
Chapter 8: Managing Accounts and Client Connectivity
Learning Objectives
■ Establish account naming conventions
■ Configure account security policies
■ Create and manage accounts, including
setting up a new account, configuring
account properties, delegating account
management, and renaming, disabling,
and deleting an account
Learning Objectives (continued)
■ Create local user profiles, roaming
profiles, and mandatory profiles
■ Configure client network operating
systems to access Windows 2000
Server, and install client operating
systems through Remote Installation
Services
Account Policies
■ Account policies: security measures
set up in a group policy, such as for a
domain or local computer
■ Account policies particularly focus on:
◆ Password security
◆ Account lockout
◆ Kerberos security
■ Use the Group Policy MMC snap-in to
set up account policies
Setting Account Policies
Figure 8-1 Account policies
Password Policy Options
■ Enforce password history: Enables you to
require users to choose new passwords when
they make a password change, because the
system can remember the previously used
passwords
■ Maximum password age: Permits you to set the
maximum time allowed until a password expires
■ Minimum password age: Permits you to specify
that a password must be used a minimum
amount of time before it can be changed
Password Policy Options (continued)
■ Minimum password length: Enables you
to require that passwords are a minimum
length
■ Passwords must meet complexity
requirements: Requires passwords to be
complex (use upper and lowercase
letters, numbers and special characters;
cannot contain the user name, etc.)
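How the password policy options above interact on a password change, as an added example (not from the original slides): with history enforced but a minimum age of 0, a user can change passwords repeatedly on one day until the original is no longer remembered. The policy values, the account name `jsmith`, the sample passwords and all function names are assumptions, and the complexity check follows the slide's wording.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

@dataclass
class PasswordPolicy:              # values are assumed for illustration
    history_size: int = 3          # Enforce password history
    min_age_days: int = 1          # Minimum password age
    min_length: int = 8            # Minimum password length
    complexity: bool = True        # Passwords must meet complexity requirements

@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # stored digests, newest last
    last_change_day: int = 0

def digest(acct, pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), acct.salt, 10_000)

def is_complex(username, pw):
    # All four character classes and no user name, as the slide words it.
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return all(any(f(c) for c in pw) for f in classes) and username.lower() not in pw.lower()

def change_password(policy, acct, new_pw, today):
    """Return (accepted, reason); `today` is a day counter."""
    if acct.history and today - acct.last_change_day < policy.min_age_days:
        return False, "minimum password age not reached"
    if len(new_pw) < policy.min_length:
        return False, "shorter than minimum length"
    if policy.complexity and not is_complex(acct.username, new_pw):
        return False, "fails complexity requirements"
    new = digest(acct, new_pw)
    recent = acct.history[-policy.history_size:] if policy.history_size else []
    if any(hmac.compare_digest(new, old) for old in recent):
        return False, "matches a remembered password"
    acct.history.append(new)
    acct.last_change_day = today
    return True, "changed"

def cycle_back(policy, original, fillers, day=10):
    # One user changes passwords repeatedly on `day`, then retries `original`.
    acct = Account("jsmith")                      # hypothetical account name
    change_password(policy, acct, original, today=0)
    for pw in fillers:
        change_password(policy, acct, pw, today=day)
    return change_password(policy, acct, original, today=day)

# Constructed sample passwords.
ORIGINAL, FILLERS = "Winter#2000a", ["Spring#2000a", "Summer#2000a", "Autumn#2000a"]
```

With `min_age_days=0` the final change back to `ORIGINAL` is accepted; with `min_age_days=1` the second change on the same day is already refused.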
Account Lockout Policy Options
■ Account lockout duration: Permits you to
specify in minutes how long the system
will keep an account locked out after
reaching the specified number of
unsuccessful log on attempts
■ Account lockout threshold: Enables you
to set a limit to the number of
unsuccessful tries to log onto an account
Account Lockout Policy Options (continued)
■ Reset account lockout count after:
Enables you to specify the number of
minutes between two consecutive
unsuccessful logon attempts to make
sure that the account will not be locked
out too soon
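A small model of how the three lockout settings above work together, as an added example (not from the original slides). The default values, the event lists and all names are assumptions; the model also assumes a successful logon clears the failure counter.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:            # values below are assumed for illustration
    threshold: int = 3          # Account lockout threshold (bad attempts)
    duration_min: int = 30      # Account lockout duration (minutes)
    reset_after_min: int = 15   # Reset account lockout count after (minutes)

@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[int] = None
    locked_until: Optional[int] = None

def attempt(policy, st, minute, password_ok):
    """Apply one logon attempt; return success, failure, lockout or denied."""
    if st.locked_until is not None:
        if minute < st.locked_until:
            return "denied"                 # locked: a correct password fails too
        st.locked_until, st.bad_count = None, 0    # lockout duration has elapsed
    if password_ok:
        st.bad_count = 0
        return "success"
    if st.last_bad is not None and minute - st.last_bad >= policy.reset_after_min:
        st.bad_count = 0                    # quiet period passed: counter resets
    st.bad_count += 1
    st.last_bad = minute
    if st.bad_count >= policy.threshold:
        st.locked_until = minute + policy.duration_min
        return "lockout"
    return "failure"

def replay(policy, events):
    """events: constructed (minute, password_ok) pairs for one account."""
    st = AccountState()
    return [attempt(policy, st, m, ok) for m, ok in events]

# Constructed sample data: three quick failures, then the correct password.
BURST = [(0, False), (1, False), (2, False), (3, True), (40, True)]
# Constructed sample data: occasional typos spread across a morning.
TYPOS = [(0, False), (20, False), (40, False), (60, True)]

if __name__ == "__main__":
    p = LockoutPolicy()
    print(replay(p, BURST))   # burst trips the threshold and locks the account
    print(replay(p, TYPOS))   # spaced typos never accumulate to the threshold
```

Raising `reset_after_min` to 60 makes the same spaced typos lock the account, which is the "locked out too soon" case the reset setting is meant to avoid.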
Kerberos Policy Options
■ Enforce user logon restrictions: Turns on
Kerberos security, which is the default
■ Maximum lifetime for a service ticket:
Determines the maximum amount of time in
minutes that a service ticket can be used to
continually access a particular service in one
service session
■ Maximum lifetime for a user ticket: Determines
the maximum amount of time in hours that a
ticket can be used in one continuous session
for access to a computer or domain
Creating Accounts
■ On a member server (not a domain
controller) use the Local Users and
Groups MMC snap-in to create
accounts
■ On a domain controller, use the Active
Directory Users and Computers MMC
snap-in to create accounts in the
domain.
Creating an OU
■ To create an OU:
◆ Click the container in which to create the
OU, such as the domain or another OU
◆ Click the Create a new organizational unit
in the current container button
◆ Enter the name of the OU
◆ Click OK
Delegating Authority in an OU
■ To delegate authority:
◆ Right-click the OU and click Delegate
control
◆ Click Next after the wizard starts
◆ Click the Add button and specify the
accounts, groups, or computers to have the
control
◆ Click OK and click Next
◆ Select the tasks to delegate and click Next
◆ Click Finish
Delegation of Control Options
| Task | Description |
| --- | --- |
| Create, delete, and manage user accounts | Ability to fully set up and manage accounts |
| Reset passwords on user accounts | Ability to reset a member user’s account password, should that user forget his or her password |
| Read all user information | Ability to access any information owned by the selected user accounts |
| Create, delete, and manage groups | Ability to set up and delete groups and modify group properties |
| Modify the membership of a group | Ability to add and delete members in a group |
| Manage Group Policy links | Ability to change the specified group policies or elements of a group policy |
Using Find to Locate an Account
■ To locate a particular account in order
to maintain it:
◆ Right-click the domain
◆ Click Find
◆ Enter the username or the account holder’s
name
◆ Click Find Now
Account Maintenance Activities
■ Typical account maintenance activities
include:
◆ Disabling an account, such as when a user takes a
leave of absence
◆ Enabling an account, such as when a user returns
◆ Renaming an account, such as when one user
leaves and another user is hired into the same
position
◆ Moving an account, such as into a different OU
Account Maintenance Activities (continued)
■ Typical account maintenance activities
include (continued):
◆ Deleting an account, such as when a user leaves
the organization and there will be no replacement
◆ Resetting a password for users who do not
remember theirs
◆ Account auditing to track certain kinds of activity
performed by an account holder
Sample Events that Can be Audited for an Account
■ Logon and logoff activity
■ Account modifications through account
management tools
■ Accesses to files and other objects (for
files, folders, and objects that are set up
to be audited)
Troubleshooting Tip
■ Management will usually want to audit
EVERYTHING
■ Use account auditing sparingly because
every audited event is written to the
Security log.
■ A server can be overloaded by devoting
too much of its resources to auditing.
User Profiles
■ What is a profile?
◆ Windows maintains a group of settings for
each individual user that logs into the
system. This group of settings is known as
a user “profile”
■ What is included in a profile?
◆ Most anything that users may wish to set
independently from other users (favorites,
desktop wallpaper, email settings, web
browser home page, etc.)
User Profiles
■ Where are profiles stored?
◆ Under the “Documents and Settings” folder
on the boot partition.
■ Each time a new user logs in, a new
profile is created for them based on the
“Default” user profile.
Local vs. Roaming User Profile
■ Local user profile: a user profile that is
stored locally on the boot partition under
“Documents and Settings”. Since the
profile is local, it will only work on the
machine on which it is created.
■ Roaming user profile: a user profile that
is copied to a network server so that it
can be downloaded to each workstation
where the user logs on. This allows the
profile to “roam” with the user.
Mandatory User Profile
■ Mandatory User Profile: A user profile
set up by the server administrator that is
loaded from the server to the client
each time the user logs on. Changes
that the user makes to the profile are
not saved.
■ Used to lock down the desktop and
prevent users from customizing it.
Associating a Profile with an Account
Figure 8-9 Setting a roaming profile in an account’s properties
Active Directory Support for Non-Windows 2000 Clients
■ Plan to install Directory Service Client
(DSClient) on Windows 95 and Windows 98
clients
■ DSClient enables non-Windows 2000 Clients
for:
◆ Kerberos authentication
◆ Ability to view and search objects published in the
Windows 2000 Active Directory
◆ Access a Windows 2000 Distributed File System
■ The Directory Service client can be found on
the Windows 2000 Server CD-ROM
Setting Up Client Desktops Using Group Policy and Security Policy
■ Use the Group Policy snap-in to set up
group policies that govern clients
■ Group Policy can only be applied to
Windows 2000 or later clients.
■ The System Policy Editor (Poledit.exe)
can be used to configure system
policies for Windows NT and Win9x.
Remote Installation Services
■ Remote Installation Services (RIS):
Services installed on a Windows 2000
Server that enable you to remotely
install Windows 2000 Professional on
one or more client computers
RIS Pre-Installation Steps
■ Purchase the appropriate number of Windows
2000 Professional licenses
■ Make sure the Active Directory is
implemented and that there are DHCP and
DNS servers on the network
■ Create a Windows 2000 Professional
operating system image on a standard PC
■ Create user accounts for the Windows 2000
Professional clients (called pre-staging the
clients). This prevents unauthorized users
from using Windows 2000 licenses.
RIS Installation Steps
■ Installing RIS is a two-stage process:
◆ First install RIS using the Control Panel
Add/Remove Programs tool
◆ Configure RIS from the Add/Remove
Programs tool
Installing RIS on the Client
■ Install in one of two ways:
◆ Using a computer that has a boot-enabled
PXE compliant NIC
◆ Creating a remote boot disk
■ Both methods use the Preboot
eXecution Environment (PXE): Services
that enable a prospective client to
obtain an IP address and to connect to
a RIS server in order to install Windows
2000 Professional
Installing RIS on the Client
■ After booting and contacting the RIS
server, the user is presented with a
menu to select which RIS image to
load.
Chapter Summary
■ Preparing a server and domain entails
configuring accounts and configuring
client computers
■ Before configuring accounts, consult
with members of your organization
about naming standards
■ Set up account policies before
configuring accounts
Chapter Summary
■ After accounts are created, use the
account properties capability to
supplement or modify parameters for
the accounts, such as time of day
access restrictions
■ Configure client computers to access
Windows 2000 Server, such as
installing DSClient
Chapter Summary
■ Manage clients by setting up group
policies or system policies
■ Use RIS to install multiple Windows
2000 Professional clients in order to
reduce your TCO
