Module 2: Setting Up User Accounts Contents Overview Introduction to User Accounts Requirements for New User Accounts Creating a Domain User Account 10 Setting Password Requirements 11 Lab A: Setting Up User Accounts 12 Setting Properties for User Accounts 16 Lab B: Setting Personal Properties 18 Lab C: Modifying User Accounts 24 Best Practices 26 Review 27 This course is a prerelease course and is based on Microsoft Windows 2000 Beta software Content in the final release of the course may be different than the content included in this prerelease version All labs in the course are to be completed using the Beta version of Microsoft Windows 2000 Advanced Server Information in this document is subject to change without notice The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted Complying with all applicable copyright laws is the responsibility of the user No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation If, however, your only means of access is electronic, permission to print one copy is hereby granted Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property  1999 Microsoft Corporation All rights reserved Microsoft, MS-DOS, MS, Windows, Active Directory, PowerPoint, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A and/or other countries The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted Other product and company names mentioned herein may be the trademarks of their respective owners Project Lead/Senior Instructional Designer: Red Johnston Instructional Designers: Tom de Rose (S&T OnSite), Meera Krishna (NIIT (USA) Inc.) Program Manager: Jim Cochran (Volt Computer) Lab Simulations Developers: David Carlile (ArtSource), Tammy Stockton (Write Stuff) Technical Contributor: Kim Ralls Graphic Artist: Julie Stone (Independent Contractor) Editing Manager: Tina Tsiakalis Editors: Wendy Cleary (S&T OnSite), Diana George (S&T OnSite) Online Program Manager: Nikki McCormick Online Support: Tammy Stockton (Write Stuff) Compact Disc Testing: ST Labs Production Support: Rob Heiret, Ismael Marrero, Mary Gutierrez (Wasser) Manufacturing Manager: Bo Galford Manufacturing Support: Mimi Dukes (S&T OnSite) Lead Project Manager, Development Services: Elaine Nuerenberg Lead Product Manager: Sandy Alto Group Product Manager: Robert Stewart Module 2: Setting Up User Accounts iii Introduction Presentation: 60 Minutes Labs: 45 Minutes This module provides students with the knowledge and skills that are necessary to set up new user accounts in an existing network Students learn about the different types of user accounts that they can create Then, the module introduces the requirements for creating new user accounts and the procedure to create new user accounts Finally, the module discusses the various properties that students can set for user accounts.There are three labs in this module In the first lab, students create new user accounts and set passwords for them In the second lab, students set the personal properties for user accounts, and in the third lab, students modify account properties for user accounts Materials and Preparation This section provides you with the materials and preparation needed to teach this module Materials To teach this module, you need the following materials: !" Microsoft® PowerPoint® file 1556A_02.ppt !" Module 2, “Setting Up User Accounts” Preparation To prepare for this module, you should: !" Read all the materials for this module !" Review the Delivery Tips and Key Points for each section and topic !" Complete the three labs !" Study the review questions and prepare alternative answers for discussion !" Anticipate questions that students may ask Write out the questions and provide answers to them iv Module 2: Setting Up User Accounts Module Strategy Use the following strategy to present this module: !" Introduction to User Accounts Provide an overview of the purpose of a user account and how it authenticates a user Then, introduce the different types of user accounts and explain the differences between them !" Requirements for New User Accounts Emphasize the importance of understanding the practices that are in place in the existing network in regard to creating user accounts Explain to students that they must follow the established guidelines to ensure the smooth running of the network To achieve this, they must familiarize themselves with the naming conventions, password requirements, and default account options for user accounts that are in use on the network !" Creating a Domain User Account Demonstrate the procedure to invoke Active Directory Users and Computers to create user accounts Explain the requirements of the various fields in the Create New Object (User) dialog box !" Setting Password Requirements Demonstrate how to set a password and explain the different options in the Create New Object (User) dialog box The labs associated with this module are in a proposed new format Remind students to complete the lab survey on the Student Materials Web page when they have completed the course !" Setting Properties for User Accounts Explain the purpose of specifying personal properties, and instruct the students to work through the exercises in Lab B, “Setting Personal Properties,” where they will set personal properties for some of the user accounts that they created in Lab A After students complete the lab, introduce the account options that they can set to ensure the security of the network Explain the procedure to set account properties, the logon hours for users, the computers from which they can log on, and how to control access to the network from a remote location !" Best Practices Read the Best Practices section before you start the module, and then refer to the appropriate practice as you teach the corresponding module section Then, at the end of the module, summarize all of the best practices for the module Module 2: Setting Up User Accounts v Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on the student computers during the labs This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware Important The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1556A, Administering Microsoft Windows 2000 Lab Setup The labs in this module require that the Users group have the Log on locally right To prepare the student computers to meet this requirement, from the Trainer Materials compact disc, run the LRights.cmd script on each domain controller in each child domain Lab Results Performing the labs in this module introduces the following configuration changes: !" The assignment of the Log on locally right to the Users group !" The addition of x-user1 in the Users organizational unit (OU) (where x is the first letter of the student’s computer name) !" The addition of x-user2 in the Users OU (where x is the first letter of the student’s computer name) !" The addition of x-user3 in the Users OU (where x is the first letter of the student’s computer name) !" The addition of x-user4 in the Users OU (where x is the first letter of the student’s computer name) !" The addition of x-user5 in the Users OU (where x is the first letter of the student’s computer name) This page intentionally left blank Module 2: Setting Up User Accounts Overview Slide Objective To provide an overview of the module topics and objectives ! ! Creating a Domain User Account ! Setting Password Requirements ! Setting Properties for User Accounts ! In this module, you will learn about Windows 2000 user accounts, which include domain user accounts, local user accounts, and built-in user accounts Requirements for New User Accounts ! Lead-in Introduction to User Accounts Best Practices As an administrator, you need to provide all users with access to various network resources For this purpose, you will create user accounts to identify and authenticate the users so that they can access the network In this module, you will learn about creating user accounts and setting properties for them At the end of this module, you will be able to: !" Describe the role and purpose of user accounts !" Determine the requirements for a new user account !" Create domain user accounts !" Set properties for user accounts !" Apply best practices for setting up user accounts Module 2: Setting Up User Accounts # Introduction to User Accounts Slide Objective To introduce the role and purpose of user accounts Lead-in The types of user accounts that you can create are domain user accounts and local user accounts Windows 2000 provides built-in user accounts to aid in performing administrative tasks or to allow users to gain access to resources Delivery Tip This section provides an introduction to different types of user accounts Prepare students for the topics by providing the following key point information Key Points Domain user accounts allow users to log on to a domain to gain access to network resources Local user accounts allow users to log on only to the local computer and access resources on it Built-in user accounts are provided to perform administrative tasks and gain temporary access to the network ! Domain User Accounts ! Local User Accounts ! Built-in User Accounts A user account provides a user with the ability to log on to the domain to gain access to network resources, or to log on to a local computer to gain access to resources on that computer You will create a user account for each person who uses the network regularly Microsoft® Windows® 2000 provides two types of user accounts: domain user accounts and local user accounts With a domain user account, a user can log on to the domain to gain access to network resources With a local user account, a user can log on to a specific computer to gain access to resources on that computer Windows 2000 also provides built-in user accounts, which you use to perform administrative tasks or to gain access to network resources Module 2: Setting Up User Accounts Domain User Accounts Slide Objective To describe domain user accounts ! Provides Access to Network Resources Lead-in ! Created on a Domain Controller Domain user accounts provide users with access to network resources in a domain Domain Controller Domain Controller Dom ain Use A cc r oun t Domain Domain User Domain User Delivery Tip The time that it takes for replication to occur may prevent a user from logging on immediately by using a newly created user account Key Point Domain user accounts allow users to log on to the domain and gain access to resources anywhere on the network Active Directory Active Directory Network Resources Network Resources Access Access Domain user accounts allow users to log on to a domain and gain access to resources anywhere on the network You create a domain user account on a domain controller During the logon process, the user provides the user name and password The first available domain controller uses this information to validate the user and then replicates the new user account information to all domain controllers in the domain After Windows 2000 replicates the new user account information, any of the domain controllers in the domain tree can authenticate the user during the logon process Also, when the user tries to gain access to a resource on the network, the first available domain controller can revalidate the user Each user account that you create has a unique, non-reusable identifier, called the security identifier (SID) Windows 2000 uses the SID internally to identify the user to the system Important It may take a few minutes to replicate the domain user account information to all of the domain controllers This delay may prevent a user from logging on immediately by using the newly created domain user account By default, replication of Active Directory™ directory service information occurs automatically, every five minutes Module 2: Setting Up User Accounts Local User Accounts Slide Objective To describe local user accounts Lead-in Local user accounts provide users with access to resources on the local computer where you create the user account ! Provides Access to Resources on the Local Computer ! Create Only on Computers That Are Not in a Domain ! Created in the Local Security Database Local User Account Local Security Database Local User Local User Key Point Local user accounts allow users to log on at and gain access to resources only on the computer where you create the local user account Local user accounts allow users to log on and gain access to resources only on the computer where you create the local user account You can create local user accounts on member servers and computers running Windows 2000 Professional, but not on computers that are domain controllers A local user account is used only in a smaller environment such as a workgroup or on stand-alone computers that are not networked When you create a local user account, Windows 2000 does not replicate the local user account information to domain controllers This is why you cannot use local user accounts to gain access to resources on other computers After the local user account is created, the computer uses its local security database to authenticate the local user account, which allows the user to log on to that computer Using the local user account, the user can access resources that are available only on the local computer 14 Module 2: Setting Up User Accounts Exercise 1: Creating Domain User Accounts Scenario: Your company has hired several new employees, and you need to create user accounts for the new employees so that they can log on and access resources in the domain You will be using the table from the previous page to define the accounts Your Tasks: Using Active Directory™ Users and Computers, you will create the new user accounts Task Detail Log on to Windows 2000 as Administrator, start Active Directory Users and Computers, and then go to the Users Folder Log on to Windows 2000 as Administrator (with a password of password) Click the Start button, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers Expand DomainName.Nwtraders.msft (where DomainName is the name of your domain), and then select the Users folder In the Users folder, create a new user named ComputerName One (where ComputerName is the name of your computer) by using the User Account Information table Add First Name, Last Name, and User Logon Name Right-click Users, point to New, and then select User Windows 2000 displays the Create New Object – (User) dialog box In the First name box, type ComputerName (where ComputerName is the name of your computer) In the Last name box, type one In the User logon name box, type x-user1 (where x is the first letter of your computer name, such as v-user1 for Vancouver) In the box next to @nwtraders.msft, select your domain (i.e @DomainName.nwtraders.msft) The box to the right of the User logon name box should read @YourDomain.nwtraders.msft Assign the password from the table to x-user1 Click Next to continue Windows 2000 displays the Create New Object – (User) dialog box, prompting you to supply password options and restrictions In the Password and Confirm password boxes, type the password or leave these boxes blank if you are not assigning a password As you type the password, why asterisks appear instead of characters? This is a security measure that prevents onlookers from viewing the password as you type _ _ Set the Password options from the table for x-user1 Select the User must change password at next logon check box, if appropriate Select the User cannot change password check box, if appropriate Note: In high-security environments, you should assign random initial passwords to user accounts and then require users to change their passwords the next time that they log on This prevents a user account from existing without a password, and after the user logs on and changes the password, only the user knows the password Module 2: Setting Up User Accounts 15 What are the results of selecting both the User must change password at next logon and User cannot change password check boxes? Why? Windows 2000 displays a warning box with the following message: “You cannot check both ‘User must change password at next logon’ and ‘User cannot change password’ for the same user.” The User cannot change password option is cleared The next time that the user attempts to log on, the user would be prompted to change the password and cannot log on until the password has been changed However, Windows 2000 will not allow the user to change the password, so the user would not be able to log on successfully _ _ Under what circumstances would you select the Account disabled check box while you create a new user account? Answers may vary A possible answer is: This account is for a user who has not yet started work at the company _ _ Finish the Create New Object wizard Select Next Verify that the user account options are correct, and then click Finish If anything is incorrect, you can click the Back button to make changes There may be a slight delay while the system creates the account Create the remaining user accounts from the table Complete the steps for the remaining user accounts from the worksheet Close Active Directory Users and Computers, and log off Windows 2000 Close Active Directory Users and Computers, and log off Windows 2000 16 Module 2: Setting Up User Accounts # Setting Properties for User Accounts Slide Objective To introduce setting properties for user accounts Lead-in After you have created a user account, you may need to make changes to the default properties for the user account Delivery Tip This section explains the various properties you can set for user accounts Prepare students for the topics by providing the following key point information Key Points The more information you enter into the account properties, the easier it is to search for the user account in Active Directory It is good practice to set an expiration date for accounts of temporary employees Set user logon hours and the computers from which users can log on to control access to network resources Configure dial-up settings to controls access to the network from a remote location ! Setting Personal Properties ! Setting Account Properties ! Setting Logon Hours ! Setting the Computers from Which Users Can Log On ! Configuring Dial-up Settings A set of default properties is associated with each domain user account that you create You can use the properties that you define for a domain user account to search for users in Active Directory For this reason, you should provide detailed property definitions for each domain user account that you create For example, you can search for a person by a telephone number, office location, manager’s name, or last name After you create a domain user account, you can configure personal and account properties, logon options, and dial-up settings Module 2: Setting Up User Accounts 17 Setting Personal Properties Slide Objective To explain why it is important to complete the personal properties options and to explain how to set personal properties ! Add Personal Information About Users Lead-in ! Use Personal Properties to Search Active Directory You need to complete all of the personal property options so that you can locate user accounts in Active Directory Amy Jones Properties Telephone/Notes Telephone/Notes General Delivery Tip Demonstrate the procedure to open the Properties dialog box by using Active Directory Users and Computers Do not spend a lot of time demonstrating how to enter the properties in this dialog box Ask students how they would use the different properties in their organizations and how the properties would benefit them Active Directory Organization Organization Address Address Account Account Member Of Member Of General General The most common tabs in the Properties dialog box that contain information about each user account are General, Address, Telephone/Notes, and Organization Completing the properties on each of these tabs enables you to locate user accounts in Active Directory For example, if all of the properties on the Address tab are complete, you can locate the user by using the street address The following table describes the four tabs listed above General Use this tab to document the user’s name, description, office location, telephone number, e-mail alias, and home page information Address Use this tab to document the user’s street address, post office box, city, state or province, postal zip code, and country Use this tab to document the user’s home, pager, mobile, fax, and Internet Protocol (IP) telephone numbers, and to add comments Organization You need to provide the values for personal properties so that users and administrators can use Active Directory to locate other user accounts Description Telephone/Notes Key Point Tab Use this tab to document the user’s title, department, company manager, and direct reports To set personal properties, open Active Directory Users and Computers, select the domain, and then click the appropriate folder to view available domain user accounts Right-click the appropriate domain user account, and then click Properties Choose the appropriate tab for the personal properties that you want to enter or change, and then enter values for each property 18 Module 2: Setting Up User Accounts Lab B: Setting Personal Properties Slide Objective To introduce the lab Lead-in In this lab, you will set personal properties for user accounts Delivery Tip Explain the lab objectives Review the lab answers Objectives After completing this lab, you will be able to: !" Modify user account properties Prerequisites Before working on this lab you should have: !" Knowledge about domains !" Knowledge about domain user accounts !" Experience logging on to and off Microsoft® Windows® 2000 Lab Setup To complete this lab, you need the following: !" The following user account information User Account Information First name Last name Title Department ComputerName One Manager Accounting ComputerName Two Lead Training ComputerName Three Manager Customer Support ComputerName Four Manager Training ComputerName Five Lead Accounting Estimated time to complete this lab: 15 minutes Module 2: Setting Up User Accounts 19 Exercise 1: Adding Additional Properties Scenario: You need to enter additional information about your users so that searching for users within Active Directory™ directory service is more intuitive Your company has many employees that reside in different cities, and you would like to be able to search for users by department Your Tasks: In this exercise, you will add the additional properties for each of the employees from the preceding table Task Detail Log on to Windows 2000 as Administrator (with a password of password) Log on to Windows 2000 as Administrator (with a password of password) In the Users folder in Active Directory Users and Computers, open the properties for user ComputerName One (where ComputerName is the name of your computer) Open Active Directory Users and Computers, and maximize the window Expand DomainName.nwtraders.msft, and select the Users folder Right-click ComputerName One (where ComputerName is the name of your computer), and then click Properties What information has been entered for the user? The user information that was entered when the user was created: First Name, Last Name, and Display Name _ _ Enter the additional properties from the table for ComputerName One Click the Organization tab Next to Title, type Manager Next to Department, type Accounting Click OK Add the additional properties for the rest of the users from the table Repeat the preceding steps for the rest of the users until the additional information has been entered Is it a good idea to add the additional information for the user accounts? Why or why not? Yes, adding as much information as possible for the user accounts makes finding them easier and more intuitive Also, other applications that can query Active Directory can use the information (Microsoft Exchange, for example) _ _ Close Active Directory Users and Computers, and log off Windows 2000 Close Active Directory Users and Computers, and log off Windows 2000 20 Module 2: Setting Up User Accounts Setting Account Properties Slide Objective To explain how to set account properties for domain user accounts Lead-in Use the Account tab to set account properties for domain user accounts Judy Lew Properties Judy Lew User User Two User User Three User Four User Five Add members to a Group User SixAdd members to a Group Disable Account Disable Account Reset Password… Reset Password… Move… Move… Open home page Open home page Send mail Send mail Telephone/Notes Organization Member Of Dial-in Account General Address Profile User logon name:1 Judyl nwtraders.msft Downlevel logon name: NWTRADERS\ Logon Hours Logon To Account locked out Account options: All Tasks All Tasks Delete Delete Rename Rename Refresh Refresh Properties Properties Properties User must change password at next logon User cannot change password Password never expires Save password as encrypted clear text Account expires Never Help Help End of: Saturday , OK Delivery Tip Demonstrate how to set properties for domain user accounts Point out the domain user account options that are the same for the Account tab and the Create New Object – (User) dialog boxes May 01, 1999 Cancel Apply Use the Account tab in the Properties dialog box to set options for a domain user account The Account options box provides a number of settings from which you can choose Also, you can use the Account tab to set an expiration date for a user account This is the date on which Windows 2000 will automatically disable the user account To set an account expiration date, open the Properties dialog box, and, on the Account tab, under Account Expires, select the End of option Type the expiration date, and then click OK Module 2: Setting Up User Accounts 21 Setting Logon Hours Slide Objective To explain how to restrict logon hours for a domain user account Logon Hours for Judy Lew 10.12 10.12 12 Lead-in To set logon hours for a domain user account, select the days of the week and time for each day that you not want the user to be able to log on OK Cancel Sunday Monday Tuesday Wednesday Logon Permitted Logon Denied Thursday Friday Saturday Delivery Tip Demonstrate how to change logon hours for a domain user account Key Point Connections to network resources on the domain are not disconnected when the user’s logon hours expire However, the user will not be able to make any new connections Set logon hours to control when a user can log on to the domain Restricting logon hours limits the hours during which users can explore the network By default, Windows 2000 permits access for all hours on all days You may want to allow users to log on only during working hours Setting logon hours reduces the amount of time that the account is open to possible misuse To set logon hours: In the Properties dialog box, on the Account tab, click Logon Hours A blue box indicates that the user can log on during the hour A white box indicates that the user cannot log on To allow or deny access: • Select the rectangles on the days and hours that you want to deny access, click the start time, drag to the end time, and then click Logon Denied • Select the rectangles on the days and hours that you want to allow access, click the start time, drag to the end time, and then click Logon Permitted The days and hours for which you have allowed access are now blue Click OK Note Connections to network resources on the domain are not terminated when the user’s logon hours expire However, the user will not be able to make new connections to other computers in the domain 22 Module 2: Setting Up User Accounts Setting the Computers from Which Users Can Log On Slide Objective To explain how to specify the computers from which a user can log on Lead-in By default, a user can log on to the domain from any computer in the network ? Judy Lew - Logon Workstations User may log on to all workstations Default Default User may log on to these workstations: Enter the computer’s NetBIOS name: Brisbane Add Perth Remove Change Note: the NetBIOS protocol is needed for this feature Close Key Point You can specify the computers from which a user can log on You cannot specify the computers from which a user cannot log on Cancel Setting logon options for a domain user account allows you to control the computers from which a user can log on to the domain By default, each user can log on from all computers in the domain Setting the computers from which a user can log on prevents users from accessing another user’s data that is stored on that user’s computer To specify the computers from which a user can log on, open the Properties dialog box, and, on the Account tab, click Logon To Select the option that specifies the computers from which a user can log on Add the computers from which a user can log on by selecting the names of the computer accounts in Active Directory and clicking the Add button When you are done, click the Close button Note To restrict access to a computer, network basic input/output system (NetBIOS) over Transmission Control Protocol/Internet Protocol (TCP/IP) must be enabled Check with the network administrator about whether this has been done Enabling NetBIOS helps Windows 2000 to determine the computer from which a user logs on Module 2: Setting Up User Accounts 23 Configuring Dial-up Settings Slide Objective User1 Properties To explain why to configure dial-up settings and to show how to so General Address Account Profile Telephones/Notes Organization Dial-in Member Of Environment Timeouts Remote Access Permission (Dial-in or VPN) Allow access Lead-in Deny access User Can Work User Can Work Remotely by Remotely by Using Dial-Up Using Dial-Up Connections Connections You can configure dial-up settings to determine how a user can use dial-up connections to gain access to the network from a remote location Control access through Remote Access Policy Setup Verify Caller-ID: Callback Options No Callback Set by Caller (RAS only) Always Callback to: Assign Static IP Address Apply Static Routes Define routes to enable for this Dial-in connection OK Delivery Tip Demonstrate the procedures to configure dial-up settings for a user account by using Active Directory Users and Computers Key Point Configuring dial-up settings for a user account enables a user to use a dial-up connection to make a connection to a RAS server Static Routes Cancel Apply Configuring dial-up settings for a user account permits you to control how a user connects to the network from a remote location To access the network, the user dials in to a computer running Remote Access Service (RAS) Important In addition to configuring dial-up settings and having RAS on the server to which the user is dialing in, you must set up a dial-up connection for the server on the client computer Set up a dial-up connection by using the Network Connection wizard from Network Connections in My Computer Configure dial-up settings on the Dial-in tab of the Properties dialog box The following table describes the options for setting up a dial-up connection Option Description Allow access, Deny access or Control access through Remote Access Policy The default setting is Control access through Remote Access Policy It allows you to control remote access through a remote access policy that is configured to apply to all users at the same time However, you can override this policy on a per-user basis by selecting the Allow Access or Deny Access option Verify Caller-ID A telephone number that the user must use to dial in In the box, type the telephone number Callback Options The callback method Options include: No Callback The RAS server will not call the user back and the user pays the telephone charges This is the default Set by Caller (RAS only) The user provides the telephone number for the RAS server to call back The organization that owns the RAS server incurs the telephone charges for the session Always Callback to The RAS server uses the specified number to call the user back The user must be at the specified telephone number to make a connection to the server Use this option in a high security environment 24 Module 2: Setting Up User Accounts Lab C: Modifying User Accounts Slide Objective To introduce the lab Lead-in In this lab, you will set restrictions on logon hours, configure account expirations, and test the user accounts that you create Delivery Tip Explain the lab objectives Review the lab answers Ask students if they encountered any problems during the lab Objectives After completing this lab, you will be able to: !" Modify user account properties Prerequisites Before working on this lab you should have: !" Knowledge about domains !" Knowledge about domain user accounts !" Experience logging on to and off Microsoft® Windows® 2000 Lab Setup To complete this lab, you need the following: !" The following user account information User Account Information First name Last name Title Department ComputerName One Manager Accounting ComputerName Two Lead Training ComputerName Three Manager Customer Support ComputerName Four Manager Training ComputerName Five Lead Accounting Estimated time to complete this lab: 15 minutes Module 2: Setting Up User Accounts 25 Exercise 1: Adding Additional Properties Scenario: You need to enter additional information about your users so that searching for users within Active Directory™ directory service is more intuitive Your company has many employees that reside in different cities, and you would like to be able to search for users by department Your Tasks: In this exercise, you will add the additional properties for each of the employees from the preceding table Task Detail Log on to Windows 2000 as Administrator (with a password of password) Log on to Windows 2000 as Administrator (with a password of password) In the Users folder in Active Directory Users and Computers, open the properties for user ComputerName One (where ComputerName is the name of your computer) Open Active Directory Users and Computers, and maximize the window Expand DomainName.nwtraders.msft, and select the Users folder Right-click ComputerName One (where ComputerName is the name of your computer), and then click Properties What information has been entered for the user? The user information that was entered when the user was created: First Name, Last Name, and Display Name _ _ Enter the additional properties from the table for ComputerName One Click the Organization tab Next to Title, type Manager Next to Department, type Accounting Click OK Add the additional properties for the rest of the users from the table Repeat the preceding steps for the rest of the users until the additional information has been entered Is it a good idea to add the additional information for the user accounts? Why or why not? Yes, adding as much information as possible for the user accounts makes finding them easier and more intuitive Also, other applications that can query Active Directory can use the information (Microsoft Exchange, for example) _ _ Close Active Directory Users and Computers, and log off Windows 2000 Close Active Directory Users and Computers, and log off Windows 2000 26 Module 2: Setting Up User Accounts Best Practices Slide Objective To present best practices for creating user accounts Rename the Administrator Account Rename the Administrator Account Lead-in Create a User Account with Administrative Rights Create a User Account with Administrative Rights Review this checklist before you set up user accounts Create a User Account for Non-Administrative Tasks Create a User Account for Non-Administrative Tasks Enable the Guest Account Only in Low Security Networks Enable the Guest Account Only in Low Security Networks Create Random Initial Passwords Create Random Initial Passwords Require New Users to Change Their Passwords Require New Users to Change Their Passwords Set Account Expiration Dates for Temporary Employees Set Account Expiration Dates for Temporary Employees Consider the following best practices for setting up user accounts: !" Rename the built-in Administrator account to provide a greater degree of security Use a name that does not identify it as the Administrator account This makes it more difficult for unauthorized users to break into the Administrator account !" Another method to secure the network is to create a user account for yourself and assign administrator rights to it You should then use this user account to perform administrative tasks !" Create a user account that you use to perform non-administrative tasks Log on by using the user account with administrator rights only when you perform administrative tasks !" Enable the Guest account only in low security networks and always assign a password to it By default, the Guest account is disabled !" Always require new users to change their passwords the first time that they log on This will force users to use unique, private passwords !" For added security on networks, create random initial passwords for all new user accounts by using a combination of letters and numbers Creating a random initial password will help keep the user account secure !" Set user account expiration dates for contract and temporary employees to avoid unauthorized network access when their contracts expire Module 2: Setting Up User Accounts 27 Review Slide Objective To reinforce module objectives by reviewing key points Lead-in The review questions cover some of the key concepts taught in the module Please take a few minutes to answer the questions, and then we will discuss them as a class ! Introduction to User Accounts ! Requirements for New User Accounts ! Creating a Domain User Account ! Setting Password Requirements ! Setting Properties for User Accounts ! Best Practices What different capabilities domain user accounts and local user accounts provide to users? Domain user accounts allow users to log on to a domain from any computer in the network and gain access to resources anywhere in the domain A local user account allows the user to log on and gain access to resources only on the computer where the local user account is created What is the property that needs to be set to enable a Windows 95 user to log on to a Windows 2000 network? The downlevel logon name must be set for the user account The downlevel logon name is the user’s unique logon name that the user uses to log on from versions of Windows other than Windows 2000 What are the options that you can set for a user account to ensure network security? To safeguard network security, you can set account options such as user logon hours, the computers from which users can log on, and expiration dates for user accounts 28 Module 2: Setting Up User Accounts What properties can you set to simplify searching for a user account in Active Directory? You can set personal properties for a user account by providing information such as the user’s office location, telephone number, e-mail alias, address, job title, department name, and so on Which option for new user account passwords must you ensure is set to protect the security of the account? Make sure that you select the User must change password at next logon check box This will ensure that the user is the only person who knows the password An employee from a branch office needs to work at company headquarters for two days As the administrator of the network at company headquarters, what must you to give the employee network access for the duration of the visit? Create a temporary account and provide the employee access to it This page intentionally left blank ... for setting up user accounts Module 2: Setting Up User Accounts # Introduction to User Accounts Slide Objective To introduce the role and purpose of user accounts Lead-in The types of user accounts. .. Directory Users and Computers, and log off Windows 2000 16 Module 2: Setting Up User Accounts # Setting Properties for User Accounts Slide Objective To introduce setting properties for user accounts. .. Up User Accounts Built-in User Accounts Slide Objective To describe built-in user accounts Administrator Administrator ! ! Manages: Manages: $ User accounts and groups $ User accounts and groups