
Module 3

Managing Users and Service Accounts

Module Overview
Create and Administer User Accounts

Configure User Object Attributes

Automate User Account Creation

Create and Configure Managed Service Accounts

Lesson 1: Create and Administer User Accounts


User Account

Create Users with Windows PowerShell

Demonstration: Create a User Object

Name Attributes

Account Attributes

User Account Management

User Account
A user account:

Enables authentication of a user with attributes, including a user logon name and password

Is a security principal with a security identifier (SID) that can be assigned permissions to resources

A user account can be stored:

In Active Directory, where it enables logon to the domain and can be assigned permissions to resources anywhere in the domain

Domain user accounts are administered with Active Directory snap-ins and commands

In the local SAM database of a member computer, where it enables logon to the local computer and can be assigned permissions to local resources

Local user accounts are administered with the Local Users and Groups snap-in

Create Users with PowerShell


New-ADUser -Name <string> [Parameters]

-Name: Name of the user to create. If no other parameters are provided, this will also be the SAM account name.

[Parameters]: Parameters may include:

-SAMAccountName: The name with which the user logs on.

-AccountPassword: Used to set the account password. If this is not provided, the password is null and the account is disabled.

-Enabled: Used to enable the account. If this is not provided, the account is disabled by default.

-Path: Used to specify the location where the object should be created. By default, it is created in the Users container.

Get-Help New-ADUser -Detailed: Use to get full explanations of the parameters that can be used.

Demonstration: Create a User Object


In this demonstration, you will learn:
How to create a user

How to configure the properties of a user object

Name Attributes

User logon name (pre-Windows 2000): sAMAccountName

Unique in the domain

20-character limit

Example: CONTOSO\Tony.Krijnen

User logon name: userPrincipalName (UPN)

Name + @ + UPN suffix

Unique in the forest

Example: Tony.Krijnen@contoso.com

Name or Full Name: cn (common name)

Unique in the OU, so that the relative distinguished name (RDN) is unique in the OU and, in turn, the object's distinguished name (distinguishedName attribute) is unique in the forest

Example: Tony Krijnen

Display name: displayName

Shown in the Exchange global address list (GAL)

Best if unique, but not technically required to be unique

Example: Krijnen, Tony
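The New-ADUser parameters and the name attributes above, put together as an added example (not code from the course): each uniqueness rule is checked before the object is created. It assumes the Active Directory module, the contoso.com domain from the slides, and a hypothetical target OU "OU=Sales,DC=contoso,DC=com".

```powershell
# Added example, not part of the course slides. Assumes the contoso.com domain and
# a hypothetical OU; adjust $Path and $UpnSuffix for your environment.
Import-Module ActiveDirectory

function New-ContosoUser {
    param(
        [Parameter(Mandatory=$true)] [string] $GivenName,
        [Parameter(Mandatory=$true)] [string] $Surname,
        [string] $UpnSuffix = 'contoso.com',
        [string] $Path = 'OU=Sales,DC=contoso,DC=com'
    )
    $sam = "$GivenName.$Surname"
    # sAMAccountName: unique in the domain and at most 20 characters.
    if ($sam.Length -gt 20) {
        throw "sAMAccountName '$sam' exceeds the 20-character limit"
    }
    if (Get-ADUser -Filter { sAMAccountName -eq $sam }) {
        throw "sAMAccountName '$sam' already exists in the domain"
    }
    # userPrincipalName: unique in the forest, so query a global catalog (port 3268).
    $upn = "$sam@$UpnSuffix"
    $gc  = Get-ADDomainController -Discover -Service GlobalCatalog
    if (Get-ADUser -Filter { userPrincipalName -eq $upn } -Server "$($gc.HostName[0]):3268") {
        throw "UPN '$upn' already exists in the forest"
    }
    # cn (Name): unique in the OU so that the RDN, and hence the DN, is unique.
    $cn = "$GivenName $Surname"
    if (Get-ADUser -Filter { Name -eq $cn } -SearchBase $Path -SearchScope OneLevel) {
        throw "A user named '$cn' already exists in $Path"
    }
    # Prompt for the initial password so it is never written into a script or log.
    $password = Read-Host -Prompt "Initial password for $sam" -AsSecureString
    New-ADUser -Name $cn -SamAccountName $sam -UserPrincipalName $upn `
        -GivenName $GivenName -Surname $Surname `
        -DisplayName "$Surname, $GivenName" `
        -Path $Path -AccountPassword $password -Enabled $true `
        -ChangePasswordAtLogon $true -PassThru
}

New-ContosoUser -GivenName 'Tony' -Surname 'Krijnen'
```

Without -AccountPassword and -Enabled the account would be created disabled, as the slide states; -ChangePasswordAtLogon makes the administrator-chosen password a one-time value.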

Account Attributes
Logon Hours

Log On To

User must change password at next logon

User cannot change password

Password never expires

Account is disabled

Store password by using reversible encryption

Smart card is required for interactive logon

Account is trusted for delegation

Account expires

User Account Management


Account Management involves the following tasks:

Renaming a user account

Resetting a user password


Unlocking a user account

Disabling or enabling a user account

Moving a user account

Deleting a user account

Lab A: Create and Administer User Accounts


Exercise 1: Create User Accounts

Exercise 2: Administer User Accounts

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd

Estimated time: 10 minutes

Lab Scenario
You are the administrator of Contoso, Ltd, an online university for adult education. Two new employees have been hired: Chris Mayo and Amy Strande. You must create accounts for these users. After some time, Chris Mayo leaves the organization, and his account must be administered according to the company policy for user account life-cycle management.

Lab Review
In this lab, which attribute can be modified to prompt for the password when you are creating a user account with Windows PowerShell?

What happens when you create a user account that has a password that does not meet the requirements of the domain?

Lesson 2: Configure User Object Attributes


A Tour of User Attributes

View All Attributes

Modify Attributes of Multiple Users

Modify User Attributes by Using Windows PowerShell

Demonstration: Create a User Template

Create Users with Templates

A Tour of User Attributes


In this demonstration, you will learn:
How to access the properties of a user

The role of each tab in the user Properties dialog box

View All Attributes


The Attribute Editor tab

To display it, in Active Directory Users and Computers, click the View menu, and then select Advanced Features

Modify Attributes of Multiple Users


Procedure for modifying attributes

Select multiple users (for example, by using CTRL+click)

Right-click any one of the selected users, and then click Properties

Attributes that can be modified

General: Description, Office, Telephone Number, Fax, Web page, E-mail

Account: UPN suffix, Logon hours, Computer restrictions (logon workstations), all Account options, Account expires

Address: Street, P.O. Box, City, State/province, ZIP/Postal Code, Country/region

Profile: Profile path, Logon script, Home folder

Organization: Job Title, Department, Company, Manager

Modify User Attributes by Using PowerShell


Get-ADUser returns attributes of objects

Get-ADUser UserDN [-Properties attribute]

UserDN: distinguishedName of the user

-Properties attribute: Name of the attribute to return (use * for all attributes); without it only a default set of attributes is returned

Set-ADUser modifies specified attributes

Set-ADUser UserDN [-Parameter value]

UserDN: distinguishedName of the user

-Parameter value: Attribute to be modified (for example, -Office) and its new value

Example using both cmdlets together

Get-ADUser Tony.Krijnen | Set-ADUser -Office "Stockholm"
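The Get-ADUser | Set-ADUser pattern applied to many users at once, as an added example that is not from the course: it previews the change, applies it per object so one failure does not stop the rest, and re-reads the directory to verify. It assumes the Active Directory module and a hypothetical OU "OU=Sales,DC=contoso,DC=com".

```powershell
# Added example, not the slide's own code. The OU path is hypothetical.
Import-Module ActiveDirectory
$ou = 'OU=Sales,DC=contoso,DC=com'

# Get-ADUser returns only a default attribute set; ask for Office explicitly.
$users = Get-ADUser -Filter * -SearchBase $ou -Properties Office
$users | Select-Object SamAccountName, Office | Format-Table -AutoSize

# Preview: -WhatIf reports what Set-ADUser would do without writing anything.
$users | Set-ADUser -Office 'Stockholm' -WhatIf

# Apply one object at a time so an error on one user is reported, not fatal.
foreach ($user in $users) {
    try {
        Set-ADUser -Identity $user -Office 'Stockholm' -ErrorAction Stop
    } catch {
        Write-Warning "Could not update $($user.SamAccountName): $_"
    }
}

# Verify from the directory rather than trusting the local objects.
Get-ADUser -Filter { Office -eq 'Stockholm' } -SearchBase $ou -Properties Office |
    Select-Object SamAccountName, Office
```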

Demonstration: Create a User Template


In this demonstration, you will learn:
What a template user account is, and why it is useful

How to create a template user account

Create Users with Templates


Properties copied from a template account, by tab:

General tab: No properties are copied

Address tab: P.O. box, city, state or province, ZIP or postal code, and country or region are copied. Note that the street address itself is not copied

Account tab: Logon hours, logon workstations, account options, and account expiration

Profile tab: Profile path, logon script, home drive, and home folder path

Organization tab: Department, company, and manager

Member Of tab: Group membership and primary group

Lab B: Configure User Object Attributes


Exercise 1: Examine User Object Attributes

Exercise 2: Manage User Object Attributes

Exercise 3: Create Users from a Template

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd

Estimated time: 15 minutes

Lab Scenario
You are the administrator of Contoso, Ltd, an online university for adult education. Changes in the Sales department require you to modify attributes of Sales users. Additionally, you decide to make it easier to create new accounts for sales people by preparing a user account template.

Lab Review
What are the options for modifying attributes of new and existing users?

Lesson 3: Automate User Account Creation


Export Users with CSVDE

Import Users with CSVDE

Import Users with LDIFDE

Import Users with Windows PowerShell

Export Users with CSVDE


[Diagram: CSVDE.exe exports from Active Directory to filename.ldf and imports from the file into Active Directory]

CSV (comma-separated value, or comma-delimited text)

Can be edited with simple text editors such as Notepad or Microsoft Office Excel

csvde -f filename -d RootDN -p SearchScope -r Filter -l ListOfAttributes

RootDN: Start of export (default = domain)

SearchScope: Scope of export (Base, OneLevel, Subtree)

Filter: Filter within the scope (LDAP query language)

ListOfAttributes: Use the LDAP name of each attribute

Import Users with CSVDE


csvde -i -f filename [-k]

-i: Import (the default mode is export)

-k: Continue past errors (such as Object Already Exists)

Cannot import passwords, so users are created as disabled

Cannot modify existing users

Import Users with LDIFDE


[Diagram: LDIFDE.exe exports from Active Directory to filename.ldf and imports from the file into Active Directory]

LDAP Data Interchange Format (LDIF)

ldifde [-i] [-f filename] [-k]

-i: Import (the default mode is export)

-k: Continue past errors (such as Object Already Exists)

Cannot import passwords, so users are created as disabled

Can modify or remove existing users
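The csvde export syntax and the ldifde import described above, driven from PowerShell as an added example (not from the course): csvde exports one OU with a filter and attribute list, and an LDIF change record modifies an existing user, which csvde cannot do. It assumes the contoso.com domain, a hypothetical OU "OU=Sales,DC=contoso,DC=com", a user Tony.Krijnen from the earlier slides, and the paths under C:\Temp are constructed.

```powershell
# Added example, not the course's own code. OU and file paths are hypothetical.
$ou = 'OU=Sales,DC=contoso,DC=com'

# Export only user objects under the OU and only the listed attributes. The file is
# plain text and passwords are never exported; keep it in a protected location.
csvde -f 'C:\Temp\sales-users.csv' -d $ou -p Subtree `
      -r '(&(objectCategory=person)(objectClass=user))' `
      -l 'sAMAccountName,givenName,sn,userPrincipalName,department'
if ($LASTEXITCODE -ne 0) { throw "csvde export failed with exit code $LASTEXITCODE" }

# Constructed LDIF change record: "changetype: modify" updates an existing object;
# a "-" line closes each attribute change and a blank line ends the record.
$ldif = @"
dn: CN=Tony Krijnen,$ou
changetype: modify
replace: department
department: Sales
-
replace: physicalDeliveryOfficeName
physicalDeliveryOfficeName: Stockholm
-

"@
# Write ASCII so no byte-order mark precedes the first "dn:" line.
Set-Content -Path 'C:\Temp\modify-user.ldf' -Value $ldif -Encoding Ascii

# Import the change, continuing past non-fatal errors (-k); -j sets the log folder.
ldifde -i -f 'C:\Temp\modify-user.ldf' -k -j 'C:\Temp'
if ($LASTEXITCODE -ne 0) { throw "ldifde import failed with exit code $LASTEXITCODE" }

# Verify the result from the directory.
Import-Module ActiveDirectory
Get-ADUser -Identity 'Tony.Krijnen' -Properties Department, Office |
    Select-Object SamAccountName, Department, Office
```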

Import Users with Windows PowerShell


[Diagram: Windows PowerShell imports filename.csv into Active Directory with Import-CSV and New-ADUser]

Import-CSV Users.csv | foreach {New-ADUser -SamAccountName $_.SamAccountName -Name $_.Name -Surname $_.Surname -GivenName $_.GivenName -Path "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" -AccountPassword (ConvertTo-SecureString -AsPlainText $_.SamAccountName -Force) -Enabled $true}
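The same pipeline with a stronger initial-password practice, as an added example that is not the slide's command: each user gets a random one-time password rather than one equal to the SamAccountName, must change it at first logon, and a failing row is reported instead of aborting the import. It assumes the Active Directory module, the contoso.com domain, a hypothetical OU, and CSV rows constructed inline from the lab's new-hire names (Import-CSV Users.csv would read them from a file instead).

```powershell
# Added example, not the course's own code. OU path and CSV rows are constructed.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # provides System.Web.Security.Membership

$csv = @"
SamAccountName,Name,Surname,GivenName
Chris.Mayo,Chris Mayo,Mayo,Chris
Amy.Strande,Amy Strande,Strande,Amy
"@
$path = 'OU=Finance,OU=UserAccounts,DC=contoso,DC=com'

$results = $csv | ConvertFrom-Csv | ForEach-Object {
    $row = $_
    # 16-character random password with at least 3 non-alphanumeric characters.
    $plain = [System.Web.Security.Membership]::GeneratePassword(16, 3)
    try {
        New-ADUser -SamAccountName $row.SamAccountName -Name $row.Name `
            -Surname $row.Surname -GivenName $row.GivenName `
            -UserPrincipalName "$($row.SamAccountName)@contoso.com" `
            -Path $path `
            -AccountPassword (ConvertTo-SecureString -AsPlainText $plain -Force) `
            -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop
        # Hand the one-time password to the person out of band; never log it.
        New-Object PSObject -Property @{ User = $row.SamAccountName; Status = 'Created'; InitialPassword = $plain }
    } catch {
        New-Object PSObject -Property @{ User = $row.SamAccountName; Status = "Failed: $_"; InitialPassword = $null }
    }
}

# Report status only; the InitialPassword property stays in memory for delivery.
$results | Select-Object User, Status | Format-Table -AutoSize
```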

Lab C: Automate User Account Creation


Exercise 1: Export and Import Users with CSVDE

Exercise 2: Import Users with LDIFDE

Exercise 3: Import Users by Using Windows PowerShell

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd

Estimated time: 10 minutes

Lab Scenario
You are the administrator of Contoso, Ltd., an online university for adult education. You are hiring several new employees. The Human Resources department has provided you with extracts from their database, in both comma-delimited text format and in LDIF format. You want to import those data files to create user accounts for the new hires.

Lab Review
What scenarios lend themselves to importing users with CSVDE and LDIFDE?

Lesson 4: Create and Configure Managed Service Accounts


Challenges of Using Standard User Accounts for Services

What Is a Managed Service Account?

Configure and Administer Managed Service Accounts

Challenges of Using Standard User Accounts for Services


Challenges of using standard user accounts for services include:

Extra administration effort to manage the service account password

Difficulty in determining where a domain-based account is used as a service account

Extra administration effort to manage the SPN

What Is a Managed Service Account?


Used to automate password and SPN management for service accounts used by services and applications

Requires a Windows Server 2008 R2 server installed with:

.NET Framework 3.5.x

Active Directory module for Windows PowerShell

Recommended to run with AD DS configured at the Windows Server 2008 R2 functional level

Can be used in a Windows Server 2003 or 2008 AD DS environment:

With Windows Server 2008 R2 schema updates

With Active Directory Management Gateway Service

Configure and Administer Managed Service Accounts


Create a managed service account:

New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>]

Install a managed service account on the host server:

Install-ADServiceAccount -Identity <ADServiceAccount>

Associate the service account with the intended service
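The three steps above carried through end to end, as an added example that is not the course's own code, for a hypothetical account svc_app hosted on NYC-SVR1 (the lab's server). It assumes the Active Directory module on the management host and on NYC-SVR1, the contoso.com domain, and a constructed service named AppService; the WMI Change call and the SPN value are this example's choices, not steps the slides prescribe.

```powershell
# Added example, not from the course. Account, service and SPN names are constructed.
Import-Module ActiveDirectory

# 1. Create the account (run on a DC or management host). AD DS generates and
#    rotates the password; no administrator ever knows it.
New-ADServiceAccount -Name 'svc_app' -Path 'CN=Managed Service Accounts,DC=contoso,DC=com'

# Only NYC-SVR1 may retrieve the password: link the account to that computer object.
Add-ADComputerServiceAccount -Computer 'NYC-SVR1' -ServiceAccount 'svc_app'

# Register the SPN on the service account, so it is managed with the account rather
# than on a human's user object (the "extra effort to manage the SPN" challenge).
Set-ADServiceAccount -Identity 'svc_app' -ServicePrincipalNames @{Add='HTTP/nyc-svr1.contoso.com'}

# 2. On NYC-SVR1: install the account locally and confirm the host can use it.
Install-ADServiceAccount -Identity 'svc_app'
if (-not (Test-ADServiceAccount -Identity 'svc_app')) {
    throw 'svc_app is not usable on this host'
}

# 3. Associate it with the service. An MSA logs on as DOMAIN\name$ with an empty
#    stored password. Win32_Service.Change keeps every other setting ($null) and
#    sets only StartName and StartPassword. Unlike the Services snap-in, this does
#    not grant "Log on as a service"; assign that right to the account as well.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='AppService'"
$rc  = $svc.Change($null, $null, $null, $null, $null, $null, 'CONTOSO\svc_app$', '')
if ($rc.ReturnValue -ne 0) { throw "Service logon change failed: $($rc.ReturnValue)" }
Restart-Service -Name 'AppService'

# Verify which managed service accounts exist in the domain.
Get-ADServiceAccount -Filter * | Select-Object Name, DistinguishedName
```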

Lab D: Create and Administer Managed Service Accounts


Exercise: Create and Associate a Managed Service Account

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd

Virtual machine: 6425C-NYC-SVR1
Logon user name: Pat.Coleman
Administrative user name: Administrator
Password: Pa$$w0rd

Estimated time: 10 minutes

Lab Scenario
You are a network administrator for Contoso, Ltd. You have been asked to implement a managed service account for an application that will be installed on NYC-SVR1.

Lab Review
You need to obtain a list of all the managed service accounts in the domain. Which cmdlet would you use?

Which cmdlet can be used to reset the password of a managed service account?

Module Review and Takeaways


Review Questions

Windows Server 2008 R2 features introduced in this module
