Section 11.8. Planning and Implementing Computer, User, and Group Strategies | MCSE Core Required Exams in a Nutshell: The required 70: 290, 291, 293 and 294 Exams (In a Nutshell (OReilly))

11.8. Planning and Implementing Computer, User, and Group Strategies

In the Exam 70-290 Study Guide, I provided a detailed discussion on planning and implementing users, computers, and groups. For Exam 70-294, you are expected to be able to plan a security group strategy, which requires a strong understanding of group types, group scopes, implicit groups, creating groups, setting group membership, and maintaining groupsall of which are discussed in the section of Chapter 2 titled, "Managing Groups in an Active Directory Environment."

Exam 70-294 also expects you to be able to plan a user authentication strategy using smart cards and strict password policies. These policies are critically important for ensuring the security of the network. Smart cards are small card-sized devices that contain memory and/or integrated circuitry for storing digital certificates used in logon authentication. For remote access users, Extensible Authentication Protocol (EAP) is the only authentication protocol you can use.

Using Active Directory Users And Computers, you can require users to use smart cards for authentication by completing the following steps:

Right-clicking the account and then select Properties.
On the Account tab, select Smart Card Is Required For Interactive Logon. This ensures that use of a smart card and reader for logon and authentication is required. This option resets the Password Never Expires option to be enabled.
Click OK.

To use smart cards for authentication, you must install smart card reader devices on computers and set up a smart card to use for user logon. Smart cards contain a user's digital certificate and private key, allowing the user to be authenticated when logging on the network. With smart cards, only enterprise CAs can be used because they have smart card certificates in Active Directory.

As preparation for Exam 70-294, you should also review the section of Chapter 2 titled "Managing User Access and Authentication." Password policies control how passwords are managed, whether they expire, and when they expire. In Group Policy, password policies are stored under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.

Account lockout policies control whether and how accounts are locked out if successive invalid passwords are provided. In Group Policy, password policies are stored under Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

To configure password policy and account policy for domain users, you should configure the related policies using the Default Domain Policy GPO. If you are using the Group Policy Management Console, the Default Domain Policy GPO is accessible when you click the domain name in the console tree. You then need to right-click the Default Domain Policy node and select Edit. If you want only to work with security settings in the Default Domain Policy GPO, you can use the Domain Security Policy console, which is found on the Administrative Tools menu.