CCRI CIS 101 - MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Chapter 3: Creating and Managing User Accounts

Objectives; Introduction to User Accounts; User Account Properties; Activity 3-1: Reviewing User Account Properties; The Account Tab of Properties; User Authentication; Authentication Methods; Interactive Authentication; Network Authentication; Authentication Protocols; Kerberos v5; Kerberos v5 (continued); NTLM; NTLM (continued); User Profiles; User Profile Folders and Contents; Local Profiles; Activity 3-2: Testing Local Profile Settings; Roaming Profiles; Activity 3-3: Configuring and Testing a Roaming Profile; Mandatory Profiles; Activity 3-4: Configuring a Mandatory Profile; Creating and Managing User Accounts; Active Directory Users and Computers; Activity 3-5: Creating User Accounts Using Active Directory Users and Computers; User Account Templates; Activity 3-6: Creating a User Account Template; Command Line Utilities; DSADD; Activity 3-7: Creating User Accounts Using DSADD; DSMOD; Activity 3-8: Modifying User Accounts Using DSMOD; DSQUERY; DSMOVE; DSRM; Bulk Import and Export; CSVDE; LDIFDE; Activity 3-9: Exporting Active Directory Users Using LDIFDE; Troubleshooting User Account and Authentication Issues; Account Policies; Password Policy; Account Lockout Settings; Kerberos Policy; Auditing Authentication; Resolving Logon Issues; Resolving Logon Issues (continued); Summary; Summary (continued)

Objectives
• Understand the purpose of user accounts
• Understand the user authentication process
• Understand and configure local, roaming, and mandatory user profiles
• Configure and modify user accounts using different methods
• Troubleshoot user account and authentication problems

Introduction to User Accounts
• A user account is an Active Directory object
• Represents information that defines a user with access to network (first name, last name, password, etc.)
• Required for anyone using resources on network
• Assists in administration and security
• Must follow organizational standards

User Account Properties
• Primary tool for creating and managing accounts is Active Directory Users and Computers
• Active Directory is extensible so additional tabs may be added to property pages
• Major account properties that can be set include:
  • General
  • Address
  • Account
  • Profile
  • Sessions

Activity 3-1: Reviewing User Account Properties
• Objective is to review properties of user accounts through main tabs of Active Directory Users and Computers
• Start → Administrative Tools → Active Directory Users and Computers → Users → AdminXX account → Properties
• Explore tabs and values as directed

The Account Tab of Properties

User Authentication
• The process by which a user's identity is validated
• Used to grant or deny access to network resources
• From a client operating system
  • Name, password, resource required
• In Active Directory environment
  • Domain controller authenticates
• In a workgroup
  • Local SAM database authenticates

Authentication Methods
• Two main processes
• Interactive authentication
  • User account information is supplied at log on
• Network authentication
  • User's credentials are confirmed for network access

Interactive Authentication
• The process by which a user provides a user name and password for authentication
• For domain logon, credentials compared to centralized Active Directory database
• For local logon, credentials compared to local SAM database
• In domain environments, users normally don't have local accounts

Network Authentication
• The process by which a network service confirms the identity of a user
• For a user who logs on to domain, network authentication is transparent
  • Credentials from interactive authentication valid for network resources
• A user who logs on to local computer will be prompted to log on to network resource separately

Authentication Protocols
• Windows Server 2003 supports two main authentication protocols:
  • Kerberos version 5 (Kerberos v5)
  • NT LAN Manager (NTLM)
• Kerberos v5 is primary protocol for Active Directory environments but is not supported on all client systems
• NTLM is primary protocol for older Microsoft operating systems

Kerberos v5
• Primary authentication protocol used in Active Directory domain environments
• Supported by Windows 2000, Windows XP, Windows Server 2003
• Protocol followed:
  • Log on request passed to Key Distribution Center (KDC), a Windows Server 2003 domain controller
  • KDC authenticates user and, if valid, issues a ticket-granting ticket (TGT) to client system

Kerberos v5 (continued)
  • When client requests a network resource, it presents the TGT to KDC
  • KDC issues a service ticket to client
  • Client presents service ticket to host server for network resource
• Every domain controller in Active Directory environment holds role of KDC
• Not all clients follow this protocol

NTLM
• A challenge-response protocol
• Used with operating systems running Windows NT 4.0 or earlier or with Windows 2000 or Server 2003 when necessary
• Protocol followed:
  • User logs in, client calculates cryptographic hash of password
  • Client sends user name to domain controller

NTLM (continued)
  • Domain controller generates random challenge and sends it to client
  • Client encrypts challenge with hash of password and sends to domain controller
  • Domain controller calculates expected value to be returned from client and compares to
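
The challenge-response exchange listed in the NTLM slides, with both sides shown, as an added example that is not part of the course material. SHA-256 and HMAC-SHA256 stand in for NTLM's own hash and response functions, and the class, function names and password are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def password_hash(password: str) -> bytes:
    # Stand-in for the NT hash; real NTLM does not use SHA-256 here.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Stand-in for "client encrypts challenge with hash of password".
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class DomainController:
    """Hypothetical DC that stores password hashes, never passwords."""

    def __init__(self, accounts: dict):
        self.hashes = {u: password_hash(p) for u, p in accounts.items()}
        self.pending = {}  # user name -> outstanding challenge

    def begin(self, username: str) -> bytes:
        # A fresh random challenge per attempt (8 bytes, as in NTLM).
        # Unknown users get one too, so the reply does not reveal
        # whether the account exists.
        challenge = secrets.token_bytes(8)
        self.pending[username] = challenge
        return challenge

    def verify(self, username: str, response: bytes) -> bool:
        challenge = self.pending.pop(username, None)  # single use
        stored = self.hashes.get(username)
        if challenge is None or stored is None:
            return False
        expected = client_response(stored, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

def logon(dc: DomainController, username: str, password: str) -> bool:
    pw_hash = password_hash(password)               # client hashes password
    challenge = dc.begin(username)                  # name sent, challenge returned
    response = client_response(pw_hash, challenge)  # client answers challenge
    return dc.verify(username, response)            # DC compares with expected

if __name__ == "__main__":
    dc = DomainController({"AdminXX": "Constructed-Passw0rd!"})
    print(logon(dc, "AdminXX", "Constructed-Passw0rd!"))
    print(logon(dc, "AdminXX", "wrong-password"))
```

The password itself never crosses the wire, and because each challenge is random and consumed on first use, a response recorded from one logon does not verify against a later one.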

