8.8.2 Managing User Account Properties PDF

Title 8.8.2 Managing User Account Properties
Author Pray Pralour
Course Network Security
Institution University of Maryland Global Campus
Pages 3

Summary

This is the step-by-step process of viewing and navigating through Active Directory. This will help a student get through the course...


Description

2/6/2021

TestOut LabSim

8.8.2 Managing User Account Properties

Managing User Account Properties 0:01-2:13

Let's take some time to learn about managing user accounts. When managing user accounts, we're going to use Active Directory Users and Computers. Let's go ahead and go to Tools, Active Directory Users and Computers.

The first thing we're going to do is look at a user in our Research and Development group. We're going to look at this TestOut User right here that we've created. The first thing we're going to do is right-click. If I right-click this user, you can see several command options. We can reset the user's password. We can disable the account. We can enable it if it's disabled. This will switch to enabled. On these other users, if you have a disabled user, you'll actually see a little arrow pointing down that will indicate that it's disabled.

Let's go ahead and look at the properties of a user. Click Properties. In the properties dialog, we have several different tabs. Some of these tabs are really just for documentation. Whether or not you need to fill them out depends on the organization you work for. If you do fill them out, then make sure to be consistent and have a standard. The key to managing databases, and in turn Active Directory user accounts, is to be consistent. For example, if you use an office label, then make sure each user has a value under Office. That way, if you need to search for everyone at a specific office or location, you know your search results will be accurate. If you aren't consistent about adding a value to this field, then you won't be able to trust the search results.

Again, all these tabs, General, Address, Telephone, and Organizations, are really just used for documentation. It's really up to your organization if you're going to use them or fill them out.

Now the tab we want to use the most is actually the Account tab. The Account tab contains quite a few user settings that are important. There's the user's UPN right here which is composed of the logon, the T user, and the UPN suffix at Corp.TestOut.Demo.com. If you have multiple UPN suffixes, then you can select them here. You can change that for the logon name from this dropdown. Remember, from this tab we can also edit logon hours. If we click Logon Hours we can see when this user is permitted to log on to the domain.

Copyright © 2021 TestOut Corporation All rights reserved.

Configuring User Account Logon Options 2:14-3:25

This particular account does not have limited logon hours, as you can see here. However, new users, by default, also don't have limited logon restrictions and are permitted to log on any time which basically looks like this. If you see, the blue is permitted, and the white is not. If we click Logon Denied, then we can select and change those. It's really up to your organization to decide if there should be logon hour restrictions and what those should be. Having logon hour restrictions increases security by assuming that most attacks will occur after hours or on weekends.

The Log On To setting that we see right here specifies which computers this account is allowed to use. This setting can be useful if you want to limit certain users to a specific workstation. For example, if you have a temporary employee or intern, then you could limit them to only using one computer. In addition, user accounts used on public computers, such as a kiosk, could be limited to that specific system. However, this option is usually set to All computers.

If an account gets locked out, for example, if a user enters too many wrong passwords, then you can unlock the account with the Unlock account checkbox right here. You have to select Apply or OK.

Account Password Options 3:26-4:21

Under Account options, there are several useful options you should be aware of. There's the User must change password at next logon, that's checked right here. Typically, this is used when the account has just been created or when the password has been reset. Below that you can see the User cannot change password option. Again, this is an option that has specific usage such as with the public user account on a kiosk computer.

https://labsimapp.testout.com/v6_0_429/index.html/productviewer/225/8.8.2/157a0588-3552-441e-87a0-e5f3aa7b5c94


You don't want users to go ahead and change the password which could possibly keep other users from using that public computer. The Password never expires option will override the default domain password policy and is typically used only for service accounts. The next option, Store password using reversible encryption, should almost never be used. It's used for backwards compatibility with legacy applications that use NT 4.0. Selecting this option basically uses older, weaker encryption for passwords. So, it's not really needed.

Disable Accounts Option 4:22-5:32

The Account is disabled option disables the account. It's just another way you can disable the account. This option's useful when prestaging accounts or creating them before an employee actually starts working, or if an employee goes on vacation or takes a leave of absence. This is good for security and also makes managing accounts much easier. So, instead of completely deleting an account, you can merely disable it which retains all user settings. And when the employee returns you simply deselect this option.

You can see here the option Account expires. It's normally set to never, but we can use this option if we know the account won't be used after a specific date. For example, if a temporary employee or contractor employee is only contracted for three months, then we could set their account to automatically expire three months after the hire date. This makes our job much easier. Instead of having to remember to manually disable the account, we can make it expire automatically. It also increases security. If we forget to disable this account when the contractor is no longer working for us, then we have the ability to let this kind of take care of that for us. And we don't want an active account that's just enabled that could access the network when we don't want it to.

Profile Tab Options 5:33-7:02

Let's take a look at another tab. So the Profile tab is used to set up logon scripts. If we're using a roaming profile or roaming profiles we would specify the profile path right here. With roaming profiles, the user's profile settings are stored on a server instead of the local machine. This allows the user's desktop environment, including settings, themes, shortcuts, et cetera, to follow them no matter what computer they log onto.

One thing to know about roaming profiles is that it increases network load. Roaming profiles include all the user's document folders, which can get very big. It is possible to exclude documents from roaming profiles using group policies, but using roaming profiles still increases network load, and there are better ways to have your documents populate. You could have a network file share. You could maintain access through actual groups.

Under the Home folder right here, we can specify the user's home folder location. Most organizations will provide shared network storage for users, and we can specify the location and assign a drive letter here. Here's a little trick. If you have a server and a share available to users, then you can actually type a variable in here to save yourself some time. What you do is type the path to the server and the share. Then type in, so we'll do server, the name of the share, whatever it will be. Then type in percent username percent (\\server\share\%username%). What this does is it automatically creates a folder in that share with the same name as the user name and then assigns the user the appropriate rights to the share.

Let's go to the Member Of tab.

Member Of Tab Options 7:03-8:04

This tab is important because it's where we can add groups to a user account. Whatever groups the user is a member of, they'll get the collective rights of all those groups.

The Dial-in tab is used only for remote access, which is most likely going to be VPN. The settings here will override any policies that are in the NPS network policy. If we select allow or deny, these will override the NPS network policy. We really only want to change these settings if we have a user that's a member of a group that has access through policies, but we want to exclude them by denying access. It's preferable to control these settings using policies. It's just much easier.

The Environment tab is used to set up the remote desktop environment. The Sessions tab controls how remote desktop sessions are handled.


Remote control also has to do with remote desktop and defines whether or not a session can be remote controlled. Remote Desktop Services Profile is used to configure profile settings with remote desktop. Unless you're using remote desktop a lot, you're not going to use these tabs a whole lot.

Summary 8:05-8:23

So, that's it for this demonstration. In this video we covered the different things you can do to manage user accounts. We talked about some of the right-click menu options. We looked at the properties of a user account, and which tabs you can use to perform various management tasks. Remember, the two tabs you'll use most are the Account tab and the Member Of tab. So, be very familiar with those two.
