| Objectives This chapter covers the following Microsoft-specified objectives for the "Managing Users, Computers, and Groups" section of the Managing and Maintaining a Microsoft Windows Server 2003 Environment exam: Create and manage user accounts. Create and modify user accounts by using the Active Directory Users and Computers console Create and modify user accounts by using automation Import user accounts A primary function of a network administrator is to create and manage user accounts because user accounts are needed for users to authenticate to the network and to determine what resources the user can access. For a small network, creating and modifying the user accounts one at a time with a management tool is not too time consuming. But on a network with hundreds or thousands of users, it makes sense to use tools that automate the process. If the data about the users exists in some other form, such as a new-hire database, you can create the user accounts by importing them from a compatible file.
Manage local, roaming, and mandatory user profiles The settings for a user's work environment are stored in the user's profile. Any changes the user makes to the environment (Favorites, Start menu items, icons, colors, My Documents, Desktop, local settings, application-specific settings) are saved when the user logs off. The profile is reloaded when the user logs on again. It is important for administrators to know how to manage user profiles so that the users' settings are saved from session to session. If managed properly, this also ensures that the users see the same desktop no matter where they log on.
Create and manage computer accounts in an Active Directory environment Every computer running Windows NT, Windows 2000/2003, or Windows XP that is a member of a domain has a computer account in that domain. The computer account is a security principal, and it can be authenticated and granted permissions to access resources. A computer account is automatically created for each computer running these operating systems when the computer joins the domain.
Troubleshoot user accounts Troubleshoot account lockouts. Troubleshoot issues related to user account properties. With a large group of users, there are sure to be trouble calls every day from users having difficulties with their accounts. One system setting that often results in trouble calls is Account Lockouta user cannot log in because the account has been disabled after too many incorrect passwords were entered. Other problems can arise because of inappropriate settings in the user accounts.
Troubleshoot user-authentication issues Sometimes a user will not be able to log on to the network. This can be caused by simple factors, such as a user error when entering a user ID and password, or by more complex issues such as the computer account being unusable. The network administrator must be able to determine what is causing the problem and to promptly correct the situation.
Troubleshoot computer accounts Diagnose and resolve issues related to computer accounts by using the Active Directory Users and Computers MMC snap-in. Reset computer accounts. When a computer account is operating incorrectly, it may be impossible to log on to the domain from the computer. In this case it is necessary to reset the computer's account and rejoin the computer to the domain. This process reestablishes the secure relationship between the computer and the domain it is a member of.
Outline Introduction | 61 | Creating and Managing User Accounts | 61 | | | Creating and Modifying Local User Accounts | 62 | | | Creating and Modifying User Accounts Using Active Directory Users and Computers | 65 | | | Logging On to a Windows Server 2003 Domain Controller | 69 | | | Using the Active Directory Users and Computers Console | 70 | | | | Creating Domain Accounts | 70 | | | | Creating Domain User Accounts | 72 | | | | Saving Time with User Templates | 79 | | | Creating Accounts Using Automation | 82 | | | | Creating and Modifying User Accounts with Command-Line Tools | 82 | | | | Importing and Exporting User Accounts | 91 | | | Troubleshooting User Accounts | 96 | | | | Troubleshooting Account Lockouts | 96 | | | | Troubleshooting Issues Related to User Account Properties | 98 | | | Using Saved Queries | 100 | Managing Local, Roaming, and Mandatory User Profiles | 103 | | | Creating and Modifying Local User Profiles | 105 | | | Creating and Modifying Roaming User Profiles | 106 | | | Creating and Enforcing Mandatory User Profiles | 108 | Creating and Managing Computer Accounts in an Active Directory Environment | 109 | | | Creating Computer Accounts Using the Active Directory Users and Computers Console | 109 | | | Creating Computer Accounts by Joining the Domain | 110 | | | Troubleshooting Computer Accounts | 112 | | | Troubleshooting Issues Related to Computer Accounts by Using the Active Directory Users and Computers Console | 113 | Chapter Summary | 115 | | | Key Terms | 115 | Apply Your Knowledge | 116 |
Study Strategies In studying this section, be sure to practice all the activities described. Become very familiar with Active Directory Users and Computers, creating user and computer accounts, resetting user and computer accounts, and defining roaming profiles and mandatory profiles. Microsoft is proud of the new command-line directory-management toolsdsquery, dsadd, dsmod, and dsgetso be sure you know what each one is for as well as how to use it. Also be sure you understand pipingsending the output from one command as the input to another. Use both ldifde and csvde, but don't spend hours making them work. Understand what they are for, and get to know the command structure. Work through the exercises until you can explain authoritatively ldifde and csvde to a colleague. You will need access to a Windows Server 2003 domain controller. Many of the tools are new, or they differ from those available in Windows 2000, so don't try to get by with a Windows 2000 domain controller. You don't have to buy Windows Server 2003 to try it out. You can download a free evaluation version (which expires in 180 days) from www.microsoft.com/windowsserver2003/evaluation/trial/default.mspx.
|
