Modifying User Accounts and Computer Accounts, MCSE Boot Camp Training get MCSE Boot Camp Certification join MCSE Boot camps

6.3.4 Modifying User Accounts and Computer Accounts

As the nature of you network changes, you may need to modify user accounts and computer accounts. This

may entail changing the account policies, or moving the accounts to another domain. You can use Active

Directory Users and Computers in Administrative Tools to modify user accounts and computer accounts.

To accomplish this, do the following:

ADMINISTRATIVE TOOLS

ACTIVE DIRECTORY USERS AND COMPUTERS

• Open the organizational container that contains the user account or computer account

that you want to modify

• In the Details pane, right-click the user account or computer account that you want to

• On the pop-up menu, click

to display the Properties dialog box

• In the Properties dialog box, modify the properties of the account as required

Using the command line You can also use the

command-line utility to modify the properties of one

or more existing user accounts or computer accounts in Active Directory. The

number of parameters, which allow you to modify any of the properties associated with the user account or

the computer account. The properties associated with user accounts correspond to the various tabs on the

User Account Properties dialog box and are listed in Table 6.2. The properties associate with computer

accounts correspond to the various tabs on the Computer Account Properties dialog box and are listed in

The syntax for modifying a user account with the

command-line utility is:

dsmod user <user_DN ...> [-upn <upn>] [-fn <first_name>] [-mi <initial>]

[-ln <last_name>] [-display <display_name>] [-empid <employee_ID>]

[-pwd (<password> | *)] [-desc <description>] [-office <office>]

[-tel <phone_number] [-email <e-mail_address>]

[-hometel <home_phone_number>] [-pager <pager_number>]

[-mobile <cell_phone_number>] [-fax <fax_number>]

[-iptel <IP_phone_number>] [-webpg <web_page>] [-title <title>]

[-dept <department>] [-company <company>] [-mgr <Manager]

[-hmdir <home_directory] [-hmdrv <drive_letter>:]

[-profile <profile_path] [-loscr <script_path] [-mustchpwd {yes | no}]

[-canchpwd {yes | no}] [-reversiblepwd {yes | no}]

[-pwdneverexpires {yes | no}] [-acctexpires <number_of_days]

[-disabled {yes | no}] [{-s <server> | -d <domain>}] [-u <user_name>]

[-p {<password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

The syntax for modifying a computer account with the

command-line utility is:

dsmod computer <computer_DN ...> [-desc <description>] [-loc <location>]

[-disabled {yes | no}] [-reset] [{-s <server> | -d <domain>}]

[-u <user_name>] [-p{<password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

The parameters for the

command-line utility are discussed in Table 6.4.

TABLE 6.2: The User Account Properties

The name, description, display name, office location,

telephone number, e-mail address, and web page of the

The street address, post office box, city, state/province,

zip/postal code, and country of the user.

The logon name, account options, unlock account, and

account expiration for the user account.

The profile path and home folder for the user account.

The home telephone number, pager, mobile phone number,

fax number, and Internet Protocol (IP) phone number of the

The title of the user, department to which the user is

attached, the manager, and direct reports for the user.

The groups to which the user belongs.

The remote access permissions, callback options, and static

IP address and routes for the user account.

Specifies the starting applications and the client devices to

connect to when the user account is used to logon to Terminal

Terminal Services settings for the user account.

Terminal Services remote control settings for the user

Terminal Services Profile The Terminal Services profile path and the Terminal

Services home folder for the user account.

The COM+ partition set to which the user has membership

TABLE 6.3: The Computer Account Properties

The pre-Windows 2000 computer name, DNS name, role,

and description of the computer.

The name, version, and service pack installed on the

The groups to which the computer belongs.

The physical location of the computer.

The name, office, street address, city, state/province,

country/region, telephone number and fax number of the

administrator responsible for managing the computer.

The remote access permissions, callback options, and static

IP address and routes for the computer account.

TABLE 6.4: The Dsmod Command-line Parameters

Specifies the distinguished names (DNs) of one or

more user accounts to modify.

computer <computer_DN ...>

Specifies the distinguished names (DNs) of one or

more computers to modify.

Sets the user's User Principal Name to the value

Sets the user's first name to the value specified in

Sets the user's initials to the value specified in

Sets the user's surname to the value specified in

-display <display_name>

Sets the user account's display name to the value

-empid <employee_ID>

Sets the user's Employee ID to the value specified in

-pwd {<password> | *}

Resets the password for the user account to the value

is specified, the user

must specify a password when he or she next logs

Sets the computer or user account description to

Sets the user's office location to the value specified

Sets the user's telephone number to the value

-email <e-mail_address>

Sets the user's e-mail address to the value specified

-hometel <home_phone_number>

Sets the user's home telephone number to the value

-pager <pager_number>

Sets the user's pager number to the value specified in

-mobile <cell_phone_number>

Sets the user's cell phone number to the value

Sets the user's fax number to the value specified in

-iptel <IP_phone_number>

Sets the user's IP phone number to the value

Sets the user's web page to the value specified in

Sets the user's title to the value specified in

Sets the user's department to the value specified in

Sets the user's company to the value specified in

Sets the user's manager to the value specified in

-hmdir <home_directory>

Sets the user's home directory to the value specified

-hmdrv <drive_letter>:

Sets the user's home drive letter to the value

-profile <profile_path>

Sets the user's profile path to the value specified in

-loscr <script_path>

Sets the user's logon script path to the value specified

-mustchpwd {yes | no}

, specifies that the user must change his

or her password at the next logon. If

-canchpwd {yes | no}

, specifies that the user can change his or

-reversiblepwd {yes | no}

, specifies that the user's password must

be stored using reversible encryption.

-pwdneverexpires {yes | no}

, specifies that the user's password never

-acctexpires <number_of_days>

Sets the user account to expire in the specified

account expires at the end of the day;

is a positive integer, the account

is a negative integer, the account

expires in the past; and if

", the account never expires.

-disabled {yes | no}

Sets the computer account or user account to

switch is specified or enabled if

switch is specified.

-s <server> | -d <domain>

connects to the domain controller with

connects to a domain controller in the specified

Specifies the user account to use when connecting.

-p{ <password> | * }

specifies the password to be used

with the user account to use when connecting while

specifies that the command prompt the user for

a password when connecting

Sets the command to run in continuous mode. In this

mode, the command reports errors but continues with

the next computer or user account in the argument

list when multiple computer objects are specified in

Sets the command to run in quiet mode. In this mode,

all command output is suppressed to the standard

Specifies that the input from or output to pipe is

formatted in Unicode.

Specifies that the output to pipe or file is formatted in

Specifies that the input to pipe or file is formatted in

only to set the computer

Best Practices for NPS

Updated: March 14, 2008

Applies To: Windows Server 2008, Windows Server 2008 R2

This topic provides best practices for implementing and configuring NPS and is based on recommendations from Microsoft Product Support Services.

Installation

Before installing NPS, do the following:

Install and test each of your network access servers by using local authentication methods before you make them RADIUS clients.
After you install and configure NPS, save the configuration by using the netsh nps export command. Use this command to save the NPS configuration to an XML file every time a configuration change is made.
If you install additional Extensible Authentication Protocol (EAP) types on your NPS server, ensure that you document the server configuration in case you need to rebuild the server or duplicate the configuration on other NPS servers.
If you install additional system health validators (SHVs) on your NPS server, ensure that you document the server configuration in case you need to rebuild the server or duplicate the configuration on other NPS servers.
Do not install Windows Server 2008 on the same partition with another version of Windows Server.
Do not configure a server running NPS or the Routing and Remote Access service as a member of a Windows NT Server 4.0 domain if your user accounts database is stored on a domain controller running Windows Server 2008 in another domain. Doing this will cause Lightweight Directory Access Protocol (LDAP) queries from the NPS server to the domain controller to fail.

Instead, configure your server running NPS or Routing and Remote Access as a member of a Windows Server 2008 domain. An alternative is to configure a server running NPS as a RADIUS proxy server that forwards authentication and accounting requests from the Windows NT Server 4.0 domain to an NPS server in the Windows Server 2008 domain.

Client computer configuration

Following are the best practices for client computer configuration:

Automatically configure all of your domain member 802.1X client computers by using Group Policy.
Automatically configure all of your domain member NAP-capable clients by importing NAP client configuration files into Group Policy.

Authentication

Following are the best practices for authentication:

Use authentication methods, such as Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol (EAP), that provide authentication types, such as Transport Layer Security (EAP-TLS and PEAP-TLS) and Microsoft Challenge Handshake Authentication Protocol version two (PEAP-MS-CHAP v2), that support the use of certificates for strong authentication. Do not use password-based authentication methods because they are vulnerable to a variety of attacks and are not secure.
Use PEAP, which is required for all Network Access Protection (NAP) enforcement methods. Determine the PEAP authentication types that you want to use, such as PEAP-TLS and PEAP-MS-CHAP v2, and then plan and deploy your public key infrastructure (PKI) to ensure that all computers and users can enroll the certificates required by the authentication types.
Deploy a certification authority (CA) by using Active Directory® Certificate Services (AD CS) if you use strong certificate-based authentication methods that require the use of a server certificate on NPS servers. You can also use your CA to deploy computer certificates to domain member computers and user certificates to members of the Users group in Active Directory.

Security issues

Your NPS server provides authentication, authorization, and accounting for connection attempts to your organization network. You can protect your NPS server and RADIUS messages from unwanted internal and external intrusion.

When you are administering an NPS server remotely, do not send sensitive or confidential data (for example, shared secrets or passwords) over the network in plaintext. There are two recommended methods for remote administration of NPS servers:

Use Remote Desktop Connection to access the NPS server.

When Remote Desktop Connection users log on, they can view only their individual client sessions, which are managed by the server and are independent of each other. In addition, Remote Desktop Connection provides 128-bit encryption between client and server.
Use Internet Protocol security (IPsec) to encrypt confidential data.

If you manage one or more remote NPS servers from a local NPS server by using the NPS Microsoft Management Console (MMC) snap-in, you can use IPsec to encrypt communication between the local NPS server and the remote NPS server.

Accounting

There are two types of accounting, or logging, in NPS:

Event logging for NPS. You can use event logging to record NPS events in the system and security event logs. Recording NPS events to the security event log is a new feature in Windows Server 2008, and much more information is logged for NPS than in previous operating system versions for Internet Authentication Service (IAS). This information is used primarily for auditing and troubleshooting connection attempts.
Logging user authentication and accounting requests. You can log user authentication and accounting requests to log files in text format or database format, or you can log to a stored procedure in a SQL Server 2000, SQL Server 2005, or SQL Server 2008 database. Request logging is used primarily for connection analysis and billing purposes, and is also useful as a security investigation tool, providing you with a method of tracking down activity after an attack.

To make the most effective use of NPS logging:

Turn on logging (initially) for both authentication and accounting records. Modify these selections after you have determined what is appropriate for your environment.
Ensure that event logging is configured with a capacity that is sufficient to maintain your logs.
Back up all log files on a regular basis because they cannot be recreated after they are damaged or deleted.
For billing purposes, use the RADIUS Class attribute to both track usage and simplify the identification of which department or user to charge for usage. Although the automatically generated Class attribute is unique for each request, duplicate records might exist in cases when the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to accurately track usage.
If you use SQL Server logging, ensure that you store credentials and other connection properties in a secure location. This information is not exported to file when you use the netsh nps export command.
To provide failover and redundancy with SQL Server logging, place two computers running SQL Server on different subnets. Use the SQL Server tools to set up database replication between the two servers. For more information, see SQL Server documentation.

MCSE CCNA Boot Camp Notes :

Exam 70-411: Administering Windows Server 2012

1: Implementing a Group Policy Infrastructure

2: Managing User Desktops with Group Policy

3: Managing User and Service Accounts

4: Maintaining Active Directory Domain Services

5: Configuring and Troubleshooting Domain Name System (DNS)

6: Configuring and Troubleshooting Remote Access

Installation

Client computer configuration

Authentication

Security issues

Accounting