Windows 2003 Server
Creating and Managing User Accounts
At the end of this chapter you should be able to:
Introduction to User Accounts
User accounts are what uniquely identify people on the network. Active Directory allows you to organize your user accounts with ease. We will spend this chapter looking at ways to create accounts and modify user attributes. Then we will look at the authentication process and learn how to troubleshoot logon problems.
User Account Properties
Active Directory Users and Computers is the primary interface for working with user accounts. To view the properties or attributes of a user, double-click it in Active Directory Users and Computers. The properties page has a row of tabs across the top. Below is a summary of the tabs.
Note: More tabs will be available if the Exchange Server tools are installed and if Advanced Features are turned on.
LAB ACTIVITY - Do the lab on page 89. (10 Minutes)
When a user logs into the domain they enter their username, password, and domain. This process is called authentication. It can be done in several ways using several protocols; this section will examine them.
Interactive authentication is when the user is required to type their username and password. Once they do this it is compared against the values in Active Directory. If correct, the user is able to log on; if incorrect, the user is denied access to the domain. On the logon screen for Windows 2000, Windows 2003 and Windows XP there is a "Log on to" pull-down menu. You can use this to choose the domain you wish to authenticate to. In this list you will also see the name of your computer. If you choose your computer name you will be logging on to the local computer, using its SAM database to authenticate you.
Network authentication occurs when you try to access a resource on the domain. If you are already logged into the domain using interactive authentication, then network authentication is transparent. If a user outside of the domain tries to access a resource on the domain, a username and password box will be displayed. In order to log on you need to tell the server which domain to authenticate against; to do this you can type your name in one of two formats:
Kerberos v5 is the preferred authentication type for Windows Server 2003. It is supported by Windows 2000/2003/XP. Below is a summary of what happens when a user authenticates using Kerberos.
If the client doesn't support Kerberos, NTLM authentication is used instead. NTLM is a challenge-response protocol, outlined below.
After the user is authenticated they are given a token that they use to perform transparent network authentication.
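The following is an added example, not part of these chapter notes and not the real NTLM or Kerberos computations: a simplified model of a challenge-response logon. The client first names the account using one of the logon name forms Windows accepts (down-level DOMAIN\user or UPN user@domain), the server issues a random challenge, and the client answers with an HMAC over that challenge keyed by a password-derived secret. The password itself never crosses the wire, and a captured answer is useless against a fresh challenge. The account CORP\jdoe, the fixed salt, PBKDF2 and HMAC-SHA256 are all assumptions made for this model; the one property it shares with NTLM is that the stored secret is derived only from the password, which is why such a stored secret is password-equivalent and must be protected like the password itself.

```python
"""Toy challenge-response logon (added example; not the NTLM or Kerberos algorithms)."""
import hashlib
import hmac
import secrets

SALT = b"constructed-fixed-salt"   # constructed; shared so the client needs only the password


def derive_secret(password: str, salt: bytes = SALT) -> bytes:
    """Password-derived secret stored by the server (hypothetical PBKDF2 choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, 50_000)


# Constructed sample directory: (DOMAIN, user) -> stored secret, never the password.
DIRECTORY = {("CORP", "jdoe"): derive_secret("Winter2003!")}


def split_logon_name(name: str, default_domain: str):
    """Accept down-level DOMAIN\\user or UPN user@domain.suffix; a bare name uses the default domain."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
    elif "@" in name:
        user, dns_domain = name.split("@", 1)
        domain = dns_domain.split(".")[0]      # short domain name, as this model keys its directory
    else:
        domain, user = default_domain, name
    return domain.upper(), user.lower()


class Server:
    def __init__(self, directory):
        self.directory = directory
        self.pending = {}   # outstanding challenge per (domain, user)

    def challenge(self, domain: str, user: str) -> bytes:
        nonce = secrets.token_bytes(8)
        self.pending[(domain, user)] = nonce
        return nonce

    def verify(self, domain: str, user: str, response: bytes) -> bool:
        nonce = self.pending.pop((domain, user), None)
        secret = self.directory.get((domain, user))
        if nonce is None or secret is None:
            return False    # unknown account or no challenge outstanding
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    """The client proves knowledge of the password without transmitting it."""
    return hmac.new(derive_secret(password), nonce, hashlib.sha256).digest()


def logon(server: Server, logon_name: str, password: str, default_domain: str = "CORP") -> bool:
    domain, user = split_logon_name(logon_name, default_domain)
    nonce = server.challenge(domain, user)
    return server.verify(domain, user, client_response(password, nonce))


def replay_fails(server: Server, logon_name: str, password: str, default_domain: str = "CORP") -> bool:
    """A response captured from one exchange does not work against a new challenge."""
    domain, user = split_logon_name(logon_name, default_domain)
    captured = client_response(password, server.challenge(domain, user))
    server.verify(domain, user, captured)     # the genuine logon succeeds
    server.challenge(domain, user)            # a later logon gets a fresh nonce
    return not server.verify(domain, user, captured)


if __name__ == "__main__":
    srv = Server(DIRECTORY)
    print("CORP\\jdoe:", logon(srv, "CORP\\jdoe", "Winter2003!"))
    print("replay rejected:", replay_fails(srv, "jdoe@corp.example.com", "Winter2003!"))
```

Because the server keeps only the derived secret, a wrong password and an unknown account are both rejected the same way, which is also why the event log (discussed at the end of this chapter) reports them under one "unknown user name or bad password" reason.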
Windows NT/2000/XP/2003 all support user profiles. User profiles allow two or more users to share a computer while keeping separate settings. By default, Windows NT stores profiles in %systemroot%\Profiles (%systemroot% is usually C:\Winnt in Windows NT), and Windows 2000/XP/2003 store them in %systemdrive%\Documents and Settings (%systemdrive% is usually C:\). See the side note for more details about environment variables.
Note: Environment variables store information about the system that you can reference in scripts and batch files. To see a list of environment variables and their values, open a command prompt, type set and press Enter.
Practice: Open the Run box, type %userprofile% and click OK.
In the root of the profiles folder there is a hidden folder called Default User. When a new user logs onto a computer the contents of Default User are copied to a folder named after the user's username. That new folder becomes the user's profile. One thing you should know is how printers work in the local profile. If a printer is a local printer it is available to all users of the computer. If the printer is a network printer it is only available in the profile from which it was installed. This means that if you go to someone's office, log on as yourself, and install a network printer, the user will not see the printer when they log in.
LAB ACTIVITY - Do the lab on page 102. (10 Minutes)
You can take your users' profile folders and move them to a shared location on a server. Then, using the Profile tab in the user's properties, you can set the location of their profile. Now when a user logs in their profile is loaded from the server. If the user moves to another computer their settings will follow them. In chapter 9 we will look at folder redirection, which can be used as an alternative to, or in conjunction with, roaming profiles.
LAB ACTIVITY - Do the lab on page 105. (15 Minutes)
Each profile contains the user portion of the registry. This file is called ntuser.dat, and by default it can be modified. If the user changes their background picture, the settings for that are stored in ntuser.dat. If you don't want the user to change any settings in their profile, rename ntuser.dat to ntuser.man and it becomes a mandatory profile. The user can make changes while logged in, but they aren't saved.
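As an added example (not a script from these notes), the following Python code puts the two profile facts above together: it expands the %systemroot%/%systemdrive% style paths from the notes using an explicit environment dictionary, so it runs anywhere, and it converts a profile between normal and mandatory by renaming the user hive. The username jdoe, the environment values and the temporary profile folder are constructed for the demonstration.

```python
"""Added example: profile paths from environment variables, and toggling a mandatory profile."""
import os
import re
import tempfile

# Default profile roots as stated in the chapter notes (NT4 vs. 2000/XP/2003).
PROFILE_ROOTS = {
    "nt4": r"%systemroot%\Profiles",
    "xp": r"%systemdrive%\Documents and Settings",   # also Windows 2000 and 2003
}


def expand(path: str, env: dict) -> str:
    """Expand %VAR% references case-insensitively, the way cmd.exe does.

    Unknown variables are left untouched, which is also cmd.exe's behaviour."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)


def profile_path(os_family: str, username: str, env: dict) -> str:
    """Folder that receives a copy of Default User the first time this user logs on."""
    return expand(PROFILE_ROOTS[os_family], env) + "\\" + username


def set_mandatory(profile_dir: str, mandatory: bool = True) -> str:
    """Rename the user hive: ntuser.man discards changes at logoff, ntuser.dat keeps them.

    The user must be logged off; a loaded hive is locked and the rename fails."""
    src, dst = ("ntuser.dat", "ntuser.man") if mandatory else ("ntuser.man", "ntuser.dat")
    src_path, dst_path = os.path.join(profile_dir, src), os.path.join(profile_dir, dst)
    if not os.path.exists(src_path):
        raise FileNotFoundError(f"{src} not found in {profile_dir}")
    os.rename(src_path, dst_path)
    return dst_path


def demo() -> list:
    """Build a constructed profile folder in a temp dir, flip it to mandatory and back."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = os.path.join(tmp, "jdoe")
        os.mkdir(profile)
        open(os.path.join(profile, "ntuser.dat"), "wb").close()   # empty stand-in for the hive
        set_mandatory(profile)
        after = sorted(os.listdir(profile))
        set_mandatory(profile, mandatory=False)
        back = sorted(os.listdir(profile))
    return [after, back]


if __name__ == "__main__":
    env = {"SystemRoot": r"C:\Winnt", "SystemDrive": "C:"}   # constructed values
    print(profile_path("nt4", "jdoe", env))
    print(profile_path("xp", "jdoe", env))
    print(demo())
```

On a real machine ntuser.dat is a hidden file, so a plain directory listing will not show it; the rename itself is the whole change, and because the mandatory hive is shared by every logon that uses that profile it should only be writable by administrators.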
LAB ACTIVITY - Do the lab on page 109. (10 Minutes)
Creating and Managing User Accounts
Windows Server 2003 supports multiple ways to create and manage user accounts. The most common is Active Directory Users and Computers. We will also look at some of the command line tools that can be used to manage user accounts.
Active Directory Users and Computers
Active Directory Users and Computers allows you to browse your users, groups, OUs and printers using a graphical interface. New in Windows Server 2003 is the ability to move objects by dragging and dropping. You can also save queries that you commonly perform. Windows Server 2003 places users in the Users container; this container is not an Organizational Unit, which means group policies can't be applied to it. You will want to set up your OU structure to organize your users and to be able to assign group policies.
LAB ACTIVITY - Do the lab on page 113. (20 Minutes)
Another new feature in Windows Server 2003 is the ability to modify multiple user accounts at once: select multiple accounts, right-click and choose Properties. Before Windows Server 2003 you had to use the ADModify tool from Microsoft or write a script to do it.
User Account Templates
If you copy a user, some settings are carried over, such as group membership, profile, logon script, and home folder settings. If you make an account that contains the settings for a department you can use it as a template for new users who join that department.
LAB ACTIVITY - Do the lab on page 116. (10 Minutes)
Command Line Utilities
Windows 2000 was missing some good command line utilities to create and manage user accounts. Windows 2003 Server includes some new tools that let you manage accounts from the command line.
LAB ACTIVITY - Do the lab on page 120. (10 Minutes)
LAB ACTIVITY - Do the lab on page 122. (10 Minutes)
Bulk Import and Export
Microsoft includes two utilities to assist with the bulk import and export of users in Active Directory: CSVDE and LDIFDE.
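The following is an added example, not one of the notes' lab files: it builds an import file in each of the two formats from the same constructed list of users, so the difference between them is visible side by side. CSVDE carries no passwords, so accounts created from a CSV file arrive disabled (userAccountControl 514) and must be enabled once a password has been set; LDIFDE can include the unicodePwd attribute, but a domain controller accepts it only over an SSL/TLS-protected LDAP session, and the value is the password in double quotes, UTF-16LE encoded and base64 encoded (the "::" LDIF form). The OU, domain, user names and passwords are placeholders.

```python
"""Added example: CSVDE and LDIFDE import files for the same constructed user list."""
import base64
import csv
import io

BASE_DN = "OU=Staff,DC=example,DC=com"      # placeholder container
UPN_SUFFIX = "example.com"                  # placeholder UPN suffix
USERS = [                                    # constructed sample input
    {"sam": "jdoe", "given": "Jane", "sn": "Doe", "password": "Winter2003!"},
    {"sam": "bsmith", "given": "Bob", "sn": "Smith", "password": "Spring2003!"},
]

UAC_NORMAL, UAC_DISABLED = 512, 514         # userAccountControl: normal account, +disabled flag


def user_dn(u: dict) -> str:
    return f"CN={u['given']} {u['sn']},{BASE_DN}"


def csvde_file(users) -> str:
    """CSVDE input: one header row of attribute names, then one row per object.

    There is no way to carry a password, so every account is imported disabled."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\r\n")
    w.writerow(["DN", "objectClass", "sAMAccountName", "userPrincipalName",
                "displayName", "givenName", "sn", "userAccountControl"])
    for u in users:
        w.writerow([user_dn(u), "user", u["sam"], f"{u['sam']}@{UPN_SUFFIX}",
                    f"{u['given']} {u['sn']}", u["given"], u["sn"], UAC_DISABLED])
    return buf.getvalue()


def unicode_pwd(password: str) -> str:
    """unicodePwd wire format: the password inside double quotes, UTF-16LE, base64."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def ldifde_file(users, with_passwords: bool = False) -> str:
    """LDIFDE input: LDIF records with changetype: add.

    with_passwords=True emits unicodePwd and enables the account; only use that file
    over an SSL/TLS-protected connection, and delete it once imported."""
    out = []
    for u in users:
        out += [f"dn: {user_dn(u)}", "changetype: add", "objectClass: user",
                f"sAMAccountName: {u['sam']}",
                f"userPrincipalName: {u['sam']}@{UPN_SUFFIX}",
                f"displayName: {u['given']} {u['sn']}",
                f"givenName: {u['given']}", f"sn: {u['sn']}"]
        if with_passwords:
            out.append(f"unicodePwd:: {unicode_pwd(u['password'])}")
            out.append(f"userAccountControl: {UAC_NORMAL}")
        else:
            out.append(f"userAccountControl: {UAC_DISABLED}")
        out.append("")                        # blank line ends the record
    return "\n".join(out)


if __name__ == "__main__":
    print(csvde_file(USERS))
    print(ldifde_file(USERS, with_passwords=True))
```

Both tools import with the same switches, `csvde -i -f users.csv` and `ldifde -i -f users.ldf`; without `-i` they export instead. A plaintext password file is a secret in its own right, which is the reason to prefer the disabled-account import followed by a separate password reset when the LDAP session cannot be protected.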
LAB ACTIVITY - Do the lab on page 128. (5 Minutes)
Using ADSI (Active Directory Service Interfaces) you can write scripts that do similar things. Below are two examples.
Troubleshooting User Account and Authentication Issues
Account policies can only be applied at the domain level. You will find them in the Default Domain Policy group policy. There are three categories of policies you can set in this section.
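As an added example (not part of these notes), here is a checker that applies the password rules a domain's account policy enforces to a proposed password, so the effect of the settings can be tested offline before a user sees "the password does not meet the policy requirements". The values used here (minimum length 7, complexity on, 24 passwords remembered) match the Windows Server 2003 default domain settings; the complexity rule itself is the Windows one: characters from at least three of the four classes (upper, lower, digit, symbol), and no occurrence of the account name or of any part of the full name three or more characters long. The account jdoe / Jane Doe and the SHA-256 history list are constructed for the example; Active Directory does not store its password history this way.

```python
"""Added example: apply domain password-policy rules to a candidate password."""
import hashlib
import re

# Constructed policy matching the Server 2003 default domain policy values.
POLICY = {"min_length": 7, "complexity": True, "history": 24}


def _categories(pw: str) -> int:
    """Number of character classes present: upper, lower, digit, symbol."""
    return sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def _name_tokens(sam_account: str, display_name: str) -> list:
    """Complexity forbids the account name and any full-name token of 3+ characters."""
    tokens = [sam_account] + re.split(r"[ ,.\-_#\t]+", display_name)
    return [t.lower() for t in tokens if len(t) >= 3]


def remember(pw: str) -> str:
    """Entry for the constructed history list (an illustration, not AD's storage format)."""
    return hashlib.sha256(pw.encode("utf-16-le")).hexdigest()


def check_password(pw: str, sam_account: str, display_name: str,
                   history_hashes=(), policy: dict = POLICY) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["complexity"]:
        if _categories(pw) < 3:
            problems.append("needs characters from at least three of: upper, lower, digit, symbol")
        low = pw.lower()
        if any(tok in low for tok in _name_tokens(sam_account, display_name)):
            problems.append("contains the account name or part of the full name")
    # Only the most recent policy["history"] entries count, newest first.
    if remember(pw) in list(history_hashes)[: policy["history"]]:
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    history = [remember("Winter2003!")]          # constructed previous password
    for candidate in ["Winter2003!", "Ab1!", "password", "JaneDoe2003!", "Spring2003!"]:
        print(f"{candidate!r}: {check_password(candidate, 'jdoe', 'Jane Doe', history) or 'ok'}")
```

Minimum length, complexity and history are three separate settings, which is why a long, complex password can still be rejected for reuse; the lockout settings in the same policy are not about the password's content at all, and they show up in the Security log instead (next section).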
Auditing is covered in more detail in Chapter 14, but here we will look at how to use it to troubleshoot logon problems. In the Default Domain Policy you can enable auditing of failed logon events. When a user fails to log on, an event is logged in the Security log in Event Viewer. You can use the information from Event Viewer to troubleshoot the problem.
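The following is an added example, not from these notes: a small triage script that reads failed-logon events from a Security log export and reports, per account, why the logons failed, which workstations were involved, and whether a burst of bad passwords preceded a lockout. The event IDs and their meanings are those of the Windows 2000/2003 Security log (529 bad user name or password, 531 disabled, 535 password expired, 539 locked out, and so on). The pipe-separated export, the CORP accounts and the 3-failures-in-5-minutes burst threshold are constructed for the example; a real export from Event Viewer has a different layout, so the parser is the part to adapt.

```python
"""Added example: triage failed-logon events from a (constructed) Security log export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000/2003 Security log logon-failure event IDs and their meaning.
FAILURE_REASONS = {
    529: "unknown user name or bad password",
    530: "logon outside permitted hours",
    531: "account disabled",
    532: "account expired",
    533: "user not allowed to log on at this workstation",
    534: "logon type not granted",
    535: "password expired",
    539: "account locked out",
}
SUCCESS_ID = 528   # successful logon; ignored by the triage but present in real logs

# Constructed export: time | event ID | user | domain | workstation
SAMPLE_LOG = """\
2003-10-06 08:01:10|529|jdoe|CORP|WS017
2003-10-06 08:01:25|529|jdoe|CORP|WS017
2003-10-06 08:01:41|529|jdoe|CORP|WS017
2003-10-06 08:02:03|539|jdoe|CORP|WS017
2003-10-06 08:05:30|531|tmiller|CORP|WS022
2003-10-06 08:07:12|535|bsmith|CORP|WS009
2003-10-06 08:07:40|528|bsmith|CORP|WS009
2003-10-06 09:15:00|529|admin|CORP|WS031
"""


def parse_events(text: str) -> list:
    """Turn the pipe-separated export into event dictionaries (adapt for a real export)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, domain, ws = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "user": user.lower(), "domain": domain, "ws": ws})
    return events


def triage(events: list, burst_threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> dict:
    """Per account: failure reasons seen, workstations, lockout, and whether at least
    burst_threshold bad-password events (529) fell inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] in FAILURE_REASONS:
            by_user[e["user"]].append(e)
    report = {}
    for user, evs in by_user.items():
        bad_pw = sorted(e["time"] for e in evs if e["id"] == 529)
        burst = any(bad_pw[i + burst_threshold - 1] - bad_pw[i] <= window
                    for i in range(len(bad_pw) - burst_threshold + 1))
        report[user] = {
            "reasons": sorted({FAILURE_REASONS[e["id"]] for e in evs}),
            "bad_password_burst": burst,
            "locked_out": any(e["id"] == 539 for e in evs),
            "workstations": sorted({e["ws"] for e in evs}),
        }
    return report


if __name__ == "__main__":
    for user, info in triage(parse_events(SAMPLE_LOG)).items():
        print(user, info)
```

In the sample, jdoe's three bad passwords followed by a 539 are the classic "user forgot the password after the weekend" pattern, while tmiller and bsmith are not password problems at all (disabled account, expired password) and are fixed in the user's properties rather than by a reset. None of this is visible unless failure auditing is switched on in the Default Domain Policy as the notes describe; the lockout itself is additionally recorded under account management auditing as event 644.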