Professional Windows Server 2003 Security: A Technical Reference [Electronic resources] - text version

Roberta Bragg

Users: Tasks


Managing Domain Users


Domain user accounts are administered using the Active Directory Users and Computers console. After opening this console, expand the console tree and select the OU in which the account is located or where it will be created. Then proceed with the steps described in the following sections. Note that built-in user accounts such as Administrator and Guest are located in the default Users container.

Create a User


Right-click on OU → New → User

Then specify first and/or last name (at least one of these is required) and the user logon name. The full name and downlevel (Pre-Windows 2000) logon name are then generated automatically from this information, but you can also define them differently if desired. The wizard's second screen asks you to specify a password and account restrictions (see Configure a User later in this section for more information).


You can also create multiple user accounts by importing a specially formatted .csv file using the bulk-import utility csvde.exe.

On the first screen of the wizard, specify:

User logon name



This is the name that the user will use to log on to the network, which might be something like marys or msmith for user Mary Smith. User logon names must always be unique within the domain. What's confusing is that there is an unlabeled listbox to the right of the text box for user logon name. This listbox displays the name of the currently selected domain, but this domain name begins with an @ sign. The idea implied here is that the user logon name consists of two parts, an alias such as marys and a domain such as @mtit.com.



To create the account in a different domain, use the drop-down arrow
in the listbox. Note that you must be a member of the Administrator
or Account Operators group in a domain to be able to create accounts
in the domain.

User logon name (Pre-Windows 2000)



This is the logon name that the same user will use when logging on to client computers running NT Workstation, Windows 98, or earlier versions of Microsoft Windows. Once again, the confusion is that there are two text boxes for this logon name: the first one is already populated with the older NetBIOS name of the domain followed by a backslash, and the second one is populated with the user logon name or alias you typed in the previous step. For example, if HEADQUARTERS is the NetBIOS domain name associated with the domain mtit.com, then Mary Smith's downlevel logon name would be HEADQUARTERS\marys.

A user's downlevel logon name must also be unique within the domain. The NetBIOS domain name is determined when Active Directory is installed using the Active Directory Installation Wizard. This NetBIOS domain name can be found later using Active Directory Users and Computers by right-clicking on the domain node → Properties → General.



Full names must be unique within the OU in which the account resides. For example, there can be an account named Mary Smith in both the Accounting and Sales OUs within the mtit.com domain, provided that these accounts have different user logon names. You can do this by assigning Mary Smith in Accounting the logon name marys@mtit.com and Mary Smith in Sales the logon name marys2@mtit.com.

Accounts in different domains within a domain tree can also have identical full names. For example, there can be an account named Mary Smith in both the mtit.com and ny.mtit.com domains, where mtit.com is the parent domain and ny.mtit.com is the child domain. In this case, the logon name for Mary Smith in mtit.com would be marys@mtit.com, while that for Mary Smith in ny.mtit.com would be marys@ny.mtit.com, ensuring their uniqueness.

Configure a User


Right-click on user → Properties

This opens the properties sheet for the account, which has a number
of tabs.

General, Address, Telephones, and Organization


These tabs let you specify personal information about the user. You should take time to populate these fields so you can search for users in Active Directory using search criteria such as name, address, organization, email, and so on.

Account


These settings are a superset of the account settings you specified
when you created the account.

Logon Hours



Lets you specify when users can log on to the domain. This can help
prevent accounts from being misused during off-hours. If users are
logged on and their hours expire, they can't form
new connections to shared resources in the domain, but they
aren't bumped off resources they are already
connected to.


Log On To



Lets you specify the NetBIOS names of client computers in the domain
with which the user is permitted to log on to the domain. This can
help prevent users from trying to access information stored on
computers that belong to other users. By default, users can log on to
the domain using any client computer in the domain.


Account Options



These are more commonly known as account restrictions. Note that
selecting some options prevents others from being selected. The more
commonly enabled options include:

User must change password at next logon



This is a good choice in low- to medium-security environments because
it forces users to take responsibility for managing their passwords
and removes this burden from the administrator. In high-security
environments, complex passwords may be created and assigned to users
by the administrator.


User can't change password



Again, this is generally used in high-security environments or, at
the other end of the scale, it can be used to prevent careless users
from denying themselves access.


Password never expires



Note that an expired password and an expired account are two
different things.


Account is disabled



See Disable a User Account later in this section.


Account Expires



By default, new accounts never expire.





User Profile


This lets you specify the network location of the user profile, the
user's home folder, and a logon script that runs
when the user logs on.


Another way to configure logon scripts for users is to use Group Policy, which allows administrators to centrally manage startup, shutdown, logon, and logoff scripts for all users and computers in a domain. See the earlier section Group Policy for more information.

Remote Control


This lets you enable administrators to remotely observe and control a
Terminal Services session being run by the user.

Member Of


This displays the groups to which the user belongs and lets you modify which groups the user belongs to. See Groups earlier in this chapter for more information on the different kinds of groups that can be created in WS2003.


Leave the Primary Group as Domain Users unless you have Macintosh or
POSIX clients and there is a reason you need to specify a different
group.

Dial-in


This lets you control whether and how the user can remotely connect via a dial-up connection to a remote access server. See Routing and Remote Access earlier in this chapter for more information.

Environment, Sessions, Terminal Services Profile


This lets you specify the startup environment, Terminal Services
profile, and time-out and reconnection settings for Terminal
Services.

Add Users to a Group


This option is obscurely worded and means simply "add the selected account(s) to a group you specify":

Right-click on account(s) → Add members to a group → select group

Multiple accounts can be selected by the usual methods.

Copy a User Account


Right-click on account → Copy

Similar to adding a user account as shown earlier, except that when you copy an account, the new account has many of the same properties as the original one. Properties that are copied for the new account include the account restrictions, account expiration date, user profile, home folder, logon script, group membership, RAS, and Terminal Services settings of the original account.
It's convenient when creating a large number of
accounts to create a series of account templates for the different
categories of users in your enterprise. Then copy each template as
needed to create accounts for your users, entering only the personal
information needed for each user. Make sure you disable account
templates, as they should not be used to log on to the network.

Disable a User Account


Right-click on account → Disable Account

When an account is disabled, it still exists, but the user can't log on using the account. Disabled accounts in Active Directory Users and Computers have a red X icon on them. To enable an account that has been disabled, right-click on the account → Enable Account.

Delete a User Account


Right-click on account → Delete

Deleting an account is an irreversible action. It's usually better to disable an account instead. For example, if Bob is leaving the company and Susan is coming to replace him, disable Bob's account when he leaves, rename it Susan, and enable it when Susan arrives to take Bob's place. This way, Susan will have access to all the network resources that Bob had access to.

The problem with deleting rather than disabling accounts is that when
you delete an account, its security identifier becomes unusable. (The
SID is the internal way by which WS2003 identifies the account.)
Thus, if you delete the account bobsmith and then create a new
account called bobsmith, the new account has a different SID from the
old one and hence doesn't automatically inherit all
the settings and access privileges that the old one had.

Find a User Account


If you have a large number of user accounts, you can use the Find function of Active Directory Users and Groups to find the account you want to work with. You can find accounts in a particular domain or OU by:

Right-click on domain or OU → Find

You can also change the focus of the Find Users, Contacts, and Groups
box to search the entire directory.

Rename a User Account


Right-click on account → Rename → specify new name, display name, user logon name, and Pre-Windows 2000 user logon name

Renaming an account allows you to transfer all the rights,
permissions, and group memberships of an account to another user. You
may want to do this when an employee is leaving the company and will
be replaced by someone new who will take over her job. Simply rename
the account with the new employee's username, then
change the personal information on the account's
properties sheet to that of the new employee.

Reset Password of a User Account


Right-click on account → Reset Password

If a user forgets his password or it expires before he can change it, he will be unable to log on to the network with his user account.


Checking "Force user to change password at next
logon" doesn't get replicated
immediately like the password. Therefore, it is best to reset the
password and check this setting on a domain controller in the site
where the user is located.

Unlock a User Account


Right-click on account → Properties → Account → clear Account Is Disabled

A user account is locked out when the user has violated the security policy for the domain. For example, if a user exceeds the number of failed logon attempts permitted by a policy, the user will receive an error message when she attempts to log on, informing her that her account has been locked out and must be unlocked by an administrator.


Naming Conventions


Before you start creating user accounts for your enterprise, it is important to establish guidelines for naming conventions. These guidelines are needed to ensure that:

  • Account names are simple and easy to remember for users.

  • Users with identical names will have unique accounts.


Here are some considerations and recommendations for establishing
naming conventions:

  • User logon names can be up to 20 characters long and can include any
    characters except the following:

       " / \ [ ] : ; | = , + # ? < >
  • User logon names can have spaces in them, but this is generally not a
    good practice, since it may lead to unusable email addresses. For
    example, Bob Smart of the mtit.com domain could have the user logon
    name bob smart@mtit.com, but this would be unusable as an SMTP email
    address. Since email addresses are a separate attribute of a user's
    account, you could assign bobsmart@mtit.com as Bob Smart's email
    address, but this could confuse good old Bob ("Why do I use bob smart
    to log on to my machine but bobsmart in my email address?").

  • Common naming conventions include: first name plus last initial,
    first initial plus last name, full name with spaces, full name
    without spaces, initials underscore department/OU, T- prefix for
    temporary employees, and so on. Use your imagination, but think of
    the users who will be using your accounts.
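Two things on this page lend themselves to automation: the naming limits just listed, and the csvde.exe bulk import mentioned under Create a User. The following Python script is an added example, not code from the book or from Microsoft: it checks a constructed batch of accounts against the page's rules (20-character limit, forbidden characters, no spaces, logon names unique per domain, full names unique per OU) and emits the header-plus-records CSV that csvde -i reads. The attribute column names (DN, objectClass, sAMAccountName, userPrincipalName, displayName, givenName, sn), the sample users and the OU names are assumptions made for the example.

```python
import csv, io

# Naming rules as this page states them: at most 20 characters and none of the listed characters.
FORBIDDEN_CHARS = set('"/\\[]:;|=,+#?<>')   # copied from the page's list as printed
MAX_LOGON_LEN = 20

# Constructed sample batch: (first, last, user logon name, OU distinguished name).
SAMPLE_USERS = [
    ("Mary", "Smith", "marys", "OU=Accounting,DC=mtit,DC=com"),
    ("Mary", "Smith", "marys2", "OU=Sales,DC=mtit,DC=com"),   # same full name, other OU: OK
    ("Mary", "Smith", "MaryS", "OU=Sales,DC=mtit,DC=com"),    # clashes on both rules
    ("Bob", "Smart", "bob smart", "OU=Sales,DC=mtit,DC=com"), # space: bad SMTP address
]

def check_logon_name(name):
    """Return the problems with a proposed user logon name (empty list = OK)."""
    problems = []
    if not 1 <= len(name) <= MAX_LOGON_LEN:
        problems.append("must be 1 to %d characters" % MAX_LOGON_LEN)
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad: problems.append("forbidden characters: " + "".join(bad))
    if " " in name: problems.append("contains a space (unusable as an SMTP address)")
    return problems

def plan_accounts(users, dns_domain):
    """Validate a batch and build csvde rows; returns (rows, [(logon, problems)]).
    Enforces logon names unique per domain and full names unique per OU."""
    seen_logon, seen_full, rows, errors = set(), set(), [], []
    for first, last, logon, ou_dn in users:
        full = "%s %s" % (first, last)
        probs = check_logon_name(logon)
        if logon.lower() in seen_logon:
            probs.append("duplicate logon name in domain " + dns_domain)
        if (full.lower(), ou_dn.lower()) in seen_full:
            probs.append("duplicate full name in " + ou_dn)
        if probs:
            errors.append((logon, probs))
            continue
        seen_logon.add(logon.lower()); seen_full.add((full.lower(), ou_dn.lower()))
        rows.append({"DN": "CN=%s,%s" % (full, ou_dn), "objectClass": "user",
                     "sAMAccountName": logon,  # downlevel (Pre-Windows 2000) name
                     "userPrincipalName": "%s@%s" % (logon, dns_domain),
                     "displayName": full, "givenName": first, "sn": last})
    return rows, errors

def to_csvde(rows):
    """Render rows as the header line plus records that 'csvde -i -f file' reads."""
    fields = ["DN", "objectClass", "sAMAccountName", "userPrincipalName", "displayName", "givenName", "sn"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    w.writeheader(); w.writerows(rows)
    return buf.getvalue()
```

Accounts imported this way still have no password and should be reviewed (and, as the page advises for templates, left disabled) before anyone is expected to log on with them.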

Managing Local Users


Local user accounts are administered using Local Users and Groups
under System Tools in Computer Management.

Create a Local User


Local Users and Groups → right-click on Users → New User

The minimum to specify here is the username for the user. This will automatically make the full name the same as the username.

Configure a Local User


Local Users and Groups → Users → right-click on a user → Properties

You can change the group membership of the user (which by default is the Users built-in local group) and specify a home folder, logon script, and profile path for the user if desired. Most of these settings aren't very useful in a workgroup setting, however, which is what local user accounts are mainly designed for.

Manage User Profiles


The following tasks deal with default, local, roaming, and mandatory
user profiles.

Customize the Default User Profile


  1. Log on to a WS2003 computer as an ordinary user (e.g., Bob).

  2. Configure the computer to reflect the desktop environment you wish
     all your users to have.

  3. Log off the client computer to create a local user profile
     C:\Documents and Settings\Bob.

  4. Log on as Administrator and make hidden files visible by:

     Windows Explorer → Tools → Folder Options → View → Show hidden files and folders

     This step is necessary to access the hidden Default User profile in
     the next step.

  5. Replace the existing default user profile with the newly configured
     one by:

     Control Panel → System → Advanced → User Profiles → Settings → select newly configured profile → Copy To → select C:\Documents and Settings\Default User → Permitted to use → Change → Everyone


When a user logs on to the computer for the first time, he will be
assigned the customized default profile.

Configure a Local Profile


Log on with your user account, make changes to your desktop settings, then log off. Your local profile will be updated with any changes you have made.

Create a Roaming User Profile


First you need to create and customize the profile:

Log on as Administrator → Computer Management → System Tools → Local Users and Groups → right-click on Users → New User → specify name and password → clear User must change password at next logon → Create → Close → Log off → Log on as the newly created user → configure desktop settings as desired → log off

Your new profile is now stored in C:\Documents and Settings\<username>. Now create a share called Profiles on a file server on your network and create a folder called <username> within this share to store the new profile. Now copy your customized profile to the file server as follows:

Control Panel → System → Advanced → User Profiles → Settings → select the customized profile you created → Copy To → \\fileserver\Profiles\<username> → Permitted to use → Change → specify name of customized user account you created

Finally, assign the profile to the user by:

Computer Management → System Tools → Local Users and Groups → right-click on Users → Properties → Profile → Profile Path → \\fileserver\Profiles\<username>

Create a Mandatory User Profile


First, create a roaming user profile as described earlier, then open the profile using Windows Explorer and rename Ntuser.dat as Ntuser.man.

