Designing a User and Computer Account Strategy

User and computer accounts represent physical entities within a network infrastructure. Some user accounts also represent specific services that are running on computers. In any case, user and computer accounts play an important role and serve the following purposes:

  • Accounts are used to authenticate entities on a network. Users log on to a domain with a user name and password that verifies their identity.

  • Accounts are used to grant and deny access to network resources. After an individual has been authenticated, access to network resources can be explicitly granted or denied by granting permissions to an account for a resource.

  • Accounts are used to audit actions performed on a network.

When designing a user and computer account strategy, one of the first things that must be determined is who will be responsible for creating and managing user and computer accounts.

At least one trusted individual should be granted the right to create user and computer accounts. You can do this by granting the User Account Creation right to a user. Because creating user and computer accounts poses a security threat, make sure that only trusted individuals are granted this right. Because unused user accounts also pose a security threat, a plan needs to be established that outlines how and when user accounts can be disabled. For example, a policy can be put in place to state that when an employee leaves the organization, that employee's user account is deleted.

Specifying Account Policy Requirements

Account policies contain various settings that control how users can interact on a local computer or on a network. Account policies consist of the following three components (see Figure 4.5):

  • Password policy: The password policy determines such things as how often users are required to change their password and the password history.

  • Account Lockout policy: The account lockout policy defines how the system monitors failed logon attempts and the action to take when a certain number of failed logon attempts is reached.

  • Kerberos policy: The Kerberos policy configures settings such as the maximum lifetime for user and service tickets.

Figure 4.5. Components of an account policy.


Account policies can be applied locally or through a GPO. Within a domain, only one account policy can exist and it must be configured at the domain level (using the default domain policy). Therefore, careful planning as to the account policy settings is required because they affect all computers and user accounts within a domain.


Because account policies are configured at the domain level, this could affect the Active Directory design. If a business requires separate account policies, multiple domains might be required.
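The three components above are exactly the settings that show up when the effective account policy on a domain controller is exported with `secedit /export /cfg C:\account-policy.inf`: the [System Access] section carries the password and lockout settings and the [Kerberos Policy] section carries the ticket lifetimes. The following script is an added example, not code from the book or from Microsoft. It parses such an export and checks each setting against a baseline, so the single domain-wide policy can be reviewed before it is applied to every account in the domain. The embedded template is constructed, and the baseline thresholds are this example's own choices rather than values from the page.

```python
"""Audit a secedit-exported security template against an account-policy baseline.

Assumptions (not from the page): the template comes from
`secedit /export /cfg C:\\account-policy.inf` on a domain controller, and the
baseline thresholds below are this example's own, not a vendor recommendation.
"""
import configparser

# Constructed sample export. Key names and sections mirror a real secedit
# template; values are chosen so the audit shows both passes and failures.
SAMPLE_TEMPLATE = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Baseline rules: (section, key, unit, test, requirement text).
# Units follow the template format: password ages in days, lockout timers in
# minutes, MaxTicketAge in hours, MaxServiceAge in minutes, MaxRenewAge in days.
BASELINE = [
    ("System Access", "MinimumPasswordLength", "characters", lambda v: v >= 14, "at least 14"),
    ("System Access", "PasswordHistorySize", "passwords", lambda v: v >= 24, "at least 24"),
    ("System Access", "MaximumPasswordAge", "days", lambda v: 1 <= v <= 90, "between 1 and 90"),
    ("System Access", "MinimumPasswordAge", "days", lambda v: v >= 1, "at least 1 (prevents cycling through the history)"),
    ("System Access", "PasswordComplexity", "flag", lambda v: v == 1, "enabled (1)"),
    ("System Access", "ClearTextPassword", "flag", lambda v: v == 0, "disabled (0)"),
    ("System Access", "LockoutBadCount", "attempts", lambda v: 1 <= v <= 10, "between 1 and 10 (0 disables lockout)"),
    ("System Access", "LockoutDuration", "minutes", lambda v: v == -1 or v >= 15, "at least 15, or -1 for administrator unlock"),
    ("System Access", "ResetLockoutCount", "minutes", lambda v: v >= 15, "at least 15"),
    ("Kerberos Policy", "MaxTicketAge", "hours", lambda v: 1 <= v <= 10, "between 1 and 10"),
    ("Kerberos Policy", "MaxServiceAge", "minutes", lambda v: 10 <= v <= 600, "between 10 and 600"),
    ("Kerberos Policy", "MaxRenewAge", "days", lambda v: 1 <= v <= 7, "between 1 and 7"),
    ("Kerberos Policy", "MaxClockSkew", "minutes", lambda v: v <= 5, "at most 5"),
    ("Kerberos Policy", "TicketValidateClient", "flag", lambda v: v == 1, "enabled (1)"),
]


def load_template(text):
    """Parse security-template INF text into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as secedit writes them
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def load_template_file(path):
    """Read a real export; secedit writes the file as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return load_template(fh.read())


def audit(policy, baseline=BASELINE):
    """Return findings as (section, key, value, requirement).

    A key missing from the export is reported with value None: the setting is
    'Not Defined' in this template, so its effective value is not known here.
    """
    findings = []
    for section, key, unit, ok, requirement in baseline:
        raw = policy.get(section, {}).get(key)
        if raw is None:
            findings.append((section, key, None, f"{requirement} {unit} (not defined)"))
            continue
        value = int(raw.strip().strip('"'))
        if not ok(value):
            findings.append((section, key, value, f"{requirement} {unit}"))
    return findings


if __name__ == "__main__":
    for section, key, value, requirement in audit(load_template(SAMPLE_TEMPLATE)):
        print(f"[{section}] {key} = {value!r}; required: {requirement}")
```

Because only one account policy can exist per domain, a review like this belongs before the settings are committed to the default domain policy; a value that is fine for one business unit but unacceptable for another is the case in which the text says a separate domain may be needed.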




MCSE Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure Exam Cram 2 (Exam Cram 70-297)
ISBN: 0789730154
Year: 2003
Pages: 152