Windows Server 2012 R2 User Account Management
User Account Management
What is a User Account?
A user account is an object in AD DS that controls authentication and validates access to resources. It contains many attributes about a particular user on your network.
Traditional Active Directory Management Tools
At this stage, it is important to get familiar
with some of the management tools an administrator is likely to come across in
the execution of their daily tasks.
Active Directory Users and Computers – This tool is typically used daily to manage Active Directory objects such as users, groups, computers and OUs. Users with expired passwords or locked accounts are common in network setups, and this tool will help you reset their accounts and get them back up and running.
Active Directory Sites and Services – This tool is used to manage sites, network topology, replication and related services.
Active Directory Domains and Trusts – A useful tool for managing trust relationships and the forest functional level.
Active Directory Schema – This tool is not installed by default and is used to manage the schema.
Command Line Tools – A collection of tools used for basic scripting and command line management.
New Active Directory Management Tools
The arrival of Windows Server 2012 R2 saw some additional tools added by Microsoft to further extend the
functionality and management of the operating system.
Active Directory Administrative Center – A GUI built on Windows PowerShell with an enhanced interface to perform object management using task-oriented navigation.
Windows PowerShell – A command line application, like CMD, that is used to create and manage objects and provides scripting capabilities.
Creating User Accounts
Before we begin to create users on our server, some steps are required, as by default the tools are not readily in view. Click Start to access the menu and right-click on Active Directory Users and Computers. This will become your most frequently used tool, so it is advisable to pin it to your taskbar. Options will appear below the menu where you can choose to pin this tool for easy access.
Active Directory Users and Computers
Launching the tool we just
pinned above will open a very important administrative section of our Windows
Server 2012 operating system.
Here, you will see the domain you created along with a few default containers such as Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, Managed Service Accounts and Users, which are extremely vital to administering resources on your server.
Right-clicking the Users container on the left opens a menu from which you can select New > User to display the object screen as above. As you will discover later when we explore servers further, you can also copy an existing user account to inherit permissions from that account, such as access to certain security groups.
Click Next to choose a secure password for the user and notice the tick options: ‘User must change password on next logon’, ‘User cannot change password’, ‘Password never expires’ and ‘Account disabled’.
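The same account can be created from Windows PowerShell, with each tick option mapped to a parameter. This is an added example, not part of the original tutorial: it assumes the ActiveDirectory module is installed, and the function name New-StaffUser, the OU path, the domain suffix and the user 'jdoe' are constructed placeholders.

```powershell
# Added example: create a user with the same options as the New > User wizard.
# Assumes the ActiveDirectory module (RSAT) is installed on this machine.
# 'OU=Staff,DC=corp,DC=example', 'corp.example' and 'jdoe' are placeholders.
Import-Module ActiveDirectory

function New-StaffUser {
    param(
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Path      = 'OU=Staff,DC=corp,DC=example',
        [string] $UpnSuffix = 'corp.example',
        [switch] $PasswordNeverExpires,   # 'Password never expires'
        [switch] $CannotChangePassword,   # 'User cannot change password'
        [switch] $Disabled                # 'Account disabled'
    )

    # 'User must change password on next logon' cannot be combined with
    # either of the other two password options, so it is derived here.
    $mustChange = -not ($PasswordNeverExpires -or $CannotChangePassword)

    # Prompt for the initial password so it never sits in script text or history.
    $password = Read-Host -AsSecureString "Initial password for $SamAccountName"

    $settings = @{
        Name                  = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        SamAccountName        = $SamAccountName
        UserPrincipalName     = "$SamAccountName@$UpnSuffix"
        Path                  = $Path
        AccountPassword       = $password
        ChangePasswordAtLogon = $mustChange
        PasswordNeverExpires  = [bool]$PasswordNeverExpires
        CannotChangePassword  = [bool]$CannotChangePassword
        Enabled               = -not $Disabled
    }
    New-ADUser @settings -PassThru
}

# Typical interactive account: enabled, forced password change at first logon.
New-StaffUser -GivenName 'Jane' -Surname 'Doe' -SamAccountName 'jdoe'
```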
User Account Object Overview
Now that we have a new user created, let’s take a closer look at the user object itself to get familiar with some of the properties. Right-click the user we just created and select Properties as shown below.
1. General Tab: More information about the new user, such as first and last name, contact details and the email address created on your Exchange server, can be found here.
2. Address Tab: Further information about the new user, such as street number, post code and country, can be populated in this tab. Third party applications like Exclaimer could leverage this for managing company signatures, something we shall learn about in advanced future lessons.
3. Member Of Tab: This tab reveals vital information about the security groups the user belongs to. Notice you have the ability to add and remove groups specific to each user, to control the resources they have access to in your server environment.
4. Organization Tab: You can further define your new user in this tab with job title, department and the company they work for. Click Apply for any changes made to take effect.
5. Account Tab: Administrators will find themselves in this tab a lot. User accounts can be unlocked, and password policy changes and account expiry dates can be set, in this interface. The user's logon name and domain, useful when a client forgets their credentials, are also present in this tab.
6. Logon Hours: Administrators may sometimes wish to set up a time frame during the week when users can access the server. In the Account tab, click Logon Hours to display the days and times when a user can be permitted or denied logon for security reasons.
7. Logon To: Another important and useful security feature is the ability to lock down the workstations from which a user is allowed to access the server. Click Logon To in the Account tab to add or remove computers designated for a particular user to log on. A user trying to access resources from an unassigned workstation will have their authentication denied.
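The Account tab settings described above can be reviewed across every user at once instead of opening each Properties dialog. This is an added example, not part of the original tutorial: it assumes the ActiveDirectory module is installed, and the function name Get-AccountSettingReview and the search base 'DC=corp,DC=example' are placeholders.

```powershell
# Added example: flag accounts whose Account-tab settings deserve a review.
# Assumes the ActiveDirectory module; 'DC=corp,DC=example' is a placeholder.
Import-Module ActiveDirectory

function Get-AccountSettingReview {
    param([string] $SearchBase = 'DC=corp,DC=example')

    $props = 'PasswordNeverExpires', 'CannotChangePassword', 'LockedOut',
             'LogonWorkstations', 'logonHours', 'AccountExpirationDate'

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties $props | ForEach-Object {
        $user  = $_
        $notes = @()
        if (-not $user.Enabled)         { $notes += 'account disabled' }
        if ($user.LockedOut)            { $notes += 'locked out' }
        if ($user.PasswordNeverExpires) { $notes += 'password never expires' }
        if ($user.CannotChangePassword) { $notes += 'user cannot change password' }
        if ($user.Enabled -and $user.AccountExpirationDate -and
            $user.AccountExpirationDate -lt (Get-Date)) {
            $notes += 'past expiry date but still enabled'
        }

        # logonHours holds 21 bytes, one bit per hour of the week. An unset
        # attribute or all bytes 0xFF means logon is permitted at any time.
        $hours = $user.logonHours
        $restrictedHours = $false
        if ($hours) {
            $restrictedHours = @($hours | Where-Object { $_ -ne 255 }).Count -gt 0
        }

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            LogonTo        = if ($user.LogonWorkstations) { $user.LogonWorkstations } else { 'any workstation' }
            LogonHours     = if ($restrictedHours) { 'restricted' } else { 'any time' }
            Notes          = $notes -join '; '
        }
    }
}

# Show only the accounts that raised at least one note.
Get-AccountSettingReview | Where-Object Notes | Format-Table -AutoSize
```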
User Account Administrative Tasks
Server administrators in
active environments will frequently get user related queries when there is a
problem accessing an account. Below, we’ll discuss some of the commonly known
requests and how to administer those tasks.
1. Copying An Existing User: This feature comes in handy when you have a new employee starting at a department with existing users and resource permissions already assigned. Right-click the user and select Copy from the menu to display the user object as below.
Populate the fields with your new user credentials, including a strong password. Note that all policies from the existing user will be inherited by the new user.
Double check the summary to ensure the existing user has been copied and click Finish.
You can confirm the new account has been created when you check the Member Of properties.
2. Resetting User Account Password: This task will most likely be the most requested task from users to their administrators. Passwords may be set to expire after a period of time, or users may no longer be able to access their emails with the passwords they already have. In Active Directory services, locate the user and right-click on their object > select Reset Password > type in the new password > Apply.
3. Disabling An Active User Account: In the event an employee leaves the company, administrators usually get a request from managers to delete the user account.
Bearing in mind that every Active Directory object carries a unique identifier, it is best practice to disable the account, preventing the user from ever logging on until you are 100% sure the user's email account, for example, will no longer be needed.
Right-click on the user in question and select Disable Account. You will be prompted to disable the account and proceed with your action. Notice the state of the object when disabled, marked with a downward arrow.
You can always re-enable the account again by right-clicking and selecting Enable Account.
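The password reset and disable tasks above can also be carried out from Windows PowerShell. This is an added example, not part of the original tutorial: it assumes the ActiveDirectory module is installed, and the function names Reset-UserPassword and Disable-Leaver, the ticket reference and the user 'jdoe' are placeholders.

```powershell
# Added example: helpdesk password reset and leaver handling.
# Assumes the ActiveDirectory module; 'jdoe' and the ticket id are placeholders.
Import-Module ActiveDirectory

function Reset-UserPassword {
    param([Parameter(Mandatory)] [string] $Identity)

    # Prompt for the temporary password so it never sits in script text.
    $temporary = Read-Host -AsSecureString "Temporary password for $Identity"
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $temporary

    # The administrator knows the temporary password, so force the user to
    # replace it at next logon. This call fails if 'Password never expires'
    # is set on the account.
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true

    # Clear any lockout caused by attempts with the old password.
    Unlock-ADAccount -Identity $Identity
}

function Disable-Leaver {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $Ticket = 'TICKET-PLACEHOLDER'
    )

    $user = Get-ADUser -Identity $Identity -Properties MemberOf

    # Disable rather than delete: the object keeps its unique identifier
    # (SID), so group memberships and the mailbox link survive a re-enable.
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format yyyy-MM-dd) ($Ticket)"

    # Return a record of what was disabled for the change log.
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        SID            = $user.SID.Value
        Groups         = $user.MemberOf
        DisabledOn     = Get-Date
    }
}

Reset-UserPassword -Identity 'jdoe'
# Disable-Leaver -Identity 'jdoe'     # undo later with: Enable-ADAccount -Identity 'jdoe'
```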
Next Steps
Congratulations for making it this far in the course; hopefully your understanding of managing user accounts on your server has become clearer after practicing these tutorials.
Join us again as we dive deeper into Windows Server 2012 R2 configuration for our next topic in Computer Account Management. Thanks for investing your time with us.
Written By: www.codexploitcybersecurity.com Twitter: @ixploitsecurity Facebook: https://www.facebook.com/icybersecure
Credits to all organisations and development teams at Microsoft Corporation