1.2.6 User Account Management Facts

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

You can authenticate a user who logs on with a certificate by mapping the certificates to the user account. To map a certificate to a user account

1. Open Active Directory Users and Computers 2. Enable the Advanced view. 3. Right-click the user account, and then choose Name Mappings. 4. Add the certificate to the x.509 tab.

Deprovisioning

Is the process of removing access rights for users when they leave your organization. • If the user will be replaced by another user, disable the existing account. When the new user starts, rename the account, reset the password, and enable the account. This process preserves all of the permissions and other settings associated with the user. • If the user will not be replaced, you can delete the account. Be sure to reassign any permissions to other users, reassign ownership over files, or delete unnecessary files such as the user profile. After a user account has been deleted, all permissions and membership that are associated with that user account are permanently deleted. All permissions and memberships must be recreated manually if you want to duplicate a deleted user account. • Many third-party tools exist that can simplify the deprovisioning process. For example, you can delete the user account and automatically reassign permissions of file ownership with a single step. You can also create your own deprovisoning solution through a programming language to synchronize accounts between databases or applications.

Adding a User Principal Name (UPN) suffix to a forest allow the users who join the forest to use a friendly user-logon name that does not match the domain name.

To add a UPN suffix to a forest: 1. Open Active Directory Domains and Trusts. 2. Right-click Active Directory Domains and Trusts in the Tree window pane, then select Properties. 3. Type the new UPN suffix that you would like to add the forest on the UPN suffixes tab. 4. Click Add 5. Click Ok

To import large amounts of users from a comma-separated value (CSV) file

Use the import-CSV command with the results sent (or piped) to the New-ADUser command.

If you accidentally delete a user account

restore it from backup rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID and will not automatically assume to the permissions and memberships of the previously deleted account.

If you regularly create user accounts with the same settings

you can create a template account. The template account is normal user account with the same settings you need for subsequent accounts. • Copy the account whenever you need to create a new one. • New accounts retain group memberships but not direct permission assignments. • Disable this account to prevent it from being used for logon.

To create another user account similar to an existing user

• Copy existing user account. You will be prompted for a new name and password. Existing account settings and group memberships will be copied to the new account. Permissions will not be copied to the new account.

Configure the logon hours for a user account to allow the account to only be used between specific hours.

• Logon attempts outside of the specified hours will not be allowed. • User who are currently logged on will be allowed to continue working when the logon hours expire. • To log user off when the logon hours pass, configure Group Policy settings to log the user off automatically. -You can configure a list of workstations that a user is allowed to log on to. When configured, logon to other workstations will not be allowed. - The user profile tracks user environment settings, such as program-specific settings, user security settings and desktop settings (including the files, folders, and shortcuts on the desktop).

The Active Directory consolidates a group of cmdlets needed to manage user accounts including

• New-ADUser creates a new Active Directory user. • Get-ADUser displays one or more Active Directory user's properties. • Set-ADUser modifies an Active Directory user. • Enable-ADAccount/Disable-ADAccount enables/disables an Active Directory account. • Search-ADAccount gets Active Directory user, computer, and service accounts. • Unlock-ADAccount unlocks an Active Directory account. • Remove-ADUser removes an Active Directory user.

To use the Active Directory module for Windows Powershell

• Run the Import-Module ActiveDirectory command at the Windows Powershell prompt. • Launch Active Directory Module for Windows Powershell from Start\Administrative Tools.

Keep in mind the following recommendation when managing user accounts (more)

• To reset the user account password, right-click the user object and select Reset Password. • An account which has been locked out because too many incorrect passwords have been entered must be unlocked. To unlock an account, go to the Account tab in the account object's Properties dialog box, and select the Unlock Account box. The Reset Password dialog also gives you the option to unlock a user account. • You can configure an expiration date for temporary user accounts. Once the account is expired, it cannot be used for logon. • If a user will be gone for an extended period of time, disable the account. This prevents the account from being used during the user's absence. Enable the account when the user returns.

Keep in mind the following recommendation when managing user accounts:

• Use Active Directory Users and Computers from a domain controller or workstation with Administrative Tools installed to Configure domain accounts. • To modify properties on multiple user account at once, use the Shift or Ctrl keys to select all users, then edit the necessary properties. Properties such as the logon name or password cannot be modified in this way. • You can move user accounts to add them to the appropriate OUs. Grouping users within OUs allows you to apply group policy settings to groups of users. • When creating a new user account or resetting a forgotten password, a common practice is to reset the user account password, then select User must change password at next logon. This forces the user to reset the password immediately following logon, ensuring that the user will be the only person who knows the password. • Enable the User cannot change password option when you want to maintain control over a Guest, Service, or temporary acccount. For example, many application use service accounts for performing system tasks. The application must be configured with the user account name and password. If you allow changing the user account password for the service account, you would also need to change the password within every application that the uses that account.

What does the user profile tracks

• user environment settings, such as program-specific settings, user security settings and desktop settings (including the files, folders, and shortcuts on the desktop). • By default, the profile is stored on the local computer. A profile will be created on each computer when a user logs on. • To make profile settings consistent across computers, use a roaming user profile (where the profile is saved on a network share). When the user log on, profile settings are copied from the network to the local computer. Changes made on the local computer are saved back to the network share. • To use a roaming profile, edit the user account properties and specify the profile path. To simplify administration, us the %username% variable in the Profile Path. Active Directory replaces %username% with the user logon name.


Ensembles d'études connexes

Marriage, Fam, and Relations (TWU) Ch. 1-7

View Set

Answers to OLI Questions (Cardiovascular unit)

View Set

mental health questions Evolve: Psychobiological Disorders

View Set

ATI Pharmacology End of Chapter 47

View Set

Level 1 Class 1 అ "a" and ఆ "aa" words(padamulu)

View Set

Aveda: The Building blocks of the human body

View Set

AP Spanish V - Tema 1 - Los retos que se enfrentan las familias - Lista #2

View Set