Microsoft Server 2008 R2 Account Management
Jan 22, 2016
OVERVIEW
• Understand the differences between local user and domain user accounts.
• Plan, create, and manage local and domain user accounts.
• Create and manage user accounts by using Active Directory and creating templates.
• Domain-based security groups.
UNDERSTANDING USER ACCOUNTS
• Local User Accounts
– Stored in the Security Accounts Manager (SAM) database on that system
– Can be used only on that system
• Domain User Accounts
– Stored on domain controllers in the Active Directory database (NTDS.DIT)
– Can be used on any system in the Active Directory domain
PLANNING USER ACCOUNTS
• Account naming conventions
– Be consistent
• Securing accounts and choosing passwords
– “Moving target” in industry today
– You can help defend your domain from attackers by requiring strong passwords and implementing an account lockout policy.
– Strong passwords reduce the risk of intelligent password guessing and dictionary attacks on passwords.
– An account lockout policy decreases the possibility of an attacker compromising your domain through repeated logon attempts.
– An account lockout policy determines how many failed logon attempts a user account can have before it is disabled.
– 15+ character “passphrase” is popular
• Januaryisreallycold (19 characters)
• Populate common attributes consistently
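The two controls on this slide (minimum password length and an account lockout threshold) are settings of the default domain password policy, which the ActiveDirectory PowerShell module can read and write. The script below is an added example, not part of the original slides: it audits the current policy against the slide's guidance and offers a preview-able remediation. The thresholds (15 characters, lockout after 5 failures, 30-minute lockout window) are assumptions chosen to match the slide text, not values from the deck.

```powershell
# Added example (not from the original slides): audit the default domain
# password and lockout policy against the slide's guidance, then optionally
# apply recommended settings. Requires the ActiveDirectory module (RSAT or a
# Server 2008 R2 domain controller). Threshold values are assumptions.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [int]$MinLength           = 15,   # slide: 15+ character passphrase
        [int]$MaxLockoutThreshold = 10    # assumption: lock out well before brute force succeeds
    )
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength); want >= $MinLength"
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += "Password complexity is disabled"
    }
    # LockoutThreshold 0 means accounts are never locked out, so repeated
    # logon attempts are not limited at all.
    if ($policy.LockoutThreshold -eq 0) {
        $findings += "LockoutThreshold is 0 (no account lockout policy)"
    } elseif ($policy.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "LockoutThreshold is $($policy.LockoutThreshold); want <= $MaxLockoutThreshold"
    }
    if ($policy.ReversibleEncryptionEnabled) {
        $findings += "Reversible encryption is enabled (passwords recoverable from the directory)"
    }

    New-Object PSObject -Property @{
        Domain    = $policy.DistinguishedName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Applies the recommended settings; run with -WhatIf first to preview.
function Set-RecommendedPasswordPolicy {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    if ($PSCmdlet.ShouldProcess($Domain, 'Set password and lockout policy')) {
        Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
            -MinPasswordLength 15 `
            -ComplexityEnabled $true `
            -LockoutThreshold 5 `
            -LockoutDuration (New-TimeSpan -Minutes 30) `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
            -PasswordHistoryCount 24 `
            -ReversibleEncryptionEnabled $false
    }
}

Test-DomainPasswordPolicy | Format-List
# Set-RecommendedPasswordPolicy -WhatIf
```

The audit is read-only and can be run by any domain user; the remediation function needs Domain Admins rights and changes the policy for every account in the domain, which is why it is gated behind ShouldProcess.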
Account Naming Guidelines
A user account name:
• Cannot be identical to any other user account name or group name on the computer being administered
• Can contain up to 20 characters
• Can contain uppercase or lowercase characters
• Cannot contain any of the following characters: " / \ [ ] : ; | = , + * ? < > @
• Cannot consist solely of periods (.) or spaces
• Is NOT case sensitive
Domain User Accounts
Account Naming Guidelines
• Account names should be consistent
– Not only for users, but for all domain objects
• Organizations will typically have an account naming policy
– [First name].[last name]:
• Luka.Abrus
– [First initial][last name]:
• [email protected]
– [employeeID][first initial][last initial]:
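The character and length rules from the previous slide and the naming conventions on this one combine naturally into one script: generate a candidate name from the chosen convention, then check it before it reaches the directory. The code below is an added example, not from the original slides. The person names and employee IDs are constructed sample data, and the three convention labels (FirstDotLast, InitialLast, IdInitials) are names chosen here for the slide's three patterns.

```powershell
# Added example (not from the original slides): build account names from the
# slide's conventions and validate them against the naming rules.
# Sample names and employee IDs are constructed.

# Characters a user account name may not contain (from the guidelines).
$script:ForbiddenChars = [char[]]'"/\[]:;|=,+*?<>@'

function Test-AccountName {
    param([Parameter(Mandatory=$true)][string]$Name)
    $problems = @()
    if ($Name.Length -eq 0 -or $Name.Length -gt 20) {
        $problems += "length must be 1-20 characters (got $($Name.Length))"
    }
    $bad = @($Name.ToCharArray() | Where-Object { $script:ForbiddenChars -contains $_ })
    if ($bad.Count -gt 0) {
        $problems += "contains forbidden character(s): $(($bad | Select-Object -Unique) -join ' ')"
    }
    if ($Name -match '^[. ]+$') {
        $problems += "consists solely of periods or spaces"
    }
    New-Object PSObject -Property @{ Name = $Name; Valid = ($problems.Count -eq 0); Problems = $problems }
}

function New-AccountName {
    param(
        [Parameter(Mandatory=$true)][string]$FirstName,
        [Parameter(Mandatory=$true)][string]$LastName,
        [string]$EmployeeId,
        [ValidateSet('FirstDotLast','InitialLast','IdInitials')]
        [string]$Convention = 'FirstDotLast'
    )
    switch ($Convention) {
        'FirstDotLast' { $name = "$FirstName.$LastName" }
        'InitialLast'  { $name = "$($FirstName.Substring(0,1))$LastName" }
        'IdInitials'   { $name = "$EmployeeId$($FirstName.Substring(0,1))$($LastName.Substring(0,1))" }
    }
    # Account names are not case sensitive, so normalise to lower case to
    # keep the directory consistent.
    return $name.ToLower()
}

# Constructed sample input; the third surname is long enough to break the
# 20-character limit under the First.Last convention.
$people = @(
    @{ First = 'Luka';        Last = 'Abrus';             Id = '10417' },
    @{ First = 'Maria';       Last = 'Fernandez-Ruiz';    Id = '10418' },
    @{ First = 'Christopher'; Last = 'Featherstonehaugh'; Id = '10419' }
)
foreach ($p in $people) {
    foreach ($c in 'FirstDotLast','InitialLast','IdInitials') {
        $n = New-AccountName -FirstName $p.First -LastName $p.Last -EmployeeId $p.Id -Convention $c
        $r = Test-AccountName -Name $n
        '{0,-13} {1,-30} valid={2} {3}' -f $c, $n, $r.Valid, ($r.Problems -join '; ')
    }
}
```

Test-AccountName only covers the rules on the slide; the uniqueness rule ("cannot be identical to any other user account or group name") needs a directory lookup, for example Get-ADUser -LDAPFilter "(sAMAccountName=$n)" against the domain, before the name is used.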
Domain User Accounts
Creating Domain User Accounts
• Command line
– Net user…
– Dsadd user…
• PowerShell
• Server Manager
• Active Directory Administrative Center
• Active Directory Users and Computers
• Script and import
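The "PowerShell" and "Script and import" items on this slide are usually the same thing in practice: a CSV of new accounts fed to New-ADUser. The script below is an added example, not from the original slides. The OU path, UPN suffix and CSV rows are constructed sample values; the net user and dsadd user lines at the end show the same account created with the command-line tools the slide names.

```powershell
# Added example (not from the original slides): "Script and import" with
# PowerShell. Reads a CSV of new accounts and creates each one with New-ADUser.
# The OU, UPN suffix and CSV rows are constructed sample values.
Import-Module ActiveDirectory

$TargetOU  = 'OU=Staff,DC=contoso,DC=local'   # assumption
$UpnSuffix = 'contoso.local'                   # assumption

# Constructed import file; in practice: $users = Import-Csv .\newusers.csv
$csvText = @'
GivenName,Surname,SamAccountName,Department
Luka,Abrus,luka.abrus,Engineering
Maria,Fernandez,maria.fernandez,Finance
'@
$users = $csvText | ConvertFrom-Csv

function New-InitialPassword {
    # Random 20-character starting password; the user must change it at first logon.
    $alphabet = [char[]](48..57) + [char[]](65..90) + [char[]](97..122) + [char[]]'!#%&*-_'
    -join (1..20 | ForEach-Object { $alphabet | Get-Random })
}

function New-StaffUser {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)]$Row)

    $sam = $Row.SamAccountName
    # Skip duplicates instead of letting New-ADUser fail part-way through the import.
    if (Get-ADUser -LDAPFilter "(sAMAccountName=$sam)") {
        Write-Warning "$sam already exists; skipping"
        return
    }
    $initial = New-InitialPassword
    $params = @{
        Name                  = "$($Row.GivenName) $($Row.Surname)"
        DisplayName           = "$($Row.GivenName) $($Row.Surname)"
        GivenName             = $Row.GivenName
        Surname               = $Row.Surname
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$UpnSuffix"
        Department            = $Row.Department
        Path                  = $TargetOU
        AccountPassword       = (ConvertTo-SecureString $initial -AsPlainText -Force)
        ChangePasswordAtLogon = $true
        Enabled               = $true
    }
    if ($PSCmdlet.ShouldProcess($sam, 'Create domain user')) {
        New-ADUser @params
        # Return the starting password to the caller for out-of-band delivery;
        # do not write it to a log file.
        New-Object PSObject -Property @{ SamAccountName = $sam; InitialPassword = $initial }
    }
}

# Dry run first, then for real:
$users | ForEach-Object { New-StaffUser -Row $_ -WhatIf }
# $users | ForEach-Object { New-StaffUser -Row $_ }

# The same account with the command-line tools named on the slide
# ("*" prompts for the password instead of putting it on the command line):
#   net user luka.abrus * /add /domain
#   dsadd user "CN=Luka Abrus,OU=Staff,DC=contoso,DC=local" -samid luka.abrus `
#       -upn luka.abrus@contoso.local -fn Luka -ln Abrus -pwd * -mustchpwd yes
```

ChangePasswordAtLogon means the generated password is only a one-time bootstrap; combined with the lockout policy from the planning slide, a leaked CSV of starting passwords has a short useful life.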
Domain User Accounts
• Command line
• GUI
Domain User Accounts
WORKING WITH DOMAIN USER ACCOUNTS
CREATING A DOMAIN USER ACCOUNT
Creating Domain Users
• What happens when the user is created?
– User is stored in the database
– User is automatically assigned a security identifier (SID)
• i.e. S-1-5-21-D1-D2-D3-RID
• S-1-5 = standard prefix (5 means it was created by NT)
• RID is unique to each account
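The S-1-5-21-D1-D2-D3-RID layout is easiest to understand by pulling a SID apart. The script below is an added example, not from the original slides: it splits a SID into the prefix, domain identifier and RID named above, and shows that two accounts from the same domain share everything but the RID. The SID strings are constructed samples, not values from any real domain.

```powershell
# Added example (not from the original slides): split a SID into the parts
# named on the slide and check two accounts for a shared domain identifier.
# The SID values below are constructed samples.

function Get-SidParts {
    param([Parameter(Mandatory=$true)][string]$Sid)
    # .NET validates the string and exposes the domain portion for us.
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
    $fields = $Sid -split '-'          # S, revision, authority, subauthorities...
    $domainSid = $null
    if ($sidObj.AccountDomainSid -ne $null) { $domainSid = $sidObj.AccountDomainSid.Value }
    New-Object PSObject -Property @{
        Sid         = $Sid
        Revision    = [int]$fields[1]       # 1
        Authority   = [int]$fields[2]       # 5 = NT Authority (created by NT)
        IsDomainSid = ($fields[3] -eq '21') # S-1-5-21-D1-D2-D3 = domain identifier
        DomainSid   = $domainSid
        Rid         = [int]$fields[-1]      # relative identifier, unique per account
    }
}

# Two accounts from the same domain share D1-D2-D3 and differ only in RID.
function Test-SameDomain {
    param([string]$SidA, [string]$SidB)
    $a = (Get-SidParts $SidA).DomainSid
    $b = (Get-SidParts $SidB).DomainSid
    return ($a -ne $null) -and ($a -eq $b)
}

# Constructed samples
$admin = 'S-1-5-21-1004336348-1177238915-682003330-500'   # RID 500 = built-in Administrator
$user  = 'S-1-5-21-1004336348-1177238915-682003330-1108'  # an ordinary domain user
$local = 'S-1-5-32-544'                                    # BUILTIN\Administrators, no domain part

$admin, $user, $local | ForEach-Object { Get-SidParts $_ } |
    Format-Table Sid, Authority, IsDomainSid, DomainSid, Rid -AutoSize
'Admin and user in same domain: ' + (Test-SameDomain $admin $user)
'Admin and BUILTIN group in same domain: ' + (Test-SameDomain $admin $local)

# For a real account: (Get-ADUser -Identity luka.abrus).SID.Value
```

Because the SID, not the name, is what appears in ACLs and group memberships, renaming an account (later slide) changes nothing about its access, while deleting and recreating it with the same name produces a new RID and therefore a different identity.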
THE GENERAL TAB
THE ACCOUNT TAB
THE PROFILE TAB
THE MEMBER OF TAB
MANAGING MULTIPLE USERS
MANAGING DOMAIN USER ACCOUNTS
• From the Action menu, you can:
– Reset a user account password
• Different from changing a password
• Control-Alt-Delete: Change a Password
– Rename, disable, and delete an account.
– Modify group membership.
– Send e-mail and open a user’s homepage.
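Each Action-menu task on this slide has a cmdlet equivalent, and the reset-versus-change distinction maps directly onto two parameter sets of Set-ADAccountPassword. The script below is an added example, not from the original slides. The account and group names are constructed samples, and the offboarding functions (Disable-DepartedUser, Remove-DepartedUser) are names chosen here.

```powershell
# Added example (not from the original slides): the Action-menu tasks from the
# slide done with the ActiveDirectory module. Account, group and name values
# are constructed samples. Functions support -WhatIf for a dry run.
Import-Module ActiveDirectory

# Reset: an administrative action that needs no old password. The user is
# then forced to pick a new one at logon so the administrator never knows it.
function Reset-UserPassword {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Identity)
    if ($PSCmdlet.ShouldProcess($Identity, 'Reset password')) {
        $new = Read-Host -AsSecureString "Temporary password for $Identity"
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $new
        Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
    }
}

# Change: what the user does via Control-Alt-Delete > Change a Password.
# It proves knowledge of the current password, so no admin rights are needed.
function Set-OwnPassword {
    param([Parameter(Mandatory=$true)][string]$Identity)
    $old = Read-Host -AsSecureString 'Current password'
    $new = Read-Host -AsSecureString 'New password'
    Set-ADAccountPassword -Identity $Identity -OldPassword $old -NewPassword $new
}

# Disable, modify group membership, rename. Disabling keeps the SID and the
# object, so it can be audited or reinstated; deletion cannot be undone
# without the AD Recycle Bin.
function Disable-DepartedUser {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties MemberOf
    if ($PSCmdlet.ShouldProcess($Identity, 'Disable, strip group membership, rename')) {
        Disable-ADAccount -Identity $u
        # MemberOf lists explicit groups; the primary group (Domain Users) stays.
        foreach ($g in $u.MemberOf) {
            Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false
        }
        Set-ADUser -Identity $u -Description ('Disabled {0:yyyy-MM-dd}' -f (Get-Date))
        Rename-ADObject -Identity $u.DistinguishedName -NewName "$($u.Name) (disabled)"
    }
}

function Remove-DepartedUser {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Identity)
    if ($PSCmdlet.ShouldProcess($Identity, 'Delete account')) {
        Remove-ADUser -Identity $Identity -Confirm:$false
    }
}

# Usage (dry runs on a constructed sample account and group):
Reset-UserPassword   -Identity 'luka.abrus' -WhatIf
Add-ADGroupMember    -Identity 'G-Helpdesk' -Members 'luka.abrus' -WhatIf
Disable-DepartedUser -Identity 'luka.abrus' -WhatIf
Remove-DepartedUser  -Identity 'luka.abrus' -WhatIf
```

Resets are a privileged operation worth watching: a password reset on an account you did not request one for is an early sign of account takeover, and the disable-first, delete-later order keeps the SID available for that investigation.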
USING OBJECT TEMPLATES
• Can be an existing user account or an account created specifically for copying.
• Not all properties are copied.
• Object templates should be disabled to prevent use of the account.
• In its simplest definition, templates are user accounts that you copy.
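Copying a template in PowerShell makes the "not all properties are copied" point explicit: the script chooses which attributes come from the template, supplies the identity attributes fresh, and refuses to copy from a template that is still enabled. This is an added example, not from the original slides. The template account name, OU layout and UPN suffix are constructed, and the list of copied attributes is a choice made here, not the exact set Active Directory Users and Computers copies.

```powershell
# Added example (not from the original slides): create a user by copying a
# chosen subset of attributes (and group memberships) from a disabled
# template account. Template name, OU and UPN suffix are constructed.
Import-Module ActiveDirectory

# Attributes a template may supply. Identity attributes (name, SID, logon
# names, password) are never copied; they must be unique to the new user.
$CopiedProperties = 'Department','Company','Title','Office','City','ScriptPath','HomeDrive'

function New-UserFromTemplate {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$Template,
        [Parameter(Mandatory=$true)][string]$GivenName,
        [Parameter(Mandatory=$true)][string]$Surname,
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [string]$UpnSuffix = 'contoso.local'   # assumption
    )
    $tmpl = Get-ADUser -Identity $Template -Properties ($CopiedProperties + 'MemberOf')
    # A template is never a logon account; refuse to copy from a live one.
    if ($tmpl.Enabled) {
        throw "Template '$Template' is enabled. Disable it first: Disable-ADAccount -Identity $Template"
    }

    $params = @{
        Name                  = "$GivenName $Surname"
        DisplayName           = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        SamAccountName        = $SamAccountName
        UserPrincipalName     = "$SamAccountName@$UpnSuffix"
        # Same OU as the template (strips the leading CN=...; assumes no escaped commas in the CN).
        Path                  = ($tmpl.DistinguishedName -replace '^CN=[^,]+,', '')
        AccountPassword       = (Read-Host -AsSecureString "Initial password for $SamAccountName")
        ChangePasswordAtLogon = $true
        Enabled               = $true
    }
    # Only the attributes listed in $CopiedProperties come from the template.
    foreach ($p in $CopiedProperties) {
        if ($tmpl.$p) { $params[$p] = $tmpl.$p }
    }

    if ($PSCmdlet.ShouldProcess($SamAccountName, "Create user from template $Template")) {
        New-ADUser @params
        # Group membership is part of what a template supplies, but it lives
        # on the groups rather than on the user object, so copy it explicitly.
        foreach ($groupDn in $tmpl.MemberOf) {
            Add-ADGroupMember -Identity $groupDn -Members $SamAccountName
        }
        Get-ADUser -Identity $SamAccountName -Properties ($CopiedProperties + 'MemberOf')
    }
}

# Dry run on a constructed template account:
New-UserFromTemplate -Template '_tmpl.engineering' -GivenName 'Luka' -Surname 'Abrus' `
                     -SamAccountName 'luka.abrus' -WhatIf
```

Because the template's group memberships are copied, a template that sits in a privileged group hands that privilege to every account cloned from it; reviewing template memberships is a cheap periodic check.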
Local groups govern only the local system
Domain groups can govern any domain-based system
– Domain-joined workstation
– Domain-joined server
– Domain Controller
Both local systems and domains have built-in groups
– Domain Group: Domain Admins
– Local Group: Administrators
Domain Groups
Domain groups can be nested in other groups
Domain groups can be:
– Domain Local—used only in the domain it was created in
– Global—can be used in any domain within a forest
– Universal—is replicated to all other domains within a forest
Examples of Local Groups    Examples of Domain Groups
Administrators              Domain Admins
Users                       Domain Users
Domain Groups
• Domain—same options apply as creating users
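The three scopes and the nesting rule from the Domain Groups slides, together with the "same options as creating users" point here, come together in one script that creates a group of each scope, nests them, and reports what each contains. This is an added example, not from the original slides. The group names, OU path and sample user are constructed, and the G-/DL-/U- prefixes are a naming convention chosen here to make the scope visible in the name.

```powershell
# Added example (not from the original slides): create groups of each scope,
# nest them accounts -> global -> universal / domain local, and report the
# nesting. Group names, OU and the sample user are constructed.
Import-Module ActiveDirectory

$GroupOU = 'OU=Groups,DC=contoso,DC=local'   # assumption

function New-ScopedGroup {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)]
        [ValidateSet('DomainLocal','Global','Universal')][string]$Scope,
        [string]$Description = ''
    )
    # Idempotent: create only if the group does not already exist in the OU.
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$Name)" -SearchBase $GroupOU)) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
                    -GroupCategory Security -Path $GroupOU -Description $Description
    }
    Get-ADGroup -Identity $Name
}

# Global: collects accounts from this domain; usable in any domain of the forest.
$eng   = New-ScopedGroup -Name 'G-Engineering'      -Scope Global      -Description 'All engineering staff'
# Domain Local: grants access to a resource in this domain only.
$share = New-ScopedGroup -Name 'DL-EngShare-Modify' -Scope DomainLocal -Description 'Modify on \\files\eng'
# Universal: membership replicated forest-wide via the global catalog; use sparingly.
$all   = New-ScopedGroup -Name 'U-AllEngineering'   -Scope Universal   -Description 'Engineering, all domains'

# Nesting: the user goes into the global group; the global group goes into
# the universal and domain local groups. Permissions are granted to DL-* only.
Add-ADGroupMember -Identity $eng   -Members 'luka.abrus'   # constructed sample user
Add-ADGroupMember -Identity $all   -Members $eng
Add-ADGroupMember -Identity $share -Members $eng

# Report a group's scope and what is nested under it (groups vs. direct users).
function Get-GroupNesting {
    param([Parameter(Mandatory=$true)][string]$Group)
    $g       = Get-ADGroup -Identity $Group
    $members = @(Get-ADGroupMember -Identity $g)
    New-Object PSObject -Property @{
        Group        = $g.Name
        Scope        = $g.GroupScope
        NestedGroups = @($members | Where-Object { $_.objectClass -eq 'group' } | ForEach-Object { $_.Name })
        DirectUsers  = @($members | Where-Object { $_.objectClass -eq 'user' }  | ForEach-Object { $_.SamAccountName })
    }
}

'G-Engineering','DL-EngShare-Modify','U-AllEngineering' |
    ForEach-Object { Get-GroupNesting $_ } |
    Format-Table Group, Scope, NestedGroups, DirectUsers -AutoSize
```

Get-ADGroupMember without -Recursive shows one level of nesting, which is what you want when auditing structure; add -Recursive when the question is "who ends up with Modify on the share", since nesting is exactly how unexpected users acquire rights.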
Domain Groups
SUMMARY
• Local user accounts are stored on the local system and can provide users with access only to local resources.
• Domain user accounts are stored on Active Directory domain controllers and can provide users with access to resources all over the network.
• User objects include the properties related to the individuals they represent.
• A user object template is an object that is copied to produce new users. If the template is not a “real” user, it should be disabled.
• Only a subset of user properties is copied from templates.