Creating and Managing Users

Server 2003 User Accounts
- Domain user accounts
- Local user accounts
- Built-in user accounts

2. Introduction to User Accounts
- A user account is an Active Directory object
- Used for user authentication
- Information that defines a user (first name, last name, password, etc.)
- Various configuration settings
- Required for anyone using resources on the network
- Assists in administration and security
- Must follow organizational standards

3. User Account Templates
- A user account that is pre-configured with common settings
- Can be copied to create new user accounts with pre-defined settings
- The new account is then configured with detailed individual settings

4. Local User Accounts
- Allow users to log on to and gain access to resources on the computer where they log in
- Created in the computer's security database
- Not replicated to domain controllers

5. Built-In User Accounts
- Administrator
  - Rename it
  - Create a new account with administrator privileges
  - runas /user:domain\username program
- Guest
  - Disabled by default

6. Naming Conventions
- The naming convention establishes how users are identified in the domain
- Several considerations:
  - User account naming
  - Password requirements: length, complexity, history, expiration
  - Account options: logon hours, computer restrictions, etc. (additional attributes require replication)

7. Logon Name
- Must be unique within the OU
- 20 characters max
- Certain characters are invalid
- Not case sensitive
- How will you deal with duplicates?
- Services may require an account name to run

8. Password Requirements
- Always assign a password for the Administrator account
- Determine whether the administrator or the users will control passwords
- Use passwords that are hard to guess
- Passwords can be up to 128 characters; a minimum length of eight characters is recommended
- Use both uppercase and lowercase letters, numerals, and valid non-alphanumeric characters

9. Creating and Managing User Accounts
- Standard tool is Active Directory Users and Computers
- Can be run from the command line (dsa.msc)
- Can add, modify, move, delete, and search for user accounts
- Can configure multiple objects simultaneously
- Also a number of command-line tools and utilities

10. Domain User Accounts
- Allow users to log on to the domain and gain access to resources anywhere on the network
- Created in an OU in the Active Directory store
- Replicated to all domain controllers

11. Creating Domain User Accounts

12. Overview of Modifying Properties
- A set of default properties is associated with each user account
- Properties defined for a domain user account can be used to search for users in the Active Directory store
- Several properties should be configured for each domain user account
- You can use the Active Directory Users And Computers snap-in to modify a domain user account
- You can use the Local Users And Groups snap-in to modify a local user account

13. Administering User Accounts
- Managing user profiles
- Modifying user accounts
- Creating home folders

14. User Account Properties
- Primary tool for creating and managing accounts is Active Directory Users and Computers
- Active Directory is extensible, so additional tabs may be added to property pages
- Major account properties that can be set include:
  - General: generic info about the user
  - Address: address info
  - Account: logon name, password options, logon hours
  - Profile: home directory, profile path, logon script
  - Sessions: Terminal Services configuration

15. The Account Tab of Properties

16. Creating Home Folders

17. User Authentication
- The process by which a user's identity is validated
- Used to grant or deny access to network resources
- From a client operating system: name, password, resource required (domain or local computer)
- In an Active Directory environment: the domain controller authenticates
- In a workgroup: the local SAM database authenticates

18. Authentication Methods
- Two main processes:
  - Interactive authentication: user account information is supplied in the Logon To dialog; smart card support
  - Network authentication: the user's credentials are confirmed for network access, e.g. when browsing for a resource

19. Authentication Protocols
- Windows Server 2003 supports two main authentication protocols:
  - Kerberos version 5 (Kerberos v5)
  - NT LAN Manager (NTLM)
- Kerberos v5 is the primary protocol for Active Directory environments but is not supported on all client systems
- NTLM is the primary protocol for older Microsoft operating systems

20. Kerberos

21. Kerberos Protocol
- Kerberos is the default authentication provider in Windows Server 2003 (the primary security protocol)
- Kerberos verifies the identity of the user and the integrity of the session data
- Kerberos operates as a trusted third party: it generates session keys and grants tickets for specific client/server sessions
- A ticket contains: session key, name, expiration, etc.

22. Features of the Kerberos Protocol
- Mature open standard
- Faster connection authentication (no pass-through required)
- Mutual authentication: authenticates both client and server (NTLM only authenticates the client)
- Delegation of authentication
- Transitive trust

23. Kerberos Terminology
- Principal: user, client or server
- Realm: security boundary
- Secret key: used to encrypt info between the KDC and the client; usually a hash of the user's password
- Session key: temporary encryption key used between principals
- Authenticator
- Key Distribution Center (KDC): every domain controller
- Privilege Attribute Certificate (PAC): contains the user's SID
- Ticket: allows the client to authenticate to a server
- Ticket Granting Ticket (TGT): contains a random session key

24. Domain Authentication and Resource Access
(Diagram: a Kerberos client, a Windows 2003 domain controller acting as KDC with the Authentication Service (AS) and Ticket Granting Service (TGS), and an application server, AppServ.)
1. Client requests a ticket for the TGS
2. KDC returns the TGT to the client
3. Client sends the TGT and a request for a ticket to AppServ
4. KDC returns a ticket for AppServ
5. Client sends the session ticket to AppServ
6. (Optional) AppServ sends confirmation of its identity to the client

25. Kerberos v5 Recap
- Logon request is passed to the Key Distribution Center (KDC), a Windows Server 2003 domain controller
- KDC authenticates the user and, if valid, issues a ticket granting ticket (TGT) to the client system
- When the client requests a network resource, it presents the TGT to the KDC
- KDC issues a service ticket to the client
- Client presents the service ticket to the host server for the network resource

26. Kerberos Policy
- Kerberos Policy Settings: on a domain controller in your domain, in Administrative Tools click Domain Security Policy, click Windows Settings, click Security Settings, click Account Policies, and then click Kerberos Policy
  - Enforce logon restrictions: Yes
  - Maximum lifetime that a user ticket can be renewed: 7 days
  - Maximum service ticket lifetime: 60 minutes
  - Maximum tolerance for synchronization of computer
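A compact model of the exchange in slides 24-25, with the 60-minute service ticket lifetime from slide 26 enforced by the application server. This is an added illustration, not code from the slides or from Windows: it stands in a JSON-plus-HMAC envelope for Kerberos encryption, and the clock-skew tolerance is an assumed value because the slide text is cut off before the number.

```python
import hashlib, hmac, json, secrets

SERVICE_TICKET_LIFETIME = 60 * 60   # slide 26: maximum service ticket lifetime, 60 minutes
CLOCK_SKEW = 5 * 60                 # assumed value; the slide text stops before the number

def secret_key(password):           # long-term secret key: a hash of the password (slide 23)
    return hashlib.sha256(password.encode()).digest()

def seal(key, obj):
    # Stand-in for Kerberos encryption: JSON plus HMAC tag; integrity and key binding only
    body = json.dumps(obj, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def unseal(key, blob):
    body, tag = blob.rsplit(b".", 1)
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).hexdigest().encode()):
        raise ValueError("wrong key or tampered message")
    return json.loads(body)

class KDC:                          # AS and TGS on a Windows 2003 domain controller
    def __init__(self, passwords):
        self.keys = {p: secret_key(pw) for p, pw in passwords.items()}
        self.tgs_key = secret_key("constructed-krbtgt-secret")   # protects TGTs
    def authenticate(self, user):                # steps 1-2: AS returns a TGT
        sk = secrets.token_hex(16)               # random session key carried in the TGT
        tgt = seal(self.tgs_key, {"user": user, "skey": sk})
        return tgt, seal(self.keys[user], {"skey": sk})   # opens only with the user's key
    def service_ticket(self, tgt, server, now):  # steps 3-4: TGS issues a ticket for AppServ
        t = unseal(self.tgs_key, tgt)            # an altered TGT is rejected here
        ssk = secrets.token_hex(16)
        ticket = seal(self.keys[server], {"user": t["user"], "skey": ssk,
                                          "exp": now + SERVICE_TICKET_LIFETIME})
        return ticket, seal(bytes.fromhex(t["skey"]), {"skey": ssk})

def app_server_accept(server_key, ticket, authenticator, now):
    # Steps 5-6: open the ticket with AppServ's own key, enforce lifetime (with skew), check authenticator
    t = unseal(server_key, ticket)
    if now > t["exp"] + CLOCK_SKEW: raise ValueError("service ticket expired")
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    if a["user"] != t["user"] or abs(now - a["time"]) > CLOCK_SKEW: raise ValueError("bad authenticator")
    return seal(bytes.fromhex(t["skey"]), {"time": a["time"]})   # mutual authentication

def domain_logon(kdc, user, password, server, logon_at, use_at):
    # Client side of slides 24-25; True once AppServ proves it holds the session key
    tgt, reply = kdc.authenticate(user)
    skey = bytes.fromhex(unseal(secret_key(password), reply)["skey"])   # wrong password fails here
    ticket, reply = kdc.service_ticket(tgt, server, logon_at)
    ssk = bytes.fromhex(unseal(skey, reply)["skey"])
    auth = seal(ssk, {"user": user, "time": use_at})
    proof = app_server_accept(kdc.keys[server], ticket, auth, use_at)   # AppServ's own key
    return unseal(ssk, proof)["time"] == use_at
```

The client never learns the KDC's or AppServ's long-term keys; it only ever opens the replies encrypted under its own key or under a session key it already holds, which is why a wrong password fails at the very first reply.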


St. Ambrose CSCI 450 - Creating and Managing Users
