Explain that these utilities are aimed at administrators who prefer working from the command line and/or those who would like more flexibility in automating creation and management of user accounts.
2. Summarize the utilities to be discussed in following sections.
DSADD
1. Discuss what DSADD is used for and provide example of objects that can be added with this utility.
2. Describe the syntax for DSADD USER and summarize common switches that can be used. Give an example of a complete command.
3. Mention where to get further information about switches and options
Teaching Tip / Be sure that students know how to get additional information about switches and options for the command-line utilities from the Windows Server 2003 Help and Support Center and from command-line help.Activity 3-7: Creating User Accounts Using DSADD
1. In this activity, students create new user accounts using DSADD and then use Active Directory Users and Computers to review the accounts that were created. Encourage students to explore and understand the options available with this command.
DSMOD
1. Explain the use of the DSMOD command and provide examples of objects that can be modified with this utility.
2. Describe the basic syntax for DSMOD USER and what the required arguments are.
3. Note that DSMOD USER can be used to change multiple user accounts simultaneously and give an example of that.
Activity 3-8: Modifying User Accounts Using DSMOD
1. In this activity, students will modify the properties of existing user accounts with DSMOD and review the changes using Active Directory Users and Computers.
DSQUERY
1. Explain the use of the DSQUERY command and provide examples of objects that can be queried for. Note that DSQUERY is a search utility and returns useful values rather than modifying objects. Give examples of possible queries. Also mention that it supports the use of the wildcard character (*) in queries.
2. Describe the basic syntax and show some examples.
3. Note that the output from DSQUERY can be piped to other command-line utilities and show an example.
DSMOVE
1. Explain the use of the DSMOVE command and provide an example. Be sure to point out that this utility can either be used to move an object or rename an object.
2. Describe the basic syntax and show an example.
3. Note that it can only be used to move objects within the same domain and that another command, MOVETREE, is needed to move objects between domains.
DSRM
1. Explain the use of DSRM. Point out that it can be used on a single object or on an entire subtree of objects.
2. Describe the basic syntax and give examples of both single object deletion and subtree deletion.
3. Note the use of the –noprompt switch and caution students to be careful with it.
Bulk Import and Export
1. Explain the need for bulk import and export. Introduce the two main utilities CSVDE and LDIFDE.
CSVDE
1. Introduce the concept of a CSV file. Describe the file structure. Note that it is easy to use traditional text editors to create and edit these files.
2. Give an example of using CSVDE to export information.
LDIFDE
1. Explain the similarities and differences between CSVDE and LIDFDE. Introduce the LDIF file format and describe the file structure. Note that traditional text editors can also be used with LDIF.
Activity 3-9: Exporting Active Directory Users Using LDIFDE
1. In this activity, students export user objects from Active Directory to an LDIF file and then use the Notepad editor to examine the contents of the file. It is a good opportunity to see an example of the LDIF file format.
Quick Quiz
1. What is the primary graphical utility used to create and manage user accounts?
Answer: Active Directory Users and Computers
2. A(n) ______is a pre-configured user account that is used to create new accounts with common settings.
Answer: user account template
3. The command-line utility, ______, can be used to rename a user account.
Answer: DSMOVE
4. True or False: In an LDIF file, each line in the file contains an attribute name/value pair with blank lines between objects.
Answer: True
Troubleshooting User Account and Authentication Issues
1. Briefly summarize the types of issues that can cause problems with user accounts. Emphasize to students that they will be responsible for troubleshooting and that it is important to be aware of how to find and fix problems related to user accounts.
Account Policies
1. Explain to students that authentication policies related to Group Policy objects can affect user accounts. The Default Domain Policy has important settings that affect the domain level configuration of all users in the domain.
2. Describe how to access the Default Domain Policy and to get to the Account Policies section. Introduce the three policies that can be accessed from there that will be described in the next sections.
Teaching Tip / Be sure that students can locate the Default Domain Policy node. There are a number of interesting settings along the path that may spark interest in future topics as well.Password Policy
1. Go over the password policy items that can be controlled from the Default Domain Policy. Note that these items don’t affect authentication but rather force the user to follow the organization’s rules about changing passwords occasionally, the complexity of passwords, etc.