Module 7: Advanced Administration of User Accounts and Groups


Contents

- Overview
- Introduction to Administering User Accounts and Groups
- Windows 2000 Logon Names
- Using Group Policy to Configure Account Policies
- Creating Multiple User Accounts
- Using Group Policy to Redirect User Data to a Network Server
- Lab A: Advanced Administration of User Accounts
- Using Universal Groups
- Setting Up Computers for Mobile Users
- Lab B: Setting Up Windows 2000 for Mobile Users
- Best Practices
- Review

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 1999 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, PowerPoint, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

Project Lead and Instructional Designer: Mark Johnson
Instructional Designers: Aneetinder Chowdhry (NIIT Inc.), Kathryn Yusi (Independent Contractor)
Lead Program Manager: Ryan Calafato
Program Manager: Joern Wettern (Wettern Network Solutions)
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Substantive Editor: Kelly Baker (Write Stuff)
Copy Editor: Wendy Cleary (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Arlo Emerson (MacTemps)
Compact Disc Testing: Data Dimensions, Inc.
Production Support: Arlene Rubin (S&T OnSite)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Product Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart

Introduction

Presentation: 75 Minutes
Labs: 60 Minutes

This module provides students with the knowledge and skills that they need to administer user accounts and groups efficiently. Students will learn how to perform a variety of administrative tasks, including configuring account policies, creating multiple user accounts, redirecting folders, and setting up offline folders for mobile users. In addition, students will learn about using universal groups in a multiple-domain network.

In the two hands-on labs in this module, students will have a chance to administer user accounts. In the first lab, users will set up account policies and redirect folders to a network server. In the second lab, students will configure offline files by using Group Policy.

Materials and Preparation

This section provides you with the materials and preparation needed to teach this module.

Materials

To teach this module, you need the following materials:

- Microsoft® PowerPoint® file 1558A_07.ppt

Preparation

To prepare for this module, you should:

- Read all the materials for this module.
- Complete the labs.
- Study the review questions and prepare alternative answers to discuss.
- Anticipate questions that students may ask. Write out the questions and provide the answers.

Module Strategy

Use the following strategy to present this module:

- Introduction to Administering User Accounts and Groups
  In this topic, you will introduce the administrative tasks that are continually performed when administering a multiple-domain network. Mention the different tasks, but do not go into detail, because they are covered in more detail in the module topics.

- Windows 2000 Logon Names
  In this topic, you will describe the different types of logon names (downlevel logon name and user logon name) in a Microsoft Windows® 2000 network. Emphasize that the user logon name is also known as the user principal name and is the preferred logon name for a Windows 2000 network. Describe the user principal name prefix and suffix and how an administrator can change the suffix so that the user logon name matches the user's e-mail address. Have students log on with their user logon names. Demonstrate adding a new suffix to Active Directory™ directory service.
- Using Group Policy to Configure Account Policies
  In this topic, you will explain how to configure account policies by using Group Policy. First, explain to students that the different types of account policies to configure are password and account lockout policies. Emphasize that an administrator can set these account policies only at the domain level. Then, explain to students how to set password policies and provide the critical Group Policy password settings to configure. Demonstrate configuring the settings. Finally, explain to students how to set account lockout policies. Mention that students must configure all three settings. Demonstrate configuring the settings.

- Creating Multiple User Accounts
  In this topic, you will explain how to create multiple user accounts in Active Directory by using bulk import to import data from a file into Active Directory. Define bulk import if necessary. First, explain to students about the import process. Emphasize the information that must be included and the information that should be included. Next, explain how to format a file so that it can be imported. Use the slide to map the different parts of the formatted file. Also, map the file to the information in the Create New User dialog box. Finally, explain how to import the file by using the csvde command.
- Using Group Policy to Redirect User Data to a Network Server
  In this topic, explain how to redirect four default user folders to a network server by using Group Policy. First, explain what folder redirection is. Emphasize that although the folder appears to be stored locally, it is actually stored on a server. Mention that the information in a redirected folder is always present for the user, regardless of the computer to which the user logs on. Then, present information on the four types of folders that an administrator can redirect and why an administrator would choose to redirect these folders. Emphasize that an administrator should always redirect users' My Documents folders. Finally, explain how to redirect folders by using Group Policy. Demonstrate the process.

- Lab A: Advanced Administration of User Accounts
  Prepare students for the lab in which they will set up account policies, use bulk import to create multiple user accounts in Active Directory, and redirect folders. Make sure that students run the command file for the lab, and tell them they will work with their partners' computers. After students have completed the lab, ask them whether they have any questions.
- Using Universal Groups
  In this topic, you will describe universal security groups and how they are used to control access to resources in a multiple-domain network. First, explain how universal groups work. Emphasize that they have open membership and can be nested in all three security groups. Next, present information on how universal groups affect replication between global catalog servers. Emphasize that the membership attribute of universal groups is in the global catalog and that if one member is added or removed, the entire group membership is replicated. Finally, present guidelines for using universal groups. Emphasize that membership should be kept static, and to this end, that an administrator should use the universal group strategy. Present the strategy.

- Setting Up Computers for Mobile Users
  In this topic, you will explain how to set up offline files for mobile users. First, explain how offline files work for mobile users. Emphasize that files stored on a server are synchronized with files on the user's hard disk when the user logs on and logs off. Then, explain what happens when Group Policy enables computers for offline files. Mention what must be configured at the shared folder containing the offline files and on the portable computer. Finally, explain the Group Policy settings to configure for offline files. Mention that it is better to configure computer settings than user settings for offline files, because the setting to enable offline files is a computer setting. Demonstrate the process in Group Policy.

- Lab B: Setting Up Windows 2000 for Mobile Users
  Prepare students for the lab in which they will set up offline files. Make sure that students run the command file for the lab, and tell them they will work with their partners' computers. After students have completed the lab, ask them whether they have any questions.
- Best Practices
  Present best practices for administering user accounts and groups.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Important: The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1558A, Advanced Administration for Microsoft Windows 2000.

Lab Setup

The following list describes the setup requirements for the labs in this module.

Setup Requirement
The labs in this module require the Log on locally right on domain controllers to be assigned to the Everyone group. To prepare student computers to meet this requirement, perform one of the following actions:

- Run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0701.cmd
- Assign the right manually.

Setup Requirement
The labs in this module require a Package Handling organizational unit (OU) and a Package Handling OU. To prepare student computers to meet this requirement, perform one of the following actions:

- Run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0701.cmd
- Create the OUs manually.

Setup Requirement
The labs in this module require a user account called Redirect1 in the Information Services OU and a user account called Redirect2 in the Information Services OU. To prepare student computers to meet this requirement, perform one of the following actions:

- Run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0701.cmd
- Create the user account manually.

Setup Requirement
The labs in this module require the C:\MOC\Win1558A\Labfiles\Lab07\Users folder, shared as Users, to allow students to redirect user folders. To prepare student computers to meet this requirement, perform one of the following actions:

- Run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0701.cmd
- Create the folder manually and share it.

Setup Requirement
The labs in this module require the C:\MOC\Win1558A\Labfiles\Lab07\Offline folder, shared as Offline, to allow students to access offline files. To prepare student computers to meet this requirement, perform one of the following actions:

- Run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0702.cmd
- Create the folder manually, and then share it.

Setup Requirement
The labs in this module require the West and East OUs in the Domain Controllers OU to move domain controllers into separate OUs. To prepare student computers to meet this requirement, perform one of the following actions:

- Run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0702.cmd
- Create the OUs manually.

Lab Results

Performing the labs in this module introduces the following configuration change:

- Students create user accounts in the Package Handling OU.

Important: You can run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab07Rm.cmd to remove all configuration changes introduced during the labs in the module. Make sure that students complete both labs to configure account policies back to their defaults. Use Active Directory Users and Computers to move the domain controllers back into the Domain Controllers OU.

Overview

Slide Objective: To provide an overview of the module topics and objectives.

- Introduction to Administering User Accounts and Groups
- Windows 2000 Logon Names
- Using Group Policy to Configure Account Policies
- Creating Multiple User Accounts
- Using Group Policy to Redirect User Data to a Network Server
- Using Universal Groups
- Setting Up Computers for Mobile Users
- Best Practices

Lead-in: In this module, you will learn about administrative tasks that you can perform for user accounts and groups.

Do not go into detail on this topic, because the content will be covered in following topics.

After you have set up a Microsoft® Windows® 2000 network, you must perform ongoing administrative tasks to ensure that all users have the resources that they need, that changing corporate-wide requirements are met, and that network security remains intact. You can use Group Policy to perform some of these administrative tasks centrally. In this way, you can perform the tasks on multiple computers without having to administer user accounts and groups individually.

At the end of this module, you will be able to:

- Identify the administrative tasks used to administer user accounts and groups.
- Identify the different types of user logon names.
- Use Group Policy to configure password restrictions and account lockout policy.
- Create multiple user accounts by importing user information from another database into Active Directory™ directory service.
- Use Group Policy to redirect folders from the local hard disks to a network server.
- Set up computers for mobile users by configuring offline files.
- Identify when and how to use universal groups.
- Apply best practices for performing administrative tasks for user accounts and groups.

Introduction to Administering User Accounts and Groups

Slide Objective: To introduce the more complex administrative tasks that an administrator can perform for user accounts and groups.

Administrative Tasks

- Strengthen Network Security by Preventing Unauthorized Persons from Gaining Access to the Network
- Create Multiple User Accounts in Active Directory
- Control Where Users' Personal Data Is Stored
- Ensure That Mobile Users Have the Files and Folders That They Need
- Ensure That Users in a Multiple-Domain Network Can Gain Access to the Resources

Lead-in: The types of administrative tasks that you perform depend on the needs of your network.

Use this topic as an overview of the type of administrative tasks that an administrator may need to perform.

Networks are not static. They change in response to the evolving needs of the organizations that they support. You need to ensure that your network continually reflects current corporate policy and corporate needs. To accomplish this, you have to perform a multitude of ongoing administrative tasks.

The administrative tasks that you need to perform include:

- Strengthening network security by using Group Policy to set account policies that prevent unauthorized persons from gaining access to your network.
- Creating multiple user accounts in Active Directory for new users. You can create user accounts by using bulk import to import data into Active Directory from a file containing user data.
- Controlling where users' personal data is stored. You can ensure that it is centrally stored on a network server so that users can always gain access to their data no matter where they log on and so that you can easily back up the data.
- Ensuring that mobile users can gain access to the files and folders that they need when they are working offline, and that the files that they change when working offline are copied back to network servers.
- Ensuring that users in a multiple-domain network can efficiently gain access to resources without increasing network replication traffic.

Using Universal Groups

Slide Objective: To introduce Windows 2000 universal groups.

Lead-in: Universal security groups allow you to assign access to resources in a multidomain network efficiently.

- Universal Groups in a Windows 2000 Network
- Universal Groups and Network Replication
- Guidelines for Using Universal Groups

Universal security groups enable you to assign access to resources in multiple-domain networks efficiently. Unlike the other security groups (global and domain local), universal groups can have members from multiple domains and provide access to resources in multiple domains.

Universal groups provide controlled access to resources across multiple domains, but if used inefficiently, they can also cause additional replication traffic between domain controllers.

Universal Groups in a Windows 2000 Network

Slide Objective: To describe how universal groups are used to assign permissions.

Lead-in: Universal groups are more flexible than the other security groups in that they can have members from any domain and can be nested into groups in other domains.

[Slide diagram: user accounts, global groups, and universal groups are added to a universal group; universal groups are nested in domain local and universal groups; permissions to resources]

Key Points: You can only use universal groups when your domain is running in native mode. In native mode, all domain controllers in the network must be running Windows 2000 Server. You will have fewer negative repercussions if you use universal groups rather than other security groups to assign permissions in a multiple-domain network.

The most common use of universal groups is to assign permissions to resources in multiple domains. You can only use universal groups when your domain is running in native mode. In native mode, all domain controllers in the network must be running Windows 2000 Server.

The following list provides characteristics of universal groups:

- They provide you with the ability to assign permissions for resources in any domain.
- They have open membership. You can add user accounts, universal groups, and global groups from any domain. This allows you to give users access to resources in other domains. Windows 2000 does not allow you to add domain local groups to universal groups.
- They can be nested within other groups. You can add a universal group to domain local or universal groups in any domain. This allows you to give users and groups from other domains access to resources in your domain. Windows 2000 does not allow you to add universal groups to global groups.

Note: For information about creating security groups and adding members, see module 3, "Using Groups to Organize User Accounts," in course 1556A, Administering Microsoft Windows 2000.

Universal Groups and Network Replication

Slide Objective: To introduce the issues related to universal groups and network replication.

Lead-in: Universal groups can affect network replication, because the members list of each universal group is in the global catalog.

Universal Groups Can Increase Network Traffic

The Replication Issues for Universal Groups Are That:

- The membership attribute (list of members) is in the global catalog
- When membership changes, the entire membership is replicated to all global catalog servers in the network

[Slide diagram: global catalog servers]

Key Points: When an administrator adds or removes just one member, Active Directory replicates the entire list. There is no way to replicate only the one change. The membership attribute (the list of all members) for a universal group is included in the global catalog.

Although universal groups are useful to control access to resources in a multiple-domain environment, they can also increase replication traffic in your network. Excessive network traffic can reduce the amount of network bandwidth available, so it is important to use universal groups in a manner that does not create excessive replication traffic.

The replication issues related to universal groups are:

- Unlike the other security groups (global and domain local groups), the membership attribute for universal groups is included in the global catalog. Therefore, changes to a universal group's membership are replicated to all global catalog servers.
- The membership attribute includes a list of all group members. When you add or remove a member from a universal group, Windows 2000 replicates the entire membership attribute to all global catalog servers, not just the changes.

In a geographically distributed network, replication between global catalog servers often occurs over wide-area links. Frequent changes to the membership of a universal group may cause excessive network traffic over these slow links. This can slow other network tasks, such as connection to servers. Because of these replication issues, you should plan universal groups so that replication traffic does not become excessive.

Guidelines for Using Universal Groups

Slide Objective: To list the guidelines to follow when using universal groups.

Lead-in: To use universal groups in a multiple-domain environment successfully, there are some guidelines that you should follow.

- Use Universal Groups to Provide Access to Resources in Multiple Domains
- Keep the Membership of Universal Groups Static to Reduce Network Replication
- Use the Strategy: [slide diagram: G, U, P]

Mention to students that they should follow the strategy presented here whenever they use universal groups. To keep universal group membership static, administrators should use the strategy of putting user accounts into global groups, putting these global groups into a universal group, and then assigning permissions to the universal group. Membership changes to global groups do not change the membership of any universal groups to which they belong and thus do not cause replication between global catalog servers.

Use the following guidelines when implementing universal groups:
- Use universal groups to provide access to related resources that are located in multiple domains. For example, if users need access to corporate shared folders that are on servers in different domains, create a universal group and assign the permissions for the shared folders to the universal group.
- Keep the membership of universal groups relatively static to reduce replication traffic among domain controllers. If you do not, each time that the membership changes, the membership list will be replicated. Therefore, do not make users members of a universal group. Instead, only include global groups as members of a universal group.
- Use the following universal group strategy to keep the membership static:
  a. Put user accounts (A) in a global group (G) in each domain.
  b. Then, put the global groups from the different domains in one universal group (U).
  c. Assign permission (P) to the universal group.

Key Points: The membership of universal groups should be static to reduce replication traffic.

The membership of global groups is not included in the global catalog; only the name of the global group itself is in the global catalog. Therefore, if the membership of the global group changes, it does not cause replication between global catalog servers.

Setting Up Computers for Mobile Users

Slide Objective: To introduce the task of setting up computers for mobile users.

- Offline Files and Mobile Users
- Group Policy and Offline Files
- Using Group Policy to Enable and Manage Offline Files

Lead-in: You need to ensure that users who have portable computers are able to do their jobs when they work offline.

Offline files allow mobile users to gain access to files on a network server, work on the files when they are disconnected from the network, and then have the file synchronized with the network data the next time that they connect to the network. This is possible because offline files are copied to local hard disks, even though they reside on network servers. Windows 2000 synchronizes the server original and hard disk copy at designated times, typically when mobile users log off and log on.

Offline Files and Mobile Users

Slide Objective: To describe how offline files work for mobile users.

Lead-in: Windows 2000 allows you to cache files designated as offline files on your computer and work on them when you are disconnected from the network.

- Mobile User Logs Off: Local files are synchronized with server files
- Mobile User Is Disconnected from the Network: Mobile user works exclusively with the local file that is cached
- Mobile User Logs On: Local files are synchronized with server files

[Slide diagram: log off, synchronize, \\Winnt\Csc, log on, synchronize]

At the end of the topic, mention the Note to the students.

Key Points: Offline files are files stored on a file server that Windows 2000 synchronizes with local files when users log on and log off. Typically the server copy of the file does not change between the time that the user logs off and logs back on. If the file has changed in both locations, Windows 2000 prompts the user to choose which version of the file to keep.

Offline files are files stored on a file server that Windows 2000 synchronizes with local files when users log on and log off. In this way, mobile users have access to their files even when they are not connected to the network.

When a file or folder is marked as being available offline, the following occurs:

- When a mobile user logs off from the network, Windows 2000 automatically synchronizes the server copy and the copy on the hard disk. Any file that is marked as an offline file and that the user worked on during the logon session is copied to the server.
- When disconnected from the network, the mobile user works with the copy of the file in the local cache. A cache is a reserved portion of the hard disk that Windows 2000 automatically creates. By default, the cache is C:\Winnt\Csc for offline files. The files in the cache appear to users as if they are located on the server (\\networkserver\sharedfolder\filename).
- When a user logs on to the network again, any offline file that has been updated on the user's local computer is copied to the network server, and any file that has been updated on the network server is copied to the user's local computer. If the file has changed in both locations, Windows 2000 prompts the user to choose which version of the file to keep.

Note: If users share a portable computer, all files are stored in the same cache. The same NTFS permissions that apply to the server copies apply to the cached copies. Therefore, one user does not have access to files that are cached by other users unless he or she has the appropriate permissions.

Group Policy and Offline Files

Slide Objective: To explain the way that Group Policy facilitates offline folders.

Lead-in: Using Group Policy, you can enable offline files for computers centrally, rather than enabling this feature at each computer.

[Slide diagram: Group Policy used to enable offline files; Set Manual Caching: users mark files to use offline]

If students do not remember how to set caching at a shared folder, show them.

Key Points: An administrator can use Group Policy to enable computers for offline files. Then offline files are enabled on all computers affected by the Group Policy.
If manual caching is set up at the shared folders, users must mark the files that they want to work on offline. To mark a file for offline caching, in Windows Explorer, select the file, and then on the File menu, click Make available offline. If automatic caching is set up, users only need to open a file, and Windows 2000 automatically caches it.

[Slide diagram, continued: Set Automatic Caching: users open files to use offline]

To set up offline files, you must configure settings for the folder that contains the files at the server, and you must enable computers for offline folders. You can either enable each computer individually, or use Group Policy to enable multiple computers centrally. Enabling offline files applies to all computers affected by the Group Policy settings. You can also use Group Policy to configure offline files further after they are set up.

One of two things happens after you enable offline files, depending on how caching is set up at each shared folder that contains offline files:

- Manual caching is set up at the shared folder. Users must mark the files that they want to use offline. When a user logs off, the files are cached to the user's portable computer. To mark a file for offline caching, in Windows Explorer, select the file, and then, on the File menu, click Make available offline.
- Automatic caching is set up at the shared folder. The users only need to open a file in the shared folder for Windows 2000 to cache it.

For more information about setting up caching at shared folders and enabling offline folders at each computer, see module 10, "Configuring File Resources," in course 1557A, Installing and Configuring Microsoft Windows 2000.

Using Group Policy to Enable and Manage Offline Files

Slide Objective: To describe how to use Group Policy to manage offline files.

Lead-in: In addition to enabling computers for offline files, you can use Group Policy to manage offline files after they are set up.

Offline Files

- You Configure Computer Settings Rather Than User Settings
- The Critical Settings to Configure Are:

[Slide screenshot: Group Policy console for LONDON.NWTraders.msft, Computer Configuration > Administrative Templates > Network > Offline Files, listing the settings Enabled; Automatic synchronization at logoff; Default cache size; Action on server disconnect; Non-default server disconnect actions; Disable user synchronization of folders and files; Disable 'Make Available Offline'; Disable user configuration of cache; Prevent use of Offline Files folder; File not cached]

Delivery Tip: Demonstrate configuring Group Policy settings for offline files.

Key Points: Although there are many Group Policy settings for administrators to configure, the critical ones are Enabled, Automatic synchronization at log off, and Default cache size. Using the Default cache size setting, an administrator can set the percentage of a hard disk that can be used for caching.

You can use Group Policy to enable and manage offline files centrally. To enable offline files by using Group Policy, you need to use a computer setting. To simplify the management of Group Policy settings, it is easier to use only Computer Configuration settings rather than User Configuration settings.

Configure the following Group Policy settings for offline files:

- Enabled. This setting enables offline files for all computers to which the GPO applies. This setting also provides the Make available offline command to users for marking files.
Automatic synchronization at log off This setting ensures that proper synchronization takes place when a user logs off Select the Full option so that files left partially cached when a user logs off are completed and so that all files marked for offline use are cached on the local hard disk ?? Default cache size This setting defines a maximum percentage of a user’s hard disk that can be used for cached files Enable the default size of 10 percent so that users not run out of space on their portable computers To gain access to offline file settings, perform the following steps: At the appropriate OU in Active Directory Users and Computers, create a new GPO or select an existing GPO, and then click Edit Expand Computer Configuration, expand Administrative Templates, expand Network, and then expand Offline files 38 Module 7: Advanced Administration of User Accounts and Groups Lab B: Setting Up Windows 2000 for Mobile Users Slide Objective To introduce the lab Lead-in In this lab, you will configure offline files Explain the lab objectives Make sure that students run the command file for the lab, and tell them that they will work with their partners’ computers After completing this lab, you will be able to configure offline files for users by using Group Policy Prerequisites Before working on this lab, you must have: ?? Knowledge of how to use offline folders ?? Experience sharing folders Lab Setup To complete this lab, you need the following: ?? A computer running Microsoft® Windows® 2000 Server configured as a domain controller in a child domain of nwtraders.msft ?? A number (1 or 2) assigned by your instructor to be substituted for the variable x in this lab One student in each pair uses number 1, and the other student uses number Write your assigned number here ?? To log on as Administrator@domain.nwtraders.msft (where domain is your domain) with a password of password and run the C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0702.cmd command file This command file : ?? 
  - Gives the Log on locally right to the Everyone group, if this was not done in a previous lab
  - Creates the West and East organizational units (OUs) in the Domain Controllers OU, if this was not done in a previous lab
  - Creates the C:\MOC\Win1558A\Labfiles\Lab07\Offline folder and shares it as Offline

Estimated time to complete this lab: 15 minutes

Exercise: Setting Up Offline Files

Scenario

Some users in your organization take their portable computers with them when they travel and need to be able to access files that are on network servers while they are away from the office. These users can decide which files they need to work with, but you need to ensure that their computers are always enabled for offline files and the local copies of offline files are always synchronized with the versions of the files that are on the server.

Your Tasks

Your tasks are to configure a folder for offline access, create a Group Policy object (GPO) to enable offline access, and use offline files.

To move your computer to an OU

Important: Complete this procedure only if you did not move your computer to a separate OU in a previous lab.

1. Log on as Administrator@domain.nwtraders.msft (where domain is your domain name).
2. Start Active Directory Users and Computers, expand your domain, and then click the Domain Controllers OU.
3. In the details pane, right-click your computer, and then click Move. Active Directory Users and Computers displays the Move dialog box.
4. Expand your domain, expand Domain Controllers, click the West OU if your student number is 1 or the East OU if your student number is 2, and then click OK.
5. Close Active Directory Users and Computers.
6. Run the C:\MOC\Win1558A\Labfiles\Replicate.cmd command file to force your recent changes to be replicated.

To configure a folder for offline access

1. While logged on as Administrator@domain.nwtraders.msft, open the C:\MOC\Win1558A\Labfiles\Lab07 folder in Windows Explorer.
2. Right-click Offline, and then click Sharing.
3. In the Properties dialog box for Offline, click Share this folder, and then click Caching. Notice that the folder is configured to allow caching for documents. Also notice that the default is manual caching for documents.
4. Click OK twice to finish sharing the folder.
5. Close Windows Explorer.

To create a new GPO to enable offline access

1. Open Active Directory Users and Computers.
2. In the console tree, double-click Domain Controllers, and then click the West OU if your student number is 1 or the East OU if your student number is 2.
3. Right-click the OU that you selected in the preceding step, and then click Properties.
4. In the Properties dialog box for East or the Properties dialog box for West, on the Group Policy tab, click New.
5. Type Offline Files and then press ENTER.
6. On the Group Policy tab, with Offline Files selected, click Edit.
7. In Group Policy, in the console tree, expand Computer Configuration, expand Administrative Templates, expand Network, and then click Offline Files.
8. Configure the policy settings in the following table.

   Policy setting                         Value
   Enabled                                Enabled
   Automatic synchronization at logoff    Full
   Action on server disconnect            Work offline

9. Close Group Policy.
10. Click Close.
11. Close Active Directory Users and Computers.
12. Run the C:\MOC\Win1558A\Labfiles\Replicate.cmd command file to force your recent changes to be replicated.

To use offline files

Important: Do not start the following procedure until your partner has finished the previous procedure.

1. Restart your computer to ensure that the new policy is applied.
2. Log on as Administrator@domain.nwtraders.msft.
3. Click the Start button, and then click Run.
4. In the Run dialog box, type \\partnerserver\Offline and then click OK.
5. In the Offline on partnerserver window, create a new text file and give it your name.
6. Right-click the text file that you created, and then click Make Available Offline.
7. In the Offline Files wizard, click Next.
8. Make sure that Automatically synchronize the Offline Files when I log on and log off my computer is selected, and then click Next.
9. Make sure that Enable Reminders is selected and that Create shortcut to the Offline Files on my desktop is not selected, and then click Finish. Windows 2000 synchronizes the files.
10. Close the Offline on partnerserver window.

To use offline files

Important: Do not start the following procedure until your partner has finished the previous procedure.

1. Disconnect the network cable from your computer.
2. Click the Start button, and then click Run.
3. In the Run dialog box, type \\partnerserver\Offline and then click OK. There is a pause while Windows 2000 attempts to access the server. After the connection has timed out, Offline Folders appears in the system tray, and the Offline on partnerserver window appears.

Is the file that you created available? Why or why not?
The file that you created is available because you marked it for offline use.

4. Close the Offline on partnerserver window.
5. Reconnect the network cable.
6. Log off.

Best Practices

Slide Objective: To present best practices for administering user accounts and groups centrally.
Lead-in: Review this checklist before you start administering user accounts and groups.

Slide:
- Have Users Use Their User Logon Names to Log On
- Disable User Accounts Created At One Time, Until Needed
- Always Redirect My Documents to a Network Server
- Use Group Policy to Enable Offline Files

The following list provides best practices for administering user accounts and groups:

- Have users use their user logon name (jasmith@nwtraders.com) instead of downlevel logon names when logging on from a client computer running Windows 2000. In this way, users do not have to provide the domain name every time they log on.
- When creating multiple user accounts, disable the accounts if users are not going to use them immediately, because the password is blank initially. Any unauthorized person with knowledge of the user account name could log on, set a new password, and then gain access to the network.
- Always redirect the My Documents folders. This allows users' personal data to follow them from computer to computer and provides users with easy access to their personal documents. It reduces logon and logoff times for roaming users, because files in the My Documents folder are only copied between the client computer and the server when users gain access to files. Redirecting My Documents allows you to back up users' data centrally.
- Use Group Policy to manage offline files for OUs that contain portable computers. Then you only need to configure Group Policy settings for offline files once, and can rely on Windows 2000 to continually implement the settings that you have specified. In addition, users can easily mark the offline files that they want to cache when appropriate.

Review

Slide Objective: To reinforce module objectives by reviewing key points.
Lead-in: The review questions cover some of the key concepts taught in the module.

Slide:
- Introduction to Administering User Accounts and Groups
- Windows 2000 Logon Names
- Using Group Policy to Configure Account Policies
- Creating Multiple User Accounts
- Using Group Policy to Redirect User Data to a Network Server
- Using Universal Groups
- Setting Up Computers for Mobile Users
- Best Practices

1. Your organization has acquired a small subsidiary, and you want to use Active Directory Users and Computers to create user accounts for the new employees. For business reasons, the subsidiary needs to retain its former identity with its customers. How do you create logon names that match users' e-mail addresses without changing users' e-mail addresses?

   Add a user principal name suffix to Active Directory; that allows you to create logon names that match e-mail addresses. You can create user logon names that include this new suffix.

2. After a review of your organization's security needs, your organization's network has just gone from medium to high security. You need to reduce the risk of unauthorized persons gaining access to your network. What are some of the things that you can do to ensure that unauthorized persons do not gain access to documents?

   Strengthen the account policies of the network. Make sure that the failed logon attempts are set to reflect the level of security that your network has and that an administrator must manually unlock a locked account. In addition, make sure that the password filter is enabled, the password length is at least eight characters, and that users cannot reuse passwords.

3. It is a few weeks before the beginning of the academic year for your university. You need to set up user accounts for first year students so that they can use the computer lab. You know that the Admissions Office has data on all new students. What do you need to do?

   Ask the Admissions Office to export their student data to a comma-delimited text file. Edit the file so it can be used for bulk import. Then use the csvde command to create user accounts from the file that you edited. Because the academic year has not yet started, disable the user accounts after you create them.

4. Employees in the Production Department log on at different client computers. Each user needs to have their work data available to them at all times. What do you need to do?

   Redirect the My Documents folder to a shared folder on a network server. Regardless of where users log on, they can gain access to their documents and their desktops.

5. The three domains in your network correspond to different branches of your organization in North America, Asia, and Europe respectively. Accountants in the three domains need to gain access to organization documents in all three domains. How do you set up their access?

   Put the user accounts of accountants in each domain into a global group. Then put the three global groups into one universal group. When assigning permissions for the files and folders in the three domains, assign them to the universal group.

6. You want to ensure that when mobile users work offline they always have access to the personal files that they save in the My Documents folder. Users' My Documents folders have been redirected to a network server. What do you need to do?

   Configure the folder on the server that contains users' My Documents data to be set up for offline files and automatic caching. Then, configure the Group Policy settings that enable offline files.
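The bulk-import answer in the review (export to a comma-delimited file, edit it for import, run csvde, keep the accounts disabled) can be scripted. The following is an added example, not part of the original courseware: it converts an admissions export into a csvde import file in which every account is created disabled (userAccountControl 514), so no account is left enabled with a blank password. The input column names, the target OU, the UPN suffix and the logon-name scheme are assumptions made for illustration.

```python
import csv
import io

# Assumed for illustration: target OU, UPN suffix and input column names.
TARGET_OU = "OU=Students,DC=example,DC=msft"
UPN_SUFFIX = "example.msft"
DISABLED_USER = 0x0200 | 0x0002   # NORMAL_ACCOUNT | ACCOUNTDISABLE = 514
HEADER = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
          "displayName", "userAccountControl"]
# Constructed sample of an admissions export (not real data).
SAMPLE_EXPORT = """first_name,last_name
Jane,Smith
John,Smith
Maria,O'Neil
,Nameless
"""

def logon_name(first, last, taken):
    """First initial + last name, alphanumeric, unique, at most 20 characters."""
    base = "".join(c for c in (first[:1] + last).lower() if c.isalnum())[:20]
    name, n = base, 1
    while name in taken:
        n += 1
        name = base[:20 - len(str(n))] + str(n)
    taken.add(name)
    return name

def escape_rdn(value):  # backslash-escape characters special in a DN
    return "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)

def build_import(export_text):
    """Return (csvde import text, rejected rows); every account is disabled."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(HEADER)
    taken, rejected = set(), []
    for row in csv.DictReader(io.StringIO(export_text)):
        first, last = row["first_name"].strip(), row["last_name"].strip()
        if not first or not last:          # incomplete record: do not guess a name
            rejected.append(row)
            continue
        sam = logon_name(first, last, taken)
        display = f"{first} {last}"
        writer.writerow([f"CN={escape_rdn(display)},{TARGET_OU}", "user", sam,
                         f"{sam}@{UPN_SUFFIX}", display, DISABLED_USER])
    return out.getvalue(), rejected

if __name__ == "__main__":
    print(build_import(SAMPLE_EXPORT)[0])
```

Save the returned text to a file and import it with csvde -i -f followed by the file name. Enable each account only after a password has been set for it.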

Date posted: 18/10/2013, 18:15
