
Creating and Managing User Accounts


Understanding User Accounts

User accounts are required to log on to a Windows NT, Windows 2000, Windows XP and Windows Server 2003 network. User accounts are used for authentication, authorization, and auditing. A user’s account and password are used to authenticate a particular user/person connecting to the network. Authorization deals with controlling access to domain resources. When users have unique user accounts, you can audit which resources are being accessed by a user. In addition to user accounts being used by users to access network resources, user accounts are also used as service accounts for applications.

In Windows Server 2003, local user accounts and domain user accounts are defined. Local user accounts are defined on the local computer. Local user accounts can only access the local computer. Local user accounts have to be authenticated prior to accessing any network resources. These accounts can only access the resources on the computer where they are created. They cannot log on to the domain. The Local Users And Groups utility is used to create local user accounts. Local user accounts on a stand-alone server or XP Professional workstation are saved to the Security Accounts Manager (SAM) database.

Domain user accounts are defined in Active Directory, and are created in the Active Directory Users and Computers (ADUC) utility. Domain user accounts can access resources in the domain.


Default Windows Server 2003 User Accounts

The default users that are installed when you install Windows Server 2003 are built-in user accounts and predefined user accounts. You cannot delete any default users; you can, however, change the default accounts.


Built-in user accounts are installed with the Operating System (OS), and applications. Windows Server 2003 has the following three built-in user accounts: LocalSystem, LocalService, and NetworkService.

The LocalSystem built-in user account is a pseudo account that is used for running system processes. Services normally run under this account. Certain services are also allowed to interact with the desktop. LocalSystem grants the Log On As A Service logon right.

The LocalService built-in user account is also a pseudo account. Services running under the LocalService account have the Log On As A Service logon right, and have the Change The System Time and Generate Security Audits privileges as well. A few services under LocalService are Messenger, Remote Registry, Smart Card, Uninterruptible Power Supply and WebClient.

The NetworkService built-in user account is another pseudo account for those services which need logon rights and privileges on the local system and network. These services have the Log On As A Service logon right, and have the Change The System Time and Generate Security Audits privileges. A few services under NetworkService are DNS Client, Performance Logs and Alerts and Remote Procedure Call Locator.


The following predefined user accounts are installed with Windows Server 2003: Administrator, Guest, Support and ASPNET. The predefined user accounts have domain access. They are different from the local accounts.

The Administrator predefined user account supplies access to services, files and directories. The Administrator account in Active Directory has domain-wide access and privileges. This account cannot be deleted. In a domain, the Administrator account is a member of the Administrators, Domain Admins, Enterprise Admins, Domain Users, Group Policy Creator Owners and Schema Admins groups. When working with domains, the local Administrator account is mainly used when you set up the system. Once the system is installed, administrators are typically made members of the Administrators group. The local Administrator account is then no longer used. You can easily remove administrative rights when administrators are members of the Administrators group. Ensure that the local Administrator account has a secure password. You can also rename the account, and create a decoy Administrator account that has no permissions. If the Administrator account’s password is weak, unauthorized individuals might be able to access the domain or system.

The Guest account is normally used for users who need infrequent access. The Guest account is disabled by default when Windows Server 2003 is installed. This account is a member of the Domain Guests and Guests groups. Because the Guest account is a member of the Everyone group, it has access to files and folders. It is recommended to restrict the use of the Guest account. You can also rename the Guest account, and you should change its password regularly.

The Support account is a member of the HelpServicesGroup and Domain Users groups, and is used by the Help And Support service. Because the account can log on as a batch job, it can execute batch updates.

The ASPNET account is a member of the Domain Users Group, and is used by the .NET framework. It can execute ASP.NET worker processes.



Username and Password Rules/Conventions

When you create a new user, you have to supply a valid username that conforms to the Windows 2003 rules for usernames. These rules dictate that the username must be unique to the user: the new username has to differ from all existing usernames and group names. The username cannot consist solely of spaces or periods, and it cannot contain any of the following characters: / \ [ ] : ; | = , + ? < > ". You should also consider using a naming convention for your usernames.

Password rules are based on the settings defined in password policies. Password policies are configured through the following settings:

  • Enforce Password History. Used to prohibit users from reusing a previous password when they specify a new password. By default, 24 passwords are remembered.

  • Maximum Password Age. Indicates the time, in days, that a user can keep the same password. The default setting is 42 days.

  • Minimum Password Age. Indicates the time, in days, that a user is required to keep the same password before changing it. The default setting is 1 day.

  • Minimum Password Length. Indicates the least number of characters a password has to have. The default setting is 7 characters.

  • Password Must Meet Complexity Requirements. The password in this case has to be at least six characters in length, and cannot include the account name of the user. The password also has to include characters from three of these four groups: numbers, non-alphanumeric characters, English uppercase letters, and English lowercase letters. The default setting is enabled.

  • Store Passwords Using Reversible Encryption. Indicates whether the OS uses reversible encryption when storing the password of the user. The default setting is disabled.


A good password should not be an alteration of the logon name, and should definitely not be the name of the user. It should at least be seven characters in length, and should include two alphabetic characters and a non-alphabetic character.
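The username and password rules above, implemented as checks an administrator could run before creating or resetting an account. This is an added example, not code from the original article or from any Microsoft tool; the function names are my own, the complexity check approximates the policy as the article states it rather than reproducing every detail of the Windows implementation, and password history is kept as plain values only to illustrate the rule.

```python
"""Username and password checks modelled on the Windows Server 2003 rules
described above. Constructed example; function names are assumptions."""

# Characters that may not appear anywhere in a Windows username.
FORBIDDEN_USERNAME_CHARS = set('/\\[]:;|=,+?<>"')

# Policy defaults quoted in the article.
MIN_PASSWORD_LENGTH = 7       # Minimum Password Length default
COMPLEXITY_MIN_LENGTH = 6     # length floor inside the complexity rule
PASSWORD_HISTORY = 24         # Enforce Password History default


def validate_username(name, existing_names=()):
    """Return a list of rule violations (an empty list means the name is valid).

    existing_names: usernames and group names already in use. Windows compares
    names case-insensitively, so 'JDoe' clashes with 'jdoe'."""
    problems = []
    if not name or all(c in " ." for c in name):
        problems.append("username cannot consist solely of spaces or periods")
    bad = sorted(set(name) & FORBIDDEN_USERNAME_CHARS)
    if bad:
        problems.append("username contains forbidden characters: " + " ".join(bad))
    if name.lower() in {n.lower() for n in existing_names}:
        problems.append("username duplicates an existing user or group name")
    return problems


def meets_complexity(password, account_name):
    """Approximation of 'Password must meet complexity requirements':
    at least 6 characters, must not contain the account name, and characters
    from at least three of the four groups (upper, lower, digit, symbol)."""
    if len(password) < COMPLEXITY_MIN_LENGTH:
        return False
    if account_name and account_name.lower() in password.lower():
        return False
    groups = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(groups) >= 3


def check_new_password(password, account_name, history,
                       min_length=MIN_PASSWORD_LENGTH):
    """Combine the checks that apply when a password is set or reset:
    minimum length, complexity, and the history rule (the last 24 passwords
    may not be reused). `history` holds previous passwords, newest first;
    a real directory stores hashes, plain values are used here only to show
    the rule. Returns a list of violations."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than the minimum length of {min_length}")
    if not meets_complexity(password, account_name):
        problems.append("does not meet complexity requirements")
    if password in history[:PASSWORD_HISTORY]:
        problems.append(f"reuses one of the last {PASSWORD_HISTORY} passwords")
    return problems
```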



Creating Users in Active Directory via Active Directory Users and Computers (ADUC)

With Active Directory, the Administrator, Guest and HelpAssistant user accounts are created by default when you create the domain. The Administrator account is enabled by default, and has the Full Control permission. The Administrator account is a member of the Administrators, Domain Admins, Enterprise Admins, Group Policy Creator Owners and Schema Admins groups. This account cannot be deleted. The Guest account is disabled by default, and is a member of the Guests group and the Domain Guests global group. The Guest account can be used by an individual who needs to access the network but does not have a domain account. The HelpAssistant account is used for making a Remote Assistance connection. This account has limited access privileges. The HelpAssistant account is created and deleted dynamically, based on Remote Assistance requests.

With Active Directory, a user has to be authenticated prior to logging on to the domain. The user account, user logon name and password, and unique security identifier (SID) form the basis of authentication. When a new user is created, a SID is created automatically for the user account on the computer. The SID includes the username. When an Administrator performs tasks, the username is used and not the SID. Windows Server 2003 uses the SID to identify the user object. This makes it possible for you to rename a user and still keep the user’s properties as they are. You can also reuse the same username after deleting an account, when you need to create the account again. The recreated account receives a new SID, and retains none of the properties of the prior account.

A user account is incorporated in the Active Directory user object. When a user logs on to an Active Directory domain, the username and password specified by the user are authenticated by Active Directory.


With Active Directory, the built-in user accounts that can be used to log on with initially are the Administrator account, and Guest Account. The other accounts have to be created. From the Windows 2000 era, Active Directory Users and Computers (ADUC) has been the administrative tool mainly used to manage user accounts, groups, OUs, and policies in domains. You can create domain user accounts in the default Users OU. Alternatively, you can define a different OU for these accounts.


  1. Open Active Directory Users And Computers from the Administrative Tools menu.

  2. Right-click the container where you want to create the new user account.

  3. Click New.

  4. Click User from the shortcut menu.

  5. When the New Object – User dialog box appears, provide the necessary user information. The First Name, Initial, and Last Name fields are not compulsory. However, if you complete the First Name and Last Name fields, the Full Name field is automatically populated. The Full Name field has to be completed. The information provided in the Full Name field has to be unique in the OU where the user account is created. The information from this field creates user object properties such as common name, distinguished name, name and display name. The User Logon Name field has to be completed. Here you indicate the username that will be used during logon. You should do so in accordance with your naming convention. The information specified in the User Logon Name field should be unique in Active Directory. The User logon name (pre-Windows 2000) field is automatically populated when you complete the User Logon Name field. Click Next.

  6. In the following page, you have to provide a password and specify password polices for the new user account. It is compulsory to enter a password for the new user account. If the User Must Change Password at Next Logon checkbox is enabled, a user is compelled to change their password at next logon. The box becomes unchecked after the password is changed. If you select this option, you cannot select the Password Never Expires checkbox. If you enable the User Cannot Change Password checkbox, the user will be unable to change the password. This setting is typically used for shared accounts. If you enable the Password Never Expires checkbox, the password of the user account never expires. Enabling the Account Is Disabled checkbox disables the account.


The process for creating a user account is pretty straightforward. Managing user accounts, on the other hand, is not as simple.



Managing User Objects with Active Directory Users And Computers (ADUC)

When you right-click a user account object in ADUC, a few options are displayed in the shortcut menu. The options available include copy the account, perform group membership tasks, disable or enable the account, reset the password of the user, move the account to another OU, open the home page of the user, and send the user email. You can delete or rename the user account from this shortcut menu as well. When you select Properties from the menu, 13 different properties tabs are displayed for the user. These tabs are used to manage Active Directory user objects.


The General tab contains information on the user account. It contains the information which you provided when you initially created the user account such as First name, Last Name, and Display name. You can enter information in the Description field and Office field, and user contact information in the Telephone, E-mail, and Web Page URL fields.


You can supply address details for the user on the Address tab. The fields located on this tab are Street Name, P.O. Box, City, State, Zip Code, and Country.


The Account tab contains the logon information provided when the user account was created. You can manage the account of the user from the Account tab. The following can be configured from the Account tab:

  • A user’s logon name, user principal name (UPN) and UPN suffix

  • The pre-Windows 2000 user logon name

  • Account lockout options

  • Account expire settings

  • The logon hours for the user

  • Specify computers that the user is permitted to log on to


The Account options area holds the following options for user accounts:


  • User must change password at next logon. This option compels the user to change their password at next logon. This option is typically used when the user’s password has to be reset.

  • User cannot change password. This option prohibits the user from changing the password.

  • Password never expires. This option overrules the domain’s account policy. Checking this option results in the user’s password never expiring.

  • Store passwords using reversible encryption. This option is usually enabled for users logging on from Apple computers. When enabled, a plain text copy of the user’s password is stored.

  • Account is disabled. When checked, the account is disabled. It has to be enabled in order for it to be used again.

  • Smart card is required for interactive logon. When enabled, a user logs on using a smart card. The user does not provide username and password details, but a PIN, to log on to the system.

  • Account is trusted for delegation. This option is typically enabled for service accounts that have to access resources for certain user accounts. The Account is trusted for delegation option normally remains unchecked.

  • Account is sensitive and cannot be delegated. Checking this option ensures that the account is not delegated by another account. This option should be enabled for guest and temporary accounts.

  • Use DES encryption types for this account. You can check this option to enable DES support for MPPE Standard (40-bit), MPPE Standard (56-bit), MPPE Strong (128-bit), IPSec DES (40-bit), IPSec 56-bit DES and IPSec Triple DES (3DES).

  • Do not require Kerberos preauthentication. When enabled, the account can use a different implementation of the Kerberos protocol.


In addition to the above, the Account tab is also the location where you configure Logon Hour restrictions and Logon Workstation restrictions. Click on the Logon Hours button to configure the time that a user can access the domain. The default setting is that no restrictions are enabled. The Log On To button is where you can set restrictions that force a user to log on only via certain machines.
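The Logon Hours dialog above writes its grid into the user's logonHours attribute: 21 bytes, one bit per hour of the week, Sunday 00:00 first and least-significant bit first within each byte, always in UTC. The following added example (my code, not the article's or Microsoft's; the function names are assumptions) builds and reads that bitmask and applies the local-to-UTC shift that is the usual cause of restrictions landing a few hours off.

```python
"""logonHours helpers: build and read the 21-byte bitmask behind the
Logon Hours dialog. Constructed example; function names are assumptions."""

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
HOURS_PER_WEEK = 7 * 24          # 168 bits -> 21 bytes
ALL_HOURS = b"\xff" * 21          # the default: no restriction


def encode_logon_hours(allowed, utc_offset_hours=0):
    """allowed: iterable of (day_index, hour) in LOCAL time, day 0 = Sunday.
    utc_offset_hours: local time minus UTC (e.g. +2 for UTC+2). The attribute
    is stored in UTC, so each local slot is shifted before its bit is set;
    slots that cross Sunday 00:00 wrap around to the end of the week."""
    mask = bytearray(21)
    for day, hour in allowed:
        if not (0 <= day < 7 and 0 <= hour < 24):
            raise ValueError(f"bad slot {(day, hour)}")
        slot = (day * 24 + hour - utc_offset_hours) % HOURS_PER_WEEK
        byte_index, bit = divmod(slot, 8)
        mask[byte_index] |= 1 << bit
    return bytes(mask)


def decode_logon_hours(mask, utc_offset_hours=0):
    """Return the set of (day, hour) slots, in local time, whose bit is set.
    Useful for auditing what an existing account is actually allowed."""
    if len(mask) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    allowed = set()
    for slot in range(HOURS_PER_WEEK):
        byte_index, bit = divmod(slot, 8)
        if mask[byte_index] >> bit & 1:
            local = (slot + utc_offset_hours) % HOURS_PER_WEEK
            allowed.add(divmod(local, 24))     # (day, hour)
    return allowed


def business_hours(start=9, end=17, days=range(1, 6)):
    """Monday to Friday, hours start..end-1 inclusive, in local time."""
    return {(d, h) for d in days for h in range(start, end)}


def allowed_hours_by_day(mask, utc_offset_hours=0):
    """Summarise a mask as {'Mon': [9, 10, ...], ...} for the days with access."""
    allowed = decode_logon_hours(mask, utc_offset_hours)
    summary = {}
    for d, name in enumerate(DAYS):
        hours = sorted(h for (day, h) in allowed if day == d)
        if hours:
            summary[name] = hours
    return summary
```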


The Profile tab allows you to configure a user’s profile path, a logon script and a home folder. This is where you enable a user to use a roaming profile. The roaming profile makes it possible for the user to log on to any machine and receive the same profile each time. Roaming profiles reside on network shares. A logon script runs when a user logs on. The logon script basically configures the environment of the user by allocating network resources. Home folders are specified for users for their own private use.

You can configure a shared network folder using a Universal Naming Convention (UNC) in the Profile path textbox. You enter the name of the logon script in the Logon script textbox. The Home Folder area of the Profile tab has a Local path option and Connect option. Local path is blank by default. This means that the local user profile folder is used for the home folder. If you want a network location to be used for the home folder, you have to enter the drive letter, and share details in the Connect text boxes.


You configure phone numbers for a user on the Telephones tab. You can specify phone numbers in the Home, Pager, Mobile, Fax and IP Phone fields. If a user has more than one number for a phone number type, you can use the Other button alongside each phone number type to specify the additional number.


The Organization tab holds personal information on a user, such as who reports to a particular manager and the department a user belongs to. On this tab, you can specify the title, department, manager and company of a user.


You can configure whether a user can log on using Terminal Services from the Terminal Services Profile tab. This is performed by checking or un-checking the Allow logon to terminal server check box.


The Environment tab is where you configure the Terminal Services startup environment when a user connects to a Terminal Services session. Use the Start the following program at logon option if you want a program to be initiated when a user connects to a Terminal Server. You can also configure the manner in which local devices act at Terminal Services logon.


You manage Terminal Services timeout and reconnection settings from the Sessions tab. You can configure settings for Disconnected sessions, Active session limits and Idle session limits. Configuring Disconnected sessions settings assists in reducing the wastage of resources on the Terminal Server. Wastage occurs when users are disconnected from a Terminal Session, but do not log off. The time duration that a user can remain connected to a Terminal session is configured in Active session limits. You can also specify the time that a session is allowed to be idle.


You can configure remote control settings from the Remote Control tab, by specifying the remote control capability that is permitted when a user connects by means of Terminal Services. The options that can be configured are:

  • Enable remote control. When enabled, the account is allowed to remotely control the Terminal Services session of another user.

  • Require user’s permission. When enabled, a user has to agree to remote control in order for it to be permitted.

  • View the user’s session. This option is useful for troubleshooting purposes. When enabled, an administrator can view the actions of the remote user.

  • Interact with the session. When enabled, it is possible to interact with the remote desktop.


You set the remote access permissions for the user from dial-in or VPN connections from the Dial-in tab. You configure whether a user can connect to the Routing and Remote Access Service (RRAS) server for dial-in or VPN features in the Remote Access Permissions section. The options available here are:

  • Allow Access. Checking this option allows the user to connect to the RRAS server.

  • Deny Access. Checking this option prevents the user from connecting to the RRAS server.

  • Control Access Through Remote Access Policy. When checked, the user will only be able to connect to the RRAS server if a corresponding access policy enables the access.


The Callback Options section of the Dial-in tab is where you configure the manner in which the call should be handled. Options that can be specified are: No Callback, Set by Caller (Routing and Remote Access Service only), and Always Callback to. You can also assign static IP addresses and apply static routes from the Dial-in tab.


You can define group memberships for a user account via the Member Of tab. A user is by default a member of the Domain Users group. The Active Directory Folder column shows the OU path for the group. You can add and remove the user from groups by using the Add button and Remove button.


The Security tab is the location where you manage Active Directory permissions for the user account. When you select a user or group in the Group or user names section, the permissions assigned to that group or user are displayed in the Permissions section. You use the Add and Remove buttons to add and remove groups and users.


You use the COM+ tab to assign a COM+ partition set for the user. The user then becomes a member of the COM+ partition set. The tab is used for managing distributed applications.


A user’s X.509 certificates are administered from the Published Certificates tab. From this tab, you can add and copy certificates, remove certificates, or examine the certificates of the user.



Creating Users via the Command Line Tools

You can use the dsadd.exe, dsmod.exe, dsget.exe and dsquery.exe command-line tools to create and manage users. The dsadd command is used to create objects in Active Directory. Using the dsadd user command, you can create multiple users. You can use the dsmod command to modify the properties of existing objects. Use dsmod user to modify a user’s attributes. The dsquery command is used to query Active Directory for objects which match defined criteria. The dsget command is used to display properties of objects in Active Directory.



How to create a local user account

  1. Right-click My Computer. Select Manage from the pop-up menu

  2. Click Local Users And Groups in the console tree

  3. Right-click Users. Select New user from the pop-up menu

  4. When the New User dialog box is displayed, enter the user name, full name and description

  5. Specify a password and the password policies

  6. Click Create to create the new user account



How to configure user account properties

  1. Open Active Directory Users And Computers

  2. Expand the OU in which the user account was created

  3. Open the Properties window of the user account by double-clicking the particular user account

  4. Click the tab that contains the properties you want to configure

  5. Perform the necessary configurations. Click OK.



How to rename a user account

  1. Open Active Directory Users And Computers, and expand the OU in which the user account was created

  2. Right-click the user account you want to rename, and choose Rename from the pop-up menu

  3. Enter the changes in the Rename User dialog box

  4. Click OK



How to change or reset the password of a user

You usually reset the password of a user when a user is unable to remember their password. When you reset a password, reset it to a simple, uncomplicated password. It is also good practice to force the user to change the password at next logon.

  1. Open Active Directory Users And Computers, and expand the OU in which the user account was created

  2. Right-click the user account for which you want to change the password, and choose Reset Password from the pop-up menu

  3. Enter the password details in New Password and Confirm Password

  4. If you want the user to change the password at next logon, enable the User Must Change Password At Next Logon checkbox.

  5. Click OK



How to unlock a user account

Group Policy can lock a user account when a user fails to change an expired password, or when a user surpasses the threshold permitted for entering incorrect logon information.

  1. Open Active Directory Users And Computers, and expand the OU in which the user account was created

  2. Right-click the locked user account, and select Properties from the pop-up menu

  3. Click the Account tab in the user’s properties window

  4. Clear the Account is locked out check box

  5. Click OK



How to disable a user account

You usually disable a user account if you need to deactivate the account for a particular time length. Disabling an account does not permanently delete the account.

  1. Open Active Directory Users And Computers, and expand the OU in which the user account was created

  2. Right-click the user account you want to disable, and choose Disable Account from the pop-up menu

  3. A dialog box is displayed informing you that the particular user has been disabled

  4. Click OK



How to delete a user account

You should only delete a user account when you are absolutely sure that you will not need the account again. When you delete a user account in the domain, it is totally deleted.

  1. Open Active Directory Users And Computers, and expand the OU in which the user account was created

  2. Right-click the user account you want to delete, and choose Delete from the pop-up menu

  3. A message is displayed that needs you to verify that the user should be deleted.

  4. Click OK



How to use the Run As option with ADUC

  1. Right-click Active Directory Users And Computers, and choose Run As from the shortcut menu

  2. When the Run As dialog box is displayed, choose The Following User.

  3. Enter the administrator username and password

  4. Click OK



Troubleshooting User Accounts

A user can be unsuccessful in logging on to the domain for a variety of reasons. The most frequent problems with user accounts are the account being locked out, because the user entered the password incorrectly more often than Group Policy allows, and password problems, such as the user forgetting the password. The Active Directory Users And Computers (ADUC) utility can be used to troubleshoot user accounts.

Using the ADUC, you can determine whether the account is deleted, disabled, or locked out. You can also check whether the password has expired. Ensure too that the password was specified in the correct case. You can use the ADUC to reset the password for the user account. If a user receives a message stating that the system could not log the user on, check that the user is not attempting to access the domain using a local account. If the global catalog server is unavailable, only those users with administrator privileges would be able to log on. Ensure that the user is attempting to log on to the domain, and that the user is using a domain user account. Confirm too that the client computer is indeed part of the domain that contains the user account. If not, a trust relationship has to exist with the domain which holds the user account.




Copyright 2006-2013 pass4sure.org - All Rights Reserved