野猪尖

www.ZhaoNiuPai.com/BLOG/


3-1 Creating and Managing User Objects

Lesson 1: Creating and Managing User Objects
Active Directory requires the verification of an individual’s identity—a process called authentication—before that individual can access resources. The cornerstone of authentication is the user account, with its user logon name, password, and unique security identifier (SID). During logon, Active Directory authenticates the user name and password entered by the user. The security subsystem can then build the security access token that represents that user. The access token contains the user account’s SID, as well as the SIDs of groups to which the user belongs. That token can then be used to verify user rights assignments, including the right to log on locally to the system, and to authorize access to resources secured by access control lists (ACLs).
The user account is integrated into the Active Directory user object. The user object includes not just the user’s name, password, and SID, but also contact information, such as telephone numbers and addresses; organizational information including job title, direct reports and manager; group memberships; and configuration such as roaming profile, terminal services, remote access, and remote control settings. This lesson will review and enhance your understanding of user objects in Active Directory.

After this lesson, you will be able to
■ Create user objects in Active Directory using the Active Directory Users and Computers snap-in
■ Configure user object properties
■ Understand important account options that are not self-explanatory based on their descriptions
■ Modify properties of multiple users simultaneously

Estimated lesson time: 15 minutes

Creating User Objects with Active Directory Users and Computers
You can create a user object with the Active Directory Users and Computers snap-in. Although user objects can be created in the domain or any of the default containers, it is best to create a user in an organizational unit, so that administrative delegation and Group Policy Objects (GPOs) can be fully leveraged.
To create a user object, select the container in which you want to create the object, click the Action menu, then choose New and choose User. You must be a member of the Enterprise Admins, Domain Admins, or Account Operators groups, or you must have been delegated administrative permissions to create user objects in the container. If you do not have sufficient permissions to create user objects, the New User command will be unavailable to you.
The New Object–User dialog box appears, as shown in Figure 3-1. The first page of the New Object–User dialog box requests properties related to the user name. Table 3-1 describes the properties that appear on the first page of the dialog box.

Figure 3-1 The New Object–User dialog box

Table 3-1 User Properties in the First Page of the New Object–User Dialog Box
Property Description
First Name The user’s first name. Not required.
Initials The middle initials of the user’s name. Not required.
Last Name The user’s last name. Not required.
Full Name The user’s full name. If you enter values for the first or last name, the full name property is populated automatically. However, you can easily modify the suggested value. The field is required. The name entered here generates several user object properties, specifically CN (common name), DN (distinguished name), name, and displayName. Because CN must be unique within a container, the name entered here must be unique relative to all other objects in the OU (or other container) in which you create the user object.
User Logon Name The user principal name (UPN) consists of a logon name and a UPN suffix which is, by default, the DNS name of the domain in which you create the object. The property is required and the entire UPN, in the format logonname@UPN-suffix, must be unique within the Active Directory forest. A sample UPN would be someone@contoso.com. The UPN can be used to log on to any Microsoft Windows system running Windows 2000, Windows XP, or Windows Server 2003.
User Logon Name (Pre–Windows 2000) This logon name is used to log on from down-level clients, such as Microsoft Windows 95, Windows 98, Windows Millennium Edition (Windows Me), Windows NT 4, or Windows NT 3.51. This field is required and must be unique within the domain.
Once you have entered the values in the first page of the New Object–User dialog box, click Next. The second page of the dialog box, shown in Figure 3-2, allows you to enter the user password and to set account flags.

Figure 3-2 Second page of the New Object–User dialog box

Security Alert The default account policies in a Windows Server 2003 domain, set in the Default Domain Policy GPO, require complex passwords that have a minimum of seven characters. That means a password must contain three of four character types: uppercase, lowercase, numeric, and non-alphanumeric. When you use Windows Server 2003 in a test or lab environment, you should implement the same best practices that are required in a production network. Therefore, in this book, you are encouraged to use complex passwords for the user accounts you create; it will be left to you to remember those passwords during exercises that require logging on as those users.
The properties available in the second page of the New Object–User dialog box are summarized in Table 3-2.
Table 3-2 User Properties in the Second Page of the New Object–User Dialog Box
Property Description
Password The password that is used to authenticate the user. For security reasons, you should always assign a password. The password is masked as you type it.
Confirm Password Confirm the password by typing it a second time to make sure you typed it correctly.
User Must Change Password At Next Logon Select this check box if you want the user to change the password you have entered the first time he or she logs on. You cannot select this option if you have selected Password Never Expires. Selecting this option will automatically clear the mutually exclusive option User Cannot Change Password.
User Cannot Change Password Select this check box if you have more than one person using the same domain user account (such as Guest) or to maintain control over user account passwords. This option is commonly used to manage service account passwords. You cannot select this option if you have selected User Must Change Password At Next Logon.
Password Never Expires Select this check box if you never want the password to expire. This option will automatically clear the User Must Change Password At Next Logon setting, as they are mutually exclusive. This option is commonly used to manage service account passwords.
Account Is Disabled Select this check box to disable the user account, for example, when creating an object for a newly hired employee who does not yet need access to the network.

Off the Record When creating objects for new users, choose a unique, complex password for each user that does not follow a predictable pattern. Select the option to enforce that the user must change password at next logon. If the user is not likely to log on to the network for a period, disable the account. When the user requires access to the network for the first time, ensure that the user’s account is enabled. The user will be prompted to create a new, unique password that only the user knows.

Some of the account options listed in Table 3-2 have the potential to contradict policies set in the domain policies. For example, the default domain policy implements a best practice of disabling the storing of passwords using reversible encryption. However, in the rare circumstances that require reversible encryption, the user account property, Store Password Using Reversible Encryption, will take precedence for that specific user object. Similarly, the domain may specify a maximum password age, or that users must change password at next logon. If a user object is configured with Password Never Expires, that configuration will override the domain’s policies.
Managing User Objects with Active Directory Users And Computers
When creating a user, you are prompted to configure the most common user properties, including logon names and password. However, user objects support numerous additional properties that you can configure at any time using Active Directory Users And Computers. These properties facilitate the administration of, and the searching for, an object.
To configure the properties of a user object, select the object, click the Action menu, and then choose Properties. The user’s Properties dialog box appears, as shown in Figure 3-3. An alternative way to view an object’s properties would be to right-click the object and select Properties from the shortcut menu.

Figure 3-3 The user’s Properties dialog box

The property pages in the Properties dialog box expose properties that fall into several broad categories:
■ Account properties: the Account tab These properties include those that are configured when you create a user object, including logon names, password and account flags.
■ Personal information: the General, Address, Telephones, and Organization tabs The General tab exposes the name properties that are configured when you create a user object.
■ User configuration management: the Profile tab Here you can configure the user’s profile path, logon script, and home folder locations.
■ Group membership: the Member Of tab You can add and remove user groups, and set the user’s primary group.
■ Terminal services: the Terminal Services Profile, Environment, Remote Control, and Sessions tabs These four tabs allow you to configure and manage the user’s experience when they are connected to a Terminal Services session.
■ Remote access: the Dial-in tab Allows you to enable and configure remote access permission for a user.
■ Applications: the COM+ tab Assigns Active Directory COM+ partition sets to the user. This feature, new to Windows Server 2003, facilitates the management of distributed applications.
Account Properties
Of particular note are the user’s account properties, on the Account tab of the user’s Properties dialog box. An example appears in Figure 3-4.

Figure 3-4 The user Account tab

Several of these properties were discussed in Table 3-2. Those properties were configured when creating the user object and can be modified, as can a larger set of account properties, using the Account tab. Several properties are not necessarily self-explanatory, and deserve definition in Table 3-3.
Table 3-3 User Account Properties
Property Description
Logon Hours Click Logon Hours to configure the hours during which a user is allowed to log on to the network.
Log On To Click Log On To if you want to limit the workstations to which the user can log on. This is called Computer Restrictions in other parts of the user interface. You must have NetBIOS over TCP/IP enabled for this feature to restrict users because it uses the computer name, rather than the Media Access Control (MAC) address of its network card, to restrict logon.
Store Password Using Reversible Encryption This option, which stores the password in Active Directory without using Active Directory’s powerful, nonreversible encryption hashing algorithm, exists to support applications that require knowledge of the user password. If it is not absolutely required, do not enable this option because it weakens password security significantly. Passwords stored using reversible encryption are similar to those stored as plaintext. Macintosh clients using the AppleTalk protocol require knowledge of the user password. If a user logs on using a Macintosh client, you will need to select the option to Store Password Using Reversible Encryption.
Smart Card Is Required For Interactive Logon Smart cards are portable, tamper-resistant hardware devices that store unique identification information for a user. They are attached to, or inserted into, a system and provide an additional, physical identification component to the authentication process.
Account Is Trusted For Delegation This option enables a service account to impersonate a user to access network resources on behalf of a user. This option is not typically selected, certainly not for a user object representing a human being. It is used more often for service accounts in three-tier (or multi-tier) application infrastructures.
Account Expires Use the Account Expires controls to specify when an account expires.
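As an added example (not part of the lesson or of Microsoft's tooling), the following Python script audits the account options from Tables 3-2 and 3-3 across a constructed ldifde-style export, reporting the options the lesson singles out as risky or as overriding domain policy. It assumes the documented userAccountControl bit values for those check boxes and that User Must Change Password At Next Logon is recorded as pwdLastSet = 0; the sample entries (a service account and a Guest-like account) are constructed, not real data.

```python
# Assumed (not from the lesson): the check boxes are stored as bits of the documented
# userAccountControl attribute; "User Must Change Password At Next Logon" is pwdLastSet = 0.
ACCOUNTDISABLE = 0x0002               # Account Is Disabled
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # Store Password Using Reversible Encryption
DONT_EXPIRE_PASSWD = 0x10000          # Password Never Expires
TRUSTED_FOR_DELEGATION = 0x80000      # Account Is Trusted For Delegation

# Constructed sample export in ldifde's "attribute: value" layout (not real data)
SAMPLE_EXPORT = """\
dn: CN=svc-sql,OU=Service Accounts,DC=contoso,DC=com
sAMAccountName: svc-sql
userAccountControl: 590464
pwdLastSet: 128000000000000000

dn: CN=Guest,CN=Users,DC=contoso,DC=com
sAMAccountName: Guest
userAccountControl: 66082
pwdLastSet: 0
"""

def parse_export(text):
    """Split the export into one {attribute: value} dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs[name] = value
        entries.append(attrs)
    return entries

def audit_account(attrs):
    """List the security-relevant options set on one user, in a fixed order."""
    uac = int(attrs.get("userAccountControl", "0"))
    must_change = attrs.get("pwdLastSet") == "0"
    findings = []
    if uac & ACCOUNTDISABLE:
        findings.append("Account Is Disabled")
    if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
        findings.append("Store Password Using Reversible Encryption (plaintext-equivalent)")
    if uac & DONT_EXPIRE_PASSWD:   # the lesson notes this overrides the domain's policy
        note = " (overrides User Must Change Password At Next Logon)" if must_change else ""
        findings.append("Password Never Expires" + note)
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("Account Is Trusted For Delegation")
    return findings

def audit_export(text):
    return {e["sAMAccountName"]: audit_account(e) for e in parse_export(text)}
```

Running audit_export on a real ldifde export of the Users container gives a per-account list of the options that deserve review before the object is handed to its owner.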
Managing Properties on Multiple Accounts Simultaneously
Windows Server 2003 allows you to modify the properties of multiple user accounts simultaneously. You simply select several user objects by holding the CTRL key as you click each user, or using any other multiselection options. Be certain that you select only objects of one class, such as users. Once you have multiselected, on the Action menu, choose Properties.
When you have multiselected user objects, a subset of properties is available for modification.
■ General tab Description, Office, Telephone Number, Fax, Web Page, E-mail
■ Account tab UPN Suffix, Logon Hours, Computer Restrictions (logon workstations), all Account Options, Account Expires
■ Address Street, PO Box, City, State/Province, ZIP/Postal Code, Country/Region
■ Profile Profile Path, Logon Script, and Home Folder
■ Organization Title, Department, Company, Manager

Tip Be sure to know which properties can be modified for multiple users simultaneously. Exam scenarios that suggest a need to change many user objects’ properties as quickly as possible are often testing your understanding of multiselect. There are still many properties that must be set on a user-by-user basis. Also, certain administrative tasks, including the resetting of passwords and the renaming of accounts, can only be performed on one user object at a time.

Moving a User
If a user is transferred within an organization, it is possible that you might need to move his or her user object to reflect a change in the administration or configuration of the object. To move an object in Active Directory Users and Computers, select the object and, from the Action menu, choose Move. Alternatively, you can right-click the object and select Move from the shortcut menu.

Tip A new feature of Windows Server 2003 is that drag-and-drop operations are supported. You can move objects between OUs by dragging and dropping them in the Active Directory Users And Computers snap-in.
Article address: http://www.zhaoniupai.com/blog/archives/252.html
© 2004-2011 野猪尖