Module 2 Creating Active Directory ® Domain Services User and Computer Objects.


Module 2

Creating Active Directory® Domain Services User and Computer Objects

Module Overview

• Managing User Accounts

• Creating Computer Accounts

• Automating AD DS Object Management

• Using Queries to Locate Objects in AD DS

Lesson 1: Managing User Accounts

• What Is a User Account?

• Names Associated with Domain User Accounts

• User Account Password Options

• Standard User Management

• Tools for Configuring User Accounts

• What Is a User Account Template?

What Is a User Account?

A user account is an object that enables authentication and access to local and network resources

A user account can be stored:

• In AD DS (AD DS account)

• On the local computer (local account)

AD DS accounts enable logon to the domain and provide access to shared network resources

Local accounts enable logon to a single computer and access to its local resources only

Creating a user account also creates a security identifier (SID); the SID, not the name, is what access control lists and tokens refer to, so renaming an account does not change its access

Names Associated with Domain User Accounts

Naming options for domain user accounts:

Object name                                   Example                                      Uniqueness requirement
User logon name                               Gregory                                      Must be unique within the domain
User logon name (pre-Microsoft® Windows® 2000)   Woodgrove\Gregory                         Must be unique within the domain
User principal name (UPN)                     [email protected]                             Must be unique within the forest
LDAP distinguished name                       CN=Gregory,OU=IT,DC=WoodgroveBank,DC=com     Globally unique, because it combines the RDN, the container names, and the domain name
Relative distinguished name (RDN)             CN=Gregory                                   Must be unique within its OU (container)

User Account Password Options

User object passwords are a significant aspect of network security. The domain password policy (set in the Default Domain Policy GPO) can be configured for:

• Password history

• Minimum length

• Complexity

By default, Windows Server® 2008 domain passwords must meet the complexity requirements: the password cannot contain the user's account name or any part of the user's full name that is three or more characters long, and it must contain characters from at least three of the following five categories:

• Uppercase letters

• Lowercase letters

• Numbers (0 through 9)

• Special (non-alphanumeric) characters

• Other Unicode letters that are not classed as uppercase or lowercase (for example, characters from Asian languages)
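The complexity rule above, as an added PowerShell example (not part of the course material) that a provisioning script can run before it sends a password to the domain controller. The function name and the sample inputs are constructed; the five categories and the account-name / full-name-token rule are the documented policy, but the regular expressions only approximate how Windows classifies characters, so treat this as a pre-check rather than a replacement for the DC's own enforcement.

```powershell
# Added example, not course code: pre-check a password against the default
# "Password must meet complexity requirements" policy.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName    = '',
        [int]    $MinimumLength  = 7      # default domain policy value; yours is probably longer
    )

    if ($Password.Length -lt $MinimumLength) { return $false }

    # The sAMAccountName (when 3+ characters) must not appear anywhere in the
    # password, case-insensitively (-match is case-insensitive by default).
    if ($SamAccountName.Length -ge 3 -and $Password -match [regex]::Escape($SamAccountName)) {
        return $false
    }

    # The display name is split on space , . - _ # and tab; no token of 3+
    # characters may appear in the password.
    foreach ($token in ($DisplayName -split '[ ,.\-_#\t]+')) {
        if ($token.Length -ge 3 -and $Password -match [regex]::Escape($token)) { return $false }
    }

    # At least three of the five categories must be present.
    $classes = 0
    if ($Password -cmatch '[A-Z]')             { $classes++ }   # uppercase A-Z
    if ($Password -cmatch '[a-z]')             { $classes++ }   # lowercase a-z
    if ($Password -match  '[0-9]')             { $classes++ }   # base-10 digits
    if ($Password -match  '[^A-Za-z0-9\p{L}]') { $classes++ }   # non-alphanumeric (special) characters
    if ($Password -match  '[\p{L}-[A-Za-z]]')  { $classes++ }   # letters outside A-Z/a-z (other scripts, diacritics)

    return ($classes -ge 3)
}

# Constructed inputs. The second has three categories but contains the account
# name, which the name rule catches before the categories are even counted.
Test-PasswordComplexity -Password 'Pa$$w0rd'
Test-PasswordComplexity -Password 'Gregory#2024' -SamAccountName 'Gregory' -DisplayName 'Gregory Weber'
```

On Windows Server 2008 R2 and later, Get-ADDefaultDomainPasswordPolicy returns the effective history, length and complexity settings, so the minimum length can be read from the domain instead of being hard-coded.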

Standard User Management

Standard user management activities include:

• Updating group membership: grants or removes the access rights that come with a group

• Resetting user passwords: replaces the credential used to authenticate to domain computers and resources

• Setting account expiration: sets the date after which the account can no longer log on to the domain

• Setting logon hours: sets the hours in which the user can log on to the domain

• Assigning profiles and setting home folders: assigns the user profile and home folder paths so that settings and files follow the user
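The five activities above, as one added PowerShell example (not course material) using the ActiveDirectory module that ships with Windows Server 2008 R2 and the RSAT. 'Gregory', 'IT Helpdesk' and the NYC-DC1 share paths are constructed. The logon-hours helper is the part the GUI hides: the logonHours attribute is a 21-byte bitmap, one bit per hour of the week, stored in UTC.

```powershell
# Added example, not course code: routine user-management tasks with the
# ActiveDirectory module.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Builds the 21-byte logonHours value: 168 bits, one per hour of the week,
    # byte 0 bit 0 = Sunday 00:00-00:59 UTC, least-significant bit first.
    # Values are UTC; the ADUC grid displays them shifted to the console's time zone.
    param(
        [int[]] $Days      = 1..5,   # 0 = Sunday ... 6 = Saturday; default Monday-Friday
        [int]   $StartHour = 7,      # first permitted hour (UTC, inclusive)
        [int]   $EndHour   = 19      # first forbidden hour (UTC, exclusive)
    )
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit   = $d * 24 + $h
            $index = [int][math]::Floor($bit / 8)
            $mask[$index] = [byte]($mask[$index] -bor [int][math]::Pow(2, $bit % 8))
        }
    }
    return ,$mask
}

$user = 'Gregory'   # sAMAccountName, constructed for the example

# Group membership is the access change: record what the account already has
# before adding to it, so the change is reviewable.
Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
Add-ADGroupMember -Identity 'IT Helpdesk' -Members $user

# Password reset: a one-time value the user must change at next logon, so the
# person doing the reset never knows the password that will actually be used.
$temp = Read-Host -AsSecureString 'Temporary password'
Set-ADAccountPassword -Identity $user -Reset -NewPassword $temp
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# Account expiration: access ends automatically instead of relying on someone remembering.
Set-ADAccountExpiration -Identity $user -DateTime (Get-Date).AddDays(90)

# Logon hours: Monday to Friday, 07:00-19:00 UTC.
Set-ADUser -Identity $user -Replace @{ logonHours = (New-LogonHoursMask) }

# Roaming profile and home folder on the file server (constructed paths).
Set-ADUser -Identity $user -ProfilePath "\\NYC-DC1\Profiles\$user" `
                           -HomeDirectory "\\NYC-DC1\Home\$user" -HomeDrive 'H:'
```

Because logonHours is stored in UTC, an offset that looks right in the ADUC grid on a console in one time zone is wrong when reviewed from another; build the mask from UTC hours as above rather than copying what the grid shows.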

Tools for Configuring User Accounts

You use different tools for creating and managing local and domain user accounts:

Account                   Tools
Local computer account    Windows XP and Windows Vista®: User Accounts
Domain account            • Windows Server 2003/2008: Active Directory Users and Computers
                          • Command-line utilities: dsadd, Windows PowerShell™, CSVDE, LDIFDE

Demonstration: Configuring User Accounts

In this demonstration, you will see how to:

• Create a new user account using Active Directory Users and Computers

• Rename user accounts

• View complexity requirements

What Is a User Account Template?

A user account template is an account with common properties already configured

User account templates take advantage of the similarity between user accounts

To use user templates:

• Create several typical users reflecting the various roles within your organization

• Copy the template most like the new account you want to create

• Modify the attributes that must be unique: name, e-mail address, logon name, etc.

Keep template accounts disabled so that they can never be used to log on, and review their group memberships, because every account copied from a template inherits them
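Copying a template with the ActiveDirectory module, as an added example (not course code). '_tpl_IT', the OU path and the UPN suffix are constructed. Two points the GUI copy does not make explicit: New-ADUser -Instance copies attributes but not group membership (Active Directory Users and Computers' Copy does copy it), and a template that has drifted into a privileged group would silently mint privileged users, so membership is replicated deliberately and checked first.

```powershell
# Added example, not course code: create a user from a template account.
Import-Module ActiveDirectory

function Copy-ADUserFromTemplate {
    param(
        [Parameter(Mandatory)] [string]       $Template,        # sAMAccountName of the template, e.g. '_tpl_IT'
        [Parameter(Mandatory)] [string]       $SamAccountName,
        [Parameter(Mandatory)] [string]       $GivenName,
        [Parameter(Mandatory)] [string]       $Surname,
        [Parameter(Mandatory)] [string]       $Path,            # OU that will hold the new account
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $UpnSuffix = 'woodgrovebank.com'               # constructed
    )
    # Attributes that everyone the template represents legitimately shares.
    # Anything not listed here is not carried over.
    $shared = 'Department', 'Company', 'Office', 'Title', 'ScriptPath', 'ProfilePath',
              'HomeDrive', 'HomeDirectory', 'Manager', 'StreetAddress', 'City', 'State', 'Country'
    $t = Get-ADUser -Identity $Template -Properties $shared

    # A template must never be a usable logon.
    if ($t.Enabled) { throw "Template '$Template' is enabled; disable it before using it as a template." }

    # Check the template's groups before creating anything, so a refusal leaves no half-made account.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                  'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators', 'DnsAdmins'
    $groups = Get-ADPrincipalGroupMembership -Identity $Template | Where-Object { $_.Name -ne 'Domain Users' }
    foreach ($g in $groups) {
        if ($privileged -contains $g.Name) { throw "Template '$Template' is a member of '$($g.Name)'; not copying." }
    }

    $display = "$GivenName $Surname"
    # -Instance seeds the new object with the template's attributes; the explicit
    # parameters override the ones that must be unique.
    $new = New-ADUser -Instance $t -Name $display -DisplayName $display `
        -SamAccountName $SamAccountName -GivenName $GivenName -Surname $Surname `
        -UserPrincipalName "$SamAccountName@$UpnSuffix" -Path $Path `
        -AccountPassword $Password -ChangePasswordAtLogon $true -Enabled $true -PassThru

    # Group membership is not an attribute of the user object, so replicate it explicitly.
    foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members $new }
    return $new
}

# Usage with constructed values:
Copy-ADUserFromTemplate -Template '_tpl_IT' -SamAccountName 'gweber' -GivenName 'Gregory' -Surname 'Weber' `
    -Path 'OU=IT,DC=WoodgroveBank,DC=com' -Password (Read-Host -AsSecureString 'Initial password')
```

The explicit list of shared attributes is the point: copying everything the template has (the GUI default) also copies description fields, extension attributes and anything an earlier administrator left behind.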

Demonstration: Creating and Using a User Account Template

In this demonstration, you will see how to:

• Create and use a User Account Template

Lesson 2: Creating Computer Accounts

• What Is a Computer Account?

• Options for Creating Computer Accounts

• Managing Computer Accounts

What Is a Computer Account?

A computer account is an object in AD DS that identifies a computer in a domain

Computer accounts:

• Are required for authentication and auditing

• Enable managing the computer by using Group Policy

• Are required for all domain-joined computers running Windows NT or later

Options for Creating Computer Accounts

Scenario: Adding individual computers to a domain

Process:

• Add the computer to the domain through the computer's System Properties

• The account is created by default in the Computers container (a container, not an OU, so no Group Policy can be linked to it)

Scenario: Creating multiple computer accounts in preparation for automated operating system and software deployment

Process:

1. Create an OU for each department

2. Pre-stage the new computer accounts in those OUs

3. Join the computers to the domain; the join binds to the pre-staged account instead of creating a new one

Managing Computer Accounts

Computer management activities include:

• Adding computer accounts: specifies the computer name, the OU, and who may join the computer to the domain

• Disabling computer accounts: keeps the account (and its SID) but prevents the computer from authenticating

• Resetting the computer account: resets the secure channel password shared between the domain and the client computer, so the computer must be re-joined

• Deleting computer accounts: removes the computer from all domain services; the SID cannot be recovered by re-creating the account

• Configuring Group Policy: manages software and the desktop environment for the computers in an OU
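Pre-staging and the management tasks above, as an added PowerShell example (not course code) with the ActiveDirectory module. The OU layout, computer names and the 'Desktop Support' group are constructed; the four rights GUIDs are the well-known schema GUIDs for Reset Password, the two validated writes and the Account Restrictions property set. Two practitioner points are built in: ms-DS-MachineAccountQuota, which by default lets any authenticated user create ten computer accounts whose passwords that user knows, is set to 0 once delegation replaces it; and stale computers are disabled rather than deleted.

```powershell
# Added example, not course code: pre-stage computer accounts with least-privilege
# delegation, then the disable/reset tasks.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. With pre-staging and delegation in place, nobody needs the default quota.
$domain = Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota'
if ($domain.'ms-DS-MachineAccountQuota' -ne 0) {
    Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

# Well-known schema GUIDs of the rights a domain join needs on the computer object.
$joinRights = @(
    @{ Right = 'ExtendedRight'; Guid = '00299570-246d-11d0-a768-00aa006e0529' },  # Reset Password
    @{ Right = 'Self';          Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd' },  # Validated write to DNS host name
    @{ Right = 'Self';          Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1' },  # Validated write to service principal name
    @{ Right = 'WriteProperty'; Guid = '4c164200-20c0-11d0-a768-00aa006e0529' }   # Account Restrictions property set
)

# 2. Pre-stage in the department OU and grant the technicians' group only those
#    rights, on that one object; they never need Account Operators or the quota.
function New-PrestagedComputer {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Department,
        [string] $JoinGroup = 'Desktop Support'     # constructed group name
    )
    $ou = "OU=$Department,OU=Workstations,$domainDn"
    $c  = New-ADComputer -Name $Name -Path $ou -Enabled $true `
                         -Description "Pre-staged $(Get-Date -Format yyyy-MM-dd) for $Department" -PassThru

    $sid = (Get-ADGroup -Identity $JoinGroup).SID
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    foreach ($r in $joinRights) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, ([System.DirectoryServices.ActiveDirectoryRights]$r.Right),
            [System.Security.AccessControl.AccessControlType]::Allow, [guid]$r.Guid)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$($c.DistinguishedName)" -AclObject $acl
    return $c
}

New-PrestagedComputer -Name 'NYC-CL2' -Department 'IT'

# 3. Disable, do not delete, computers whose machine password has not changed in
#    90 days: the account, its SID and its history stay available for audit.
$cutoff = (Get-Date).AddDays(-90)
Get-ADComputer -Filter { PasswordLastSet -lt $cutoff -and Enabled -eq $true } -Properties PasswordLastSet |
    Disable-ADAccount

# 4. Resetting the account in ADUC forces a re-join. If a client reports that the
#    trust relationship failed, repairing the secure channel from the client keeps
#    the existing account:  Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```

The technicians' group is granted rights on each pre-staged object rather than on the OU; granting the same four rights on the OU with inheritance to computer objects is the usual alternative when many machines are staged, and it is still far less than what the default quota gives every user.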

Demonstration: Configuring Computer Accounts

In this demonstration, you will see how to:

• Pre-stage a computer account

• Configure computer account settings

• Disable and reset a computer account

Lesson 3: Automating AD DS Object Management

• Tools for Automating AD DS Object Management

• Configuring AD DS Objects Using Command-Line Tools

• Managing User Objects with LDIFDE

• Managing User Objects with CSVDE

• What Is Windows PowerShell?

• Windows PowerShell Cmdlets

Tools for Automating AD DS Object Management

• Active Directory Users and Computers

• Directory Service tools: Dsadd, Dsmod, Dsrm

• Csvde and Ldifde tools

• Windows PowerShell

Configuring AD DS Objects Using Command-Line Tools

Command-line tools:

• Dsadd - Add objects to AD DS

• Dsmod - Modify objects in AD DS

• Dsrm - Remove objects from AD DS

• Dsquery - Locate objects in AD DS

• Dsget - Display properties of objects in AD DS

• net user - Add or modify user accounts

• net group - Add or modify group membership

• net computer - Add or remove computer objects from AD DS

Managing User Objects with LDIFDE

[Diagram: LDIFDE.exe imports filename.ldf into Active Directory and exports Active Directory objects to filename.ldf]

Managing User Objects with CSVDE

[Diagram: CSVDE.exe imports filename.csv (for example, an export from an HR application) into Active Directory and exports Active Directory objects to filename.csv]
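The import path shown in both diagrams, as an added PowerShell example (not course code): an HR export is turned into an LDIF file and imported with ldifde.exe. The CSV rows, OU layout, domain DN and UPN suffix are constructed. The caveat worth knowing before choosing between the two tools: CSVDE cannot set passwords at all, and LDIFDE can only set unicodePwd in a specific encoding over an encrypted connection, so accounts are created disabled here and enabled once a password has been set.

```powershell
# Added example, not course code: HR rows -> LDIF -> ldifde import.
$hrRows = @'
EmployeeId,GivenName,Surname,Department,SamAccountName
1001,Gregory,Weber,IT,gweber
1002,Anna,Lidman,Finance,alidman
'@ | ConvertFrom-Csv                       # constructed sample of an HR export

$domainDn  = 'DC=WoodgroveBank,DC=com'     # constructed
$upnSuffix = 'woodgrovebank.com'           # constructed

function ConvertTo-LdifEntry {
    param([Parameter(Mandatory, ValueFromPipeline)] $Row)
    process {
        # RDN values containing , + " \ < > ; or a leading # must be backslash-escaped
        # (RFC 4514); the constructed names here need no escaping.
        $dn = "CN=$($Row.GivenName) $($Row.Surname),OU=$($Row.Department),$domainDn"
        # userAccountControl 514 = NORMAL_ACCOUNT (0x200) + ACCOUNTDISABLE (0x2):
        # created disabled, enabled only after a password has been set.
@"
dn: $dn
changetype: add
objectClass: user
sAMAccountName: $($Row.SamAccountName)
userPrincipalName: $($Row.SamAccountName)@$upnSuffix
givenName: $($Row.GivenName)
sn: $($Row.Surname)
displayName: $($Row.GivenName) $($Row.Surname)
department: $($Row.Department)
employeeID: $($Row.EmployeeId)
userAccountControl: 514

"@
    }
}

# If a password must be in the file, it goes on a "unicodePwd::" line as the
# password in double quotes, UTF-16LE, base64, and ldifde must connect over
# LDAPS (-t 636); a DC refuses unicodePwd over an unencrypted bind.
function ConvertTo-UnicodePwdLine {
    param([Parameter(Mandatory)] [string] $PlainText)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes('"' + $PlainText + '"')
    'unicodePwd:: ' + [Convert]::ToBase64String($bytes)
}

# ASCII is fine for these names; use -u with Unicode output for non-ASCII names.
$hrRows | ConvertTo-LdifEntry | Set-Content -Path .\newusers.ldf -Encoding ASCII

# -k continues past "object already exists", so re-running after a partial import
# is safe; -j . writes ldif.log next to the file for review.
ldifde -i -k -f .\newusers.ldf -j .
```

The same -i, -k and -f switches apply to csvde with a CSV file whose header row names the attributes; choose CSVDE when the HR system already produces that layout and no passwords or modifications (only adds) are needed, and LDIFDE when entries must be modified or deleted as well as added.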

What Is Windows PowerShell?

Windows PowerShell is a scripting and command-line technology that you can use to manage AD DS and other Windows components

Windows PowerShell features include:

• Powerful single line cmdlets

• Aliases

• Variables

• Pipelining

• Scripting support

• Access to all cmd.exe commands

Results from one cmdlet can be pipelined to another

Windows PowerShell Cmdlets

Windows PowerShell cmdlets all use the same Verb-Noun syntax:

Verb     Noun      Parameters   Example
Get      Date                   Get-Date
Start    Service   W3SVC        Start-Service W3SVC

• Get-Service W3svc | Format-List

• Get-Service | Sort-Object Name

• Get-Service | Where-Object { $_.Status -eq "Running" } | Sort-Object Name

Demonstration: Configuring Active Directory Objects Using Windows PowerShell

In this demonstration, you will see how to:

• Configure Active Directory Objects using Windows PowerShell

Lesson 4: Using Queries to Locate Objects in AD DS

• Options for Locating Objects in AD DS

• What Is a Saved Query?

Options for Locating Objects in AD DS

Sorting: use the column headings in Active Directory Users and Computers to order the objects by that column

Searching: provide the criteria (name, description, or other attributes) for which you want to search

Command line: dsquery with an object type (user, computer, group) or with * and an LDAP filter

Demonstration: Searching AD DS

In this demonstration, you will see how to:

• Search AD DS for user accounts

What Is a Saved Query?

A saved query is a way to save search criteria

Saved queries provide:

• A quick and consistent way to access a common set of directory objects to monitor or to perform specific tasks

• Options for searching on attributes (for example, last logon date)
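The LDAP filters behind two typical saved queries, as an added PowerShell example (not course code). They are built as strings so the same filter can be pasted into the Custom Search tab of a saved query, passed to dsquery *, or passed to Get-ADUser. The 90-day window and the attribute list are assumptions; the FILETIME and GeneralizedTime conversions are what the GUI does for you when you pick a date.

```powershell
# Added example, not course code: filters for stale and disabled user accounts.
function Get-StaleUserFilter {
    param([int] $Days = 90)
    # lastLogonTimestamp is a FILETIME (100-ns ticks since 1601-01-01 UTC). Unlike
    # lastLogon it replicates, but it is only refreshed when the stored value is
    # more than 9-14 days old, so windows shorter than 14 days are unreliable.
    $utc         = (Get-Date).ToUniversalTime().AddDays(-$Days)
    $fileTime    = $utc.ToFileTimeUtc()
    $generalized = $utc.ToString('yyyyMMddHHmmss.0\Z')    # whenCreated uses GeneralizedTime
    # Enabled users only (bit 0x2 of userAccountControl = ACCOUNTDISABLE, tested with
    # the LDAP_MATCHING_RULE_BIT_AND OID), last seen before the cutoff, or created
    # before the cutoff and never logged on (the attribute is absent in that case,
    # so a plain <= comparison would miss them).
    "(&(objectCategory=person)(objectClass=user)" +
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
    "(|(lastLogonTimestamp<=$fileTime)(&(!(lastLogonTimestamp=*))(whenCreated<=$generalized))))"
}

function Get-DisabledUserFilter {
    '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
}

$filter = Get-StaleUserFilter -Days 90

# With the ActiveDirectory module (Windows Server 2008 R2 and later):
Get-ADUser -LDAPFilter $filter -Properties lastLogonTimestamp, whenCreated |
    Select-Object SamAccountName, whenCreated,
        @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } }

# Without it, the dsquery form; -limit 0 removes the default cap of 100 results.
dsquery * -filter $filter -attr sAMAccountName lastLogonTimestamp whenCreated -limit 0
```

Filters like these only return what the accounts' attributes say, which is why the way accounts are created matters: a stale-account query finds contractors only if expiration dates were set, and a department query finds people only if department was filled in consistently at creation time.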

Demonstration: Using a Saved Query

In this demonstration, you will see how to:

• Create a saved query

Lab: Creating AD DS User and Computer Accounts

• Exercise 1: Creating and Configuring User Accounts

• Exercise 2: Creating and Configuring Computer Accounts

• Exercise 3: Automating the Management of AD DS Objects

Logon information

Virtual computers: 6419A-NYC-DC1, 6419A-NYC-CL1

User name: Administrator

Password: Pa$$w0rd

Estimated time: 45 minutes

Lab Scenario

Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has deployed AD DS for Windows Server 2008. As one of the network administrators, one of your primary tasks will be to create and manage user and computer accounts.

Lab Review

• In order for searches like the ones used in this lab to return accurate results, what do you have to do when creating the user accounts?

• Your organization has a group of desktop support technicians who need to be able to add all computers to the AD DS domain. How can you ensure that these technicians can add more than 10 computers to the domain without granting them more permissions than required?

Module Review and Takeaways

• Review Questions

• Considerations for Managing AD DS User and Computer Accounts