3-48 Chapter 3 User Accounts Case Scenario Exercise
One of Contoso’s competitors recently made the news as a recent victim of a breach of password security, that exposed its sensitive data. You decide to audit Contoso’s security configuration and you set forth the following requirements:
■ Requirement 1: Because you upgraded your domain controllers from Windows 2000 Server to Windows Server 2003, the domain account policy remained that of Windows 2000 Server. The domain account policies shall require:
❑ Password changes every 60 days
❑ 8-character passwords
❑ Password complexity
❑ Minimum password duration of one week
❑ Password history of 20 passwords
❑ Account lockout after five invalid logon attempts in a 60-minute period
❑ Administrator intervention to unlock locked out accounts
■ Requirement 2: In addition, ensure that these policies take effect within 24 hours. Password policies are implemented when a user changes his or her password— the policies do not affect existing passwords. So you require that users change their passwords as quickly as possible. You do not want to affect accounts used by services. Service accounts are stored in Contoso’s Service Accounts OU. User accounts are stored in the Employees OU and 15 OUs located under the Employees OU.
■ Requirement 3: Lock down the desktops of the sales representatives so that they are less likely to install customized Web toolbars, weather watchers, wallpaper-of-the-day utilities, or other software that might connect to the Internet and expose the desktop to attack.
The first requirement involves modifying password and account lockout settings.
1. What should be modified to achieve Requirement 1?
a. The domain controller security template Hisecdc.inf
b. The Default Domain policy
c. The Default Domain Controller policy
d. The domain controller security template Ssetup Security.inf
The correct answer is b.
Chapter 3 User Accounts 3-49 2. To configure account lockout so that users must contact the Help Desk to unlock their accounts, which policy should be specified?
a. Account lockout duration: 999
b. Account lockout threshold: 999
c. Account lockout duration: 0
d. Account lockout threshold: 0
The correct answer is c.
Configure the appropriate domain policies. For guidance, refer to Lesson 4, Exercise 1.
Requirement 2 indicates that you want to force users to change their password as quickly as possible. You know that user accounts include the flag User Must Change Password At Next Logon.
1. What will be the fastest and most effective means to configure user accounts to require a password change at the next logon?
a. Select a user account. Open its properties and, on the Account page, select User Must Change Password At Next Logon. Repeat for each user account.
b. Press CTRL+A to select all users in the Employees OU. Choose the Properties command and, on the Account page, select User Must Change Password At Next Logon. Repeat for each OU.
c. Use the DSADD command.
d. Use the DSRM command.
e. Use the DSQUERY and DSMOD commands.
The correct answer is e.
2. The DSQUERY command allows you to create a list of objects based on those objects’ locations or properties, and pipe those objects to the DSMOD command, which then modifies the objects. Open a command prompt and type the following command:
DSQUERY user "OU=Employees,DC=Contoso,DC=Com"
The command will produce a list of all user objects in the Employees OU. An advantage of this command is that it would include users in sub-OUs of the Employees OU. The requirement indicates that you have 15 OUs under the Employees OU. All would be included in the objects generated by DSQUERY.
Now, to meet the requirement, type the following command:
DSQUERY user "OU=Employees,DC=Contoso,DC=Com" | DSMOD user -mustchpwd yes
3-50 Chapter 3 User Accounts Requirement 3
This requirement suggests that you modify the user profiles of the sales representatives.
1. What type of profile will be most useful to maintain a locked-down desktop common to all sales representatives?
a. Local profile
b. Local, mandatory profile
c. The All Users profile
d. Preconfigured roaming group profile
e. Preconfigured roaming mandatory group profile
The correct answer is b.
2. In Lesson 3, Exercise 5, you created a profile called Sales. You made it a mandatory profile by renaming Ntuser.dat to Ntuser.man. Finally, you assigned it to several users. How can you ensure that each new sales representative utilizes the same profile?
Modify the Sales Representative template account you created in Lesson 2, Exercise 1. On the Profile tab, type the profile path: \\server01\profiles\sales. Confirm the success of your work by copying the template to create a new user account; then log on as that user. Make modifications to the desktop, log off, and log on again. The changes you made to the profile do not persist between sessions.
In this lab, you will generate several types of logon and account-related failures. You will then identify the causes of those failures and correct them accordingly.
Before proceeding with this lab, you must have user accounts created. The user accounts mentioned in the lab are those generated in Lesson 2, Exercise 3. You must also have configured the domain account policies as in Lesson 4, Exercise 1.
Exercise 1: Generate Logon and Account Failures
1. Log off of Server01.
2. Generate an account lockout by logging on six times with the username lsmithbates and an invalid password. Notice the difference between the Logon Messages you receive after the attempts and the Logon Message you receive after the account has been locked out.
Chapter 3 User Accounts 3-51 3. Log on as Danielle Tiedt, with username dtiedt.
4. Press CTRL+ALT+DELETE and change the password to a new password.
5. Press CTRL+ALT+DELETE and try to change the password to the original pass- word. Is it possible? Why or why not?
6. Try to change the password to yet another new password. Is that possible? Why or why not?
7. Log off.
Exercise 2: Monitor and Identify Logon and Account Management Events
1. Log on as Administrator.
2. Open the Computer Management console from the Administrative Tools group.
3. Expand the Event Viewer and select Security.
4. Make sure the Category column is wide enough that you can identify the types of events that are logged.
5. Explore the events that have been generated by recent activity. Notice the failed logon attempts, the lockout, and the attempts to reset Danielle Tiedt’s password.
Exercise 3: Correct Authentication and Account Problems
1. Open Active Directory Users And Computers
2. In the tree pane, navigate to and select the Employees OU.
3. In the details pane, select Danielle Tiedt’s user object.
4. From the Action menu, click Reset Password.
5. Type Danielle Tiedt’s original password as the new password. Why are you able to change the password when, while logged on as Danielle Tiedt, you could not?
6. Select Lorrin Smith-Bates’s user object.
7. From the Action menu, click Properties.
8. On the Account tab, clear the Account Is Locked Out check box.
9. Click OK.
3-52 Chapter 3 User Accounts Chapter Summary
■ You must be a member of the Enterprise Admins, Domain Admins, or Account Operators groups, or you must have been delegated administrative permissions to create user objects.
■ User objects include the properties typically associated with a user “account,” including logon names and password, and the unique SID for the user. They also include a number of properties related to the individuals they represent, including personal information, group membership, and administrative settings. Windows Server 2003 allows you to change some of these properties for multiple users, simultaneously.
■ A user object template is an object which is copied to produce new users. If the template is not a “real” user, it should be disabled. Only a subset of user properties are copied from templates.
■ The CSVDE command enables you to import directory objects from a comma-delimited text file.
■ Windows Server 2003 supports powerful new command-line tools to create, man-age, and delete directory objects: DSQUERY, DSGET, DSADD, DSMOVE, DSMOD, and DSRM. Frequently, DSQUERY will produce a result set of objects that can be piped as input to other commands.
■ Windows Server 2003 provides individual profiles for each user who logs on to the system. Profiles are stored, by default, on the local system in %Systemdrive% \Documents and Settings\%Username%.
■ Roaming profiles require only a shared folder, and the profile path configured in the user object’s properties.
■ Preconfigured profiles are simply profiles that are copied to the profile path before the profile path is configured in the user object.
■ Group profiles must be made mandatory, by renaming Ntuser.dat to Ntuser.man, so that changes made by one user do not affect other users.
■ The Default Domain Policy drives account policies including the password and lockout policies, whereas the Default Domain Controllers Policy specifies key auditing policies for domain controllers.
■ Auditing for authentication generates events in each domain controller’s security logs.
Chapter 3 User Accounts 3-53 Exam Highlights
Before taking the exam, review the key points and terms that are presented below to help you identify topics you need to review. Return to the lessons for additional practice and review the “Further Readings” sections in Part 2 for pointers to more information about topics covered by the exam objectives.
■ The group memberships or permissions, or both, required to create user accounts.
■ The options at your disposal for creating or managing multiple user accounts: user templates, importing, and command-line utilities. Understand the differences among the options, and the relative strengths and weaknesses of each option.
■ The properties that can be accessed or modified, or both, when creating a user, modifying a user in Active Directory Users and Computers, copying a template, querying with DSQUERY, or adding and modifying users with DSADD and DSMOD.
■ The process for configuring a roaming user profile, a preconfigured roaming user profile, or a preconfigured, mandatory group profile.
■ The impact of group policy on password and account lockout settings.
■ How to audit authentication events.
User account template You might hear this referred to by other terms, but the idea is the same. A template account is used as the basis for new accounts. It is copied to create a new user, and some of its properties, most notably its group member-ships, are copied as well.
Disabled account versus locked account An account is disabled if it has expired, or if it has been disabled by an administrator. An account is locked out if it has been subject to invalid logons beyond the threshold specified by the account lock-out policy.
Mandatory profile A user profile that does not maintain modifications between sessions. A user can modify a mandatory profile, but users’ changes are not saved when they log off. Group profiles must be made mandatory, or a change made by one user will affect all users.
3-54 Chapter 3 User Accounts Questions and Answers Page Lesson 1 Review
1. You are using Active Directory Users And Computers to configure user objects in your domain, and you are able to change the address and telephone number properties of the user object representing yourself. However, the New User command is unavailable to you. What is the most likely explanation?
You do not have sufficient privileges to create a user object in the container. The snap-in’s commands will adjust to reflect your administrative capabilities. If you do not have the right to create an object, the appropriate New command will be unavailable.
2. You are creating a number of user objects for a team of your organization’s temporary workers. They will work daily from 9:00 A.M. to 5:00 P.M. on a contract that is scheduled to begin in one month and end two months later. They will not work outside of that schedule. Which of the following properties should you configure initially to ensure maximum security for the objects?
b. Logon Hours
c. Account expires
d. Store password using reversible encryption
e. Account is trusted for delegation
f. User must change password at next logon
g. Account is disabled
h. Password never expires
The correct answers are a, b, c, f, g.
3. Which of the following properties and administrative tasks can be configured or performed simultaneously on more than one user object?
a. Last Name
b. User Logon Name
c. Disable Account
d. Enable Account
e. Reset Password
f. Password Never Expires
g. User Must Change Password At Next Logon
Questions and Answers 3-55 h. Logon Hours
i. Computer Restrictions (Logon Workstations)
k. Direct Reports
The correct answers are c, d, f, g, h, i, j.
Page Lesson 2 Review
1. What option will be most useful to generate 100 new user objects, each of which have identical profile path, home folder path, Title, Web Page, Company, Department, and Manager settings?
DSADD will be the most useful option. You can enter one command line that includes all the parameters. By leaving the UserDN parameter empty, you can enter the users’ distinguished names one at a time in the command console. A user object template does not allow you to con-figure options including Title, Telephone Number and Web Page. Generating a comma-delimited text file would be time-consuming, by comparison, and would be overkill, particularly when so many parameters are identical.
2. Which tool will allow you to identify accounts that have not been used for two months?
The correct answer is e.
3. What variable can be used with the DSMOD and DSADD commands to create user-specific home folders and profile folders?
The correct answer is b.
3-56 Chapter 3 User Accounts 4. Which tools allow you to output the telephone numbers for all users in an OU?
The correct answers are b and e. DSQUERY will produce a list of user objects within an OU and can pipe that list to DSGET, which in turn can output particular properties, such as phone numbers.
Page Lesson 3 Review
1. Describe how a user’s desktop is created when roaming user profiles are not implemented.
When a user logs on to a system for the first time, the system copies the Default User profile and creates a user-specific profile in a folder named, by default, %Systemdrive%\Documents and Settings\%Username%. The environment that the user experiences is a combination of his or her user profile and the All Users profile.
2. Arrange, in order, the steps that reflect the creation of a preconfigured roaming user profile. Use all steps provided.
❑ Customize the desktop and user environment.
❑ Log on as a user with sufficient permissions to modify user account properties.
❑ Copy the profile to the network.
❑ Create a user account so that the profile can be created without modifying any user’s current profile.
❑ Log on as the profile account.
❑ Enter the UNC path to the profile in a user’s Profile property sheet.
❑ Log on as a local or domain administrator.
1. Create a user account so that the profile can be created without modifying any user’s cur-rent profile.
2. Log on as the profile account.
3. Customize the desktop and user environment.
4. Log on as a local or domain administrator.
5. Copy the profile to the network.
6. Log on as a user with sufficient permissions to modify user account properties.
7. Enter the UNC path to the profile in a user’s Profile property sheet.
Questions and Answers 3-57 3. How do you make a profile mandatory?
a. Configure the permissions on the folder’s Security property sheet to deny write permission.
b. Configure the permissions on the folders Sharing property sheet to allow only read permission.
c. Modify the attributes of the profile folder to specify the Read Only attribute.
d. Rename Ntuser.dat to Ntuser.man.
The correct answer is d.
Page Lesson 4 Review
1. You enable the password complexity policy for your domain. Describe the requirements for passwords, and when those requirements will take effect.
The password must not be based on the user’s account name; must contain at least six characters, with at least one character from three of the four categories: uppercase, lowercase, Arabic numerals, and nonalphanumeric characters. The requirements will take effect immediately for all new accounts. Existing accounts will be affected when they next change their password.
2. To monitor potential dictionary attacks against user passwords in your enterprise, what is the single best auditing policy to configure, and what log or logs will you evaluate?
The Audit Policy to audit Account Logon failures is the most effective policy to specify under these circumstances. Failed logons will generate events in the Security logs of all domain con-trollers.
3. A user has forgotten his or her password and attempts to log on several times with an incorrect password. Eventually, the user receives a logon message indicating that the account is either disabled or locked out. The message suggests that the user contact an administrator. What must you do?
a. Delete the user object and recreate it.
b. Rename the user object.
c. Enable the user object.
d. Unlock the user object.
e. Reset the password for the user object.
The correct answers are d and e. Although the logon message text on Windows 2000 and other previous operating system versions indicates that the account is disabled, the account is actually locked. Windows Server 2003 displays an accurate message that the account is, in fact, locked out. However, you can recognize the problem by examining what caused the message: a user forgot his or her password. You must unlock the account and reset the password.
注册－收款工具那么多，为何选择Payoneer？ ｜ 为何申请Payoneer万事达预付卡+欧美日收款银行账号？
Payoneer有卡账户和无卡账户的区别 ｜ Payoneer个人账户注册申请教程 ｜ P卡公司帐户注册教程
Payoneer欧元帐户（虚拟卡） ｜ Payoneer英镑帐户 ｜ Payoneer日元帐户 ｜ 订购实体卡（P卡）
Payoneer卡年费啥时候扣？ ｜ Payoneer卡休眠和激活 ｜ P卡到期后如何更换？ ｜ 如何注销P卡？
官方－Payoneer秉承公正、公开、透明服务 ｜ Payoneer官方最新政策汇总 ｜ 官方客服联系方式
Payoneer官方费用表 ｜ 如何减少Payoneer的手续费？ ｜ 点此免除入账费 ｜ 点此降低提现费
跨境收款服务商拷问篇——Payoneer ｜ Payoneer客户答疑手册（FAQ） ｜ Payoneer手机App
收款－跨境电商/外贸收款方式对比 ｜ Payoneer可以错名收款吗？
Amazon亚马逊卖家设置Payoneer卡收款教程 ｜ Payoneer支持从美国电商平台Newegg收款
CJ联盟设置Payoneer卡收款 ｜ ClickBank联盟设置Payoneer收款 ｜ Amazon联盟设置P卡收款
Payoneer如何从东南亚电商平台Lazada收款 ｜ 如何在Lazada开店？
Payoneer如何从拉美电商平台Linio收款？ ｜ Payoneer绑定非洲电商平台Jumia收款
Payoneer如何从跨境移动电商Wish收款？ ｜ Wish模式正在改变电商格局
Payoneer支持从法国乐天Priceminister收款 ｜ 法国电商平台CDiscount对接Payoneer收款
Payoneer可接受个人与公司信用卡付款（请求付款） ｜ 关于Payoneer卡充值
从PayPal提现到Payoneer卡教程及手续费用 ｜ PayPal无法绑定并转账到Payoneer卡？
提现－从Payoneer卡提现到国内银行账户 ｜ Payoneer无法从Dating联盟收款并限制提现方式
用P卡在中国银行ATM机取款4000元 ｜ 用Payoneer卡在中国建设银行ATM机取款500元