Scribd Logo
Upload

Welcome to Scribd!

  • Microsoft Official Course: Managing User and Service Accounts

    Uploaded by

    Ram Arao
    5 views20 pages
    Module 4

    Original Title

    20411B_04

    Copyright

    © © All Rights Reserved

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Module 4

    Copyright:

    © All Rights Reserved
    Flag for inappropriate content
    5 views20 pages

    Microsoft Official Course: Managing User and Service Accounts

    Uploaded by

    Ram Arao
    Module 4

    Copyright:

    © All Rights Reserved
    Flag for inappropriate content
    of 20

    Microsoft Official Course

    Module 4

    Managing User and Service


    Accounts
    Module Overview

    • Automating User Account Management


    • Configuring Password-Policy and User-Account
    Lockout Settings
    • Configuring Managed Service Accounts
    Lesson 1: Automating User Account Management

    • Demonstration: Exporting Users Accounts with


    Comma-Separated Values Data Exchange Tool
    • Demonstration: Demonstration: Importing User
    Accounts with the Comma-Separated Values Data
    Exchange Tool
    • Demonstration: Demonstration: Importing User
    Accounts with LDIFDE
    • Demonstration: Demonstration: Importing User
    Accounts with Windows PowerShell
    Demonstration: Exporting Users Accounts with
    Comma-Separated Values Data Exchange Tool
    Export

    • CSVDE.exe

    Active Directory filename.csv

    • CSV (comma-separated value, or comma-delimited text)


    • Can be edited with simple text editors such as Notepad or
    Microsoft Office Excel

    • CSVDE.exe
    • csvde -f filename -d RootDN -p SearchScope -r Filter -l ListOfAttributes
    • RootDN. Start of export (default = domain)
    • SearchScope. Scope of export (Base,OneLevel,Subtree)
    • Filter. Filter within the scope (LDAP query language)
    • ListOfAttributes. Use the LDAP name
    Demonstration: Importing User Accounts with the
    Comma-Separated Values Data Exchange Tool

    • CSVDE.exe

    filename.csv Active Directory

    Import

    • CSVDE.exe
    • csvde –i -f filename [-k]
    • i. Import–default mode is export
    • k. Continue past errors (such as Object Already Exists)

    • Cannot import passwords, so users are created as


    disabled
    • Cannot modify existing users
    Demonstration: Importing User Accounts with LDIFDE
    Export

    • LDIFDE.exe

    filename.ldf Active Directory

    Import

    • LDAP Data Interchange Format (LDIF)

    • LDIFDE.exe
    • ldifde [-i] [-f filename] [-k]
    • i. Import–default mode is export
    • k. Continue past errors (such as Object Already
    Exists)

    • Cannot import passwords, so users are created as


    disabled
    • Can modify or remove existing users
    Demonstration: Importing User Accounts with
    Windows PowerShell
    Export

    • Windows
    PowerShell

    filename.csv Active Directory

    Import

    • Use the following cmdlets


    • Import-CSV
    • New-ADUser
    Lesson 2: Configuring Password-Policy and
    User-Account Lockout Settings

    • Understanding User-Account Policies


    • Configuring User Account Policies
    • What Are Password Settings Objects?
    • Configuring Password Settings Objects
    Understanding User-Account Policies

    • Set password requirements by using the


    following settings:
    • Enforce password history
    • Maximum password age
    • Minimum password age
    • Minimum password length
    • Password complexity requirements
    • Account lockout duration
    • Account lockout threshold
    Configuring User Account Policies

    • Local Security Policy account settings:


    • Configured with secpol.msc
    • Apply to local user accounts

    • Group Policy account settings


    • Configured with the Group Policy Management
    console
    • Apply to all accounts in AD DS and local accounts on
    computers joined to the domain
    • Can only be applied once, in Default Domain Policy
    • Take precedence over Local Security Policy settings
    What Are Password Settings Objects?

    • You can use fine-grained password policies to


    specify multiple password policies within a single
    domain

    • Fine-grained password policies:


    • Apply only to user objects (or inetOrgPerson objects)
    and global security groups
    • Cannot be applied to an OU directly
    • Do not interfere with custom password filters that you
    might use in the same domain
    Configuring Password Settings Objects

    • Windows Server 2012 provides two tools for


    configuring PSOs
    • Windows PowerShell cmdlets
    • New-ADFineGrainedPasswordPolicy
    • Add-FineGrainedPasswordPolicySubject

    • Active Directory Administrative Center


    • Graphical user interface
    • Uses Windows PowerShell cmdlets to create and manage PSOs
    Lesson 3: Configuring Managed Service Accounts

    • What Are The Challenges Of Using Standard User


    Accounts For Services?
    • What Is A Managed Service Account?
    • Demonstration: Demonstration: Configuring
    Managed Service Accounts by Using Windows
    PowerShell
    • What Are Group Managed Service Accounts?
    What Are the Challenges of Using Standard User
    Accounts For Services?
    • Challenges to using standard user accounts for
    services include:
    • Extra administration effort to manage the service
    account password
    • Difficulty in determining where a domain-based
    account is used as a service account
    • Extra administration effort to mange the SPN
    What Is A Managed Service Account?
    • Use to automate password and SPN
    management for service accounts used by
    services and applications
    • Requires a Windows Server 2008 R2 or Windows Server
    2012 server installed with:
    • .NET Framework 3.5.x
    • Active Directory module for Windows PowerShell

    • Recommended to run with AD DS configured at the


    Windows Server 2008 R2 functional level or higher
    • Can be used in a Windows Server 2003 or 2008 AD DS
    environment:
    • With Windows Server 2008 R2 schema updates
    • With Active Directory Management Gateway Service
    Demonstration: Configuring Managed Service
    Accounts by Using Windows PowerShell
    • In this demonstration, you will see how to:
    • Create the KDS root key for the domain
    • Create and associate a managed service account
    What Are Group Managed Service Accounts?

    • Group managed service accounts extend the


    capability of standard managed service
    accounts by:
    • Enabling an MSA to be used on more than one
    computer in the domain
    • Storing MSA authentication information on domain
    controllers

    • Group MSA requirements:


    • Must have at least one Windows Server 2012 domain
    controller
    • Must have a KDS root key created for the domain
    Lab: Managing User and Service Accounts

    • Exercise 1: Configuring Password-Policy and


    Account-Lockout Settings
    • Exercise 2: Creating and Associating a Managed
    Service Account

    Logon Information
    Virtual machine: 20411B-LON-DC1
    User name: Administrator
    Password: Pa$$w0rd

    Estimated time: 45 minutes


    Lab Scenario

    A. Datum is a global engineering and


    manufacturing company with its head office in
    London, UK. An IT office and data center is located
    in London to support the London office and other
    locations. A. Datum has recently deployed a
    Windows Server 2012 server and client
    infrastructure, and needs to implement changes to
    how user accounts are managed in the
    environment.
    Module Review and Takeaways

    • Review Questions
    • Real-world Issues and Scenarios
    • Tools
    • Common Issues and Troubleshooting Tips

    You might also like