57 Cards in this Set

  • Front
  • Back
AD-DS
Active Directory Domain Services
OU
Organizational Units
A user account
- Enables authentication of a user and holds attributes, including a user logon name and password

- Is a security principal with a security identifier (SID) that can be assigned permissions to resources
A user account can be stored
- Active Directory
- SAM database
Where are user accounts stored in Active Directory?
In Active Directory, where it enables logon to the domain and can be assigned permissions to resources anywhere in the domain
- Domain user accounts are administered with Active Directory snap-ins and commands
Where are user accounts stored in the SAM database?
In the local SAM database of a member computer, where it enables logon to the local computer and can be assigned permissions to local resources
- Local user accounts are administered with the Local Users and Groups snap-in
How do you create a new user with PowerShell?
New-ADUser -Name <string> -SamAccountName <pre-Windows 2000 logon name> -AccountPassword (Read-Host -AsSecureString "Account Password") -Enabled $true -ChangePasswordAtLogon $true
User logon name (pre-Windows 2000)
Is, behind the scenes, the sAMAccountName attribute. It is also sometimes called the samid. It must be unique for the entire domain.
User Logon Name
Is the userPrincipalName (UPN) attribute. The UPN consists of a logon name and a UPN suffix, which is, by default, the DNS name of the domain in which you create the object. The UPN must be unique for the entire forest. Email addresses, which must be unique for the whole world, certainly meet this requirement, so consider using email addresses as UPNs. If your Active Directory domain name is not the same as your email domain name, you must add the email domain name as an available UPN suffix. To do this, open the Active Directory Domains and Trusts snap-in, right-click the root of the snap-in, and then click Properties.

(Microsoft, 2011 p. 3-10)
Display Name
The display name is the displayName attribute that appears in the Microsoft Exchange global address list (GAL). It can be easier to locate users in the GAL if they are sorted by last name. Therefore, you can create a naming convention for your organization that specifies the displayName attribute, although it is certainly easier to locate us

(Microsoft, 2011 p. 3-10)
Logon Hours
Click Logon Hours to configure the hours during which a user is allowed to log on to the network.

(Microsoft, 2011 p. 3-10)
Log On To
Click Log On To if you want to limit the workstations to which the user can log on. This is called Computer Restrictions in other parts of the user interface and corresponds to the userWorkstations attribute. You must have NetBIOS over TCP/IP enabled to use this feature, because it uses the computer name rather than the Media Access Control (MAC) address of its network card to restrict logon.

(Microsoft, 2011 p. 3-10)
User Must Change Password At Next Logon
Select this check box if you want the user to change the password you have entered the first time he or she logs on. You cannot select this option if you have selected Password Never Expires. Selecting this option will automatically clear the mutually exclusive User Cannot Change Password option.

(Microsoft, 2011 p. 3-10)
Password Never Expires
Select this check box if you never want the password to expire. This option will automatically clear the User Must Change Password At Next Logon setting, because the two are mutually exclusive. This option is commonly used to manage service account passwords.

(Microsoft, 2011 pp. 3-10 to 3-11)
Account Disabled
Select this check box to disable the user account, for example, when creating an object for a newly hired employee who does not yet need access to the network.

(Microsoft, 2011 p. 3-11)
Store Password Using Reversible Encryption
This option, which stores the password in Active Directory without using its powerful, non-reversible hashing algorithm, exists to support applications that require knowledge of the user's password. If it is not absolutely required, do not enable this option, because it weakens password security significantly. Passwords stored by using reversible encryption are similar to those stored in plain text.

(Microsoft, 2011 p. 3-11)
Smart Card Required for Interactive Logon
Smart cards are portable, tamper-resistant hardware devices that store unique identification information for a user. They are attached to, or inserted into, a system, and they provide an additional, physical identification component to the authentication process.

(Microsoft, 2011 p. 3-11)
Account Is Trusted for Delegation
This option enables a service account to impersonate a user to access network resources on behalf of a user object representing a human being. It is used most often for service accounts in a three-tier (or multitier) application infrastructure.

(Microsoft, 2011 p. 3-11)
Account Expires
Use the Account Expires controls to specify when an account expires.

(Microsoft, 2011 p. 3-11)
Account Management involves ___________ Tasks?
- Renaming a user account
- Resetting a user password
- Unlocking a user account
- Disabling or enabling a user account
- Moving a user account
- Deleting a user account
How do you set an account password in PowerShell?
Set-ADAccountPassword -Identity 'cn=first last,ou=IT,dc=contoso,dc=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd2' -Force)

(Microsoft, 2011 p. 3-13)
Account attributes: the Account tab
These properties include logon names, passwords, and account flags. Many of these attributes can be configured when you create a new user with the Active Directory Users and Computers snap-in. The Account Properties section details the account attributes.

(Microsoft, 2011 p. 3-20)
Account attributes: the General tab
The General tab contains the name properties that are configured when you create a user object, along with the contact information. The Address and Telephones tabs provide detailed contact information. The Telephones tab is also where Microsoft chose to put the Notes field, which corresponds to the info attribute and is a very useful general-purpose text field that is underused by many enterprises. The Organization tab shows the job title, department, company, and organizational relationships.

(Microsoft, 2011 p. 3-20)
Account attributes: the Profile tab
Here you can configure the user's profile path, logon script, and home folder.

(Microsoft, 2011 p. 3-20)
Account attributes: group membership
The Member Of tab. You can add the user to, and remove the user from, groups and change the user's primary group. Group membership and the primary group will be discussed in another module.

(Microsoft, 2011 p. 3-20)
Account attributes: Remote Desktop Services
The Remote Desktop Services Profile, Environment, Remote Control, Sessions, and Personal Virtual Desktop tabs:

These tabs enable you to configure and manage the user's experience when the user is connected to a remote desktop.

(Microsoft, 2011 p. 3-20)
Account attributes: remote access (the Dial-In tab)
You can enable and configure remote access permissions for a user on the Dial-In tab.

(Microsoft, 2011 p. 3-20)
Account attributes: applications (the COM+ tab)
This tab enables you to assign the user to an Active Directory COM+ partition set. This feature facilitates the management of distributed applications.

(Microsoft, 2011 p. 3-20)
How can you view the Attribute Editor?
The Attribute Editor is not available until you enable Advanced Features from the View menu of the Microsoft Management Console.

(Microsoft, 2011 p. 3-21)
Attribute Editor
Allows you to view and edit all attributes of a user object.

(Microsoft, 2011 p. 3-21)
What is CSVDE?
CSVDE is a command-line tool that exports or imports Active Directory objects to or from a comma-delimited text file (also known as a comma-separated value text file, or CSV file). Comma-delimited files can be created, modified, and opened with familiar tools such as Notepad and Microsoft Office Excel.

(Microsoft, 2011 p. 3-34)
csvde -d
RootDN. Specifies the distinguished name of the container from which the export will begin. The default is the domain itself.

(Microsoft, 2011 p. 3-34)
csvde -p
SearchScope. Specifies the scope of the search relative to the container specified by -d.
SearchScope can be either base (this object only), onelevel (objects within this container), or subtree (this container and all subcontainers). The default is subtree.

(Microsoft, 2011 p. 3-34)
csvde -r
Filter. Filters the objects returned within the scope configured by -d and -p. The filter uses LDAP query syntax. You will work with a filter in the lab for this lesson. LDAP query syntax is beyond the scope of this course.

(Microsoft, 2011 p. 3-34)
csvde -l
ListOfAttributes. Specifies the attributes that will be exported. Use the LDAP name for each attribute, separated by a comma, as in
-l DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName

(Microsoft, 2011 p. 3-34)
csvde -i
The -i parameter specifies import mode; without it, the default mode of CSVDE is export. The -f parameter identifies the filename to import from or export to.

(Microsoft, 2011 p. 3-36)
csvde -k
The -k parameter is useful during import operations because it instructs CSVDE to ignore errors, including Object Already Exists.

(Microsoft, 2011 p. 3-36)
What is LDIFDE?
You can also use LDIFDE.exe to import or export Active Directory objects, including users. LDIF is a draft Internet standard for a file format that can be used to perform batch operations against directories that conform to the LDAP standard. LDIF supports both import and export operations and batch operations that modify objects in the directory. The LDIFDE command implements these batch operations by using LDIF files.

(Microsoft, 2011 p. 3-37)
ldifde -i
Import mode (the default is export mode)

(Microsoft, 2011 p. 3-38)
ldifde -f filename
Import or export filename

(Microsoft, 2011 p. 3-38)
ldifde -s servername
The domain controller to bind the query to

(Microsoft, 2011 p. 3-38)
ldifde -c FromDN ToDN
Convert occurrences of FromDN to ToDN. For example, this is useful when importing objects from another domain.

(Microsoft, 2011 p. 3-38)
ldifde -v
Turn on verbose mode

(Microsoft, 2011 p. 3-38)
ldifde -j path
Log file location

(Microsoft, 2011 p. 3-38)
ldifde -?
Help

(Microsoft, 2011 p. 3-38)
ldifde -d RootDN
The root of the LDAP search. The default is the root of the domain.

(Microsoft, 2011 p. 3-38)
ldifde -r Filter
LDAP search filter. The default is (objectClass=*), meaning all objects.

(Microsoft, 2011 p. 3-38)
ldifde -p SearchScope
The scope, or depth, of the search. Can be subtree (the container and all child containers), base (the immediate child objects of the container only), or onelevel (the container and its immediate child containers).

(Microsoft, 2011 p. 3-39)
ldifde -l list
Comma-separated list of attributes to include in the export for resulting objects. Useful if you want to export a limited number of attributes.

(Microsoft, 2011 p. 3-39)
ldifde -o list
List of attributes (comma-separated) to omit from the export for resulting objects. Useful if you want to export all but a few attributes.

(Microsoft, 2011 p. 3-39)
ldifde -k
Ignore errors and continue processing if Constraint Violation or Object Already Exists errors appear.

(Microsoft, 2011 p. 3-39)
Import-CSV
This cmdlet creates objects from CSV files that can then be piped into other PowerShell cmdlets.

(Microsoft, 2011 p. 3-40)
New-ADUser
This cmdlet is used to create the objects that have been imported by the Import-CSV cmdlet.

(Microsoft, 2011 p. 3-40)
What is a managed service account?
A managed service account can provide an application with its own unique account, while eliminating the need for an administrator to manually administer the credentials for this account.

(Microsoft, 2011 p. 3-48)
Requirements for a managed service account
- .NET Framework 3.5x
- Active Directory module for Windows PowerShell
- Windows Server 2008 R2 functional level

(Microsoft, 2011 p. 3-48)
Can a managed service account be shared between multiple computers?
A managed service account cannot be shared between multiple computers or be used in server clusters where the service is replicated between nodes.

(Microsoft, 2011 p. 3-48)
How do you update the schema in Windows Server 2008?
1. Run adprep /forestprep at the forest level and run adprep /domainprep at the domain level.

2. Deploy a domain controller running Windows Server 2008 R2, Windows Server 2008 with Active Directory Management Gateway Service, or Windows Server 2003 with Active Directory Management Gateway Service.

(Microsoft, 2011 p. 3-49)