
System and Network Administration

CHAPTER 2

User Management and Administration


Learning Objectives:
➢ At the end of the topic, the students will be able to:
• know the concepts of user management
• understand user registration, account policy and user support services
• create users and assign them to a group
• create user policy, rights and privileges
• demonstrate user and group registration and administration in Windows 2016 Server
User Management
• Without users, there would be few challenges in system administration.
• System administrators must cater to all needs, and ensure the stability and security of the system.
• This ranges from user registration and account policy to controlling users' resources, etc.

User registration
• For small organizations, user registration is a relatively simple matter.
• Users can be registered at a centralized location by the system manager, and made available to all of the hosts in the network by some sharing mechanism, such as a login server, distributed authentication service or by direct copying of the data.
User registration (continued)
• For larger organizations, with many departments, user registration is much more complicated.
• The need for centralization is often in conflict with the need for delegation of responsibility.
• It is convenient for autonomous departments to be able to register their own users, but it is also important for all users to be registered under the umbrella of the organization, to ensure unique identities for the users and flexibility of access to different parts of the organization.
Local and network accounts
• With a local account, a user has permission to use only the local host.
• With a network account, the user can use any host which belongs to a network domain.
• Users will need access to system resources wherever they are.
• It follows that they need distributed accounts.
Account policy
• Most organizations need a strict policy for assigning accounts and opening the system for users.
• Users are the foremost danger to a computing system, so the responsibility of owning an account should not be dealt out lightly.
Account policy (continued)
What should an account policy contain?

1. Rules about what users are allowed/not allowed to do.
2. Specifications of what mandatory enforcement users can expect, e.g. tidying of garbage files.
3. Any account policy should contain a clause about weak passwords. If weak passwords are discovered, it must be understood by users that their account can be closed immediately.
Password Policy
Configuration settings
◦ Password history and reuse
◦ Maximum password age
◦ Minimum password age
◦ Minimum password length
◦ Complexity requirements
◦ Encryption policy
Account Lockout Settings
Configuration settings
◦ Account lockout duration
◦ Account lockout threshold
◦ Reset account lockout counter after
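
An added example (not part of the original slides) that reads the domain's password and account lockout settings listed above and reports any that fall short of a baseline. The baseline numbers and the function name Test-AccountPolicy are assumptions for illustration; the cmdlet and its properties come from the ActiveDirectory PowerShell module.

```powershell
Import-Module ActiveDirectory   # RSAT ActiveDirectory module, domain-joined session

# ASSUMED baseline for illustration only; substitute your organization's policy.
$baseline = @{
    History = 24; MaxAgeDays = 365; MinAgeDays = 1; MinLength = 14
    LockoutThreshold = 10; LockoutMinutes = 15; ResetMinutes = 15
}

function Test-AccountPolicy {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    $f = [System.Collections.Generic.List[string]]::new()

    # Password policy settings
    if ($Policy.PasswordHistoryCount -lt $Baseline.History) {
        $f.Add("Password history: $($Policy.PasswordHistoryCount) remembered, baseline $($Baseline.History)") }
    # A maximum age of 0 means passwords never expire.
    $maxAge = $Policy.MaxPasswordAge.TotalDays
    if ($maxAge -eq 0 -or $maxAge -gt $Baseline.MaxAgeDays) {
        $f.Add("Maximum password age: $maxAge days, baseline $($Baseline.MaxAgeDays)") }
    if ($Policy.MinPasswordAge.TotalDays -lt $Baseline.MinAgeDays) {
        $f.Add("Minimum password age: $($Policy.MinPasswordAge.TotalDays) days, baseline $($Baseline.MinAgeDays)") }
    if ($Policy.MinPasswordLength -lt $Baseline.MinLength) {
        $f.Add("Minimum password length: $($Policy.MinPasswordLength), baseline $($Baseline.MinLength)") }
    if (-not $Policy.ComplexityEnabled) { $f.Add('Complexity requirements are disabled') }
    if ($Policy.ReversibleEncryptionEnabled) { $f.Add('Passwords are stored with reversible encryption') }

    # Account lockout settings
    if ($Policy.LockoutThreshold -eq 0) {
        $f.Add('Account lockout is disabled (threshold 0)')
    } else {
        if ($Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
            $f.Add("Lockout threshold: $($Policy.LockoutThreshold) attempts, baseline $($Baseline.LockoutThreshold)") }
        # In Group Policy a duration of 0 means "locked until an administrator
        # unlocks", so 0 is not flagged here.
        $minutes = $Policy.LockoutDuration.TotalMinutes
        if ($minutes -ne 0 -and $minutes -lt $Baseline.LockoutMinutes) {
            $f.Add("Lockout duration: $minutes minutes, baseline $($Baseline.LockoutMinutes)") }
        if ($Policy.LockoutObservationWindow.TotalMinutes -lt $Baseline.ResetMinutes) {
            $f.Add("Reset lockout counter after: $($Policy.LockoutObservationWindow.TotalMinutes) minutes, baseline $($Baseline.ResetMinutes)") }
    }
    return $f
}

$findings = @(Test-AccountPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Baseline $baseline)
if ($findings.Count -eq 0) { 'Domain account policy meets the baseline.' } else { $findings }
```

Kerberos policy settings are not returned by this cmdlet and have to be reviewed in the domain's Group Policy.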

Kerberos Policy
Configuration settings
◦ Enforce user logon restrictions
◦ Maximum lifetime for service ticket
◦ Maximum lifetime for user ticket
◦ Maximum lifetime for user ticket renewal
◦ Maximum tolerance for computer clock synchronization
Types of Users
Passive users
• Often use the system minimally, quietly accepting the choices which have been made for them.
Active users
• On the other hand, follow every detail of system development.
• They frequently find every error in the system and contact system administrators frequently, demanding upgrades of their favorite programs.
Controlling User Resources
► Disk quotas: Place fixed limits on the amount of disk space which can be used per user. The advantage of this is that the user cannot use more storage than this limit.
► CPU time limit: Some faulty software packages leave processes running which consume valuable CPU cycles to no purpose.
► Policy decisions: Users collect garbage. To limit the amount of it, one can specify a system policy which includes items of the form
Moving and Deleting Users
► When disk partitions become full, it is necessary to
move users from old partitions to new ones.
► Moving users is a straightforward operation, but it
should be done with some caution.
► A user who is being moved should not be logged in
while the move is taking place, or files could be copied
incorrectly.
► Users who leave an organization eventually need to be
deleted from the system.
► For the sake of certainty, it is often advisable to keep old accounts for a time in case the user actually returns, or wishes to transfer data to a new location.
Moving and Deleting Users (continued)
Then we have to remove the following:
⸎ Account entry from the password database.
⸎ Personal files.
⸎ E-mail and voice mail and mailing lists.
⸎ Removal from groups and lists (e.g. mailing lists).
⸎ Revocation of smartcards and electronic ID codes
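
An added example (not part of the original slides) of the two-stage removal described above for an Active Directory domain: disable the account and strip its group memberships when the user leaves, then list accounts for deletion once a retention period has passed. The 90-day period, the description stamp format, the function names and the account name jdoe are assumptions for illustration.

```powershell
Import-Module ActiveDirectory

$RetentionDays = 90   # ASSUMED retention period; the slides only say "for a time"

# Stage 1: the user has left. Keep the account but make it unusable.
function Disable-DepartedUser {   # hypothetical helper name
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    Disable-ADAccount -Identity $user

    # Stamp the date so stage 2 can tell how long the account has been disabled.
    # Note: this overwrites any existing Description value.
    $stamp = "Disabled $(Get-Date -Format 'yyyy-MM-dd') pending deletion"
    Set-ADUser -Identity $user -Description $stamp

    # Removal from groups and lists. MemberOf does not include the primary
    # group (normally Domain Users), which stays until the account is deleted.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }
}

# Stage 2: find disabled accounts whose stamp is older than the retention period.
function Get-ExpiredDisabledUser {   # hypothetical helper name
    param([int] $Days = $RetentionDays)

    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter 'Enabled -eq $false' -Properties Description |
        Where-Object {
            $_.Description -match '^Disabled (\d{4}-\d{2}-\d{2})' -and
            [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $cutoff
        }
}

Disable-DepartedUser -SamAccountName 'jdoe'   # constructed account name

# -WhatIf prints what would be deleted without deleting anything; remove it
# once the list has been reviewed.
Get-ExpiredDisabledUser | Remove-ADUser -WhatIf
```

Personal files, mailboxes and smartcard revocation live outside the directory and need their own steps.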
Computer usage policy
➢ Let us formulate a generic policy for computer users, the like of which one might expect company employees to agree to. Information Technology Policy Documents are becoming more widely used.
➢ Their practice has to be recommended, if only to make it clear to everyone involved what is considered acceptable behavior.
➢ Such documents could save organizations real money in lawsuits. The policy should include:
▪ What all parties should do in case of dismissal
▪ What all parties should do in case of security breach
▪ What are users’ responsibilities to their organization?
▪ What are the organization’s responsibilities to their users?
Introduction to User Accounts
➢ A user account is an Active Directory object
➢ Represents information that defines a user with access to network (first name, last name, password, etc.)
➢ Required for anyone using resources on network
➢ Assists in administration and security
➢ Must follow organizational standards
User Account Properties
➢ Primary tool for creating and managing accounts is Active Directory Users and Computers
➢ Active Directory is extensible so additional tabs may be added to property pages
➢ Major account properties that can be set include:
◦ General
◦ Address
◦ Account
◦ Profile
◦ Sessions
Activity 2-1: Reviewing User Account Properties
➢ Objective is to review properties of user accounts through main tabs of Active Directory Users and Computers
◦ Start → Administrative Tools → Active Directory Users and Computers → Users → AdminXX account → Properties
◦ Explore tabs and values as directed
The Account Tab of Properties
User Authentication
➢ The process by which a user’s identity is validated
➢ Used to grant or deny access to network resources
▪ From a client operating system
◦ Name, password, resource required
▪ In Active Directory environment
◦ Domain controller authenticates
▪ In a workgroup
◦ Local SAM database authenticates
Authentication Methods
❖ Two main processes
1. Interactive authentication
◦ User account information is supplied at log on
2. Network authentication
◦ User’s credentials are confirmed for network access
Interactive Authentication
❑ The process by which a user provides a user name and password for authentication
✓ For domain logon, credentials compared to centralized Active Directory database
✓ For local logon, credentials compared to local SAM database
✓ In domain environments, users normally don’t have local accounts
Network Authentication
❑ The process by which a network service confirms the identity of a user
➢ For a user who logs on to domain, network authentication is transparent
◦ Credentials from interactive authentication valid for network resources
➢ A user who logs on to local computer will be prompted to log on to network resource separately
User Profiles
➢ A collection of settings specific to a particular user
➢ Stored locally by default
◦ Do not follow user logging on to different computers
➢ Can create a roaming profile
◦ Does follow user logging on to different computers
➢ Administrator can create a mandatory profile
◦ User cannot alter it
User Profile Folders and Contents
Local Profiles
➢ New profiles are created from Default User profile folder
➢ User can change local profile and changes are stored uniquely to that user
➢ Administrator can manage various elements of profile
◦ Change Type
◦ Delete
◦ Copy
Activity 2-2: Testing Local Profile Settings
➢ Objective is to configure and test a local user profile
◦ Start → Administrative Tools → Active Directory Users and Computers → Users → New → User
◦ Follow directions to create a new user profile
◦ Explore and configure properties
◦ Test by logging in as new user
Roaming Profiles
➢ Roaming profiles
◦ Allow a profile to be stored on a central server and follow the user
◦ Provide advantage of a single centralized location (helpful for backup)
➢ Configured from Profiles page of Active Directory Users and Computers
➢ Changing a profile from local to roaming requires care – should copy first
Activity 2-3: Configuring and Testing a Roaming Profile
➢ Objective: To configure and test a roaming user profile
➢ Create a shared folder, copy a local profile to folder, and configure properties of user account to use roaming folder
➢ Follow directions in book to create, configure, and test the new roaming profile
Mandatory Profiles
➢ Local and roaming profiles allow users to make permanent changes
➢ Mandatory profiles allow changes only for a single session
➢ Local and roaming profiles can both be configured as mandatory
◦ ntuser.dat → ntuser.man
Activity 2-4: Configuring a Mandatory Profile
➢ Objective: To configure and test a mandatory user profile
➢ Start → My Computer
➢ Follow directions to make created test profile mandatory by renaming file
➢ Test that no permanent changes can be made by user
Creating and Managing User Accounts
➢ Standard tool is Active Directory Users and Computers
➢ Also a number of command line tools and utilities
Active Directory Users and Computers
➢ Available from Administrative Tools menu
➢ Can be added to a Microsoft Management Console
➢ Can be run from command line (dsa.msc)
➢ Graphical tool
◦ Can add, modify, move, delete, search for user accounts
➢ Can configure multiple objects simultaneously
Activity 2-5: Creating User Accounts Using Active Directory Users and Computers
➢ Objective: Use Active Directory Users and Computers to create user accounts
➢ Start → Administrative Tools → Active Directory Users and Computers
➢ Follow directions to create a number of new user accounts
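
An added example (not part of the original slides) showing the command-line counterpart of Activity 2-5: creating several user accounts with the ActiveDirectory PowerShell module and assigning each to a group. The user names, OU path, group name and UPN suffix are constructed placeholders.

```powershell
Import-Module ActiveDirectory

# CONSTRUCTED sample data; replace with values from your own domain.
$ouPath    = 'OU=Staff,DC=example,DC=com'
$groupName = 'Staff-Users'
$upnSuffix = 'example.com'
$newUsers  = @(
    @{ First = 'Alice'; Last = 'Example'; Sam = 'aexample' },
    @{ First = 'Bob';   Last = 'Sample';  Sam = 'bsample'  }
)

foreach ($u in $newUsers) {
    # Skip accounts that already exist so the script can be re-run safely
    # and so every user keeps a unique identity.
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'") {
        Write-Warning "$($u.Sam) already exists, skipping"
        continue
    }

    # The initial password is typed at the prompt and never stored in the script.
    $password = Read-Host -AsSecureString -Prompt "Initial password for $($u.Sam)"

    $params = @{
        Name                  = "$($u.First) $($u.Last)"
        GivenName             = $u.First
        Surname               = $u.Last
        SamAccountName        = $u.Sam
        UserPrincipalName     = "$($u.Sam)@$upnSuffix"
        Path                  = $ouPath
        AccountPassword       = $password
        ChangePasswordAtLogon = $true   # user must replace the initial password
        Enabled               = $true
    }
    New-ADUser @params

    # Assign the new account to its group.
    Add-ADGroupMember -Identity $groupName -Members $u.Sam
}
```

The initial password must satisfy the domain password policy, otherwise New-ADUser reports an error for that account.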
