Module 3 - Managing Users and Service Accounts

07/06/13
Module 3: Managing Users and Service Accounts
Module3:ManagingUsersandServiceAccounts
Contents: Lesson1: LabA: Lesson2: LabB: Lesson3: LabC: Lesson4: LabD: CreateandAdministerUserAccounts CreateandAdministerUserAccounts ConfigureUserObjectAttributes ConfigureUserObjectAttributes AutomateUserAccountCreation AutomateUserAccountCreation CreateandConfigureManagedServiceAccounts CreateandConfigureManagedServiceAccounts
Module Overview
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=5&FontSize=3&FontType=segoe
1/96
07/06/13
Inthismodule,youwilllearntocreateandsupportuseraccounts.Useraccounts storedinActive DirectoryDomainServices(ADDS)arethefundamentalcomponentsofidentity. Becauseoftheirimportance,knowledgeofuseraccountsandthetasksrelatedto supportingthemarecriticalaspectsinadministeringtheaccountssuccessfullyina

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=5&FontSize=3&FontType=segoe 2/96
07/06/13
Windowsenterprise. Managinganenterprisenetworkbringswithitauniquesetofchallengesrelatedto usermanagement. Employeesarehired,moved,married,anddivorced,andmanyeventuallyleavethe organization.Attimes,employeesforgettheirpasswordsorlockouttheiraccountsby loggingonincorrectly. Administratorsmustrespondtoalltheseevents,andyourabilitytoworkeffectively withuseraccounts canmakeabigdifferenceinyouroverallproductivity.Thismodulebeginswitha discussionofoptionsforcreatinguseraccountsbyusingtheActiveDirectoryUsers andComputerssnapinandWindows PowerShell.Thismodulealsointroducesseveraloptionsforautomatingthecreation ofusers. Ofcourse,creatingauserisonlythefirststepinthelifecycleofauserinadomain. Aftercreatingthe user,youmustconfigureattributesthatdefineboththepropertiesofthesecurity principal(theaccount)andpropertiesthatdefineandmanagetheuser.Youmust
07/06/13
alsoknowhowandwhentoadministertheaccounttoperformpasswordresetsand tounlocktheaccount,forexample.Youmustbeabletomove theuserbetweenorganizationalunits(OUs),andeventually,deprovisiontheaccount bydisablingor deletingit.Thismodulewillcovertheproceduresusedtosupportauserobject throughitslifecycleproceduresyoucanperformbyusingboththeWindows interfaceandthecommandlineorautomationtools.
Objectives
Aftercompletingthismodule,youwillbeableto: Createandadministeruseraccounts. Configuretheaccountrelatedpropertiesofauserobject. Automatethecreationofuseraccounts. Createandadministermanagedserviceaccounts.
Lesson 1: Create and Administer User Accounts

07/06/13
Auseraccountisthecornerstoneofidentityandaccess(IDA)inADDS.Consistent, efficient,andsecureprocessesregardingtheadministrationofuseraccountsare thereforethecornerstoneofenterprisesecuritymanagement.
Objectives
Aftercompletingthislesson,youwillbeableto: Createandconfiguretheaccountrelatedpropertiesofauserobject. Identifythepurposeandrequirementsofuseraccountattributes. Performcommonadministrativetaskstosupportuseraccounts,includingpassword
07/06/13
resetandaccountunlock. Enableanddisableuseraccounts. Delete,move,andrenameuseraccounts.
User Account
Userobjectsareoftenreferredtoasuseraccounts.However,whenyoulookclosely, whatyouthinkofasanaccount(theusername,password,andperhapsthe securityidentifier(SID))isjustasubsetofattributesofauserobject.ActiveDirectory userobjectsincludenumerousattributesthatareeitheronlyindirectlyrelatedtothe

07/06/13
account(suchastheprofilepathproperty),orareattributesofthehumanbeing whomtheaccountrepresents(suchastheemailaddress,phonenumber,and managerproperties). Useraccountstheactualaccountattributesoftheuserobjectenable authentication,whichisthelogonprocessduringwhichtheidentityoftheuseris validatedbycomparingtheuserslogonnameandpassword.Then,aftertheuser logson,theaccountSIDiscomparedwithpermissionsonresourcesthattheuser attemptstoaccess. NoteModule1describedthelogonprocess,thegenerationofthesecurity tokenthat
includestheusersSID,andthemechanismthroughwhichpermissionsinanaccess control list(ACL)arecomparedtotheSIDsinthetokentodeterminethelevelofaccesstoa resource. AuseraccountcanbecreatedandstoredinActiveDirectory.Adomainuseraccount enableslogontoanycomputerinthedomain,andaccesstoresourcesthroughout thedomain.Ofcourse,bothsetsofactivitiesaresubjecttothelogonrights,

07/06/13
privileges,andpermissionsassignedtotheaccount. AlthoughActiveDirectoryaccountsarethefocusofthiscourse,accountscanalsobe storedinthelocalsecurityaccountsmanager(SAM)database,enablinglocallogon andaccesstolocalresources.Localuseraccountsare,forthemostpart,beyondthe scopeofthiscourse.
Create Users with Windows PowerShell
UsetheActiveDirectoryModuleforWindowsPowerShelltocreateobjectsinActive Directory.TheNewADUsercommandcreatesauserobjectandacceptsparameters thatspecifypropertiesoftheuser.Thefollowingcommandshowsthebasic

07/06/13
parametersrequiredtocreateauseraccount.
N e w A D U s e r N a m e< s t r i n g > S a m A c c o u n t N a m e< p r e W i n d o w s2 0 0 0 l o g o nn a m e >A c c o u n t P a s s w o r d( R e a d H o s t A s S e c u r e s t r i n g A c c o u n t P a s s w o r d ) E n a b l e d$ t r u e C h a n g e P a s s w o r d A t L o g o n $ t r u e
TheAccountPasswordparameterspecifiesthepassword.Ifitissetto ReadHostAsSecurestringAccountPassword,youarepromptedforauser password. TheChangePasswordAtLogonparameterspecifiesthattheusermustchangethe passwordatnextlogon. NewADUseracceptsanumberofparametersthatspecifypropertiesoftheuser object. Thefollowingcommandcreatesauserwithsomeofthemoreimportantfields populated.
N e w A D U s e r N a m e A m yS t r a n d e S a m A c c o u n t N a m e" A m y S https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=5&FontSize=3&FontType=segoe 9/96
07/06/13
G i v e n N a m e A m y S u r n a m e S t r a n d e D i s p l a y N a m e A m y S t r a n d e A c c o u n t P a s s w o r d( C o n v e r t T o S e c u r e S t r i n g A s P l a i n T e x t P a $ $ w 0 r d F o r c e ) E n a b l e d$ t r u e P a t h O U = I T , D C = C o n t o s o ,D C = C o m D e s c r i p t i o n" V i c eP r e s i d e n t ,I T " C h a n g e P a s s w o r d A t L o g o n$ t r u e
Mostparameternamesareselfexplanatory:EmailAddress,ProfilePath,and
Company,forexample.TypeGetHelpNewADuserdetailedorsearchthe
WindowsServer2008HelpAndSupportCenterforcomprehensivedocumentation oftheNewADUserparameters.
Demonstration: Create a User Object
10/96
07/06/13
Auserobject,oftenreferredtoasauseraccount,includestheusernameand password,whichserveasthelogoncredentialsforauser.Auserobjectalsoincludes severalotherattributesthatdescribeandmanagetheuser. YoucanuseeithertheActiveDirectoryUsersorComputersconsole,orActive DirectoryAdministrativeCentertocreateauserobject. TocreateauserobjectbyusingActiveDirectoryUsersorComputers,performthe followingsteps: 1. RightclicktheOUorcontainerinwhichyouwanttocreatetheuser,pointto

11/96
07/06/13
New,andthenclickUser. 2. 3. IntheFirstnamebox,typetheusersfirstname. IntheInitialsbox,typetheusersmiddleinitial(s).
Notethatthispropertyis,infact,meantfortheinitialsofausersmiddle name,notthe
initialsoftheusersfirstandlastname. 4. 5. IntheLastnamebox,typetheuserslastname. TheFullnamefieldispopulatedautomatically.Makemodificationstoitif necessary. TheFullnamefieldisusedtocreateseveralattributesofauserobject,most notably,thecommonname(CN)anddisplaynameproperties.TheCNofauser isthenamedisplayedinthedetailspaneofthesnapin.Itmustbeunique withinthecontainerorOU.Therefore,ifyouarecreatingauserobjectfora personwiththesamenameasanexistinguserinthesameOUorcontainer,you willneedtoenterauniquenameintheFullnamefield. 6. IntheUserlogonnamebox,typethenamethattheuserwilllogonwith,and fromthedropdownlist,selecttheUPNSuffixthatwillbeappendedtothe userlogonnamefollowingthe@symbol.
07/06/13
UsernamesinActiveDirectorycancontainsomespecialcharacters(including periods,hyphens,andapostrophes),whichletyougenerateaccurateusernames suchasOHareandSmithBates.However,certainapplicationsmayhaveother restrictions,sowerecommendthatyouuseonlystandardlettersandnumerals untilyouhavefullytestedtheapplicationsinyourenterpriseforcompatibility withspecialcharactersinlogonnames. ThelistofavailableUPNsuffixescanbemanagedbyusingtheActiveDirectory DomainsandTrustssnapin.Rightclicktherootofthesnapin,Active DirectoryDomainsandTrusts,clickProperties,andusetheUPNSuffixes tabtoaddorremovesuffixes.TheDNSnameofyourActiveDirectorydomain willalwaysbeavailableasasuffixandcannotberemoved.
7.
IntheUserlogonname(preWindows2000)box,enterthepreWindows 2000logonname,oftencalledthe"downlevel"logonname.IntheActive Directorydatabase,thenameforthisattributeissAMAccountName.
8. 9.
ClickNext. EnteraninitialpasswordfortheuserinthePasswordandConfirmpassword boxes.
10. SelectUsermustchangepasswordatnextlogon. Werecommendthatyoualwaysselectthisoptionsothattheusercancreatea newpasswordunknowntotheITstaff.Appropriatesupportstaffcanalways

07/06/13
resettheuserspasswordatafuturedateiftheyneedtologonastheuseror accesstheusersresources.Butonlyusersshouldknowtheirpasswordsona daytodaybasis. 11. ClickNext. 12. ReviewthesummaryandthenclickFinish.
TheNewObjectUserinterfaceallowsyoutoconfigurealimitednumberof accountrelatedproperties,suchasnameandpasswordsettings.However,auser objectinActiveDirectorysupportsdozensofadditionalproperties.Thesecanbe configuredaftertheobjecthasbeencreated. 1. 2. 3. Rightclicktheuserobjectyoucreated,andthenclickProperties. Configureuserproperties. ClickOK.
Name Attributes
14/96
07/06/13
Thereareseveralattributesrelatedtothenameofauserobjectandanaccount.Itis importanttounderstandthedistinctionsbetweenthem. AusersUserlogonname(preWindows2000)is,behindthescenes,the sAMAccountNameattribute.Itisalsosometimescalledthesamid.Itmustbe uniquefortheentiredomain. TheUserlogonnameistheuserPrincipalName(UPN)attribute.TheUPNconsists ofalogonnameandaUPNsuffixwhichis,bydefault,theDNSnameofthe domaininwhichyoucreatetheobject.TheUPNmustbeuniquefortheentire forest.Emailaddresses,whichmustbeuniqueforthewholeworld,certainlymeet thatrequirement.ConsiderusingemailaddressesasUPNs.IfyourActiveDirectory
07/06/13
domainnameisnotthesameasyouremaildomainname,youmustaddtheemail domainnameasanavailableUPNsuffix.Todothis,opentheActiveDirectory DomainsandTrustssnapin,rightclicktherootofthesnapin,andthenclick Properties. TheNameofauser,whichisshowninthefirstcolumninthedetailspaneofthe ActiveDirectoryUsersandComputerssnapin.ThisnameisalsopresentedasFull Nameinsomeinterfaces,includingtheNewObjectUserdialogbox.Itmustbe uniqueintheOU.TheNamefieldisactuallythecommonname(CN),storedas thecnattribute.ThecnmustbeuniqueintheOUbecauseitisthefirstelementof thedistinguishedname(DN),thedistinguishedNameattribute,whichmustbe uniquewithintheforest. ThedisplaynameisthedisplayNameattributethatappearsintheMicrosoft Exchangeglobaladdresslist(GAL).ItcanbeeasiertolocateusersintheGALif theyaresortedbylastname.Therefore,youcancreateanamingconventionfor yourorganizationthatspecifiesthatthedisplayNameattributetakestheLastName, FirstNamesyntax.ThereisnorequirementforuniquenessofthedisplayName attribute,althoughitiscertainlyeasiertolocateusersintheGALifeachhasa uniquedisplayname. Question:Whatdoyoudoinyourorganizationtoensuretheuniquenessof name attributes,andwhatnamingconventionsdoyouuse?
07/06/13
Account Attributes
OntheAccounttabofausersPropertiesdialogbox,youcanfindtheattributes thataredirectlyrelatedtothefactthatauserisasecurityprincipal,meaningthatitis anidentitytowhichpermissionsandrightscanbeassigned. Thefollowingtablesummarizestheaccountattributes.
Property
LogonHours
Description
ClickLogonHourstoconfigurethehoursduringwhichauserisallowed tologontothenetwork.
17/96
07/06/13
LogOnTo
ClickLogOnToifyouwanttolimittheworkstationstowhichtheuser canlogon.ThisiscalledComputerRestrictionsinotherpartsoftheuser interfaceandcorrespondstotheuserWorkstationsattribute.Youmust haveNetBIOSoverTCP/IPenabledtousethisfeature,becauseitusesthe computernameratherthantheMediaAccessControl(MAC)addressofits networkcardtorestrictlogon.
UserMustChangePasswordAt NextLogon
Selectthischeckboxifyouwanttheusertochangethepasswordyou haveenteredthefirsttimeheorshelogson.Youcannotselectthis optionifyouhaveselectedPasswordNeverExpires.Selectingthisoption willautomaticallyclearthemutuallyexclusiveUserCannotChange Passwordoption.
UserCannotChangePassword
Selectthischeckboxifyouhavemorethanonepersonusingthesame domainuseraccount(suchasGuest)ortomaintaincontroloveruser accountpasswords.Thisoptioniscommonlyusedtomanageservice accountpasswords.Youcannotselectthisoptionifyouhaveselected UserMustChangePasswordAtNextLogon.
PasswordNeverExpires
Selectthischeckboxifyouneverwantthepasswordtoexpire.This optionwillautomaticallycleartheUserMustChangePasswordAtNext Logonsetting,becausethetwoaremutuallyexclusive.Thisoptionis commonlyusedtomanageserviceaccountpasswords.
AccountIsDisabled
Selectthischeckboxtodisabletheuseraccountforexample,when creatinganobjectforanewlyhiredemployeewhodoesnotyetneed accesstothenetwork.
StorePasswordUsing ReversibleEncryption
Thisoption,whichstoresthepasswordinActiveDirectorywithoutusing itspowerful,nonreversibleencryptionhashingalgorithm,existsto supportapplicationsthatrequireknowledgeoftheuserpassword.Ifitis notabsolutelyrequired,donotenablethisoptionbecauseitweakens
18/96
07/06/13
passwordsecuritysignificantly.Passwordsstoredbyusingreversible encryptionaresimilartothosestoredasplaintext. SmartCardIsRequiredFor InteractiveLogon Smartcardsareportable,tamperresistanthardwaredevicesthatstore uniqueidentificationinformationforauser.Theyareattachedto,or insertedinto,asystem,andtheyprovideanadditional,physical identificationcomponenttotheauthenticationprocess. AccountIsTrustedFor Delegation Thisoptionenablesaserviceaccounttoimpersonateausertoaccess networkresourcesonbehalfofauser.Thisoptionisnottypically selected,certainlynotforauserobjectrepresentingahumanbeing.Itis usedmoreoftenforserviceaccountsinthreetier(ormultitier)application infrastructures. AccountExpires UsetheAccountExpirescontrolstospecifywhenanaccountexpires.
User Account Management
19/96
07/06/13
Afteryouhavecreatedauseraccount,thereareanumberoftasksthatyouperform thatareconsideredAccountManagementtasks.Thesetasksmayincludethe following: Renamingauseraccount Resettingauserpassword Unlockingauseraccount Disablingorenablingauseraccount Movingauseraccount

07/06/13
Deletingauseraccount
Renaming a User Account

Whenauseraccountneedstoberenamed,therecanbeoneormoreattributesyou mustchange. TorenameauserintheActiveDirectoryUsersandComputerssnapin,performthe followingsteps: 1. 2. Rightclicktheuser,andthenclickRename. Typethenewcommonname(CN)fortheuser,andpressEnter. TheRenameUserdialogboxappearsandpromptsyoutoenteradditional nameattributes. 3. 4. 5. 6. TypetheFullname(whichcorrespondstothecnandnameattributes) TypetheFirstnameandLastname. TypetheDisplayname. TypetheUserlogonnameandUserlogonname(preWindows2000).
Iftheuserforgetshisorherpasswordandattemptstologon,heorshewillreceive
07/06/13
alogonmessage.Beforetheusercanlogonsuccessfully,youwillhavetoresetthe password.Youdonotneedtoknowtheusersoldpasswordtodoso. Toresetauser'spasswordintheActiveDirectoryUsersandComputerssnapin: 1. Rightclicktheuserobject,andthenclickResetPassword. TheResetPassworddialogboxappears. 2. EnterthenewpasswordinboththeNewPasswordandConfirmPassword boxes. Itisabestpracticetoassignatemporary,unique,strongpasswordfortheuser. 3. SelecttheUserMustChangePasswordAtNextLogoncheckbox. Itisabestpracticetoforcetheusertochangethepasswordatthenextlogon, sothattheusercreatesapasswordknownonlybytheuser. 4. 5. ClickOK. Communicatethetemporarypasswordtotheuserinasecuremanner.
YoucanalsousetheSetADAccountPasswordPowerShellcommandtoreseta userspassword.Forexample,thefollowingcommandwillresetAmyStrandes password.

07/06/13
S e t A D A c c o u n t P a s s w o r d i d e n t i t y c n = a m ys t r a n d ,o u = I T , d c = c o n t o s o ,d c = c o m R e s e tN e w P a s s w o r d( C o n v e r t T o S e c u r e S t r i n g A s P l a i n T e x t P a $ $ w 0 r d 2 F o r c e )
Unlocking a User Account

AnActiveDirectorydomainsupportsaccountlockoutpolicies.Alockoutpolicyis designedtopreventanintruderfromattemptingtopenetratetheenterprisenetwork byloggingonrepeatedlywithvariouspasswordsuntilheorshefindsacorrect password.Whenauserattemptstologonwithanincorrectpassword,alogonfailure isgenerated.Whentoomanylogonfailuresoccurwithinaspecifiedperiodoftime, definedbythelockoutpolicy,theaccountislockedout.Thenexttimetheuser attemptstologon,anotificationclearlystatestheaccountlockout. NoteYouwilllearntoconfigureaccountlockoutpoliciesinModule10.
Yourlockoutpolicycandefineaperiodoftimeafterwhichalockoutaccountis automaticallyunlocked.Butwhenauseristryingtologonanddiscoversthatheor sheislockedout,itislikelyheorshewillcontactthehelpdeskforsupport. TounlockauseraccountintheActiveDirectoryUsersandComputerssnapin, performthefollowingsteps:

07/06/13
1. 2. 3.
Rightclicktheuserobject,andthenclickProperties. ClicktheAccounttab. SelecttheUnlockAccountcheckbox.
WindowsServer2008alsoprovidestheoptiontounlockausersaccountwhenyou choosetheResetPasswordcommand. Tounlockauseraccountwhileresettingtheuser'spassword,performthefollowing step: IntheResetPassworddialogbox,selecttheUnlocktheusersaccountcheck box.
Thismethodisparticularlyhandywhenausersaccountislockedoutbecausethe userdid,infact,forgetthepassword.Youcannowassignanewpassword,specify thattheusermustchangethepasswordatnextlogon,andunlocktheusersaccount inonedialogbox. Watchfordrivesmappedwithalternatecredentials:Acommoncauseofaccount lockoutisadrivemappedwithalternatecredentials.Ifthepasswordischanged,and theWindowsclientattemptsrepeatedlytoconnecttothedrive,thataccountwillbe

07/06/13
lockedout. TounlockauseraccountbyusingWindowsPowerShell,youcanusethefollowing command.
U n l o c k A D A c c o u n t i d e n t i t y c n = a m ys t r a n d ,o u = I T , d c = c o n t o s o ,d c = c o m
Disabling and Enabling User Accounts

Useraccountsaresecurityprincipalsthatcanbegivenaccesstonetworkresources. EachuserisamemberofDomainUsersandoftheAuthenticatedUsersspecial identity.Bydefault,eachuseraccounthasatleastreadaccesstotheinformation storedinActiveDirectory.Therefore,itisimportantnottoleaveuseraccountsopen. Thatmeansyoushouldconfigurepasswordpoliciesandauditingbothdiscussedin othermodulesandprocedurestoensurethataccountsarebeingusedappropriately. Ifauseraccountisprovisionedbeforeitisneeded,orifanemployeewillbeabsent foranextendedperiodoftime,disabletheaccount. TodisableanaccountintheActiveDirectoryUsersandComputerssnapin: RightclickauserandthenclickDisableAccount.
07/06/13
Ifanaccountisalreadydisabled,theEnableAccountcommandwillappearwhenyou rightclicktheuser. TodisableorenableauseraccountwithWindowsPowerShell,usethefollowing cmdlets. EnableADAccountidentity<name> DisableADAccountidentity<name>
Moving a User Account

TomoveauserobjectintheActiveDirectoryUsersandComputerssnapin,perform thefollowingsteps: 1. 2. Rightclicktheuser,andthenclickMove. Clickthefoldertowhichyouwanttomovetheuseraccount,andthenclickOK.
Alternatively,youcandragtheuserobjecttothedestinationOU.
Deleting a User Account

Whenanaccountisnolongernecessary,youcandeleteitfromyourdirectory.
07/06/13
TodeleteauseraccountinActiveDirectoryUsersandComputers,performthe followingsteps: 1. SelecttheuserandpressDeleteorrightclicktheuser,andthenclickDelete. Youarepromptedtoconfirmyourchoicebecauseofthesignificantimplications ofdeletingasecurityprincipal. 2. Confirmtheprompt.
Lab A: Create and Administer User Accounts
27/96
07/06/13
Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1,andintheActionspane,click Start. 3. 4. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts. Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso 5. 6. OpenWindowsExplorerandthenbrowsetoD:\Labfiles\Lab03a. RunLab03a_Setup.batwithadministrativecredentials.Usetheaccount Pat.Coleman_AdminwiththepasswordPa$$w0rd. 7. 8. Thelabsetupscriptruns.Whenitiscomplete,pressanykeytocontinue. ClosetheWindowsExplorerwindow,Lab03a.
28/96
07/06/13
Lab Scenario
YouaretheadministratorofContoso,Ltd.,anonlineuniversityforadulteducation. Twonewemployeeshavebeenhired:ChrisMayoandAmyStrande.Youmustcreate accountsfortheseusers.Aftersometime,ChrisMayoleavestheorganization,and hisaccountmustbeadministeredaccordingtothecompanypolicyforuseraccount lifecyclemanagement.
Exercise 1: Create User Accounts

Inthisexercise,youwillcreateuseraccountswithboththeActive DirectoryUsersandComputerssnapinandWindowsPowerShell. Themaintasksforthisexerciseareasfollows: 1. 2. CreateauseraccountwithActiveDirectoryUsersandComputers. CreateauseraccountwithWindowsPowerShell.
Task 1: Create a user account with Active Directory Users and Computers.
1.
RunActiveDirectoryUsersandComputerswithadministrativecredentials. Usetheaccount,Pat.Coleman_Admin,withthepassword,Pa$$w0rd.
29/96
07/06/13
2.
CreateauseraccountforChrisMayointheEmployeesOU. FirstName:Chris LastName:Mayo UserLogonName:Chris.Mayo UserLogonName(PreWindows2000):Chris.Mayo Password:Pa$$w0rd Specifythattheusermustchangethepasswordatthenextlogon
Task 2: Create a user account with Windows PowerShell.
1.
RuntheActiveDirectoryModuleforWindowsPowerShellwith administrativecredentials.Usetheaccount,Pat.Coleman_Admin,withthe password,Pa$$w0rd.
2.
AtthePSprompt,createauseraccountforAmyStrandeintheEmployeesOU. SamAccountName:Amy.Strande FirstName:Amy LastName:Strande
30/96
07/06/13
UserPrincipalName:Amy.Strande@contoso.com DisplayName:Strande,Amy Description:ResearchAssistant 3. InActiveDirectoryUsersandComputers,openthepropertiesoftheuser accountyoujustcreatedandconfirmthattheattributesweresetcorrectly.
Results:Inthisexercise,youcreateduseraccountsnamed,ChrisMayoandAmy Strande,intheEmployeesOU.
Exercise 2: Administer User Accounts

Inthisexercise,youwillperformcommontasksthatsupportuseraccounts throughtheirlifecycleinActiveDirectory. Themaintasksforthisexerciseareasfollows: 1. 2. Administerauseraccount. Administerthelifecycleofauseraccount.
31/96
07/06/13
Task 1: Administer a user account.
TheuseraccountforAmyStrandeiscurrentlydisabledbecausenopasswordwas specifiedbyusingthePowerShellcommand.
1. 2.
WhatparametershouldyouhaveusedwithPowerShelltospecifyapassword? InActiveDirectoryUsersandComputers,resetthepasswordforAmy StrandetoPa$$w0rd,andspecifythatshemustchangethepasswordatthe nextlogon.
3.
InActiveDirectoryUsersandComputers,enableAmyStrande'suser account.
4.
WhichcommandscanyouuseinWindowsPowerShelltoresetthepassword, specifythatthepasswordmustbechangedatthenextlogon,andenablethe account?
Task 2: Administer the life cycle of a user account.
TheContoso,Ltd.policyforthelifecyclemanagementofauseraccountstatesthe following:
32/96
07/06/13
Whenauserleavestheorganizationforanyreason,includingleaveofabsence,the user'saccountmustbedisabledimmediatelyandmovedtotheDisabledAccounts OU. Sixtydaysaftertheterminationofauser,theuser'saccountmustbedeleted.
1.
ChrisMayohasleftContoso,Ltd.Disablehisaccountandmoveittothe DisabledAccountsOU.
13. Ithasbeen60dayssinceyoudisabledChrisMayoandcompanyprocedures specifythatafter60days,adisableduseraccountmustbedeleted.Deletethe useraccountforChrisMayo. 14. LogofffromNYCDC1.
Results:Inthisexercise,youenabledAmyStrande'saccountanddeletedChris Mayo'saccount.
NoteDonotshutdownthevirtualmachineafteryoufinishthislabbecause thesettings
youhaveconfiguredherewillbeusedinLabB.
07/06/13
Lab Review Questions Question:Inthislab,whichattributecanbemodifiedtopromptforthe passwordwhenyou arecreatingauseraccountwithWindowsPowerShell? Question:Whathappenswhenyoucreateauseraccountthathasapassword thatdoesnot meettherequirementsofthedomain?
Lesson 2: Configure User Object Attributes
34/96
07/06/13
AuserobjectinActiveDirectoryisfarmorethanjustahandfulofpropertiesrelated totheuser'ssecurityidentity,oraccount.Auserobjectincludesattributesthat describetheindividualandhisorherrelationshipwiththeorganization,andthe contactinformationandconfigurationoftheuser'sexperienceonhisorher computer.Inthislesson,youwillexploremanyofthemoreusefulattributesofuser objects,andyouwilllearnhowtoadministertheseattributesforoneormoreusers.
Objectives
Aftercompletingthislesson,youwillbeableto: Viewandmodifyhiddenattributesofuserobjects.
07/06/13
Identifythepurposeandrequirementsofuserobjectattributes. Modifytheattributesofmultipleusers,simultaneously. ManageuserattributesfromWindowsPowerShell. Createusersfromuseraccounttemplates.
A Tour of User Attributes
WhenyoucreateauserwiththeNewObjectUserWizardoftheActiveDirectory UsersandComputerssnapin,youarepromptedforsomecommonproperties,
07/06/13
includinglogonnames,passwords,andtheusersfirstnameandlastname.Auser objectinActiveDirectory,however,supportsdozensofadditionalpropertiesthatyou canconfigureatanytimewiththeActiveDirectoryUsersandComputerssnapin. Toreadandmodifytheattributesofauserobject,rightclicktheuser,andthenclick Properties.
Theattributesofauserobjectfallintoseveralbroadcategoriesthatappearontabs ofthedialogbox.
37/96
07/06/13
Accountattributes:TheAccounttab.Thesepropertiesincludelogonnames, passwords,andaccountflags.Manyoftheseattributescanbeconfiguredwhen youcreateanewuserwiththeActiveDirectoryUsersandComputerssnapin.The AccountPropertiessectiondetailstheaccountattributes. Personalinformation:TheGeneral,Address,Telephones,and Organizationtabs.TheGeneraltabcontainsthenamepropertiesthatare configuredwhenyoucreateauserobject,alongwiththebasicdescriptionand contactinformation.TheAddressandTelephonestabsprovidedetailedcontact information.TheTelephonestabisalsowhereMicrosoftchosetoputtheNotes field,whichcorrespondstotheinfoattributeandisaveryusefulgeneralpurpose textfieldthatisunderusedbymanyenterprises.TheOrganizationtabshowsthe jobtitle,department,company,andorganizationalrelationships. Userconfigurationmanagement:TheProfiletab.Here,youcanconfigure theusersprofilepath,logonscript,andhomefolder. Groupmembership:TheMemberOftab.Youcanaddtheuserto,andremove theuserfrom,groupsandchangetheusersprimarygroup.Groupmemberships andtheprimarygroupwillbediscussedinanothermodule. RemoteDesktopServices:TheRemoteDesktopServicesProfile, Environment,Remotecontrol,Sessions,andPersonalVirtualDesktop tabs.Thesetabsenableyoutoconfigureandmanagetheusersexperiencewhen theuserisconnectedtoaRemoteDesktopServicessession. Remoteaccess:TheDialintab.Youcanenableandconfigureremoteaccess
07/06/13
permissionforauserontheDialintab. Applications:TheCOM+tab.Thistabenablesyoutoassigntheusertoan ActiveDirectoryCOM+partitionset.Thisfeaturefacilitatesthemanagementof distributedapplications.
View All Attributes
TheAttributeEditortaballowsyoutoviewandeditallattributesofauserobject. TheAttributeEditortabisnotvisibleuntilyouenableAdvancedFeaturesfromthe ViewmenuoftheMicrosoftManagementConsole(MMC).

07/06/13
TheAttributeEditordisplaysallthesystemattributesoftheselectedobject.The Filterbuttonenablesyoutochoosetoseeevenmoreattributes,includingbacklinks andconstructedattributes. Backlinksareattributesthatresultfromreferencestotheobjectfromotherobjects. Theeasiestwaytounderstandbacklinksistolookatanexample:thememberOf attribute.Whenauserisaddedtoagroup,itisthegroupsmemberattributethatis changed:Thedistinguishednameoftheuserisaddedtothismultivaluedattribute. Therefore,thememberattributeofagroupiscalledaforwardlinkattribute.Ausers memberOfattributeisupdatedautomaticallybyActiveDirectorywhentheuseris referredtobyagroupsmemberattribute.Youdonoteverwritedirectlytotheusers memberOfattributeitisdynamicallymaintainedbyActiveDirectory. AconstructedattributeisoneoftheresultsfromacalculationperformedbyActive Directory.AnexampleisthetokenGroupsattribute.Thisattributeisalistofthe securityidentifiers(SIDs)ofallthegroupstowhichtheuserbelongs,including nestedgroups.TodeterminethevalueoftokenGroups,ActiveDirectorymust calculatetheeffectivemembershipoftheuser,whichtakesafewprocessorcycles. Therefore,theattributeisnotstoredaspartoftheuserobjectordynamically maintained.Instead,itiscalculatedwhenneeded.Becauseoftheprocessingrequired toproduceconstructedattributes,theAttributeEditortabdoesnotdisplaythemby default.TheyalsocannotbeusedinLightweightDirectoryAccessProtocol(LDAP) queries.
40/96
07/06/13
Question:Areyouusinganyofthehiddenattributesinyourorganization?If so,howdoyoureadandmodifythoseattributes?
Modify Attributes of Multiple Users
TheActiveDirectoryUsersandComputerssnapinenablesyoutomodifythe propertiesofmultipleuserobjectssimultaneously. TomodifyattributesofmultipleusersintheActiveDirectoryUsersandComputers snapin: 1. SelectseveraluserobjectsbyholdingtheCTRLkeyasyouclickeachuser,orby

41/96
07/06/13
usinganyothermultiselectiontechnique. Becertainthatyouselectonlyobjectsofoneclass,suchasusers. 2. Afteryouhavemultiselectedtheobjects,rightclickanyoneofthem,andthen clickProperties.
Whenyouhavemultiselectedtheuserobjects,asubsetofpropertiesisavailablefor modification: General:Description,Office,TelephoneNumber,Fax,Webpage,andEmail Account:UPNsuffix,Logonhours,Computerrestrictions(logonworkstations),all Accountoptions,andAccountexpires Address:Street,P.O.Box,City,State/province,ZIP/PostalCode,and Country/region Profile:Profilepath,Logonscript,andHomefolder Organization:JobTitle,Department,Company,andManager
Modify User Attributes by Using Windows PowerShell
42/96
07/06/13
TheGetADUserandtheSetADusercmdletscanbothbeusedtomodifyoneor moreuserobjects. Forexample,youcanusetheGetADUsercmdlettospecifyanexistinguser(or multipleusers)andthenpipetheresultstotheSetADusercmdlettomodify attributes.Thesyntaxisshownasfollows.
G e t A D U s e rU s e r N a m e|S e t A D U s e r[ p a r a m e t e rv a l u e ]
TheUserNameplaceholderspecifiesthedistinguishednameoftheuserthatwillbe
07/06/13
modified.TheSetADUserparametersindicatetheattributestochangeandthenew values.Forexample,thefollowingcommandchangestheofficeattributeofTony Krijnen.
G e t A D U s e rT o n y . K r i j n e n|S e t A D U s e r o f f i c e" S t o c k h o l m "
Modifying attributes for Several Users at Once

YoucanusetheGetADUsercmdlettoviewseveralusers,baseduponspecific criteria.Toperformthistask,youneedtoprovideafilterparameterasfollows.
G e t A D U s e r F i l t e r N a m e l i k e * S e a r c h B a s e O U = P r o d u c t i o n ,D C = C o n t o s o ,D C = C o m
Thiscommanddisplaysallusers(indicatedasanasterisk*)intheProductionOU. YoucanthenpipethisinformationtotheSetADUsercmdlettomodifythe attributesasfollows.
G e t A D U s e r F i l t e r N a m e l i k e * S e a r c h B a s e O U = P r o d u c t i o n ,D C = C o n t o s o ,D C = C o m | S e t -A D u s e r D e p a r t m e n t
07/06/13
P r o d u c t i o n C o m p a n y C o n t o s o ,L t d
Thiscommandmodifiesthedepartmentandcompanyattributesforalluserslocated intheProductionOU. ForalistofparametersthatyoucansetbyusingtheSetADusercmdlet,referto theadditionalreadinglinksinthestudentcompanioncontent.
Demonstration: Create a User Template
Usersinadomainoftensharemanysimilarproperties.Forexample,allsales
07/06/13
representativescanbelongtothesamesecuritygroups,logontothenetworkduring similarhours,andhavehomefoldersandroamingprofilesstoredonthesameserver. Whenyoucreateanewuser,youcansimplycopyanexistinguseraccount,rather thancreateablankaccountandpopulateeachproperty. SincethedaysofWindowsNT4.0,Windowshassupportedtheconceptofuser accounttemplates.Auseraccounttemplateisagenericuseraccountprepopulated withcommonproperties.Forexample,youcancreateatemplateaccountforsales representatives,whichispreconfiguredwithgroupmemberships,logonhours,a homefolder,androamingprofilepath. Tocreateauseraccounttemplate,performthefollowingsteps: 1. Createauseraccountandprepopulateappropriateattributes.
TipUseanamingstandardthatmakestemplateseasytofind.For example,setthefull
nametobeginwithanunderscore(_),asin_SalesUser.Theunderscorewill causeall templatestoappearatthetopofthelistofusersinanOU. 2. Disablethetemplateuseraccount.

46/96
07/06/13
Thetemplateaccountitselfshouldnotbeusedtologontothenetwork,so ensurethatyoudisabletheaccount.
Tocreateauserbasedonthetemplate,performthefollowingsteps: 1. Rightclickthetemplateuseraccount,andthenclickCopy. TheCopyObjectUserWizardappears. 2. 3. 4. 5. IntheFirstnamebox,typetheuser'sfirstname. IntheLastnamebox,typetheuser'slastname. ModifytheFullnamevalueifnecessary. IntheUserlogonnamebox,typetheuserlogonname,andthenselectthe appropriateuserprincipalname(UPN)suffixinthedropdownlist. 6. IntheUserlogonname(preWindows2000)box,typetheuser'spre Windows2000username. 7. 8. ClickNext. InthePasswordboxandtheConfirmpasswordbox,typetheuser's password. 9. Selecttheappropriatepasswordoptions.
47/96
07/06/13
10. Iftheuseraccountfromwhichthenewuseraccountwascopiedwasdisabled, clearAccountisdisabledtoenablethenewaccount.
Create Users with Templates
Itisimportanttorealizethatnotallattributesarecopied.Thefollowinglist summarizestheattributesthatarecopied.Itisnotusefultoconfigureanyother attributesinthetemplate,becausetheywillnotbecopied. Generaltab.NopropertiesarecopiedfromtheGeneraltab.
48/96
07/06/13
Addresstab.P.O.box,city,stateorprovince,ZIPorpostalcode,andcountryor regionarecopied.Notethatthestreetaddressitselfisnotcopied. Accounttab.Logonhours,logonworkstations,accountoptions,andaccount expirationarecopied. Profiletab.Profilepath,logonscript,homedrive,andhomefolderpathare copied. Organizationtab.Department,company,andmanagerarecopied. MemberOftab.Groupmembershipandprimarygrouparecopied.
NoteThereareotherattributesthatarecopiedthatarenotevenvisiblein theuser
Propertiesdialogbox.Theseattributesincludeassistant,division,andemployee type. Question:Whatothermethodsdoyouusetocreatenewuseraccountswith commonattributes?
Lab B: Configure User Object Attributes

07/06/13
Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1,andintheActionspane,click Start. 3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.
50/96
07/06/13
4.
Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso
5. 6.
OpenWindowsExplorerandthenbrowsetoD:\Labfiles\Lab03b. RunLab03b_Setup.batwithadministrativecredentials.Usetheaccount Pat.Coleman_AdminwiththepasswordPa$$w0rd.
7. 8.
Thelabsetupscriptruns.Whenitiscomplete,pressanykeytocontinue. ClosetheWindowsExplorerwindow,Lab03b.
Lab Scenario
YouaretheadministratorofContoso,Ltd.,anonlineuniversityforadulteducation. ChangesintheSalesdepartmentrequireyoutomodifytheattributesofSalesusers. Additionally,youdecidetomakeiteasiertocreatenewaccountsforsalespeopleby preparingauseraccounttemplate.
Exercise 1: Examine User Object Attributes
51/96
07/06/13
Inthisexercise,youwillexaminetheattributesofauserobject. Themaintasksforthisexerciseareasfollows: 1. 2. 3. ExplorethepropertiesofanActiveDirectoryuserobject. ExploreallattributesofanActiveDirectoryuserobject. Analyzethenaminganddisplayofuserobjectattributes.
Task 1: Explore the properties of an Active Directory user object.
1.
RunActiveDirectoryUsersandComputerswithadministrativecredentials. Usetheaccount,Pat.Coleman_Admin,withthepassword,Pa$$w0rd.
2. 3.
OpenthepropertiesofTonyKrijnenintheEmployeesOU. Inthissamplecontoso.comdomain,attributeshavebeenconfiguredonthe General,Address,AccountandOrganizationtabs.Examineeachofthese tabs,andthenclosethePropertiesdialogbox.
Task 2: Explore all attributes of an Active Directory user object.
1.
EnabletheAdvancedFeaturesviewoftheActiveDirectoryUsersand
52/96
07/06/13
Computerssnapin. 2. ExaminetheAttributeEditortabofTonyKrijnen'sPropertiesdialogbox.
Task 3: Analyze the naming and display of user object attributes.
ForeachofthefollowingattributesintheTonyKrijnenPropertiesdialogbox, identifythecorrespondingattributenameontheAttributeEditortab. Properties dialogbox tab

General General General General General General General Address Address Firstname Lastname Displayname Description Office Telephonenumber Email Street City
53/96
Property name
Attributenameasshownonthe AttributeEditortab
07/06/13
Address Address Organization Organization Organization
ZIP/PostalCode Country JobTitle Department Company
Questions: 1. UsetheAttributeEditortabtoanswerthefollowingquestions. DoestheemployeeIDattribute,shownontheAttributeEditortab, showuponanormaltabofthePropertiesdialogbox?Ifso,which one?WhataboutcarLicense? Whatisthedistinguishedname(DN)ofTonyKrijnen'sobject? WhatisTony'sUPN?Onwhichothertabdoestheattributeappear,and howisitlabeledanddisplayed? 2. 3. Whymightthesnattributebenamedsn? Whatistheuseofthecattribute?
Results:Inthisexercise,youexamineduserobjectattributes.
54/96
07/06/13
Exercise 2: Manage User Object Attributes

Inthisexercise,youwillmanagetheattributesofuserobjects. Themaintasksforthisexerciseareasfollows: 1. 2. Modifytheattributesofmultipleuserobjects. Manageuserattributesfromthecommandprompt.
Task 1: Modify the attributes of multiple user objects.
AspecialMarketingtaskforcehasbeenestablishedbyArianeBerthier,theVice PresidentofMarketing.Membersofthetaskforcearebeingrelocatedto HeadquartersandwillreportdirectlytoAriane.
1.
SelectthefollowingusersintheEmployeesOU:AdamBarr,AdrianLannin, AjayManchepalli,AjaySolanki,AllanGuinot,AnavSilverman,and AndrsTth.
2.
Configurethefollowingpropertiesfortheusers: Office:Headquarters.
55/96
07/06/13
Description:MarketingTaskForce. Manager:ArianeBerthier. 3. Afterchangingtheattributes,openthepropertiesofAdamBarrandexaminethe attributesyoujustchanged. 4. TheManagerattributeisalinkedattribute.Theothersideofthelinkisthe DirectReportsattribute.OpenthepropertiesofArianeBerthierandexamine theDirectReports.
Task 2: Manage user attributes by using Windows PowerShell.
1.
OpentheActiveDirectoryModuleforWindowsPowerShellwith administrativecredentials.Usetheaccount,Pat.Coleman_Admin,withthe password,Pa$$w0rd.
2.
UseWindowsPowerShelltolisttheemailaddressesanddescriptionofallusers intheMarketingTaskForce.
TipUsersintheMarketingTaskForceshareacommonDescription property.
3.
UseWindowsPowerShelltoconfigureallMarketingTaskForcememberstohave
56/96
07/06/13
ahomedrivemappedtoU:andahomedirectorymappedto\\NYC DC1\Taskforceusers\%UserName%. 4. InActiveDirectoryUsersandComputers,confirmthatthechangesyou madewereappliedcorrectlybyexaminingthepropertiesofAdamBarr.
Results:Inthisexercise,youmanageduserobjectsbyusingActiveDirectory UsersandComputersandWindowsPowerShell.
Exercise 3: Create Users from a Template

Inthisexercise,youwillcreateauseraccounttemplateandthengenerate anewuseraccountbasedonthattemplate. Themaintasksforthisexerciseareasfollows: 1. 2. CreateauseraccounttemplateforSales. Createanewuseraccountbasedonatemplate.
Task 1: Create a user account template for Sales.
57/96
07/06/13
IntheEmployeesOU,createatemplateaccountfornewsalespeoplewiththe followingproperties: FirstNameandLastName:blank FullName:_SalesUser(notetheunderscoreatthebeginningofthename) UserLogonName:Template.Sales Password:Pa$$w0rd Usermustchangepasswordatnextlogon Accountisdisabled Memberof:Sales Department:Sales Company:Contoso,Ltd. Manager:AnibalSousa AccountExpires:Lastdayofthecurrentyear
Task 2: Create a new user account based on a template.
IntheEmployeesOU,createanaccountforanewsalesperson,basedonthe
07/06/13
_SalesUsertemplate.Theaccountshouldhavethefollowingproperties: FirstName:Rob LastName:Young Userlogonname:Rob.Young Password:Pa$$w0rd Accountisenabled
Results:Inthisexercise,youcreatedauseraccountnamed,RobYoung,inthe EmployeesOU.Theaccounthasalltheattributesyouconfiguredforthe_Sales Usertemplate.
Lab Review Questions Question:Whatmethodshaveyoulearnedformodifyingattributesofnewand existing users?
Lesson 3: Automate User Account Creation

07/06/13
AlthoughtheproceduresdiscussedinLessons1and2canbeappliedtocreatea smallnumberofusers,youwillneedmoreadvancedtechniquestoautomatethe creationofuseraccountswhenalargenumberofusersmustbeaddedtothe domain.Inthislesson,youwilllearnseveralofthesetechniques.
Objectives
Aftercompletingthislesson,youwillbeableto: ExportuserattributeswithCSVDE. ImportuserswithCSVDE.
07/06/13
ImportuserswithLDIFDE. ImportuserswithWindowsPowerShell.
Export Users with CSVDE
CSVDEisacommandlinetoolthatexportsorimportsActiveDirectoryobjectstoor fromacommadelimitedtextfile(alsoknownasacommaseparatedvaluetextfile, or.csvfile).Commadelimitedfilescanbecreated,modified,andopenedwithfamiliar toolssuchasNotepadandMicrosoftOfficeExcel.
61/96
07/06/13
ThefollowingisthebasicsyntaxoftheCSVDEcommandforexport.
c s v d eff i l e n a m e
However,thiscommandwillexportallobjectsinyourActiveDirectorydomain.You willwanttolimitthescopeoftheexport,whichyoucandowiththefollowingfour parameters: dRootDN.Specifiesthedistinguishednameofthecontainerfromwhichthe exportwillbegin.Thedefaultisthedomainitself. pSearchScope.Specifiesthescopeofthesearchrelativetothecontainerspecified byd.
SearchScopecanbeeitherbase(thisobjectonly),onelevel(objectswithinthis
container),orsubtree(thiscontainerandallsubcontainers).Thedefaultissubtree. rFilter.Filterstheobjectsreturnedwithinthescopeconfiguredbydandp.Filter isanLDAPquerysyntax.Youwillworkwithafilterinthelabforthislesson.The LDAPquerysyntaxisbeyondthescopeofthiscourse.Formoreinformation,see http://go.microsoft.com/fwlink/?LinkId=168752. lListOfAttributes.Specifiestheattributesthatwillbeexported.UsetheLDAP nameforeachattribute,separatedbyacomma,asin
07/06/13
lDN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
TheoutputofaCSVDEexportliststheLDAPattributenamesonthefirstline.Each objectfollows,oneperline,andmustcontainexactlytheattributeslistedonthefirst line,asillustratedinthefollowingexample.
D N , o b j e c t C l a s s , s n , g i v e n N a m e , s A M A c c o u n t N a m e , u s e r P r i n c i p a l N a m e " C N = D a v i dJ o n e s , O U = E m p l o y e e s , O U = U s e r A c c o u n t s , D C = c o n t o s o , D C = c o m " , u s e r , J o n e s , D a v i d , d a v i d . j o n e s , d a v i d . j o n e s @ c o n t o s o . c o m " C N = L i s aA n d r e w s , O U = E m p l o y e e s , O U = U s e r A c c o u n t s , D C = c o n t o s o , D C = c o m " , u s e r , A n d r e w s , L i s a , l i s a . a n d r e w s , l i s a . a n d r e w s @ c o n t o s o . c o m
Import Users with CSVDE
63/96
07/06/13
CSVDEcanalsocreateuseraccountsbyimportinga.csvfile.Ifyouhaveuser informationinexistingOfficeExcelorMicrosoftOfficeAccessdatabases,youwill findthatCSVDEisapowerfulwaytotakeadvantageofthatinformationtoautomate useraccountcreation. ThefollowingisthebasicsyntaxoftheCSVDEcommandforimport.
c s v d eiff i l e n a m ek
Theiparameterspecifiesimportmodewithoutit,thedefaultmodeofCSVDEis
07/06/13
export.Thefparameteridentifiesthefilenametoimportfromorexportto.Thek parameterisusefulduringimportoperationsbecauseitinstructsCSVDEtoignore errors,includingObjectAlreadyExists Theimportfileitselfisacommadelimitedtextfile(.csvor.txt)inwhichthefirstline definestheimportedattributesbytheirLDAPattributenames.Eachobjectfollows, oneperline,andmustcontainexactlytheattributeslistedonthefirstline,for example,asamplefilewillbeasfollows.
D N , o b j e c t C l a s s , s n , g i v e n N a m e , s A M A c c o u n t N a m e , u s e r P r i n c i p a l N a m e " C N = D a v i dJ o n e s , O U = E m p l o y e e s , O U = U s e r A c c o u n t s , D C = c o n t o s o , D C = c o m " , u s e r , J o n e s , D a v i d , d a v i d . j o n e s , d a v i d . j o n e s @ c o n t o s o . c o m " C N = L i s aA n d r e w s , O U = E m p l o y e e s , O U = U s e r A c c o u n t s , D C = c o n t o s o , D C = c o m " , u s e r , A n d r e w s , L i s a , l i s a . a n d r e w s , l i s a . a n d r e w s @ c o n t o s o . c o m
Thisfile,whenimportedbytheCSVDEcommand,willcreateauserobjectforLisa AndrewsintheEmployeesOU.Theuserlogonnames,lastnameandfirstname,are configuredbythefile.YoucannotusetheCSVDEtoimportpasswords,andwithouta password,theuseraccountwillbedisabledinitially.Afteryouhaveresetthe password,youcanenabletheobject. FormoreinformationaboutCSVDE,includingdetailsregardingitsparametersand usagetoexportdirectoryobjects,typecsvde/?orsearchtheWindowsServer2008

07/06/13
HelpandSupportCenter.
Import Users with LDIFDE
YoucanalsouseLDIFDE.exetoimportorexportActiveDirectoryobjects,including users.LDIFisadraftInternetstandardforfileformatthatcanbeusedtoperform batchoperationsagainstdirectoriesthatconformtotheLDAPstandards.LDIF supportsbothimportandexportoperations,andbatchoperationsthatmodify objectsinthedirectory.TheLDIFDEcommandimplementsthesebatchoperationsby usingLDIFfiles. TheLDIFfileformatconsistsofablockoflinesthattogetherconstituteasingle

07/06/13
operation.Multipleoperationsinasinglefileareseparatedbyablankline.Eachline, comprisinganoperation,consistsofanattributenamefollowedbyacolonandthe valueoftheattribute.Forexample,supposeyouwantedtoimportuserobjectsfor twosalesrepresentativesnamedBonnieKearneyandBobbyMoore.Thecontentsof theLDIFfilewouldlooksimilartothefollowingexample.
d n :C N = B o n n i eK e a r n e y , O U = E m p l o y e e s , O U = U s e r A c c o u n t s , D C = c o n t o s o , D C = c o mc h a n g e t y p e :a d do b j e c t C l a s s :t o p o b j e c t C l a s s :p e r s o no b j e c t C l a s s :o r g a n i z a t i o n a l P e r s o n o b j e c t C l a s s :u s e rc n :B o n n i eK e a r n e ys n :K e a r n e yt i t l e : O p e r a t i o n sd e s c r i p t i o n :O p e r a t i o n s( L o n d o n )g i v e n N a m e : B o n n i ed i s p l a y N a m e :K e a r n e y ,B o n n i ec o m p a n y :C o n t o s o ,L t d . s A M A c c o u n t N a m e :b o n n i e . k e a r n e yu s e r P r i n c i p a l N a m e : b o n n i e . k e a r n e y @ c o n t o s o . c o mm a i l :b o n n i e . k e a r n e y @ c o n t o s o . c o m d n :C N = B o b b yM o o r e , O U = E m p l o y e e s , O U = U s e r A c c o u n t s , D C = c o n t o s o , D C = c o mc h a n g e t y p e :a d do b j e c t C l a s s :t o p o b j e c t C l a s s :p e r s o no b j e c t C l a s s :o r g a n i z a t i o n a l P e r s o n o b j e c t C l a s s :u s e rc n :B o b b yM o o r es n :M o o r et i t l e :L e g a l d e s c r i p t i o n :L e g a l( N e wY o r k )g i v e n N a m e :B o b b yd i s p l a y N a m e : M o o r e ,B o b b yc o m p a n y :C o n t o s o ,L t d .s A M A c c o u n t N a m e : b o b b y . m o o r eu s e r P r i n c i p a l N a m e :b o b b y . m o o r e @ c o n t o s o . c o m m a i l :b o b b y . m o o r e @ c o n t o s o . c o m
67/96
07/06/13
EachoperationbeginswiththeDNattributeoftheobjectthatisthetargetofthe operation.Thenextline,changeType,specifiesthetypeofoperation:add,modify, ordelete. Asyoucansee,theLDIFfileformatisnotasintuitiveorfamiliarasthecomma separatedtextformat.However,becausetheLDIFformatisalsoastandard,many directoryservicesanddatabasescanexportLDIFfiles. AftercreatingorobtaininganLDIFfile,youcanperformtheoperationsspecifiedby thefile,byusingtheLDIFDEcommand.Fromacommandprompt,typeldifde/?for usageinformation.ThetwomostimportantswitchesfortheLDIFDEcommandare: i.Turnsonimportmode.Withoutthisparameter,LDIFDEexportsinformation. ffilename.Thefilefromwhichtoimport,ortowhichtoexport.
Forexample,thefollowingcommandwillimportobjectsfromthefilenamed Newusers.ldf.
l d i f d e i fn e w u s e r s . l d f
Thecommandacceptsavarietyofmodificationsbyusingparameters.Themost
07/06/13
usefulparametersaresummarizedinthefollowingtable.
Command
Generalparameters i ffilename sservername cFromDNToDN
Usage
Importmode(Defaultisexportmode) Importorexportfilename Thedomaincontrollertobindtoforthequery ConvertoccurrencesofFromDNtoToDN.Forexample,thisisusefulwhenimporting objectsfromanotherdomain.
v jpath ?
Turnonverbosemode Logfilelocation Help
Exportspecificparameters dRootDN rFilter pSearchScope TherootoftheLDAPsearch.Thedefaultistherootofthedomain. LDAPsearchfilter.Thedefaultis(objectClass=*),meaningallobjects. Thescope,ordepth,ofthesearch.Canbesubtree(thecontainerandallchild containers),base(theimmediatechildobjectsofthecontaineronly),oronelevel(the containeranditsimmediatechildcontainers). llist Commaseparatedlistofattributestoincludeinexportforresultingobjects.Useful ifyouwanttoexportalimitednumberofattributes.
69/96
07/06/13
olist
Listofattributes(commaseparated)toomitfromexportforresultingobjects.Useful ifyouwanttoexportallbutafewattributes.
Importspecificparameters k IgnoreerrorsandcontinueprocessingifConstraintViolationorObjectAlreadyExists errorsappear.
Import Users with Windows PowerShell
TheActiveDirectoryModuleforWindowsPowerShellcanalsoutilizethe contentsofaCSVfiletoimportobjectsintoActiveDirectoryDomainServices. Twocmdletsareusedtoperformthistask:

07/06/13
ImportCSV.ThiscmdletcreatesobjectsfromCSVfilesthatcanthenbepiped intootherPowerShellcmdlets. NewADUser.Thiscmdletisusedtocreatetheobjectsthathavebeenimported fromtheImportCSVcmdlet.
Thefollowingexampleshowshowtousethesetwocmdletstocreatealargenumber ofuserswithspecificattributesinADDS.
I m p o r t C S VU s e r s . c s v|f o r e a c h{ N e w A D U s e rS a m A c c o u n t N a m e $ _ . S a m A c c o u n t N a m eN a m e$ _ . N a m eS u r n a m e$ _ . S u r n a m eG i v e n N a m e$ _ . G i v e n N a m eP a t h " O U = F i n a n c e , O U = U s e r A c c o u n t s , D C = F A B R I K A M , D C = C O M "A c c o u n t P a s s w o r d( C o n v e r t T o S e c u r e S t r i n gA s P l a i n T e x t $ _ . S a m A c c o u n t N a m eF o r c e )E n a b l e d$ t r u e }
Intheexample,theUsers.csvfileisimportedbyusingtheImportCSVcmdlet.Each entrywithintheUsers.csvfileisthenpassedtotheNewADUsercmdlet.Attributes arelistedandareprovidedbythematchingattributevaluesintheCSVfile.
Lab C: Automate User Account Creation

07/06/13
Lab Setup
72/96
07/06/13
4.
Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso
5. 6.
OpenWindowsExplorerandthenbrowsetoD:\Labfiles\Lab03c. RunLab03c_Setup.batwithadministrativecredentials.Usetheaccount Pat.Coleman_AdminwiththepasswordPa$$w0rd.
7. 8.
Thelabsetupscriptruns.Whenitiscomplete,pressanykeytocontinue. ClosetheWindowsExplorerwindow,Lab03c.
Lab Scenario
YouaretheadministratorofContoso,Ltd.,anonlineuniversityforadulteducation. Youarehiringseveralnewemployees.TheHumanResourcesdepartmenthas providedyouwithextractsfromtheirdatabase,inbothcommadelimitedtextformat andinLDIFformat.Youwanttoimportthosedatafilestocreateuseraccountsfor thenewhires.
Exercise 1: Export and Import Users with CSVDE

07/06/13
Inthisexercise,youwillusetheCSVDEcommandtoexportuserattributes andtocreatenewuseraccountsfromacommadelimitedtextfile. Themaintasksforthisexerciseareasfollows: 1. 2. ExportuserswithCSVDE. ImportuserswithCSVDE.
Task 1: Export users with CSVDE.
1.OpentheCommandPromptwithadministrativecredentials.Usetheaccount, Pat.Coleman_Admin,withthepassword,Pa$$w0rd. 2.Typethefollowingcommand,andthenpressEnter.

c s v d efD : \ L A B F I L E S \ L A B 0 3 C \ U s e r s N a m e d A p r i l . c s vr" ( n a m e = A p r i l * ) "l D N , o b j e c t C l a s s , s A M A c c o u n t N a m e , s n , g i v e n N a m e , u s e r P r i n c i p a l N a m e
3.OpenD:\LABFILES\LAB03C\UsersNamedApril.csvinNotepad. 4.Examinethefile,andthencloseit.
74/96
07/06/13
Task 2: Import users with CSVDE.
1.
OpenD:\LABFILES\LAB03C\NewUsers.csvwithNotepad.Examinethe informationabouttheuserslistedinthefile.
2.
Inthecommandprompt,typethefollowingcommandandthenpressEnter.
c s v d eifD : \ L a b f i l e s \ L A B 0 3 C \ N e w U s e r s . c s vk
Thetwousersareimported.
3.
RunActiveDirectoryUsersandComputerswithadministrativecredentials. Usetheaccount,Pat.Coleman_Admin,withthepassword,Pa$$w0rd. Confirmthattheuserswerecreatedsuccessfully. IfyouhavehadtheActiveDirectoryUsersandComputerssnapinopen duringthisexercise,youmighthavetorefreshyourviewtoseethenewly createdaccounts.
4.
Examinetheaccountstoconfirmthatfirstname,lastname,userprincipalname, andpreWindows2000logonnamearepopulatedaccordingtotheinstructions inNewUsers.csv.
75/96
07/06/13
5. 6. 7.
ResetthepasswordsofthetwoaccountstoPa$$w0rd. Enablethetwoaccounts. CloseNewUsers.csv.
Results:Inthisexercise,youexportedandimportedaccountsbyusingcsvde.
Exercise 2: Import Users with LDIFDE

SimilartoCSVDE,LDIFDEcanbeusedtoimportusers.TheLDIFfileformat, however,isnotatypicaldelimitedtextfile.Inthisexercise,youwilluse LDIFDEtoimporttwousers. Themaintaskforthisexerciseisasfollows: ImportuserswithLDIFDE.
Task 1: Import users with LDIFDE.
1.
OpenD:\LABFILES\LAB03C\NewUsers.ldfwithNotepad.Examinethe informationabouttheusersthatislistedinthefile.
76/96
07/06/13
2.
Typethefollowingcommand,andthenpressEnter.
l d i f d eifD : \ L a b f i l e s \ L A B 0 3 C \ N e w U s e r s . l d fk
Thetwousersareimported.
3.
InActiveDirectoryUsersandComputers,confirmthattheuserswere createdsuccessfully. IfyouhavehadtheActiveDirectoryUsersandComputerssnapinopen duringthisexercise,youmighthavetorefreshyourviewtoseethenewly createdaccounts.
4.
Examinetheaccountstoconfirmthatuserpropertiesarepopulatedaccordingto theinstructionsinNewUsers.ldf.
5. 6. 7.
ResetthepasswordsofthetwoaccountstoPa$$w0rd. Enablethetwoaccounts. CloseNewUsers.ldf.
77/96
07/06/13
Results:Inthisexercise,youimportedtheaccountsforBobbyMoore,andBonnie Kearney.
Exercise 3: Import Users by Using Windows PowerShell

Themaintaskforthisexerciseisasfollows: ImportuserswithPowerShell.
Task 1: Import users with PowerShell.
1.
OpenActiveDirectoryUsersandComputersandundercontoso.comcreatea neworganizationalunitnamedImportUsers.Ifpromptedforcredentials,use Contoso\AdministratorwiththepasswordofPa$$w0rd.CloseActive DirectoryUsersandComputerswhenyouarefinished
2.
OpenD:\LABFILES\LAB03C\ImportUsers.ps1withNotepad.Examinethe contentsofthefile.
3.
Nextto$impfile,changepathandfilenametocsvto D:\LABFILES\LAB03C\ImportUsers.csvandthensavethefile.
4.
OpentheActiveDirectoryModuleforWindowsPowerShellwithadministrative
78/96
07/06/13
credentials.UseCONTOSO\administratorwiththepasswordofPa$$w0rd. 5. Typethefollowingcommands,andthenpressEnteraftereachcommand.When promptedtochangetheexecutionpolicypressentertoacceptthedefaultoption ofY.

S e t E x e c u t i o n P o l i c yr e m o t e s i g n e d D : \ l a b f i l e s \ L a b 0 3 c \ i m p o r t u s e r s . p s 1
6. 7.
Atthepasswordprompt,typePa$$w0rd. OpenActiveDirectoryUsersandComputersandverifythattheuseraccounts havebeenimportedintotheImportUsersOU.
Results:Inthisexercise,youimporteduseraccountsbyusingPowerShell.
Lab Review Question Question:WhatscenarioslendthemselvestoimportinguserswithCSVDEand LDIFDE?
Lesson 4: Create and Configure Managed Service

07/06/13
Accounts
NoteThecontentinthislessononlyappliestoWindowsServer2008R2.
Onecommonissuethatmostorganizationsfaceishowtosecurelymanageaccounts usedfornetworkservices.Manyapplicationsuseservicesthatrequireanaccountfor servicestartupandauthentication.Justlikenormaluseraccounts,serviceaccounts alsoneedtobemanagedeffectivelytoensuresecurityandreliability.
Objectives
07/06/13
Aftercompletingthislesson,youwillbeableto: Describethechallengesofusingstandarduseraccountsforservices. Describewhatamanagedserviceaccountis. Configureandadministermanagedserviceaccounts.
Challenges of Using Standard User Accounts for Services
ManyapplicationssuchasMicrosoftSQLServerorMicrosoftExchangeServer containservicesthatareinstalledontheserverthathoststheapplication.These
07/06/13
servicestypicallyrunatserverstartuporaretriggeredbyotherevents.Servicesoften runinthebackgroundanddonotrequireanyuserinteraction. Foraservicetostartupandauthenticate,aserviceaccountisused.Aserviceaccount maybeanaccountthatislocaltothecomputer,suchasthebuiltinLocalService, NetworkService,orLocalSystemaccounts.Aserviceaccountmayalsobeconfigured touseadomainbasedaccountlocatedinADDS. Tohelpcentralizeadministration,manyorganizationschoosetouseadomainbased accounttorunapplicationservices.Thisdoesprovidesomebenefitoverusingalocal accounthowever,thereareanumberofassociatedchallenges,suchasthefollowing: Extraadministrationefforttosecurelymanagetheserviceaccountpassword.This includestaskssuchaschangingthepasswordandresolvingsituationsthatcause anaccountlockout.Serviceaccountsarealsotypicallyconfiguredtohave passwordsdonotexpire,whichmaygoagainstthesecuritypolicyofyour organization. Difficulttodeterminewhereadomainbasedaccountisbeingusedasaservice account.Astandarduseraccountmaybeusedformultipleservicesonvarious serversthroughouttheenvironment.Asimpletasksuchaschangingthepassword maycauseauthenticationissuesforsomeapplications.Itisimportanttoknow whereandhowastandarduseraccountisbeingusedwhenitisassociatedwithan applicationservice.
07/06/13
Extraadministrationefforttomanagetheserviceprincipalname(SPN).Usinga standarduseraccountmayrequiremanualadministrationoftheserviceprincipal name(SPN).Ifthelogonaccountoftheservicechanges,thecomputernameis changed,orifaDNShostnamepropertyismodified,theSPNregistrationsmay needtobemanuallymodifiedtoreflectthechange.AmisconfiguredSPNcauses authenticationproblemswiththeapplicationservice.
Tomeetthesechallenges,WindowsServer2008R2andWindows7introducesanew objectcalledamanagedserviceaccount(alsocalledvirtualserviceaccountsin Windows7).Thefollowingtopicsprovideinformationontherequirementsanduseof managedserviceaccountsinWindowsServer2008R2.
What Is a Managed Service Account?
83/96
07/06/13
Amanagedserviceaccountcanprovideanapplicationwithitsownuniqueaccount, whileeliminatingtheneedforanadministratortomanuallyadministerthecredentials forthisaccount. Managedserviceaccountsprovidethefollowingbenefitstosimplifyadministration: Automaticpasswordmanagement.Amanagedserviceaccountautomatically maintainsitsownpasswordincludingpasswordchanges. SimplifiedServicePrincipalName(SPN)management.SPNmanagementcanbe automaticallymanagedifyourADDSdomainisconfiguredattheWindowsServer 2008R2domainfunctionallevel.Forexample,ifthesamaccountpropertyofthe

07/06/13
computerischanged,oriftheDNShostnamepropertyismodified,themanaged serviceaccountSPNwillautomaticallybechangedfromtheoldnametothenew nameforallmanagedserviceaccountsonthecomputer.
Requirements for Using Managed Service Accounts

Touseamanagedserviceaccount,theserverthatrunstheserviceorapplication mustberunningWindowsServer2008R2.Youalsomustensurethatthe.NET Framework3.5.x,andtheActiveDirectoryModuleforWindowsPowerShellareboth installedontheserver. NoteAmanagedserviceaccountcannotbesharedbetweenmultiple computersorbe
usedinserverclusterswheretheserviceisreplicatedbetweennodes. TosimplifyandprovidefullautomaticpasswordandSPNmanagement,we recommendthattheADDSdomainbeattheWindowsServer2008R2functional level.However,ifyouhaveadomaincontrollerrunningWindowsServer2008or WindowsServer2003,youcanupdatetheActiveDirectoryschematoWindows Server2008R2,tosupportthisfeature.Theonlydisadvantageisthatthedomain administratormustmanuallyconfigureSPNdataforthemanagedserviceaccounts.
85/96
07/06/13
ToupdatetheschemainWindowsServer2008,WindowsServer2003,ormixed modeenvironments,youmustperformthefollowingtasks: 1. Runadprep/forestprepattheforestlevelandrunadprep/domainprepat thedomainlevel. 2. DeployadomaincontrollerrunningWindowsServer2008R2,WindowsServer 2008withtheActiveDirectoryManagementGatewayService,orWindowsServer 2003withtheActiveDirectoryManagementGatewayService.
NoteTheActiveDirectoryManagementGatewayServiceallows administratorswith
domaincontrollersrunningWindowsServer2003orWindowsServer2008to useWindowsPowerShellcmdletstomanagemanagedserviceaccounts.
Configure and Administer Managed Service Accounts
86/96
07/06/13
Afterthedomainandserverprerequisiteshavebeenset,youcanusethefollowing processtocreateamanagedserviceaccount: 1. Onthedomaincontroller,usetheActiveDirectoryModuleforWindows PowerShelltocreateanewmanagedserviceaccount.Thefollowingcommand canbeusedasanexampleofthebasecommand.

N e w A D S e r v i c e A c c o u n t[ S A M A c c o u n t N a m e< S t r i n g > ][ P a t h < S t r i n g > ]
2.
Installthemanagedserviceaccountontheserverthatcontainstheserviceor
87/96
07/06/13
application.Thefollowingcommandisrunonthelocalserver.
I n s t a l l A D S e r v i c e A c c o u n tI d e n t i t y< A D S e r v i c e A c c o u n t >
3.
Configuretheserviceorapplicationtousethemanagedserviceaccount.
WindowsPowerShellprovidesanumberofcmdletsthatcanbeusedtoadminister managedserviceaccounts.Managementtasksinclude: Findingmanagedserviceaccounts. Associatingorremovingmanagementserviceaccountsonacomputer. Installingamanagedserviceaccountonacomputer. Deletingamanagedserviceaccount. Resettingthepasswordofamanagedserviceaccount.
Lab D: Create and Administer Managed Service Accounts

07/06/13
Lab Setup
89/96
07/06/13
4.
Logonbyusingthefollowingcredentials: Username:Administrator Password:Pa$$w0rd Domain:Contoso
5.
Start6425CNYCSVR1.Donotlogonuntildirectedtodoso.
Lab Scenario
YouareanetworkadministratorforContoso,Ltd.Youhavebeenaskedtoimplement amanagedserviceaccountforanapplicationthatwillbeinstalledonNYCSVR1.For thisproject,youmustcompletethefollowingtasks: 1. Createamanagedserviceaccountcalled,App1_SVR1,andassignittoNYC SVR1. 2. InstalltheApp1_SRV1serviceaccountonNYCSVR1.
Exercise: Create and Associate a Managed Service Account

Youhavebeenaskedtocreateamanagedserviceaccountcalled, App1_SVR1,tobeusedbyanapplicationlocatedonNYCSVR1.
07/06/13
Themaintasksforthisexerciseareasfollows: 1. 2. UseWindowsPowerShelltocreateandassociateamanagedserviceaccount. Installamanagedserviceaccountonaserver.
NoteBecauseofthecomplexityofthePowerShellcommands,these stepsarethesameas
theLabAnswerkey.
Task 1: Use Windows PowerShell to create and associate a managed service account. 1. OnNYCDC1,opentheActiveDirectoryModuleforWindowsPowershell consolewithadministrativecredentials.Usetheaccount,Administrator,with thepassword,Pa$$w0rd. 2. Attheprompt,typethefollowingcommand,andthenpressEnter.
N e w A D S e r v i c e A c c o u n t N a m eA p p 1 _ S V R 1
91/96
07/06/13
3.
Attheprompt,typethefollowingcommand,andthenpressEnter.
A d d A D C o m p u t e r S e r v i c e A c c o u n t i d e n t i t yN Y C S V R 1 S e r v i c e A c c o u n tA p p 1 _ S V R 1
4.
G e t A D S e r v i c e A c c o u n tF i l t e r' N a m el i k e" * " '|F T N a m e , H o s t C o m p u t e r s A
5. 6.
VerifythattheApp1_SVR1serviceaccountisassociatedwithNYCSVR1. CloseallopenwindowsonNYCDC1.
Task 2: Install a managed service account on a server.
1. 2.
SwitchtotheNYCSVR1virtualmachine. LogontoNYCSVR1asContoso\Administrator,withthepassword, Pa$$w0rd.
3.
OpenServerManagerandinstalltheActiveDirectoryModuleforWindows PowerShell.ThisisfoundundertheRemoteServerInstallationToolsnode.
92/96
07/06/13
4.
ClickStart,pointtoAdministrativeTools,andthenclickActiveDirectory ModuleforWindowsPowerShell.TheAdministrator:ActiveDirectory ModuleforWindowsPowershellconsoleopens.
5.
I n s t a l l A D S e r v i c e A c c o u n tI d e n t i t yA p p 1 _ S V R 1
6. 7.
ClickStart,pointtoAdministrativeTools,andthenclickServices. IntheServicesconsole,rightclickDiskDefragmenter,andthenclick Properties.
NoteTheDiskDefragmenterserviceisjustusedasanexampleforthis lab.Inaproductionenvironment,youwouldusetheactualservicethat shouldbeassignedthemanagedserviceaccount.
8. 9.
IntheDiskDefragmenterPropertiesdialogbox,clicktheLogOntab. OntheLogOntab,clickThisaccount,andthentype Contoso\App1_SVR1$.
10. ClearthepasswordforboththePasswordandConfirmpasswordboxes. ClickOK.

07/06/13
11. ClickOKatallprompts. 12. ClosetheServicesconsole. 13. CloseallopenwindowsonNYCSVR1.
Results:Inthisexercise,youcreatedandinstalledamanagedserviceaccount.
To prepare for the next lab
Whenyoufinishthelab,revertthevirtualmachinestotheirinitialstate.Todothis, completethefollowingsteps:
1. 2.
Onthehostcomputer,startHyperVManager. Rightclick6425CNYCDC1intheVirtualMachineslist,andthenclick Revert.
3. 4.
IntheRevertVirtualMachinedialogbox,clickRevert. Repeatthesestepsfor6425CNYCSVR1.
94/96
07/06/13
Module Review and Takeaways
Review Questions
1. Whichadministrationtoolshouldyouusetocreateandmanageuseraccounts withinyourorganization? 2. Whichuseraccountattributeswillbeimportanttousewithinyournetwork environment?
95/96
07/06/13
Windows Server 2008 R2 Features Introduced in this Module

WindowsServer2008 R2feature
ActiveDirectoryModulefor WindowsPowerShell ManagedServiceAccounts UsedtorunActiveDirectorycmdletsforadministeringvariousAD DStasks UsedtoautomatepasswordandSPNmanagementforservice accountsusedbyapplicationsandservices
Description
96/96

Module 3 - Managing Users and Service Accounts

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Module 3 - Managing Users and Service Accounts

Încărcat de

Drepturi de autor:

Formate disponibile

07/06/13

Module 3: Managing Users and Service Accounts

Module 3: Managing Users and Service Accounts

Inthismodule,youwilllearntocreateandsupportuseraccounts.Useraccounts storedinActive DirectoryDomainServices(ADDS)arethefundamentalcomponentsofidentity. Becauseoftheirimportance,knowledgeofuseraccountsandthetasksrelatedto supportingthemarecriticalaspectsinadministeringtheaccountssuccessfullyina

Module 3: Managing Users and Service Accounts

Module 3: Managing Users and Service Accounts

Lesson 1: Create and Administer User Accounts

Module 3: Managing Users and Service Accounts

Auseraccountisthecornerstoneofidentityandaccess(IDA)inADDS.Consistent, efficient,andsecureprocessesregardingtheadministrationofuseraccountsare thereforethecornerstoneofenterprisesecuritymanagement.

Module 3: Managing Users and Service Accounts

resetandaccountunlock. Enableanddisableuseraccounts. Delete,move,andrenameuseraccounts.

Userobjectsareoftenreferredtoasuseraccounts.However,whenyoulookclosely, whatyouthinkofasanaccount(theusername,password,andperhapsthe securityidentifier(SID))isjustasubsetofattributesofauserobject.ActiveDirectory userobjectsincludenumerousattributesthatareeitheronlyindirectlyrelatedtothe

Module 3: Managing Users and Service Accounts

Module 3: Managing Users and Service Accounts

privileges,andpermissionsassignedtotheaccount. AlthoughActiveDirectoryaccountsarethefocusofthiscourse,accountscanalsobe storedinthelocalsecurityaccountsmanager(SAM)database,enablinglocallogon andaccesstolocalresources.Localuseraccountsare,forthemostpart,beyondthe scopeofthiscourse.

Create Users with Windows PowerShell

UsetheActiveDirectoryModuleforWindowsPowerShelltocreateobjectsinActive Directory.TheNewADUsercommandcreatesauserobjectandacceptsparameters thatspecifypropertiesoftheuser.Thefollowingcommandshowsthebasic

Module 3: Managing Users and Service Accounts

N e w A D U s e r N a m e< s t r i n g > S a m A c c o u n t N a m e< p r e W i n d o w s2 0 0 0 l o g o nn a m e >A c c o u n t P a s s w o r d( R e a d H o s t A s S e c u r e s t r i n g A c c o u n t P a s s w o r d ) E n a b l e d$ t r u e C h a n g e P a s s w o r d A t L o g o n $ t r u e

N e w A D U s e r N a m e A m yS t r a n d e S a m A c c o u n t N a m e" A m y S https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=5&FontSize=3&FontType=segoe 9/96

Module 3: Managing Users and Service Accounts

Demonstration: Create a User Object

Module 3: Managing Users and Service Accounts

Module 3: Managing Users and Service Accounts

New,andthenclickUser. 2. 3. IntheFirstnamebox,typetheusersfirstname. IntheInitialsbox,typetheusersmiddleinitial(s).

Module 3: Managing Users and Service Accounts

IntheUserlogonname(preWindows2000)box,enterthepreWindows 2000logonname,oftencalledthe"downlevel"logonname.IntheActive Directorydatabase,thenameforthisattributeissAMAccountName.

ClickNext. EnteraninitialpasswordfortheuserinthePasswordandConfirmpassword boxes.

10. SelectUsermustchangepasswordatnextlogon. Werecommendthatyoualwaysselectthisoptionsothattheusercancreatea newpasswordunknowntotheITstaff.Appropriatesupportstaffcanalways

Module 3: Managing Users and Service Accounts

resettheuserspasswordatafuturedateiftheyneedtologonastheuseror accesstheusersresources.Butonlyusersshouldknowtheirpasswordsona daytodaybasis. 11. ClickNext. 12. ReviewthesummaryandthenclickFinish.

Module 3: Managing Users and Service Accounts

Module 3: Managing Users and Service Accounts

Module 3: Managing Users and Service Accounts

OntheAccounttabofausersPropertiesdialogbox,youcanfindtheattributes thataredirectlyrelatedtothefactthatauserisasecurityprincipal,meaningthatitis anidentitytowhichpermissionsandrightscanbeassigned. Thefollowingtablesummarizestheaccountattributes.

Module 3: Managing Users and Service Accounts

Selectthischeckboxifyouwanttheusertochangethepasswordyou haveenteredthefirsttimeheorshelogson.Youcannotselectthis optionifyouhaveselectedPasswordNeverExpires.Selectingthisoption willautomaticallyclearthemutuallyexclusiveUserCannotChange Passwordoption.

Selectthischeckboxifyouhavemorethanonepersonusingthesame domainuseraccount(suchasGuest)ortomaintaincontroloveruser accountpasswords.Thisoptioniscommonlyusedtomanageservice accountpasswords.Youcannotselectthisoptionifyouhaveselected UserMustChangePasswordAtNextLogon.

Selectthischeckboxifyouneverwantthepasswordtoexpire.This optionwillautomaticallycleartheUserMustChangePasswordAtNext Logonsetting,becausethetwoaremutuallyexclusive.Thisoptionis commonlyusedtomanageserviceaccountpasswords.

Selectthischeckboxtodisabletheuseraccountforexample,when creatinganobjectforanewlyhiredemployeewhodoesnotyetneed accesstothenetwork.

Thisoption,whichstoresthepasswordinActiveDirectorywithoutusing itspowerful,nonreversibleencryptionhashingalgorithm,existsto supportapplicationsthatrequireknowledgeoftheuserpassword.Ifitis notabsolutelyrequired,donotenablethisoptionbecauseitweakens

Module 3: Managing Users and Service Accounts

User Account Management

Module 3: Managing Users and Service Accounts

Afteryouhavecreatedauseraccount,thereareanumberoftasksthatyouperform thatareconsideredAccountManagementtasks.Thesetasksmayincludethe following: Renamingauseraccount Resettingauserpassword Unlockingauseraccount Disablingorenablingauseraccount Movingauseraccount

Module 3: Managing Users and Service Accounts

Renaming a User Account

Module 3: Managing Users and Service Accounts

YoucanalsousetheSetADAccountPasswordPowerShellcommandtoreseta userspassword.Forexample,thefollowingcommandwillresetAmyStrandes password.

Module 3: Managing Users and Service Accounts

Unlocking a User Account

Yourlockoutpolicycandefineaperiodoftimeafterwhichalockoutaccountis automaticallyunlocked.Butwhenauseristryingtologonanddiscoversthatheor sheislockedout,itislikelyheorshewillcontactthehelpdeskforsupport. TounlockauseraccountintheActiveDirectoryUsersandComputerssnapin, performthefollowingsteps:

Module 3: Managing Users and Service Accounts

Rightclicktheuserobject,andthenclickProperties. ClicktheAccounttab. SelecttheUnlockAccountcheckbox.

WindowsServer2008alsoprovidestheoptiontounlockausersaccountwhenyou choosetheResetPasswordcommand. Tounlockauseraccountwhileresettingtheuser'spassword,performthefollowing step: IntheResetPassworddialogbox,selecttheUnlocktheusersaccountcheck box.

Module 3: Managing Users and Service Accounts

lockedout. TounlockauseraccountbyusingWindowsPowerShell,youcanusethefollowing command.

Disabling and Enabling User Accounts

Module 3: Managing Users and Service Accounts

Ifanaccountisalreadydisabled,theEnableAccountcommandwillappearwhenyou rightclicktheuser. TodisableorenableauseraccountwithWindowsPowerShell,usethefollowing cmdlets. EnableADAccountidentity<name> DisableADAccountidentity<name>

Moving a User Account

Deleting a User Account