Slide 2
- Establish account naming conventions
- Configure account security policies
- Create and manage accounts, including setting up a new account,
configuring account properties, delegating account management, and
renaming, disabling, and deleting an account

Slide 3
- Create local user profiles, roaming profiles, and mandatory profiles
- Configure client network operating systems to access Windows 2000
Server, and install client operating systems through Remote Installation
Services

Slide 4
- Last name followed by the initial of the first name
- First name initial followed by the last name
- Username based on the position in the organization
- Username based on the function in the organization

Slide 5
- For accounts that handle money, payroll, budgeting, or accounting
transactions, financial auditors typically prefer that accounts are
named for individuals

Slide 6
- Account policies: security measures set up in a group policy, such as
for a domain or local computer
- Account policies particularly focus on:
  - Password security
  - Account lockout
  - Kerberos security

Slide 7
- Use the Group Policy MMC snap-in to set up account policies

Slide 9
- Enforce password history: Enables you to require users to choose a
password they have not used before when they change passwords, because
the system remembers previously used passwords
- Maximum password age: Permits you to set the maximum time allowed until
a password expires
- Minimum password age: Permits you to specify that a password must be
used for a minimum amount of time before it can be changed

Slide 10
- Minimum password length: Enables you to require that passwords are a
minimum length
- Passwords must meet complexity requirements: Enables you to create a
filter of customized password requirements that each account password
must follow
- Store password using reversible encryption for all users in the domain: Enables
passwords to be stored in reversible encrypted format
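The password settings on the two slides above, worked through as an added Python example (this is editor-written illustration, not material from the course deck or from Windows itself): a policy object with constructed values, an age and length check, a history check that compares digests rather than plaintext, and an approximation of the default Windows complexity filter (at least three of four character classes and no account-name or full-name parts), which is stated here as the editor's reading of that filter. The reversible-encryption flag is carried only to make the point that it is a storage property, not a strength property: with it on, the directory can recover every password in plaintext, so it stays off unless a specific authentication protocol needs it.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import List


# Constructed policy values; the field names follow the Group Policy settings above.
@dataclass
class PasswordPolicy:
    enforce_password_history: int = 24      # previous passwords remembered (0 = off)
    maximum_password_age_days: int = 42
    minimum_password_age_days: int = 1
    minimum_password_length: int = 8
    complexity_required: bool = True
    reversible_encryption: bool = False     # True means the directory can recover plaintext


@dataclass
class Account:
    username: str
    full_name: str
    last_set: date                          # date the current password was set
    history: List[str] = field(default_factory=list)   # digests of current and earlier passwords, oldest first


def digest(password: str) -> str:
    # Stand-in for the directory's own password hash; it only keeps plaintext out of the history list.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_complexity(password: str, account: Account) -> bool:
    """Approximation (editor's assumption) of the default Windows complexity filter: the
    password may not contain the account name or any 3+ character part of the full name
    (case-insensitive) and must use at least three of the four character classes."""
    lower = password.lower()
    if account.username.lower() in lower:
        return False
    for part in account.full_name.replace(",", " ").split():
        if len(part) >= 3 and part.lower() in lower:
            return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def evaluate_change(policy: PasswordPolicy, account: Account, new_password: str, today: date) -> List[str]:
    """Return the policy violations a password change would trigger; an empty list means allowed."""
    problems = []
    if (today - account.last_set).days < policy.minimum_password_age_days:
        problems.append("minimum password age not reached")
    if len(new_password) < policy.minimum_password_length:
        problems.append("shorter than minimum password length")
    if policy.complexity_required and not meets_complexity(new_password, account):
        problems.append("does not meet complexity requirements")
    remembered = account.history[-policy.enforce_password_history:] if policy.enforce_password_history else []
    if digest(new_password) in remembered:
        problems.append("password found in history")
    return problems


def apply_change(policy: PasswordPolicy, account: Account, new_password: str, today: date) -> List[str]:
    """Commit the change when it passes; the new digest joins the history and the set date moves."""
    problems = evaluate_change(policy, account, new_password, today)
    if not problems:
        account.history.append(digest(new_password))
        account.last_set = today
    return problems


def password_expired(policy: PasswordPolicy, account: Account, today: date) -> bool:
    """True once the current password is older than the maximum password age."""
    return (today - account.last_set).days > policy.maximum_password_age_days


if __name__ == "__main__":
    # Constructed sample account: jsmith last changed the password on 1 Jan 2024
    policy = PasswordPolicy()
    acct = Account("jsmith", "John Smith", date(2024, 1, 1), [digest("OldPassw0rd!")])
    for candidate in ("OldPassw0rd!", "Smith2024!!", "abc", "N3w-Passphrase"):
        print(candidate, "->", evaluate_change(policy, acct, candidate, date(2024, 2, 1)) or "allowed")
```

The history and age checks only bite because the policy remembers digests and the set date; the order of the checks mirrors the order the settings appear in the snap-in, so a reported list reads the same way an administrator would scan the policy.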

Slide 11
- Account lockout duration: Permits you to specify in minutes how long the
system keeps an account locked out after the specified number of
unsuccessful logon attempts is reached
- Account lockout threshold: Enables you to set a limit on the number of
unsuccessful attempts to log onto an account

Slide 12
- Reset account lockout count after: Enables you to specify the number of
minutes between two consecutive unsuccessful logon attempts to make sure
that the account will not be locked out too soon
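How the three lockout settings on slides 11 and 12 interact, as an added Python example (editor-written, not part of the deck): a small state machine replays a constructed sequence of logon attempts and shows the observation window resetting the bad-password count, the threshold triggering a lockout that refuses even a correct password, the duration expiring into an automatic unlock, and a duration of zero meaning an administrator must unlock. The policy values are constructed; the behaviour is the editor's model of the settings, not code from Windows.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


# Constructed policy values; names follow the lockout settings above.
@dataclass
class LockoutPolicy:
    threshold: int = 5                                  # bad attempts before lockout; 0 = never lock
    reset_after: timedelta = timedelta(minutes=30)      # "Reset account lockout count after"
    duration: timedelta = timedelta(minutes=30)         # lockout duration; zero = until an administrator unlocks


@dataclass
class LockoutState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None
    needs_admin_unlock: bool = False


def is_locked(state: LockoutState, now: datetime) -> bool:
    return state.needs_admin_unlock or (state.locked_until is not None and now < state.locked_until)


def record_logon(policy: LockoutPolicy, state: LockoutState, now: datetime, success: bool) -> str:
    """Apply one logon attempt; returns 'ok', 'rejected' (bad password) or 'locked'."""
    if is_locked(state, now):
        return "locked"                 # a correct password is refused while the account is locked
    if state.locked_until is not None:
        # the lockout duration has elapsed: the account unlocks automatically
        state.locked_until = None
        state.bad_count = 0
    if success:
        state.bad_count = 0
        state.last_bad = None
        return "ok"
    # the bad-password counter starts over once the observation window has passed
    if state.last_bad is not None and now - state.last_bad >= policy.reset_after:
        state.bad_count = 0
    state.bad_count += 1
    state.last_bad = now
    if policy.threshold and state.bad_count >= policy.threshold:
        if policy.duration == timedelta(0):
            state.needs_admin_unlock = True
        else:
            state.locked_until = now + policy.duration
        return "locked"
    return "rejected"


def admin_unlock(state: LockoutState) -> None:
    """What 'Unlock account' in the account properties does to the state."""
    state.bad_count = 0
    state.last_bad = None
    state.locked_until = None
    state.needs_admin_unlock = False


def replay(policy: LockoutPolicy, attempts: List[Tuple[datetime, bool]]) -> List[str]:
    """attempts: (time, success) pairs in order; returns the outcome of each attempt."""
    state = LockoutState()
    return [record_logon(policy, state, when, ok) for when, ok in attempts]


if __name__ == "__main__":
    # Constructed attempt sequence: three bad passwords spread across the reset window
    t0 = datetime(2024, 1, 1, 9, 0)
    policy = LockoutPolicy(threshold=3, reset_after=timedelta(minutes=10), duration=timedelta(minutes=30))
    attempts = [(t0 + timedelta(minutes=m), ok) for m, ok in
                ((0, False), (1, False), (20, False), (21, False), (22, False), (23, True), (60, True))]
    for (when, _), outcome in zip(attempts, replay(policy, attempts)):
        print(when.time(), outcome)
```

The third attempt is not the one that locks the account, because 19 minutes separate it from the previous failure and the reset window is 10 minutes; the count starts again at one. This is the effect the slide describes as making sure the account "will not be locked out too soon", and it is also why a short reset window paired with a high threshold gives a persistent guesser more room than the threshold alone suggests.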

Slide 13
- Enforce user logon restrictions: Turns on Kerberos security, which is
the default
- Maximum lifetime for a service ticket: Determines the maximum amount of
time in minutes that a service ticket can be used to continually access
a particular service in one service session
- Maximum lifetime for a user ticket: Determines the maximum amount of
time in hours that a ticket can be used in one continuous session for
access to a computer or domain

Slide 14
- Maximum lifetime for user ticket renewal: Determines the maximum number
of days that the same Kerberos ticket can be renewed each time a user
logs on
- Maximum tolerance for computer clock synchronization: Determines how
long in minutes a client will wait until synchronizing its clock with
that of the server or Active Directory it is accessing
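The four Kerberos lifetime settings on slides 13 and 14, as an added Python example (editor-written, not code from the deck or from Windows): a user ticket is issued with an expiry and a renewal limit, a renewal can extend it only up to that limit, a service ticket never outlives the user ticket it was requested with, and the clock-synchronization tolerance is applied as the largest difference between a client's timestamp and the KDC's clock that is still accepted, which is how Kerberos uses that value (stated here as the editor's understanding). The default values in the policy object are the ones the editor knows as the Windows 2000 domain defaults; the timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


# Policy values as the editor understands the Windows 2000 domain defaults.
@dataclass
class KerberosPolicy:
    max_service_ticket_minutes: int = 600
    max_user_ticket_hours: int = 10
    max_renewal_days: int = 7
    max_clock_skew_minutes: int = 5


@dataclass
class Ticket:
    issued: datetime
    expires: datetime
    renew_until: datetime      # absolute limit on how far renewals can push 'expires'


def within_skew(policy: KerberosPolicy, client_time: datetime, kdc_time: datetime) -> bool:
    """An authenticator is accepted only if the client's timestamp is within the tolerance of the KDC clock."""
    return abs(client_time - kdc_time) <= timedelta(minutes=policy.max_clock_skew_minutes)


def issue_user_ticket(policy: KerberosPolicy, now: datetime) -> Ticket:
    """Initial logon: lifetime from 'Maximum lifetime for a user ticket', renewal limit from
    'Maximum lifetime for user ticket renewal'."""
    return Ticket(issued=now,
                  expires=now + timedelta(hours=policy.max_user_ticket_hours),
                  renew_until=now + timedelta(days=policy.max_renewal_days))


def renew_user_ticket(policy: KerberosPolicy, ticket: Ticket, now: datetime) -> Optional[Ticket]:
    """Renewal needs a ticket that is still valid and still inside its renewal window; the new
    lifetime is capped by the renewal limit fixed when the ticket was first issued."""
    if now >= ticket.expires or now >= ticket.renew_until:
        return None
    new_expiry = min(now + timedelta(hours=policy.max_user_ticket_hours), ticket.renew_until)
    return Ticket(issued=now, expires=new_expiry, renew_until=ticket.renew_until)


def issue_service_ticket(policy: KerberosPolicy, user_ticket: Ticket, now: datetime) -> Optional[Ticket]:
    """A service ticket is granted against a valid user ticket and never outlives it."""
    if now >= user_ticket.expires:
        return None
    expiry = min(now + timedelta(minutes=policy.max_service_ticket_minutes), user_ticket.expires)
    return Ticket(issued=now, expires=expiry, renew_until=expiry)


if __name__ == "__main__":
    policy = KerberosPolicy()
    logon = datetime(2024, 1, 1, 8, 0)                 # constructed timestamps
    tgt = issue_user_ticket(policy, logon)
    print("user ticket expires", tgt.expires, "renewable until", tgt.renew_until)
    print("service ticket at 17:30 expires", issue_service_ticket(policy, tgt, logon.replace(hour=17, minute=30)).expires)
    print("renewed at 17:00 expires", renew_user_ticket(policy, tgt, logon.replace(hour=17)).expires)
    print("client 6 min ahead accepted:", within_skew(policy, logon + timedelta(minutes=6), logon))
```

Two things the slide text does not make obvious fall out of the code: a service ticket requested late in the day is cut short by the user ticket's own expiry, and once the seven-day renewal limit is reached no further renewal is possible and the user must log on again.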

Slide 15
- For a server that does not have the Active Directory implemented, use
the Local Users and Groups MMC snap-in to create accounts
- For a server that employs the Active Directory, use the Active Directory
Users and Computers MMC snap-in to create accounts

Slide 20
- General tab: Modify personal information about the user
- Address tab: Provide street and city address information
- Account tab: Provide account information, such as logon name, plus
configure access restrictions, such as for certain days of the week and
times of day

Slide 22
- Profile tab: Ability to associate a specific profile with an account,
associate a home folder and drive, and associate a logon script
- Logon script: A file that contains a series of commands to run each
time a user logs onto his or her account, such as a command to map a
home drive

Slide 24
- Telephones: Ability to associate telephone contact numbers
- Organization: Provide account holder’s title, department, and other
information
- Member Of: Ability to join this account to one or more groups of users
for easier management

Slide 26
- Dial-in: Controls remote access such as through a modem
- Environment: Ability to configure the startup environment for clients
using terminal services
- Sessions: Configures session parameters, such as timeout limits, for
clients using terminal services

Slide 28
- Remote Control: Configures remote control parameters for the
Administrator to view and manage terminal service client sessions
- Terminal Services Profile: Ability to set up a user profile for a
terminal services client

Slide 29
- To create an OU:
  - Click the container in which to create the OU, such as the domain or
another OU
  - Click the Create a new organizational unit in the current container
button
  - Enter the name of the OU
  - Click OK

Slide 30
- To delegate authority:
  - Right-click the OU and click Delegate control
  - Click Next after the wizard starts
  - Click the Add button and specify the accounts, groups, or computers to
have the control
  - Click OK and click Next
  - Select the tasks to delegate and click Next
  - Click Finish

Slide 32
- To locate a particular account in order to maintain it:
  - Right-click the domain
  - Click Find
  - Enter the username or the account holder’s name
  - Click Find Now

Slide 33
- Typical account maintenance activities include:
  - Disabling an account, such as when a user takes a leave of absence
  - Enabling an account, such as when a user returns
  - Renaming an account, such as when one user leaves and another user is
hired into the same position
  - Moving an account, such as into a different OU

Slide 34
- Typical account maintenance activities include (continued):
  - Deleting an account, such as when a user leaves the organization and
there will be no replacement person
  - Resetting a password for users who do not remember theirs
  - Account auditing to track certain kinds of activity performed by an
account holder

Slide 35
- Logon and logoff activity
- Account modifications through account management tools
- Accesses to files and other objects (for files, folders, and objects
that are set up to be audited)

Slide 36
- Use account auditing sparingly because every audited event is written to
the Security log – you don’t want to overload a server by devoting too
much of its resources to auditing (consult your organization’s
management and financial auditors for advice on what to audit)

Slide 37
- Local user profile: A desktop setup that is associated with one or more
accounts to determine what startup programs are used, additional desktop
icons, and other customizations. A user profile is local to the computer
on which it is stored.

Slide 38
- Roaming profile: Desktop settings that are associated with an account so
that the same settings are employed no matter what computer is used to
access the account (the profile is downloaded to the client)

Slide 39
- Mandatory User Profile: A user profile set up by the server
administrator that is loaded from the server to the client each time the
user logs on; changes that the user makes to the profile are not
saved

Slide 40
- Hardware Profile: A consistent setup of hardware components associated
with one or more user accounts

Slide 42
- Plan to install Directory Service Client (DSClient) in Windows 95 and
Windows 98 clients
- DSClient enables non-Windows 2000 clients for:
  - Kerberos authentication
  - Ability to view objects published in the Windows 2000 Active Directory

Slide 43
- Obtain the DSClient program, Dsclient.exe from the Windows 2000 Server
CD-ROM
- Run this program on Windows 95 and Windows 98 clients

Slide 44
- If the Distributed File System (Dfs) cannot be accessed from a Windows
95 client, run DSClient to install Dfs capability (Dfs client) as well
as the capability to access the Active Directory (DSClient)

Slide 45
- Use the Group Policy snap-in to set up group policies that govern
clients
- Use the System Policy Editor (Poledit.exe) to configure system policies
when running a mixture of Windows NT and Windows 2000 servers

Slide 46
- Windows 2000 Server comes with several templates already set up for
using group policies or system policies
- System.adm is the default group policy for managing Windows 2000
Professional clients

Slide 52
- Remote Installation Services (RIS): Services installed on a Windows 2000
Server that enable you to remotely install Windows 2000 Professional on
one or more client computers

Slide 53
- Purchase the appropriate number of Windows 2000 Professional licenses
- Make sure the Active Directory is implemented and that there are DHCP
and DNS servers on the network
- Create a Windows 2000 Professional operating system image
- Create user accounts for the Windows 2000 Professional clients

Slide 54
- Installing RIS is a two-stage process:
  - First install RIS using the Control Panel Add/Remove Programs tool
  - Then configure RIS from the Add/Remove Programs tool

Slide 55
- Configure an existing DHCP server to authorize only specific servers to
provide RIS installations

Slide 56
- Install in one of two ways:
  - Using a computer that has a boot-enabled ROM
  - Creating a remote boot disk
- Both methods use the Preboot eXecution Environment (PXE): Services that
enable a prospective client to obtain an IP address and to connect to a
RIS server in order to install Windows 2000 Professional

Slide 57
- When installing a client via RIS, first make sure that the client
computer has a NIC that is supported by RIS and that is on the HCL

Slide 59
- Use group policies to create different installation options for
different groups or containers

Slide 61
- Allow: means that the designated capability can be used by the client
accounts
- Don’t care: means that if a policy applies to a parent container, it
also applies to the child containers
- Deny: means that the capability cannot be used by the client accounts
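How Allow, Don't care and Deny resolve down a container hierarchy, as an added Python example (editor-written; not code from the deck or from the Group Policy engine): a chain of containers from the domain root to the account's OU is walked top down, a Don't care entry (or no entry) leaves the parent's value in force, and an Allow or Deny nearer the account overrides the parent. The container names and capability names in the sample chain are constructed; the override rule is the editor's model of the precedence described on the slide.

```python
from enum import Enum
from typing import Dict, List, Tuple


class Choice(Enum):
    ALLOW = "Allow"
    DONT_CARE = "Don't care"
    DENY = "Deny"


# One container's settings: capability name -> Choice. A missing capability counts as Don't care.
Container = Tuple[str, Dict[str, Choice]]


def effective_choice(chain: List[Container], capability: str) -> Choice:
    """chain runs from the domain root down to the container holding the account.
    Don't care keeps whatever the parent resolved to; Allow or Deny closer to the
    account overrides the parent's value (editor's model of the precedence)."""
    result = Choice.DONT_CARE
    for _name, settings in chain:
        choice = settings.get(capability, Choice.DONT_CARE)
        if choice is not Choice.DONT_CARE:
            result = choice
    return result


def decided_by(chain: List[Container], capability: str) -> str:
    """Name the container whose explicit setting produced the effective value; useful when
    a client can or cannot use an option and nobody remembers where it was set."""
    origin = "(unset everywhere)"
    for name, settings in chain:
        if settings.get(capability, Choice.DONT_CARE) is not Choice.DONT_CARE:
            origin = name
    return origin


def resolve_all(chain: List[Container], capabilities: List[str]) -> Dict[str, Choice]:
    return {cap: effective_choice(chain, cap) for cap in capabilities}


# Constructed sample hierarchy: domain -> Sales OU -> Laptops OU under Sales
SAMPLE_CHAIN: List[Container] = [
    ("example.local", {"automatic-setup": Choice.ALLOW, "custom-setup": Choice.DENY}),
    ("Sales", {"automatic-setup": Choice.DONT_CARE, "restart-setup": Choice.ALLOW}),
    ("Sales/Laptops", {"custom-setup": Choice.ALLOW}),
]
SAMPLE_CAPABILITIES = ["automatic-setup", "custom-setup", "restart-setup", "tools"]


if __name__ == "__main__":
    for cap, choice in resolve_all(SAMPLE_CHAIN, SAMPLE_CAPABILITIES).items():
        print(f"{cap:16} {choice.value:11} set at {decided_by(SAMPLE_CHAIN, cap)}")
```

The Sales OU says Don't care for automatic setup, so the domain's Allow flows through to the laptops; the laptop OU's Allow for custom setup overrides the domain's Deny. That second case is the one to watch for when a Deny at the domain is meant to be final: the value an account actually gets is the one set closest to it, not the one set highest up.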

Slide 62
- Preparing a server and domain entails configuring accounts and
configuring client computers
- Before configuring accounts, consult with members of your organization
about naming standards
- Set up account policies before configuring accounts

Slide 63
- After accounts are created, use the account properties capability to
supplement or modify parameters for the accounts, such as time of day
access restrictions
- Configure client computers to access Windows 2000 Server, such as
installing DSClient

Slide 64
- Manage clients by setting up group policies or system policies
- Use RIS to install multiple Windows 2000 Professional clients in order
to reduce your TCO