Module 4: Administering User and Group Accounts

Creating User Account Templates

If you use a template to create new user accounts, the following options are copied to the new account:
- User must change password
- Hours (domain controller only)
- User cannot change password
- Logon to (domain controller only)
- Account (domain controller only)

Note:
- Individual rights and permissions are not copied.
- If you start the template name with a non-alphabetic character (such as "_"), it will always appear at the top of the list in the User Manager window.
- To copy a user account: select the user --> click Copy in the User menu --> type the new user name --> click Add.
Planning an Account Policy

By default, users must change their password the first time they log on. Consider the following:
- Never allow blank passwords.
- Require a minimum length for all passwords:
  - Medium security network: 6-8 characters
  - High security network: 8-14 characters
- Require users to change their password frequently:
  - Medium security network: every 45-90 days
  - High security network: every 14-45 days
- Require users to use a different password each time they change it:
  - Medium security network: 8-12 different passwords
  - High security network: 12-24 different passwords
- Lock out accounts after multiple failed logon attempts:
  - Medium security network: 5 attempts
  - High security network: 3 attempts
- Require an administrator to unlock all locked-out accounts.
- Require that users with restricted logon hours are disconnected from the network during off hours.
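As an added example (not part of these notes), the Python below audits a password and lockout policy against the medium- and high-security ranges listed above. The sample input is constructed for the example and laid out in the style of `net accounts` output; the exact label strings and the handling of `Never` are assumptions about that format.

```python
import re

# Constructed sample laid out like the output of `net accounts`; the values are
# made up for this example and do not come from any real system.
SAMPLE_POLICY_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          90
Minimum password length:                              6
Length of password history maintained:                4
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
"""


def parse_policy(text):
    """Map each 'Label: value' line to an int; Never/None/Unlimited become 0."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s+(\S+)\s*$", line)
        if m:
            label, value = m.group(1).strip(), m.group(2)
            policy[label] = int(value) if value.isdigit() else 0
    return policy


def assess_policy(policy):
    """Rate each setting 'high', 'medium' or 'weak' using the thresholds in the notes."""
    length = policy.get("Minimum password length", 0)
    age = policy.get("Maximum password age (days)", 0)
    history = policy.get("Length of password history maintained", 0)
    lockout = policy.get("Lockout threshold", 0)
    findings = {}
    # Minimum length 0 means blank passwords are allowed: always weak.
    findings["length"] = "high" if length >= 8 else "medium" if length >= 6 else "weak"
    # Maximum age 0 means passwords never expire; a shorter lifetime is stricter.
    findings["age"] = ("weak" if age == 0 or age > 90
                       else "high" if age <= 45 else "medium")
    # Password history: how many previous passwords may not be reused.
    findings["history"] = "high" if history >= 12 else "medium" if history >= 8 else "weak"
    # Lockout threshold 0 means accounts are never locked out; fewer attempts is stricter.
    findings["lockout"] = ("weak" if lockout == 0 or lockout > 5
                           else "high" if lockout <= 3 else "medium")
    return findings


if __name__ == "__main__":
    for setting, rating in assess_policy(parse_policy(SAMPLE_POLICY_OUTPUT)).items():
        print(f"{setting:8} {rating}")
```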
Maintaining Domain Controllers

- This means making sure that a PDC is always online and that all copies of the directory database are current.
- The PDC maintains the master copy of the domain's directory database.
- The directory database is automatically replicated to all BDCs in the domain every 5 minutes.
- If the PDC goes offline for any reason, users will still be able to log on and be validated by a BDC, but you will no longer be able to do any account administration.
- When a PDC needs to be taken offline, perform the following steps:
  - Promote a BDC to PDC. This forces the original PDC to become a BDC.
  - When the original PDC is brought back online, promote it back to PDC, which forces the temporary PDC to demote itself to a BDC.
- When a PDC goes offline unexpectedly, perform the following steps:
  - Promote a BDC to take the place of the PDC.
  - When the original PDC has been repaired and brought back online, demote it to a BDC.
  - Promote the original PDC. This forces the temporary PDC to become a BDC.
- Resuming Domain Controllers:
  You can also promote a BDC to PDC after the PDC has gone offline, but the offline PDC will not automatically be demoted. Also, since that PDC is offline, no automatic replication of the account database can occur between the two PDCs. When the original PDC is brought back online, there is already a PDC in the domain, so its Net Logon service will fail to start. You will need to restore the original PDC.
- Synchronizing Domain Controllers:
  - You can manually synchronize domain controllers:
    - To apply changes made to the domain's directory database immediately.
    - To solve problems related to password mismatches.
  - To synchronize a specific BDC:
    - Select the BDC.
    - Computer menu, Synchronize with PDC.
  - To synchronize ALL domain controllers:
    - Select the PDC.
    - Computer menu, Synchronize Entire Domain.
  - You can do the same from the command line.