Module 4: Implementing User, Group, and Computer Accounts.

Overview
Introduction to Accounts
Creating and Managing Multiple Accounts
Implementing User Principal Name Suffixes
Moving Objects in Active Directory
Planning a User, Group, and Computer Account Strategy
Planning an Active Directory Audit Strategy

Lesson: Introduction to Accounts
Types of Accounts
Types of Groups
What Are Domain Local Groups?
What Are Global Groups?
What Are Universal Groups?

Types of Accounts
User accounts
  Enables a single sign-on for a user
  Provides access to resources
Computer accounts
  Enables authentication and auditing of computer access to resources
Group accounts
  Helps simplify administration

Types of Groups
Distribution groups
  Used only with e-mail applications
  Not security-enabled
Security groups
  Used to assign rights and permissions to groups of users and computers
  Used most effectively when nested
The functional level determines the type of groups that you can create

What Are Domain Local Groups?
A security or distribution group that can contain:
  Universal groups, global groups, and other domain local groups from its own domain
  Accounts from any domain in the forest

What Are Global Groups?
A security or distribution group that can contain users, groups, and computers as members from its own domain

What Are Universal Groups?
A security or distribution group that can contain users, groups, and computers as members from any domain in its forest

Lesson: Creating and Managing Multiple Accounts
Tools for Creating and Managing Multiple Accounts
How to Create Accounts Using the Csvde Tool
How to Create and Manage Accounts Using the Ldifde Tool
How to Create and Manage Accounts Using Windows Script Host

Tools for Creating and Managing Multiple Accounts
Active Directory Users and Computers
Directory Service Tools
  Dsadd
  Dsmod
  Dsrm
Csvde and Ldifde Tools
Windows Script Host

How to Create Accounts Using the Csvde Tool
Your instructor will demonstrate how to create accounts by using the Csvde command-line tool

How to Create and Manage Accounts Using the Ldifde Tool
Your instructor will demonstrate how to create and manage accounts by using the Ldifde command-line tool

How to Create and Manage Accounts Using the Windows Script Host
Your instructor will demonstrate how to create and manage accounts by using Windows Script Host

Practice: Creating User Accounts
In this practice, you will create and run a script file that contains commands to create a user account, and then you will verify that the user account was created

Lesson: Implementing User Principal Name Suffixes
What Is a User Principal Name?
Multimedia: How Name Suffix Routing Works
How Name Suffix Conflicts Are Detected and Resolved
How to Create and Remove a UPN Suffix
How to Enable and Disable Name Suffix Routing in Forest Trusts

What Is a User Principal Name?
A logon name that is used only for logging on to a Windows Server 2003 network
Advantages
Unique in Active Directory
Can be the same as a user’s e-mail address
[email protected]@contoso.msft

How Name Suffix Conflicts Are Detected and Resolved
Name suffix conflicts occur when:
A DNS name is already in use
A NetBIOS name is already in use
A domain SID conflicts with another name suffix SID
Name suffix conflicts in a domain cause access to that domain from outside the forest to be denied

How to Create and Remove a UPN Suffix
Your instructor will demonstrate how to create and remove a UPN suffix

How to Enable and Disable Name Suffix Routing in Forest Trusts
Your instructor will demonstrate how to enable and disable name suffix routing in forest trusts

Practice: Creating UPN Suffixes
In this practice, you will create a name suffix for a second-level domain, and then enable name suffix routing between two forests

Lesson: Moving Objects in Active Directory
What Is SID History?
Implications of Moving Objects
How to Move Objects Within a Domain
How to Move Objects Between Domains
How to Use LDP to View Properties of Moved Objects

What Is SID History?
SID History
Is a list of all SIDs that were assigned to a user account
Provides a migrated user account with continuity of access to resources

Implications of Moving Objects
Within a domain: No change to SID or GUID
Within a forest: New SID, SID history, same GUID
Across forests: New SID, SID history, new GUID

How to Move Objects Within a Domain
Your instructor will demonstrate how to move Active Directory objects within a domain

How to Move Objects Between Domains
Your instructor will demonstrate how to move objects between domains

How to Use LDP to View Properties of Moved Objects
Your instructor will demonstrate how to view the properties of objects by using the LDP utility

Practice: Moving Objects
In this practice, you will use Ldp.exe to:
Examine the SID, SIDHistory, and GUID of a user object.
Move a user object to another organizational unit in the same domain.
View any changes to the SID, SIDHistory, and GUID of the user object.

Lesson: Planning a User, Group, and Computer Account Strategy
Guidelines for Naming Accounts
Guidelines for Setting a Password Policy
Guidelines for Authenticating, Authorizing, and Administering Accounts
Guidelines for Planning a Group Strategy

Guidelines for Naming Accounts
Define naming conventions for:
  User account names that identify the user
  Computers that identify the owner, location, and computer type
  Groups that identify the group type, its location, and the purpose of the group

Guidelines for Setting a Password Policy
Set Enforce password history to at least 24 passwords remembered
Set the maximum password age to no more than 42 days
Set the minimum password age to at least 2 days
Set password length to at least 8 characters
Enable the setting Password must meet complexity requirements

Guidelines for Authenticating, Authorizing, and Administering Accounts
Set the account lockout threshold policy setting to a high value
Protect administrative accounts
Use multifactor authentication
Implement a role-based security model for granting permissions
Disable the Administrator account and apply a least privilege policy to accounts

Guidelines for Planning a Group Strategy
Assign users with common job responsibilities to global groups
Create a domain local group for sharing resources
Add global groups that require access to resources to domain local groups
Use universal groups to grant access to resources in multiple domains
Use universal groups when membership is static
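
The group scopes and the group strategy above can be checked mechanically. The following is an added example, not part of the original module: it reviews a constructed set of groups against the standard Active Directory scope membership rules (stated here in more detail than the slides give, and assuming a native functional level) and flags accounts added directly to a domain local group. All names and the emea.contoso.msft domain are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    domain: str
    kind: str  # "user", "computer", "global", "domain_local" or "universal"
    members: list = field(default_factory=list)

ACCOUNTS = {"user", "computer"}
# Per group scope: member kind -> True if the member must be in the group's own domain.
SCOPE_RULES = {
    "global": {"user": True, "computer": True, "global": True},
    "universal": {"user": False, "computer": False, "global": False,
                  "universal": False},
    "domain_local": {"user": False, "computer": False, "global": False,
                     "universal": False, "domain_local": True},
}

def review_group(group):
    """Return findings for one group: scope violations and guideline departures."""
    rules, findings = SCOPE_RULES[group.kind], []
    for m in group.members:
        if m.kind not in rules:  # only group kinds can be absent from a rule set
            findings.append(f"{group.name}: {group.kind} group cannot contain "
                            f"{m.kind} group {m.name}")
        elif rules[m.kind] and m.domain != group.domain:
            findings.append(f"{group.name}: {m.name} is from {m.domain}, "
                            f"members must come from {group.domain}")
        elif group.kind == "domain_local" and m.kind in ACCOUNTS:
            # Allowed by Active Directory, but departs from the group strategy.
            findings.append(f"{group.name}: account {m.name} added directly, "
                            f"guideline is to add a global group")
    return findings

def review_all(groups):
    return [f for g in groups for f in review_group(g)]

# Constructed sample forest (names are illustrative only).
alice = Principal("alice", "contoso.msft", "user")
bob = Principal("bob", "emea.contoso.msft", "user")
g_sales = Principal("G_Sales", "contoso.msft", "global", [alice, bob])
dl_share = Principal("DL_SalesShare", "contoso.msft", "domain_local", [g_sales, bob])
u_sales = Principal("U_AllSales", "contoso.msft", "universal", [g_sales, dl_share])
SAMPLE_GROUPS = [g_sales, dl_share, u_sales]

if __name__ == "__main__":
    for finding in review_all(SAMPLE_GROUPS):
        print(finding)
```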

Practice: Planning an Account Strategy
In this practice, you will determine:
An account naming strategy
A password policy
An authentication, authorization, and administration strategy
A group strategy for your forest

Lesson: Planning an Active Directory Audit Strategy
Why Audit Access to Active Directory?
Guidelines for Monitoring Changes to Active Directory

Why Audit Access to Active Directory?
To record all successful changes to Active Directory
To track access to a resource or by a specific account
To detect and log failed access attempts

Guidelines for Monitoring Changes to Active Directory
Enable:
  Auditing of account management events
  Success auditing of policy changes
  Failure auditing for system events
  Failure auditing of policy change events and account management events when necessary
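
The password policy guidelines and the audit guidelines above can both be verified against an exported security template. The following is an added example, not part of the original module: it parses a constructed template in the layout written by `secedit /export` and reports every setting that misses the guideline values. It assumes that "auditing of account management events" means success auditing at minimum.

```python
import configparser

# Guideline thresholds from the slides: setting -> (check, description).
PASSWORD_RULES = {
    "PasswordHistorySize": (lambda v: v >= 24, "at least 24 passwords remembered"),
    # -1 in a template means the password never expires, which also fails here.
    "MaximumPasswordAge": (lambda v: 0 < v <= 42, "no more than 42 days"),
    "MinimumPasswordAge": (lambda v: v >= 2, "at least 2 days"),
    "MinimumPasswordLength": (lambda v: v >= 8, "at least 8 characters"),
    "PasswordComplexity": (lambda v: v == 1, "enabled"),
}
SUCCESS, FAILURE = 1, 2  # bit flags of the [Event Audit] values (3 = both)
# Assumption: "auditing of account management events" means success at minimum.
AUDIT_RULES = {"AuditAccountManage": SUCCESS, "AuditPolicyChange": SUCCESS,
               "AuditSystemEvents": FAILURE}

def check_policy(inf_text):
    """Return findings for settings in a security template that miss the guidelines."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep setting names as written
    cfg.read_string(inf_text)
    findings = []
    for key, (ok, wanted) in PASSWORD_RULES.items():
        raw = cfg.get("System Access", key, fallback=None)
        if raw is None or not ok(int(raw)):  # a missing setting is a finding too
            findings.append(f"{key}={raw}: guideline is {wanted}")
    for key, needed in AUDIT_RULES.items():
        raw = cfg.get("Event Audit", key, fallback="0")
        if not int(raw) & needed:
            kind = "success" if needed == SUCCESS else "failure"
            findings.append(f"{key}={raw}: {kind} auditing is not enabled")
    return findings

# Constructed sample in the layout of a `secedit /export` template.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
[Event Audit]
AuditSystemEvents = 1
AuditPolicyChange = 3
AuditAccountManage = 0
"""

if __name__ == "__main__":
    for finding in check_policy(SAMPLE_INF):
        print(finding)
```

Real exports are written as Unicode, so read the file with `encoding="utf-16"` before passing its text to `check_policy`.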

Practice: Planning an Audit Strategy
In this practice, you will determine which audit policies to enable for Active Directory

Lab A: Implementing an Account and Audit Strategy
Planning an Account and Audit Strategy
Creating Accounts by Using the Csvde Tool
Creating a UPN Suffix
Moving a Group of Users