Active Directory Organizational Units Quiz
286 Questions

Questions and Answers

Which of the following statements is true regarding user account creation?

  • User accounts can be created without any information.
  • Only administrators can create user accounts.
  • A password is the only requirement for a user account.
  • A logon name is required to create a user account. (correct)
  • A user account should be disabled if the user has left the company.

    True

    What is the purpose of the 'Display name' field in a user account?

    It is the same as the CN when the account is first created.

    The user account can expire if the account is not ________ before a specific date.

    renewed

    Match the following account fields with their descriptions:

    • User logon name = Name used for logging into the domain
    • Account options = Settings that modify user account behavior
    • Log On To = Specifies the computers the user can log on to
    • Unlock account = Feature to regain access to a locked account

    What is one of the benefits of using Organizational Units (OUs)?

    Establishing hierarchical structures for easy resource access

    User accounts created in Active Directory are referred to as local user accounts.

    False

    What is the main function of user accounts in Active Directory?

    User authentication and providing detailed user information.

    The built-in __________ account is disabled by default upon installation.

    Guest

    Which of the following tasks is commonly delegated in Active Directory?

    Manage user accounts

    Match the following accounts with their characteristics:

    • Administrator Account = Full access to the domain
    • Guest Account = Disabled by default after install
    • Domain User Account = Used to log on to any computer in the domain
    • Local Administrator Account = Full access to all aspects of a local computer

    According to the guidelines, the Administrator account can be deleted after initial configuration.

    False

    User account names must be __________ throughout the Active Directory domain.

    unique

    Which condition is NOT a reason for disabling a user account?

    The user is attending a training course

    A user's display name is the same as their user logon name upon account creation.

    False

    What is required for an interactive logon if the account has the smart card option enabled?

    Smart card

    User accounts can store passwords using __________ encryption.

    reversible

    Match the following user account attributes with their descriptions:

    • User logon name = Name used to log into the domain
    • Log On To = Computers the user can login to
    • Logon Hours = Hours during which the user is allowed to log on
    • Account options = Settings that determine account behavior and restrictions

    What is one of the main benefits of using Organizational Units (OUs)?

    Allows for hierarchical organization of resources

    Domain user accounts can only log on to their local computer.

    False

    What is the purpose of permission inheritance in Active Directory?

    To transmit permissions from a parent object to its child objects.

    The __________ account is disabled by default after installation and must be enabled to be used for log on.

    Guest

    Match the following types of user accounts with their characteristics:

    • Built-in Administrator = Has full access to all aspects of the domain
    • Built-in Guest = Disabled by default after installation
    • Domain user account = Can log on to any computer in the Active Directory forest
    • Local administrator = Has full access to a specific computer only

    Which of the following tasks is NOT commonly delegated in Active Directory?

    Creating computer accounts

    User accounts in Active Directory must be __________ throughout the domain.

    unique

    The Administrator account can be deleted after initial configuration.

    False

    Which of the following is NOT a reason to disable a user account?

    The account is ready to use

    A user logon name must be unique throughout the Active Directory domain.

    True

    What information does the 'E-mail' field in a user account provide?

    It can be used to send an E-mail to the user using the default mail application.

    Password fields in user accounts are required to be __________.

    case sensitive

    Match the following user account fields with their descriptions:

    • Display name = Same as the CN when account is first created
    • Logon Hours = Specifies the times a user can log on
    • Unlock account = Allows an account to be reactivated after being locked out
    • Smart card required = Requires a smart card for interactive logon

    What does permission inheritance determine in Active Directory?

    How permissions are transmitted from a parent object to a child object

    The built-in Guest account can be used for log on without being enabled.

    False

    What is a common delegated task in Active Directory?

    Reset user passwords

    User accounts in Active Directory must be ________ throughout the domain.

    unique

    Match the following accounts with their characteristics:

    • Administrator = Has full access to all aspects of the domain
    • Guest = Disabled by default after installation
    • Domain User = Can log on to any computer in the Active Directory forest
    • Local Administrator = Has full access to all aspects of a local computer

    Which of the following statements is true regarding domain user accounts?

    They can log on to any computer in the Active Directory forest

    The local administrator account can be deleted after initial configuration.

    False

    What should be done to the built-in Administrator account for security?

    Rename it and give it a strong password

    Which of the following is NOT a valid reason for disabling a user account?

    User is taking a short vacation

    A user logon name must be distinct across the entire Active Directory domain.

    True

    What does the 'E-mail' field in a user account allow you to do?

    Send an E-mail to the user using the default mail application.

    The ______ may contain a URL that allows opening a specified webpage.

    Web page

    Match the following user account features with their descriptions:

    • Logon Hours = Specifies when a user can log on
    • Unlock account = Allows a locked account to be re-enabled
    • Account options = Defines specific behaviors of the account
    • Store password using reversible encryption = Encrypts the password in a reversible format

    What is one reason to use Organizational Units (OUs) in Active Directory?

    To allow easy resource access and delegation of authority

    The domain administrator account in the forest root domain has limited access compared to a local administrator account.

    False

    What must user account names be across the Active Directory domain?

    unique

    The built-in Guest account must be __________ before it can be used for log on.

    enabled

    Match the following user account characteristics with their description:

    • Administrator account = Has full access across the domain
    • Local account = Stores accounts in the SAM database
    • Guest account = Has limited access to resources
    • Domain user account = Can log on to any computer in the AD forest

    Which of the following is a common task that can be delegated in Active Directory?

    Modify group memberships

    User accounts created in Active Directory are referred to as local user accounts.

    False

    What should be done to enhance the security of the built-in Administrator account?

    rename and set a strong password

    Which of the following is a reason to disable a user account?

    The user has left the company

    A user logon name must be unique across the entire Active Directory domain.

    True

    What field can be used to send an email to a user using the default mail application?

    E-mail

    The user's display name is the same as their __________ when the account is first created.

    CN (Common Name)

    Match the following user account fields with their descriptions:

    • Logon Hours = Specifies when the user can log on
    • Unlock account = Allows access if the account is locked out
    • Account options = Settings that affect account behavior
    • Account expires = Indicates if the account has a validity period

    What is one function of user accounts in Active Directory?

    To provide user authentication to the network

    Domain user accounts can log on to any computer in the Active Directory forest.

    True

    What should be done to the built-in Administrator account for better security?

    It should be renamed and given a strong password.

    The __________ account in Active Directory is disabled by default and must be enabled before use.

    Guest

    Match the tasks with their delegation roles:

    • Create user accounts = Commonly delegated
    • Reset user passwords = Commonly delegated
    • Delete user accounts = Commonly delegated
    • Manage security settings = Not commonly delegated

    What determines how permissions are transmitted from a parent object to a child object in Active Directory?

    Permission inheritance

    User account names in Active Directory are case-sensitive.

    False

    What is the maximum character length for user account names in Active Directory?

    20 characters

    Which of the following options is NOT a reason to disable a user account?

    The user is going on vacation

    Passwords in user accounts can be stored using reversible encryption.

    True

    What is required for a user account to log on interactively if the smart card option is enabled?

    Smart card

    The _____ field can be used to send an email to the user using the default mail application.

    E-mail

    Match the following user account fields with their descriptions:

    • User logon name = Identifies the user in the domain
    • Logon Hours = Specifies when a user can log on
    • Display name = Visibly displayed name for the user
    • Unlock account = Option to enable a locked account

    What is one of the primary functions of user accounts in Active Directory?

    Provide user authentication to the network

    User accounts can be deleted after initial configuration to improve security.

    False

    What must be true about user account names in an Active Directory domain?

    They must be unique throughout the domain.

    The process of transferring permissions from a parent object to a child object in Active Directory is known as __________.

    permission inheritance

    Match the following user account types with their characteristics:

    • DOMAINS = Can log on to any computer in the AD forest
    • LOCAL = Stored in the Security Accounts Manager on the local computer
    • GUEST = Disabled by default and has limited access
    • ADMINISTRATOR = Has full access to all aspects of the domain and forest

    Which of the following tasks is commonly delegated in Active Directory?

    Resetting user passwords

    The built-in Guest account has full access to the domain once it is enabled.

    False

    What is a key guideline for the built-in Administrator account?

    It should be renamed and given a strong password.

    What does the 'Web page' field in a user account allow you to do?

    Open a specified URL by right-clicking the user account

    A user logon name must be unique across the entire Active Directory domain.

    True

    Name one reason for disabling a user account.

    A user has left the company.

    A user account can store passwords using __________ encryption.

    reversible

    Match the following account options with their functions:

    • Logon Hours = Defines when a user can log on
    • Unlock account = Allows a locked account to be accessed again
    • Account options = Specifies additional security settings
    • Account expires = Sets a date when the account will no longer be valid

    What are the two main functions of user accounts in Active Directory?

    User authentication and providing user information

    The built-in Guest account is enabled by default after installation.

    False

    What is permission inheritance in Active Directory?

    Permission inheritance defines how permissions are transmitted from a parent object to its child objects.

    User accounts must be ________ throughout the domain.

    unique

    Match the following User Account types with their characteristics:

    • Local Administrator Account = Full access to local machine
    • Domain Administrator Account = Full access to all aspects of the domain
    • Built-in Guest Account = Limited access and disabled by default
    • Domain User Account = Can log on to any computer in the Active Directory forest

    Which of the following tasks can be commonly delegated in Active Directory?

    Reset user passwords

    The domain administrator account has full access to all aspects of the forest.

    True

    What is a unique characteristic of accounts in Active Directory?

    Account names are not case-sensitive.

    Which of the following fields contains information that most affects a user’s logon to the domain?

    User logon name

    A user account should always remain active if the user goes on an extended leave.

    False

    What is one of the primary functions of user accounts in Active Directory?

    To provide a method for user authentication to the network

    What is the purpose of the 'E-mail' field in a user account?

    To send an email to the user using the default mail application

    The field that contains a URL for opening a specified web page is called the __________.

    Web page

    The built-in Guest account can be used for log on without being enabled.

    False

    Match the following reasons for disabling a user account:

    • User has left the company = To prevent unauthorized access
    • The account is not ready to use = To manage user accounts effectively
    • User goes on extended leave = To maintain account security

    What describes the concept of permission inheritance in Active Directory?

    Permissions are transmitted from a parent object to a child object.

    User accounts in Active Directory must have __________ usernames throughout the domain.

    unique

    Match the following functions with their relevant user accounts in Active Directory:

    • Administrator account = Full access to all aspects of the domain
    • Guest account = Limited access and disabled by default
    • Domain user account = Can log on to any computer in the AD forest
    • Local administrator account = Full access to all aspects of a local computer

    Which of the following tasks is NOT commonly delegated in Active Directory?

    Manage cloud storage access

    User account names in Active Directory can be case sensitive.

    False

    What is a recommended practice for securing the built-in Administrator account?

    Renaming it and assigning a strong password.

    What is one reason to disable a user account?

    A user goes on extended leave

    A user logon name can be duplicated across different accounts in the same domain.

    False

    What impact does the 'Display name' field have on user account logon?

    None, it does not affect account logon.

    User accounts may require ________ encryption to store passwords securely.

    reversible

    Match the following user account attributes with their descriptions:

    • Logon Hours = Times when the user can log on
    • User logon name = Unique identifier for account access
    • Unlock account = Allows access after being locked out
    • Account options = Settings affecting account behavior

    What is a primary function of user accounts in Active Directory?

    Authenticate users to the network

    The built-in Guest account has full access to all resources without any restrictions.

    False

    What should the built-in Administrator account have for security purposes?

    A strong password and should be renamed

    User account names must be unique throughout the __________.

    domain

    Match the following user account types with their characteristics:

    • Administrator = Full access to domain resources
    • Guest = Limited access, must be enabled
    • Domain User = Can log on to any computer in the domain
    • Local User = Access limited to the local machine

    What does permission inheritance do in Active Directory?

    Transmits permissions from parent objects to child objects

    What is a commonly delegated task in Active Directory?

    Resetting user passwords

    User accounts in Active Directory can be deleted after initial configuration.

    False

    What information does the 'Log On To' field in a user account specify?

    The specific computers or servers the user can log onto

    A user's account can be set to expire without any prior notice to the user.

    True

    Name a reason to disable a user account.

    A user has left the company

    The account type that requires a smart card for interactive logon is referred to as a __________ account.

    smart card

    Match the following user account fields with their purposes:

    • Display name = Identifies the user in the directory
    • E-mail = Used for communication via mail application
    • Logon Hours = Specifies when a user can access their account
    • Unlock account = Restores access to a locked account

    What is one primary function of user accounts in Active Directory?

    Provide user authentication to the network

    The Administrator account can be deleted after initial configuration.

    False

    What should be done to the built-in Guest account before it can be used for log on?

    It must be enabled.

    User accounts must be _________ throughout the Active Directory domain.

    unique

    Match the following tasks with the appropriate level of administrative authority:

    • Create user accounts = Delegated
    • Modify group membership = Delegated
    • Full access to domain = Domain Administrator
    • Full access to local computer = Local Administrator

    Which statement describes permission inheritance in Active Directory?

    Permissions applied to a parent object are inherited by all child objects.

    User account names in Active Directory are case sensitive.

    False

    What happens if the Administrator account is used improperly?

    It may lead to security vulnerabilities.

    What is one reason for disabling a user account?

    The account is not ready to use

    The user logon name is the same as the display name by default.

    False

    What must be unique across the entire Active Directory domain?

    User logon name

    A user account may contain a _______ to open a specific URL.

    web page

    Match the user account fields with their significance:

    • User logon name = Identifies the user for logon purposes
    • Logon Hours = Specifies when the user can log on
    • Account Options = Provides various settings related to the account
    • Unlock Account = Allows administration to restore access

    What is the primary function of user accounts in Active Directory?

    To provide user authentication and detailed user information

    The built-in Guest account is enabled by default upon installation.

    False

    What must be unique throughout the Active Directory domain?

    User accounts

    User accounts created in Active Directory are referred to as __________ user accounts.

    domain

    Match the following tasks with the corresponding administrative level:

    • Manage user accounts = Domain Administrator
    • Reset user passwords = Delegated User
    • Read user information = Delegated User
    • Create and delete groups = Domain Administrator

    Which of the following statements about permission inheritance is true?

    Permissions are inherited by default from the parent object.

    What should be done to strengthen the security of the built-in Administrator account?

    Rename it and set a strong password

    Administrator accounts can be deleted after the initial configuration.

    False

    What is required to create a user account by default?

    Logon name only

    A user account can expire if the account is not disabled before a specific date.

    True

    Name one reason for disabling a user account.

    A user has left the company

    The _______ field allows you to send an email to the user using the default mail application.

    E-mail

    Match the following account features with their descriptions:

    • Logon Hours = Specifies when a user can log on
    • Unlock account = Restores access to a locked user account
    • Smart card is required for interactive logon = Requires physical authentication device for access
    • Account options = Settings that determine account functionality

    What is one function of user accounts in Active Directory?

    Provide a method for user authentication to the network

    The built-in Administrator account in Active Directory can be deleted after installation.

    False

    What must user account names be throughout the Active Directory domain?

    unique

    The Guest account is __________ by default after installation and must be enabled before it can be used for log on.

    disabled

    Match the following tasks with their corresponding authorities in Active Directory:

    • Create user accounts = Domain Administrator
    • Reset user passwords = Delegated User
    • Read user information = Authenticated User
    • Manage groups = Delegated User

    Which of the following describes permission inheritance in Active Directory?

    Permissions applied to a parent OU are inherited by child objects

    A local administrator account has limited access compared to a domain administrator account.

    True

    What should be done to enhance the security of the built-in Administrator account?

    Rename it and set a strong password

    What is required for creating a user account by default?

    Only a logon name

    A user account should be kept active even if the user is on extended leave.

    False

    What field in a user account allows sending an email to the user?

    E-mail

    An account may __________ if it is not used before a specific date.

    expire

    Match the following user account options with their descriptions:

    • Display name = Same as the CN when account is first created
    • Logon Hours = Defines the times a user can log on
    • Unlock account = Option to reactivate the user account
    • Smart card = Required for interactive logon if enabled

    What is one of the main functions of user accounts in Active Directory?

    To provide detailed information about a user

    The built-in Guest account has full access to a computer or domain.

    False

    What should be done to the Administrator account to enhance security?

    Rename and set a strong password

    User accounts created in Active Directory are referred to as __________ accounts.

    domain user

    Match the following user accounts to their characteristics:

    • Local Administrator = Full access to all aspects of a computer
    • Domain Administrator = Full access to all aspects of the domain
    • Guest Account = Limited access, must be enabled to use
    • Domain User Account = Can log on to any computer in the AD forest

    Which task is NOT commonly delegated in Active Directory?

    Log on to computers

    Permission inheritance allows child objects to inherit permissions from their parent object.

    True

    What must be true about user account names in an Active Directory domain?

    They must be unique

    Which of the following is a reason to disable a user account?

    The user has left the company

    Passwords are case insensitive by default.

    False

    What does the 'Web page' field in a user account allow you to do?

    Open a specified URL by right-clicking the user account

    User logon names must be unique throughout the ________ domain.

    Active Directory

    Match the following account options with their descriptions:

    • Store password using reversible encryption = Allows the password to be viewed in its original format
    • Account expires = Specifies a date when the account will no longer be active
    • Unlock account = Restores access to a locked user account
    • Smart card is required for interactive logon = Requires a physical card for user authentication

    What is the primary function of user accounts in Active Directory?

    Provide user authentication and detailed information about a user

    The Guest account in Active Directory is enabled by default upon installation.

    False

    What is one major benefit of using Organizational Units (OUs) in Active Directory?

    Enables hierarchical structure for easy resource access

    Permissions applied to the parent OU are inherited by all child objects by __________.

    default

    Match the following user account types with their characteristics:

    • Local Administrator = Has full access to a computer
    • Domain Administrator = Has full access to the domain
    • Guest Account = Disabled by default after installation
    • Domain User Account = Can log on to computers in the AD forest

    Which task is NOT commonly delegated in Active Directory?

    Access kernel memory

    Usernames in Active Directory are case sensitive.

    False

    What is a recommended security practice for the built-in Administrator account?

    Rename the account and set a strong password

    Which of the following is a reason to disable a user account?

    A user goes on extended leave

    User logon names are not case sensitive.

    False

    What field in a user account contains the information that primarily affects a user's logon to the domain?

    User logon name

    The __________ contains descriptive information about the user account, such as the user's e-mail address.

    display name

    Match the following user account fields with their purposes:

    • Display name = Same as CN when account is first created
    • E-mail = Used to send an E-mail to the user
    • Web page = Contains a URL for accessing a website
    • Logon Hours = Defines when a user can log on to the system

    Which of the following is a benefit of using Organizational Units (OUs)?

    Allow easy resource access based on an organizational structure

    The built-in Administrator account can be deleted after initial setup.

    False

    What must user account names be across the Active Directory domain?

    Unique

    The built-in Guest account is disabled by default and must be __________ before it can be used for log on.

    enabled

    Match the following user account types with their characteristics:

    • Administrator = Full access to the domain
    • Guest = Limited access to the domain
    • Domain user account = Can log on to any computer in the Active Directory forest
    • Local administrator account = Full access to all aspects of a computer

    Which of the following tasks is commonly delegated in Active Directory?

    Create and manage user accounts

    User accounts in Active Directory do not have to be unique.

    False

    What is the main purpose of permission inheritance in Active Directory?

    To transfer permissions from a parent object to child objects

    Which of the following fields can a user interact with to open a specific URL by right-clicking their account?

    Web Page

    A user account in Active Directory can expire if it is not renewed before a specified date.

    True

    What information does 'Log On To' provide in a user account?

    It specifies the computers or servers the user is permitted to log on to.

    A user account can be disabled if the user goes on ________ leave.

    extended

    Match the following account options with their descriptions:

    • Store password using reversible encryption = Allows a password to be retrieved in its original form
    • Smart card is required for interactive logon = Authentication method requiring a physical card
    • Account is sensitive and cannot be delegated = Prevents permission assignment to other users
    • Account expires = User account becomes inactive after a specific date

    What is one of the main functions of user accounts in Active Directory?

    To authenticate users to the network

    The built-in Administrator account can be deleted after initial configuration.

    False

    What must user account names be across the Active Directory domain?

    Unique

    The Guest account is __________ by default after installation and must be enabled before it can be used.

    disabled

    Match the following tasks with their respective descriptions:

    • Create user accounts = Allows an administrator to add new users
    • Reset user passwords = Enables a user to regain access to their account
    • Manage groups = Involves organizing users for policy applications
    • Force password change = Requires users to update their passwords at next login

    Which of the following is a primary benefit of using Organizational Units (OUs)?

    To create a hierarchical structure for resource access

    Domain user accounts can only log on to their local computer.

    False

    What should be done to enhance security for the built-in Administrator account?

    Rename the account and use a strong password

    What must be true of a user logon name in Active Directory?

    It must be unique throughout the Active Directory domain.

    A user can log on to any computer in the network if their account has unlocked status.

    True

    What is one reason for disabling a user account?

    The user has left the company.

    The ______ field in a user account can be used to send an email to the user.

    E-mail

    Match the following account options with their descriptions:

    • Smart card is required for interactive logon = Requires additional security during logon
    • Account options = Settings that affect account behavior
    • Logon Hours = Specifies when the user can log on
    • Unlock account = Resets the lock status of a user account

    What is a benefit of using Organizational Units (OUs) in Active Directory?

    They simplify the delegation of administrative authority.

    The built-in Guest account must be enabled before it can be used for log on.

    True

    What are the two main functions of user accounts in Active Directory?

    User authentication and providing detailed information about a user.

    User accounts must be unique throughout the __________.

    domain

    Match the following tasks with their descriptions:

    • Create user accounts = Establish new user identities
    • Reset user passwords = Allow users to regain access
    • Modify group membership = Change users within specific groups
    • Manage computer access = Control device login permissions

    Which of the following statements about the Administrator account is true?

    The Administrator account should be renamed and secured with a strong password.

    User accounts created in Active Directory are referred to as 'local user accounts'.

    False

    What happens to permissions applied to a parent OU in Active Directory?

    They are inherited by all child objects of that OU.

    What is required by default for creating a user account?

    Logon name only

    A user’s display name is not automatically set to be the same as their user logon name upon account creation.

    False

    List one reason for disabling a user account.

    A user has left the company

    The field that can be used to open a specified URL by right-clicking the user account is called the ________.

    Web page

    Match the following user account fields with their descriptions:

    • Logon Hours = Specifies when a user can log on
    • Account options = Defines specific restrictions for the account
    • Smart card required = Necessary for interactive logon
    • Unlock account = Used to permit access after being locked out

    What is the primary purpose of organizational units (OUs) in Active Directory?

    To create hierarchical structures for resource access and management

    The built-in Administrator account can be deleted after initial configuration.

    False

    What are two primary functions of user accounts in Active Directory?

    User authentication and providing detailed user information.

    User accounts created in Active Directory are known as ________ user accounts.

    domain

    Match the following account types with their features:

    • Administrator Account = Full access to all aspects of the domain
    • Guest Account = Disabled by default after installation
    • Domain User Account = Can log on to any computer in the Active Directory forest
    • Local Administrator Account = Full access to all aspects of a local computer

    Which of the following best describes permission inheritance in Active Directory?

    Permissions from parent objects are automatically passed to child objects.

    User accounts must be case sensitive and unique throughout the domain.

    False

    A user account in Active Directory should have a unique name that is between ________ and ________ characters long.

    1, 20

    What is the purpose of permission inheritance in Active Directory?

    To transmit permissions from a parent object to a child object

    The built-in Guest account has full access to a computer or domain.

    False

    What must user account names be in Active Directory?

    Unique throughout the domain

    An account created in Active Directory is referred to as a __________.

    domain user account

    Match the following user account types with their access level:

    • Local Administrator = Full access to the computer
    • Domain Administrator = Full access to the domain
    • Guest = Limited access
    • Domain User = Access to network resources based on permissions

    Which of the following tasks is commonly delegated in Active Directory?

    Create, delete, and manage user accounts

    User accounts in Active Directory can include special characters in their names.

    True

    What is required to create a user account by default?

    Only a logon name

    What is typically required for the built-in Administrator account for security?

    It should be renamed and given a strong password

    A user account must always be active for a user to log in.

    False

    What is the purpose of the 'Web page' field in a user account?

    To contain a URL that can be opened by right-clicking the user account.

    A user account can be disabled if a user goes on ______________ leave.

    extended

    Match the following account options with their purposes:

    • Unlock account = Restores access to a locked account
    • Logon Hours = Specifies when a user can log in
    • Account options = Determines settings like password handling
    • Store password using reversible encryption = Allows for password recovery

    What is one of the fields that does NOT affect a user's account logon or permissions?

    Display name

    A password is required to be case insensitive for user accounts.

    False

    Name one reason why a user account might be disabled.

    The user has left the company.

    The field that can be used to send an E-mail to the user is the ________ field.

    E-mail

    Match the user account attributes to their descriptions:

    • User logon name = The unique name required for account access
    • Logon Hours = Specifies the times the account can be used
    • Smart card option = Enables secure authentication for logon
    • Account expires = Indicates when the account will no longer be valid

    What is one main function of user accounts in Active Directory?

    Authenticate users to the network

    The built-in Guest account must be enabled before it can be used for log on.

    True

    What should be done to enhance the security of the built-in Administrator account?

    Rename it and set a strong password.

    User accounts must be __________ throughout the Active Directory domain.

    unique

    Match the following user account types with their characteristics:

    • Local Administrator = Full access to all aspects of a computer
    • Domain Administrator = Full access to all aspects of the domain
    • Built-in Guest Account = Disabled by default
    • Domain User Account = Can log on to computers in the Active Directory forest

    Which permission is NOT inherited by child objects in an Organizational Unit?

    Group membership modification

    User accounts in Active Directory can contain special characters in their names.

    True

    What is the primary role of permission inheritance in Active Directory?

    To automatically transfer permissions from parent objects to child objects.

    What is a reason to disable a user account?

    The account is not ready to use

    User logon names must be unique throughout the Active Directory domain.

    True

    What must be stored using reversible encryption in a user account?

    password

    The _____ is used to send an E-mail to the user using the default mail application.

    E-mail

    Match the following user account attributes with their definitions:

    • Display name = The name displayed in user lists
    • Logon hours = The specified hours during which the user can log on
    • Account options = Settings that dictate the account’s behavior
    • Unlock account = Restoring access to a locked user account

    What is a primary function of user accounts in Active Directory?

    To provide authentication to the network

    The built-in Administrator account can be deleted in Active Directory.

    False

    What should be done to enhance the security of the built-in Administrator account?

    It should be renamed and given a strong password.

    In Active Directory, user accounts must be __________ throughout the domain.

    unique

    Match the following account types with their characteristics:

    • Administrator account = Full access to all aspects of the domain
    • Guest account = Disabled by default and must be enabled
    • Domain user account = Can log on to any computer in the Active Directory forest
    • Local administrator account = Full access to a single computer

    Which user account can have a blank password?

    Guest account

    User accounts in Active Directory are case sensitive.

    False

    Describe one benefit of using Organizational Units (OUs).

    They allow for the delegation of administrative authority.

    Which option is a reason for disabling a user account?

    The account is not ready to use

    Passwords are not case sensitive by default.

    False

    What is the purpose of the 'Web page' field in a user account?

    To specify a URL that can be accessed by right-clicking the user account.

    User logon names must be __________ throughout the Active Directory domain.

    unique

    Match the following user account attributes with their descriptions:

    • Display name = Used for identification purposes in the system
    • E-mail = Allows sending an email using the default mail application
    • Logon Hours = Specifies the times during which a user can log in
    • Smart card = Required for interactive logon if selected for the user account

    What purpose do Organizational Units (OUs) serve in Active Directory?

    To allow easy resource access through hierarchical structures

    The built-in Guest account can be used for log on without any configuration.

    False

    What is one limitation of the built-in Guest account?

    Limited access to resources

    A user account must be __________ throughout the Active Directory domain.

    unique

    Match the following main functions of user accounts with their descriptions:

    • User authentication = Verifies identity within the network
    • User information = Stores personal and contact details of the user

    Which of the following is a common delegated task in Active Directory management?

    Resetting user passwords

    Domain user accounts can frequently log on to any computer within the Active Directory forest.

    True

    What guidelines should be followed regarding the built-in Administrator account?

    Rename and use a strong password

    Study Notes

    Organizational Units (OUs)

    • OUs are hierarchical structures that mirror an organizational chart, enabling easy resource access.
    • They facilitate the delegation of administrative authority, grouping users and computers for tailored security policies.
    • The Delegation of Control Wizard allows assigning specific tasks to users with lower security privileges, such as managing user accounts, resetting passwords, or managing groups.
    • Permissions applied to a parent OU are inherited by all child objects within that OU.

    User Accounts

    • User accounts in Active Directory (AD) serve as a primary authentication method for network access.
    • They also store detailed information about each user.
    • Domain user accounts can log on to any computer within the Active Directory forest.

    Built-in Accounts

    • The Local Administrator account has full control over a specific computer.
    • The Domain Administrator account has full control over an entire domain.
    • The Forest Root Domain Administrator account has complete control over the entire forest.
    • It is crucial to rename and secure the Administrator account with a strong password.
    • The Administrator account should only be used for administrative tasks and can be renamed or disabled but not deleted.
    • The Guest account is disabled by default but can be enabled for limited access.
    • It's recommended to rename the Guest account if it's used.

    User Account Creation

    • User accounts must be unique within the domain.
    • Account names are not case-sensitive and can be 1 to 20 characters long, containing letters, numbers, and specific special characters.
    • A standard naming convention should be established.
    • Strong, case-sensitive passwords are recommended by default.
    • Only a logon name is required to create a user account.

    Disabling User Accounts

    • Reasons for disabling a user account include:
      • An employee leaving the company.
      • An account not yet ready for use.
      • An employee's extended leave.

    User Account Information

    • Account Information Tab: Contains descriptive details about the account.

      • Display Name: Defaults to the same as the Common Name (CN) during initial account creation.
      • E-mail: Allows sending emails to the user through the default mail application.
      • Web Page: Accepts a URL and permits opening the specified website by right-clicking the user account.
    • Account Tab: Contains information affecting a user's domain logon.

      • User Logon Name: The user's login name.
      • Log On Hours: Specifies allowed logon times.
      • Log On To: Determines eligible logon locations.
      • Unlock Account: Re-enables a locked account.
      • Account options:
        • Store password using reversible encryption
        • Smart card is required for interactive logon
        • Account is sensitive and cannot be delegated
        • Account expires
    • Member Of Tab: Lists groups the user belongs to, allowing modification of group memberships.

    Organizational Units (OUs)

    • OUs allow for hierarchical structures within Active Directory, mirroring an organizational chart.
    • This simplifies resource access and administration.
    • OUs facilitate delegation of administrative authority to manage users and computers.
    • Examples of delegated tasks include creating and deleting user accounts, resetting passwords, and modifying group memberships.
    • Permissions can be inherited down from parent OUs to child objects by default.

    User Accounts

    • User accounts serve for authentication and provide detailed user information.
    • Accounts created within AD are called "domain user accounts".
    • Domain user accounts can typically access any computer within the forest.

    Built-in Accounts

    • The local administrator account has full control over a specific computer.
    • The domain administrator account holds full control over the entire domain.
    • The forest root domain administrator account possesses complete control over the forest.
    • The built-in Guest account is disabled by default, but can be enabled for limited access.

    Creating User Accounts

    • User account names must be unique within the domain.
    • Account names are case-insensitive and limited to 1-20 characters, including letters, numbers, and certain special characters.
    • Complex passwords are required by default and are case-sensitive.
    • User account creation typically only requires a logon name.

    Disabling User Accounts

    • Reasons to disable user accounts include:
      • Employee departure
      • Account preparation
      • Extended leave.

    User Account Attributes

    • Account tab: contains descriptive information without affecting login, group memberships, rights, or permissions.
      • Display name: matches the CN (common name) upon creation.
      • Email: allows sending email to the user using the default application.
      • Web page: holds a URL that can be opened directly.
    • Account tab: mainly affects user login to the domain.
      • User logon name: used for login.
      • Logon hours: restricts login times.
      • Log On To: specifies allowed login locations.
      • Unlock account: enables a locked account.
      • Account options:
        • Store password using reversible encryption.
        • Smart card is required for interactive login.
        • Account is sensitive and cannot be delegated.
        • Account expires.
    • Member Of tab: displays the groups the user belongs to and allows group membership changes.

    Organizational Units (OUs)

    • OUs allow for hierarchical structures based on an organizational chart.
    • This makes resource access easier.
    • OUs enable delegation of administrative authority.
    • Grouping users and computers allows for the application of administrative and security policies.
    • Delegation of control can be applied to tasks like creating, deleting, and managing user accounts and groups.
    • Permission inheritance allows permissions set on a parent object to be passed down to child objects.

    User Accounts

    • User accounts are a key component of Active Directory (AD).
    • Two primary functions: user authentication to the network and storing detailed information about the user.
    • Domain user accounts are created in AD and are typically able to log on to any computer within the Active Directory forest.

    Administrator Account

    • The administrator account has full access to the system it's associated with (local or domain).
    • Strong passwords and responsible usage are crucial for security.
    • Renaming or disabling is recommended, but deletion is not advised.

    Guest Account

    • Disabled by default; must be enabled for logon.
    • Limited access to computers or domains.
    • Should be renamed if used.

    User Account Creation Considerations

    • Unique user names are essential across the domain.
    • Account names are not case sensitive, and have a character limit of 1-20.
    • Use letters, numbers, and special characters (with limited exceptions).
    • Establish a standard naming convention for accounts.
    • Complex passwords are required by default.

    Reasons to Disable User Accounts

    • An employee leaving the company.
    • When an account is not ready for use.
    • When a user goes on extended leave.

    Key Fields in User Account Properties

    • Account contains information about the user's logon, group memberships, rights, and permissions.
      • This includes the user logon name, logon hours, logon restrictions, account lockout status, and options like smart card requirements and account expiration.
    • Profile contains descriptive information about the user.
      • This includes the display name (same as CN initially), email address, and a web page URL.

    Group Memberships

    • Lists the groups a user belongs to.
    • Allows modification of group memberships.

    Organizational Units (OUs)

    • OUs can be used to create hierarchical structures based on an organizational chart, which can help administrators easily access resources.
    • OUs can be used for assigning administrative and security policies to groups of users and computers.
    • OUs can be used for delegating administrative tasks, such as:
      • Creating, deleting, and managing user accounts
      • Resetting user passwords
      • Reading user information
      • Creating, deleting, and managing groups
      • Modifying group membership
    • Permission inheritance allows permissions set on a parent OU to be automatically inherited by all child objects in that OU.

    User Accounts

    • User accounts in Active Directory (AD) are used for authenticating users to the network and storing user information.
    • User accounts created in AD are called "domain user accounts" and can typically access any computer in the domain.
    • The built-in Administrator account has full access to all aspects of a computer or domain.
    • The built-in Guest account is disabled by default and has limited access.

    Creating User Accounts

    • User account names must be unique within a domain.
    • Account names are not case-sensitive and can be up to 20 characters long.
    • Use a consistent naming convention for user accounts.
    • By default, complex passwords are required, and passwords are case-sensitive.

    Disabling User Accounts

    • Accounts can be disabled if a user leaves the company, the account is not ready for use, or a user is on extended leave.

    User Account Information

    • Account tab contains general information about the user account.
      • Display Name: same as the common name (CN) when the account is created.
      • Email: for sending emails to the user using the default email application.
      • Web Page: can contain a URL that can be opened by right-clicking the user account.
    • Account tab also contains information about the user's logon:
      • User logon name: the username used to log in.
      • Logon Hours: specifies when the user is allowed to log in.
      • Log On To: specifies which computers the user is allowed to log on to.
      • Unlock account: enables or disables the user account.
      • Account options: includes settings such as password storage, smart card requirements, and account sensitivity.
    • Member Of tab lists the groups the user belongs to and allows administrators to change group memberships.

    Organizational Units (OUs)

    • Create hierarchical structures that mirror an organizational chart, facilitating easy resource access.
    • Facilitate delegation of administrative authority.
    • Group users and computers, enabling the application of specific administrative and security policies.
    • Enable delegation of control: Individuals with higher security privileges can grant authority to those with lower privileges to perform specific tasks, such as managing user accounts, resetting passwords, and modifying group memberships.

    Permissions and Inheritance

    • Permissions are inherited from parent objects to child objects within Active Directory (AD).
    • All objects in AD are descendants of the domain, inheriting permissions from their parent OUs.
    • The Delegation of Control Wizard allows applying permissions to parent OUs, which are then inherited by all their child objects.

    User Accounts

    • User accounts in AD serve two main functions:
      • Authenticate users to the network.
      • Store detailed user information.
    • Windows machines outside a domain store accounts in the local Security Accounts Manager (SAM) database.
    • Accounts created in AD are "domain user accounts" and can typically log onto any computer within the Active Directory forest.

    Built-in Accounts (Administrator and Guest)

    • Administrator Account:
      • Local administrators have full control over a single computer, while domain administrators have full control over the entire domain.
      • The forest root domain administrator has full access to the entire forest.
      • It's recommended to rename and apply strong passwords to Administrator accounts.
      • Only use Administrator accounts for administrative tasks.
      • Administrator accounts can be renamed or disabled, but not deleted.
    • Guest Account:
      • Disabled by default and requires enabling for login.
      • May have a blank password.
      • Rename if used.
      • Offers limited access to the computer or domain.

    Creating User Accounts

    • Considerations:
      • Account names must be unique within the domain.
      • Names are not case-sensitive and can be 1 to 20 characters long, using letters, numbers, and some special characters.
      • Implement a standardized naming convention.
      • Password complexity and case-sensitivity are enforced by default.
      • By default, only a logon name is required to create a user account.

    Disabling User Accounts

    • Reasons for disabling an account:
      • Employee departure.
      • Account not ready for use.
      • Extended leave of absence.

    User Account Properties

    • General Tab:
      • Contains descriptive information without affecting login, group memberships, or permissions.
      • Important fields:
        • Display name: Matches the common name (CN) at creation.
        • Email: Allows sending emails to the user through the default mail application.
        • Web page: Stores a URL, allowing access by right-clicking the account.
    • Account Tab:
      • Controls user's access to the domain.
      • Key fields:
        • User logon name.
        • Logon hours.
        • Allowed logon locations.
        • Account unlocking.
        • Account options (password storage, smart card requirements, delegation restrictions, account expiration).
    • Member Of Tab:
      • Lists the user's group affiliations.
      • Enables modification of group memberships.

    Benefits of Using Organizational Units (OUs)

    • Create hierarchical structures based on organizational charts for easy access to resources.
    • Delegate administrative authority.
    • Group users and computers for managing administrative and security policies.
    • Delegate control by letting those with higher security privileges authorize those with fewer privileges to perform specific tasks.

    Common Delegated Tasks

    • Create, delete, and manage user accounts.
    • Reset user passwords and force password changes at the next logon.
    • Read all user information.
    • Create, delete, and manage groups.
    • Modify group membership.

    Permission Inheritance

    • Permissions are passed from parent objects to child objects.
    • All objects in Active Directory (AD) are child objects of the domain.
    • Permissions applied to the parent OU using the Delegation of Control Wizard are inherited by all child objects within that OU.

    User Account Functions

    • Provide user authentication for the network.
    • Provide detailed information about a user.
    • Accounts created in AD are referred to as "domain user accounts."
    • Domain user accounts can typically log on to any computer within the Active Directory forest.

    Guidelines for Administrator Account

    • The local administrator account has full access to all aspects of a computer.
    • The domain administrator account has full access to all aspects of the domain.
    • The domain administrator account in the forest root domain has full access to all aspects of the forest.
    • The administrator account should be renamed and assigned a strong password.
    • The administrator account should only be used for administrative operations.
    • The administrator account can be renamed or disabled but not deleted.

    Guidelines for Guest Account

    • The guest account is disabled by default after installation and must be enabled before it can be used for logon.
    • The guest account can have a blank password.
    • The guest account should be renamed if it is to be used.
    • The guest account has limited access to a computer or domain.

    Considerations When Creating User Accounts

    • User accounts must be unique within the domain.
    • Account names are not case-sensitive and can be between 1 and 20 characters long.
    • Use letters, numbers, and special characters (with some exceptions).
    • Develop a standard naming convention.
    • Complex passwords are required by default, and passwords are case-sensitive.
    • Only a logon name is required by default to create a user account.

    Reasons to Disable a User Account

    • A user leaves the company.
    • The account is not yet ready to use.
    • A user is on extended leave.

    Account Information Tab

    • Contains descriptive information that does not affect the user's account logon, group memberships, rights, or permissions.
    • Fields worth mentioning:
      • Display name: is the same as the CN when the account is first created.
      • E-mail: can be used to send emails to the user using the default mail application.
      • Web page: can contain a URL and allows you to open the specified URL by right-clicking the user account.

    Account Options Tab

    • Contains the information that most affects a user's logon to the domain.
    • Fields worth mentioning:
      • User logon name.
      • Logon Hours.
      • Log On To.
      • Unlock account.
      • Account options:
        • Store password using reversible encryption.
        • Smart card is required for interactive logon.
        • Account is sensitive and cannot be delegated.
        • Account expires.

    Group Membership Tab

    • Lists the groups that the user belongs to.
    • Allows you to change group memberships.

    Organizational Units (OUs)

    • Hierarchical Structures: OUs mirror an organization's chart, streamlining resource access.
    • Delegation of Authority: Control and administration tasks can be delegated to specific users within OUs.
    • Group Management: Assign security policies and manage users and computers.
    • Permission Inheritance: Permissions cascade from parent to child objects within an OU, simplifying management.

    User Accounts

    • Authentication & Information: User accounts authenticate access to the network and store user details.
    • Domain vs Local: Domain user accounts, created within Active Directory, provide access to computers within the entire domain.
    • Local Administrator Account: Full control over the specific computer.
    • Domain Administrator Account: Complete control over the entire domain.
    • Built-in Administrator Account: Rename, secure with a strong password, and only use for administrative tasks.
    • Built-in Guest Account: Enabled for limited access, best to rename if used.
    • User Account Creation Guidelines: Unique within the domain, 1-20 characters (letters, numbers, special characters), implement a standard naming convention, strong passwords are required by default.

    Account Management

    • Disabling Accounts: Temporarily remove access for reasons such as employee departure, unfinished accounts, or extended leaves.
    • Account Information: Descriptive information about a user is stored in the account, including their name, email, web page, and logon details.
    • Account Options: Determine the user's access, including logon hours, allowed computers, unlock status, password encryption, required authentication methods, and account expiration.
    • Group Membership: Manage a user's group affiliations, which grants additional rights and permissions.

    Organizational Units (OUs)

    • Hierarchical Structure: OUs allow you to organize users and computers in a tree-like structure, mirroring your organization's chart. This makes resource access easier to manage.
    • Delegation of Authority: Assign administrative tasks to specific users based on security levels.
    • Group Management: Group users and computers together for applying security policies.
    • Delegation of Control: Higher-privileged users can grant specific permissions to lower-privileged users for tasks like user account creation, password resets, group management.
    • Permission Inheritance: Permissions set at the parent OU level are inherited by all its child objects within the domain.
    • Default Permissions: Permissions are generally applied using the Delegation of Control Wizard, but can be customized.

    User Accounts

    • Authentication: User accounts allow network access and provide a mechanism for verifying identity.
    • Account Information: User profiles contain detailed information about a user.
    • Security Accounts Manager (SAM): Windows machines not joined to a domain store user accounts locally using the SAM database.
    • Domain User Accounts: Accounts created in Active Directory can access computers within the forest.
    • Built-in Accounts:
      • Administrator:
        • Full access to the computer or domain.
        • Rename and set a strong password.
        • Should only be used for administrative tasks.
      • Guest:
        • Disabled by default.
        • Must be enabled to allow login.
        • Can have a blank password.
        • Limited access to the computer or domain.
      • User Account Creation:
        • Uniqueness: Usernames must be unique throughout the domain.
        • Naming Convention: Develop a standard for naming user accounts.
        • Default Settings: Accounts require complex, case-sensitive passwords.
        • Account Disabling: Disable accounts when users leave the company, are on extended leave or inactive.

    User Account Details

    • Account Settings:
      • Display Name: Same as the Common Name (CN) when the account is created.
      • Email: Used for sending emails via the default mail application.
      • Web Page: Stores a URL that can be opened by right-clicking the user account.
    • Logon Information:
      • User Logon Name: The username used to log in.
      • Logon Hours: Restricts access to the network to specific times.
      • Log On To: Defines which computers the user can access.
      • Account Options: Controls account behavior like password encryption, smart card requirements, and account sensitivity levels.
    • Group Membership:
      • Group List: Lists all groups the user belongs to.
      • Membership Management: Used to change group memberships.

    Organizational Units (OUs)

    • OUs allow for hierarchical structures based on organizational charts, making resource access easier.
    • OUs facilitate delegation of administrative authority, grouping users and computers for assigning policies.
    • Delegation of control allows users with higher privileges to grant authority to those with lesser privileges for specific tasks.
    • Common delegated tasks include:
      • Creating, deleting, and managing user accounts.
      • Resetting user passwords and forcing password changes.
      • Reading all user information.
      • Creating, deleting, and managing groups.
      • Modifying group membership.
    • Permission inheritance defines how permissions are passed down from parent objects to child objects.
    • All objects in Active Directory (AD) are child objects of the domain.
    • Permissions applied to a parent OU through the Delegation of Control Wizard are inherited by all child objects within that OU.

    User Accounts in AD

    • User accounts in AD serve two main purposes:
      • Provide a method for user authentication to the network.
      • Provide detailed information about a user.
    • Computers not part of a domain store accounts in the Security Accounts Manager (SAM) database on the local machine.
    • Accounts created in AD are called "domain user accounts" and can typically log on to any computer in the AD forest.

    Built-in Accounts

    • Administrator Account:
      • Local administrator account has full access to all aspects of a computer.
      • Domain administrator account has full access to all aspects of the domain.
      • Domain administrator in the forest root domain has full access to the entire forest.
      • Should be renamed and assigned a strong password.
      • Only used for administrative operations.
      • Can be renamed or disabled but not deleted.
    • Guest Account:
      • Disabled by default and needs to be enabled for logon.
      • Can have a blank password.
      • Should be renamed if used.
      • Has limited access to a computer or domain.

    Creating User Accounts

    • User accounts must be unique within the domain.
    • Account names are not case sensitive and can be 1-20 characters long, using letters, numbers, and special characters (with exceptions).
    • A standard naming convention should be established.
    • Complex passwords are required by default.
    • Only a logon name is needed to create an account.

    Disabling User Accounts

    • Reasons to disable a user account include:
      • User leaving the company.
      • Account not ready for use.
      • User going on extended leave.

    Account Information

    • Account Information:

      • Provides descriptive information about the account without affecting logon, group memberships, rights, or permissions.
      • Display Name: Same as the CN (Common Name) when the account is created.
      • E-mail: Can be used to send emails to the user using the default mail application.
      • Web Page: Can contain a URL to open by right-clicking the user account.
    • Account Options:

      • User Logon Name: Used for logon to the domain.
      • Logon Hours: Restricts logon times.
      • Log On To: Defines the specific computers the account can log on to.
      • Unlock Account: Enables or disables account logon.
      • Account Options: Set options such as:
        • Storing passwords using reversible encryption.
        • Requiring a smart card for interactive logon.
        • Marking the account as sensitive and not delegable.
        • Setting account expiration date.
    • Group Membership:

      • Lists groups the user is part of.
      • Can be used to manage group memberships.

    Organizational Units (OUs)

    • OUs allow the creation of hierarchical structures based on an organizational chart.
    • OUs aid in easy resource access by grouping users and computers.
    • Administrative authority and security policies can be delegated within OUs.
    • Common delegated tasks include managing user accounts, resetting passwords, and modifying group memberships.

    Permission Inheritance

    • Permissions applied to a parent OU are inherited by all child objects within that OU.
    • All objects in Active Directory (AD) are child objects of the domain.

    User Accounts

    • User accounts function as a method for user authentication and provide detailed user information.
    • Domain user accounts can log on to any computer within the Active Directory forest.

    Built-in Accounts: Administrator

    • Local administrator accounts have full access to a computer.
    • Domain administrator accounts have full access to the entire domain.
    • The domain administrator account in the forest root domain has complete control over the forest.
    • Administrator accounts should be renamed and protected with strong passwords.
    • These accounts should only be used for administrative tasks.
    • Administrator accounts can be renamed or disabled, but not deleted.

    Built-in Accounts: Guest

    • Guest accounts are disabled by default and must be enabled for logon.
    • Guest accounts can have blank passwords and should be renamed if used.
    • Guest accounts have limited access to a computer or domain.

    User Account Creation Considerations

    • User accounts must be unique within the domain.
    • Account names are case-insensitive and can range from 1 to 20 characters.
    • Account names can use letters, numbers, and special characters (with exceptions).
    • A standard naming convention should be developed.
    • Complex passwords are required by default and passwords are case-sensitive.
    • Only a logon name is required to create a user account.

    Reasons to Disable a User Account

    • A user may have left the company.
    • An account may not be ready for use.
    • A user may be on extended leave.

    Account Information: Description Tab

    • Contains descriptive information about the account, but does not affect user logon, group memberships, rights, or permissions.
    • Displays account name, email address, and optional web page URL.

    Account Information: Account Tab

    • Contains information that affects user logon to the domain.
    • Includes user logon name, logon hours, logon permissions, account lockout settings, and password options.

    Account Information: Member Of Tab

    • Lists the groups the user belongs to.
    • Allows modification of group memberships.

    Organizational Units

    • Organizational units (OUs) can be used to create hierarchical structures based on an organizational chart.
    • OUs enable easy resource access by organizing users and computers.
    • Delegation of administrative authority can be implemented with OUs by assigning rights to specific individuals.
    • Permission inheritance allows permissions set on a parent OU to be inherited by all child objects.

    User Accounts

    • User accounts in Active Directory (AD) provide user authentication to the network and store detailed information about users.
    • Windows machines not part of a domain store accounts in the Security Accounts Manager (SAM) database.
    • Domain user accounts in AD can log on to any computer in the Active Directory forest.
    • Built-in Administrator accounts have full access to a computer or domain.
    • Built-in Guest accounts have limited access, are disabled by default, and can be renamed or enabled.

    Creating User Accounts

    • User accounts must be unique within a domain.
    • Account names can be up to 20 characters long and include letters, numbers, and special characters.
    • Strong passwords are recommended and should be case sensitive.
    • User accounts may need to be disabled if an employee leaves the company, the account is not ready for use, or an employee goes on extended leave.

    User Account Information

    • User accounts have attributes that store information like their display name, email address, web page, and logon information.
    • User logon name, logon hours, logon permissions, account options, and account expiration are key attributes.
    • User groups can be managed within the user account to control permissions.

    Organizational Units (OUs)

    • OUs allow for the creation of hierarchical structures mirroring an organization's chart, which simplifies resource access.
    • OUs facilitate delegation of administrative authority by grouping users and computers.
    • Delegated tasks include:
      • User account creation, deletion, and management
      • User password resets and forced changes
      • User information access
      • Group creation, deletion, and management
      • Group membership modifications
    • Permission inheritance in Active Directory (AD) allows permissions to be passed down from parent objects to child objects.
    • By default, permissions set at the parent OU level are inherited by all child objects within that OU.

    User Accounts in AD

    • User accounts serve two primary purposes in AD:
      • Network authentication
      • User information storage
    • Non-domain computers store accounts in the Security Accounts Manager (SAM) database.
    • Accounts created in AD are called "domain user accounts" and allow access to any computer within the forest.

    Built-in Administrator and Guest Accounts

    • Administrator accounts:
      • Local administrators have full access to a computer; domain administrators have full access to the domain.
      • The forest root domain administrator has full access to the entire forest.
      • Administrator accounts should be renamed, given strong passwords, and used only for administrative tasks.
      • Administrator accounts cannot be deleted, but can be renamed or disabled.
    • Guest accounts:
      • Disabled by default and must be enabled for login.
      • Can have blank passwords.
      • Should be renamed if used.
      • Offer limited access to computers or domains.

    Creating User Accounts

    • User accounts must be unique within the domain.
    • Account names are not case-sensitive, can be up to 20 characters long, and can include letters, numbers, and special characters (with some exceptions).
    • A standard naming convention is recommended.
    • Strong, complex passwords are required by default.
    • Only a logon name is required when creating a user account.

    Disabling User Accounts

    • Reasons for disabling user accounts include:
      • User leaving the company
      • Account not ready for use
      • User on extended leave

    Account Information

    • Attribute Tab:
      • Contains descriptive information that doesn't affect login, groups, rights, or permissions.
      • Notable fields include:
        • Display name (same as CN initially)
        • Email (for sending emails using the default application)
        • Web page (for storing a URL, allowing the URL to be opened with a right-click)
    • Account Tab:
      • Affects user login to the domain.
      • Notable fields include:
        • User logon name
        • Logon hours
        • Logon to
        • Unlock account
        • Account options (e.g., password encryption, smartcard requirement, account sensitivity)
    • Member Of Tab:
      • Lists the user's groups.
      • Allows for changing group memberships.

    Organizational Units (OUs)

    • Organizational Units (OUs) are containers within Active Directory (AD) that allow for the creation of hierarchical structures based on an organizational chart.
    • OUs make managing resources easier by simplifying the process of assigning administrative and security policies to groups of users and computers.
    • OUs allow for delegation of control, where individuals with higher security privileges can assign authority to perform specific tasks to those with lower privilege levels.
    • Common delegated tasks include managing user accounts, resetting passwords, and managing groups.
    • Permissions assigned to an OU are inherited by all objects within that OU, utilizing permission inheritance.
    • By default, all objects in AD are child objects of the domain.

    User Accounts in AD

    • Primary functions of user accounts in AD are user authentication and storing detailed user information.
    • User accounts created in AD, called "domain user accounts," can log on to any computer within the Active Directory forest.
    • Windows machines that are not part of a domain store their accounts in the Security Accounts Manager (SAM) database on the local computer.

    Built-in Administrator and Guest Accounts

    • The local administrator account has full control over a single computer, while the domain administrator account has full control over the entire domain.
    • Rename and assign a strong password to the administrator account for security.
    • The domain administrator account in the forest root domain has full access to all aspects of the forest.
    • The administrator account should only be used for administrative operations.
    • The administrator account can be renamed or disabled, but not deleted.
    • The Guest account is disabled by default and must be enabled before it can be used for logon.
    • It can have a blank password.
    • The Guest account should be renamed if it is to be used.
    • The Guest account has limited access to a computer or domain.

    Creating a User Account in AD

    • When creating user accounts, note that they must be unique throughout the domain.
    • Account names are not case-sensitive, can have 1-20 characters, and allow letters, numbers, and some special characters.
    • Develop a standardized naming convention for user accounts.
    • By default, complex passwords are required, and passwords are case-sensitive.
    • Only a logon name is required to create a user account by default.

    When To Disable a User Account

    • If a user leaves the company.
    • If the account is not yet ready for use.
    • When a user goes on extended leave.

    Key Account Fields

    • Account
      • Contains descriptive information that does not affect the user's logon, group memberships, rights, or permissions.
      • Fields worth mentioning are the Display name (same as the CN) and Email (used for sending email via the default mail application).
    • Logon
      • Contains information that directly affects a user's logon to the domain.
      • Fields worth mentioning are the User logon name, Logon hours, Log On To, Unlock account, and Account options.
      • Account options include "Store password using reversible encryption," "Smart card is required for interactive logon," "Account is sensitive and cannot be delegated," and "Account expires."
    • Group Memberships
      • Lists groups the user belongs to.
      • This section can be used to change group memberships.

    Organizational Units (OUs)

    • Create hierarchical structures based on an organizational chart, allowing easy access to resources.
    • Delegate administrative authority to control user accounts and security policies.
    • Group users and computers for assigning administrative and security policies.
    • Permissions applied to the parent OU are inherited by all child objects of that OU.

    User Accounts

    • Provide authentication to the network and store user information.
    • Domain user accounts can log on to any computer in the Active Directory forest.
    • Local administrator accounts have full access to a specific computer, while domain administrator accounts have full access to the entire domain.
    • The forest root domain administrator account has full access to the entire forest.
    • Administrator accounts should be renamed, have strong passwords, and only be used for administrative operations.
    • Guest accounts are disabled by default and have limited access.
    • User accounts must be unique throughout the domain, with names up to 20 characters long.
    • Develop a standard naming convention for user accounts.
    • Complex passwords are typically required and case sensitive.
    • Disable user accounts when users leave the company, when accounts aren't ready for use, or when users are on extended leave.

    User Account Information

    • Account tab:
      • Contains descriptive information about the account, but doesn't affect logon, group memberships, rights, or permissions.
      • Includes fields like:
        • Display name: Same as the Common Name (CN) when the account is first created.
        • E-mail: Can be used to send emails to the user using the default mail application.
        • Web page: Contains a URL that can be opened by right-clicking the user account.
    • Account tab:
      • Contains information affecting the user’s domain logon, including:
        • User logon name
        • Logon Hours
        • Log On To
        • Unlock account
        • Account options like:
          • Storing password using reversible encryption
          • Requiring a smart card for interactive logon
          • Account is sensitive and cannot be delegated
          • Account expiration
    • Member Of tab:
      • Lists groups the user belongs to.
      • Allows changing group memberships.

    Organizational Units (OUs)

    • OUs allow for hierarchical structuring based on organizational charts.
    • OUs simplify resource access.
    • OUs enable delegation of administrative authority.
    • OUs provide a mechanism for grouping users and computers for applying administrative and security policies.

    Delegation of Control

    • A user with higher security privileges can delegate authority to a user with fewer privileges for specific tasks.
    • Tasks commonly delegated include:
      • Creating, deleting, and managing user accounts
      • Resetting user passwords and enforcing password changes
      • Reading user information
      • Creating, deleting, and managing groups
      • Modifying group memberships
    • Permission inheritance determines how permissions are passed down from parent objects to child objects.
    • All objects in Active Directory (AD) are child objects of the domain.
    • Permissions applied to a parent OU using the Delegation of Control Wizard are inherited by all child objects within that OU.

    User Accounts in AD

    • User accounts serve two primary purposes:
      • Authenticating users to the network
      • Providing detailed information about users
    • Windows machines not part of a domain store accounts in the Security Accounts Manager (SAM) database on the local computer.
    • User accounts created in AD are termed "domain user accounts."
    • These accounts typically allow login to any computer within the Active Directory forest.

    Built-in Accounts

    • Administrator Account:
      • Local administrator account has full control over a computer, while the domain administrator account has full control over the domain.
      • The domain administrator account in the forest root domain has full access to the entire forest.
      • Rename the administrator account and assign a strong password.
      • Only use the administrator account for administrative tasks.
      • The administrator account can be renamed or disabled but not deleted.
    • Guest Account:
      • Disabled by default after installation.
      • Must be enabled for login.
      • Can have a blank password.
      • Should be renamed if used.
      • Has limited access to a computer or domain.

    User Account Creation Guidelines

    • User accounts must be unique within the entire domain.
    • Account names are not case-sensitive and can be 1 to 20 characters in length, including letters, numbers, and special characters (with some exceptions).
    • Implement a standardized naming convention.
    • Complex passwords are required by default, and passwords are case-sensitive.
    • Only a logon name is needed to create a user account by default.

    Disabling User Accounts

    • Reasons for disabling a user account:
      • User leaves the company.
      • Account is not ready for use.
      • User goes on extended leave.

    User Account Fields

    • General Information (Descriptive):

      • Display name: Matches the CN when the account is created.
      • Email: Allows sending emails to the user using the default mail application.
      • Web page: Contains a URL and allows opening the specified URL by right-clicking the user account.
    • Account Information (Affects Login):

      • User logon name:
      • Logon hours:
      • Log on to:
      • Unlock account:
      • Account options:
        • Store password using reversible encryption
        • Smart card is required for interactive logon
        • Account is sensitive and cannot be delegated
        • Account expires
    • Group Membership:

      • Lists the groups the user belongs to.
      • Allows changing group memberships.

    Organizational Units (OUs)

    • Offer hierarchical structures aligned with an organization's chart for efficient resource access.
    • Enable delegation of administrative authority for managing users and computers.
    • Facilitate grouping users and computers to assign specific policies.
    • Allow delegation of control, where a higher-privileged user grants specific task permissions to a lower-privileged user.
    • Common delegated tasks include creating, deleting, and managing user accounts, resetting passwords, and modifying group memberships.

    Permission Inheritance

    • Permissions set on a parent OU are inherited by all its child objects within Active Directory (AD).
    • This enables easy policy application to groups of users or computers within an OU structure.

    User Accounts in AD

    • Provide authentication for network access.
    • Store detailed user information.
    • Domain user accounts can access any computer within the AD forest.
    • Windows machines not part of a domain use the Security Accounts Manager (SAM) database for local account storage.

    Built-in Accounts: Administrator & Guest

    • Administrator:
      • Has full access to the computer or domain.
      • Should be renamed, assigned a complex password, and used sparingly for administrative tasks.
      • Can be renamed or disabled but not deleted.
    • Guest:
      • Disabled by default after installation and needs enabling for use.
      • Can have a blank password and should be renamed if used.
      • Has limited access to the computer or domain.

    Creating User Accounts

    • Account names must be unique within the domain.
    • Account names are not case-sensitive and can be 1-20 characters long, using letters, numbers, and special characters (with exceptions).
    • Standard naming conventions should be implemented.
    • By default, complex passwords are required, and passwords are case-sensitive.

    Disabling User Accounts

    • Possible reasons include:
      • User leaving the company.
      • Account not ready for use.
      • User on extended leave.

    User Account Fields

    • Account Information:
      • Provides descriptive details about the user account.
      • Includes fields like Display Name, Email, and Web Page.
    • Account Options:
      • Crucial for user logon and access control.
      • Includes fields like User logon name, logon hours, logon restrictions, and account expiry.
    • Group Membership:
      • Displays groups the user belongs to.
      • Allows for adjusting group memberships.

    Organizational Units (OUs)

    • Allow administrators to create hierarchical structures based on an organizational chart for easy resource access.
    • Facilitate delegation of administrative authority by grouping users and computers, enabling the assignment of administrative and security policies.
    • Enable delegation of control, permitting individuals with higher security privileges to assign authority to those with lesser privileges for specific tasks.
    • Common delegated tasks include:
      • Creating, deleting, and managing user accounts
      • Resetting user passwords and forcing password changes at the next logon
      • Reading all user information
      • Creating, deleting, and managing groups
      • Modifying group memberships
    • Permission inheritance in OUs determines how permissions are passed from parent to child objects.
    • All objects within Active Directory (AD) are child objects of the domain.
    • Permissions applied to the parent OU using the Delegation of Control Wizard are inherited by all child objects within that OU.

    User Accounts in AD

    • User accounts serve two primary functions in AD:
      • Providing a method for user authentication to the network
      • Providing detailed information about a user
    • Windows machines outside a domain store accounts in the Security Accounts Manager (SAM) database on the local computer.
    • User accounts created in AD are called "domain user accounts."
    • These accounts can typically log on to any computer within the Active Directory forest.

    Built-in Accounts

    • Administrator Account:
      • The local administrator account has full access to all aspects of a computer, while the domain administrator account has full access to all aspects of the domain.
      • The domain administrator account in the forest root domain has full access to all aspects of the forest.
      • The Administrator account should be renamed and assigned a strong password.
      • It should only be used during administrative operations.
      • The Administrator account can be renamed or disabled but not deleted.
    • Guest Account:
      • The Guest account is disabled by default after installation and must be enabled before it can be used for logon.
      • It can have a blank password.
      • It should be renamed if used.
      • The Guest account has limited access to a computer or domain.

    Creating User Accounts in AD

    • Consider these factors when creating a user account in an AD domain:
      • User accounts must be unique across the entire domain.
      • Account names are not case-sensitive and can be 1 to 20 characters long.
      • Account names can include letters, numbers, and special characters (with some exceptions).
      • Develop a standard naming convention.
      • Complex passwords are required by default, and passwords are case-sensitive.
      • Only a logon name is required to create a user account by default.

    Disabling User Accounts

    • Reasons to disable a user account:
      • A user has left the company.
      • The account is not yet ready for use.
      • A user is on extended leave.

    User Account Properties

    • Account tab:
      • Contains descriptive information about the account but does not affect the user's account logon, group memberships, rights, or permissions.
      • Fields worth noting:
        • Display name: Same as the Common Name (CN) when the account is first created.
        • E-mail: Can be used to send an email to the user using the default mail application.
        • Web page: Can contain a URL, allowing you to open the specified URL by right-clicking the user account.
    • Account tab (continued):
      • Contains information that primarily affects a user's domain logon.
      • Important fields:
        • User logon name: The name used to log in.
        • Logon Hours: Specifies when the account is allowed to log on.
        • Log On To: Determines which computers the user can log on to.
        • Unlock account: Enables or disables the account.
        • Account options: Provides settings such as:
          • Store password using reversible encryption: Allows the password to be stored in a way that it can be retrieved.
          • Smart card is required for interactive logon: Requires the use of a smart card for login.
          • Account is sensitive and cannot be delegated: Prevents the delegation of the account.
          • Account expires: Sets an expiration date for the account.
    • Member Of tab:
      • Lists groups the user belongs to.
      • Can be used to change group memberships.

    Organizational Units (OUs)

    • OUs allow for hierarchical structures, reflecting an organization's chart, enabling easier resource access.
    • OUs are used to delegate administrative authority, group users and computers, and assign security policies.
    • Delegation of control: users with higher security privileges can assign tasks to lower-privilege users.
    • Common delegated tasks:
      • Create, delete, and manage user accounts.
      • Reset user passwords and force password changes.
      • Read all user information.
      • Create, delete, and manage groups.
      • Modify group membership.
    • Permission inheritance: permissions flow from parent objects to child objects.
    • The default inheritance behavior applies permissions to all child objects within a specific OU.

    User Accounts in Active Directory (AD)

    • User accounts in AD serve two main functions:
      • User authentication to the network.
      • Providing detailed information about a user.
    • Domain user accounts can log on to any computer within the Active Directory forest.
    • The built-in Administrator account:
      • The local administrator account has full control over a single computer.
      • The domain administrator account has full control over the entire domain.
      • The forest root domain administrator has full control over the entire forest.
      • Rename and implement strong passwords for the Administrator account.
      • Use the Administrator account only for administrative tasks.
      • Disable the Administrator account instead of deleting it.
    • The built-in Guest account:
      • Disabled by default and requires enabling for login.
      • Allows for a blank password.
      • Rename the Guest account before use.
      • Has limited access to a computer or domain.

    Creating User Accounts in AD

    • User names must be unique across the domain.
    • Account names can be up to 20 characters, including letters, numbers, and some special characters.
    • Use a standardized naming convention.
    • By default, complex passwords are required, and they are case sensitive.
    • Only the logon name is required to create a user account.

    Reasons to Disable User Accounts

    • Former employees.
    • Accounts in preparation for use.
    • Extended leaves of absence.

    User Account Attributes

    • Account tab:
      • "Display name" matches the Common Name (CN) on initial account creation.
      • "E-mail" allows sending emails using the default mail application.
      • "Web page" stores a URL and allows opening it by right-clicking the user account.
    • Account tab:
      • "User logon name" is used for logging in.
      • "Logon Hours" sets allowable login times.
      • "Log On To" specifies allowed login computers.
      • "Unlock account" enables account login.
      • "Account options" include:
        • Storing passwords with reversible encryption.
        • Requiring a smart card for interactive login.
        • Marking the account as sensitive, preventing delegation.
        • Account expiration settings.
    • Member Of tab:
      • Displays the groups a user belongs to.
      • Allows for modifying group memberships.

    Organizational Units (OUs)

    • Hierarchical structure: Enables easy resource access by mirroring the organizational chart.
    • Delegation of administration: Groups users and computers to assign administrative and security policies.
    • Delegation of control: Higher-privileged users can grant specific tasks to lower-privileged users.
      • Examples:
        • Managing user accounts
        • Resetting passwords
        • Modifying group memberships
    • Permission Inheritance: Permissions set on the parent OU are automatically inherited by its child objects.

    User Accounts

    • Primary Functions:
      • User authentication for network access
      • Storing detailed user information
    • Domain User Accounts: Created within Active Directory, allowing access to any computer in the forest.
    • Built-in Administrator Account:
      • Has full access to the respective computer or domain.
      • Should be renamed, given a strong password, and used only for administrative tasks.
      • Can be renamed or disabled but not deleted.
    • Built-in Guest Account:
      • Disabled by default, must be enabled for logon.
      • Can have a blank password, should be renamed if used.
      • Has limited access to the computer or domain.

    Creating User Accounts

    • Uniqueness: Account names must be unique across the domain.
    • Naming Conventions:
      • Case-insensitive, 1-20 characters
      • Use letters, numbers, and special characters (with exceptions).
      • Establish standardized naming practices.
    • Password Requirements:
      • Complex passwords are required by default, and passwords are case-sensitive.
      • Logon name is the only required field initially.

    Disabling User Accounts

    • Reasons:
      • Employee leaving the company.
      • Account not ready for use.
      • Extended leave.

    User Account Information

    • Account Information: Descriptive details that do not affect logon, memberships, rights, or permissions.
      • Display name: Same as the CN when initially created.
      • E-mail: Used for sending emails to the user.
      • Web page: Contains a URL for website access.
    • Account Options: Affects user's logon to the domain.
      • Logon name: The user's unique identification.
      • Logon hours: Restrict logon times.
      • Log on to: Specifies allowed computers for logon.
      • Unlock account: Unlocks a user account.
      • Account Options:
        • Store password reversibly: Allows administrators to retrieve passwords.
        • Smart card required: Requires a smart card for logon.
        • Account is sensitive: Prevents delegation of access to the account.
        • Account expires: Automatically disables the account after a defined period.
    • Group Memberships: Lists all groups the user is a member of.
      • Can be used to modify group memberships.

    Organizational Units (OUs)

    • OUs provide a hierarchical structure for organizing users and computers in Active Directory (AD).
    • They facilitate resource access by reflecting organizational charts.
    • Administrative authority can be delegated within OUs, allowing users with specific privileges to manage resources.
    • Common delegated tasks include user account management, password resets, and group management.

    Permission Inheritance

    • Permissions set at a parent OU automatically apply to all child objects within that OU.
    • This ensures consistent access control throughout a domain.

    User Accounts

    • User accounts in AD serve two main purposes:
      • Authentication: Users authenticate with the network using their account credentials.
      • Information Storage: Accounts store user details like name, email, and contact information.
    • Domain user accounts offer broader network access compared to local user accounts.

    Built-in Accounts

    • Administrator Account:
      • Provides full control over the computer (local) or domain (domain administrator).
      • Should be renamed, secured with a strong password, and only used for administrative tasks.
    • Guest Account:
      • Disabled by default and offers limited access to the system or domain.
      • Can be enabled and used for temporary guest access.

    User Account Creation

    • When creating new user accounts, ensure:
      • Uniqueness: Account names must be unique within the domain.
      • Naming Convention: Develop a standard naming convention for clarity and easy identification.
      • Password Complexity: By default, complex passwords are required, and passwords are case-sensitive.

    Disabling User Accounts

    • Reasons for disabling accounts:
      • Employee departure from the company.
      • Temporary account inactivity (e.g., extended leave).

    User Account Properties

    • Account Information:
      • This section contains descriptive details about the user, including display name and email address.
    • Account Logon:
      • Controls access options, logon hours, and account restrictions.
    • Group Membership:
      • Lists the groups a user is a member of.
      • Allows for managing group memberships.

    Organizational Units (OUs)

    • Hierarchical structure based on organizational chart for easy resource access.
    • Delegate administrative authority.
    • Group users and computers for assigning administrative and security policies.
    • Delegation of control: A person with higher security privileges assigns authority to a person with lesser privileges for specific tasks.
      • Create, delete, and manage user accounts.
      • Reset user passwords and force password change at next login.
      • Read all user information.
      • Create, delete, and manage groups.
      • Modify group memberships.
    • Permission inheritance: Permissions are passed from parent object to child objects.
      • All objects in Active Directory (AD) are child objects of the domain.
    • Delegation of Control Wizard permissions applied to a parent OU are inherited by child objects.

    User Accounts

    • Two main functions in AD:
      • User authentication to the network.
      • User information storage.
    • Accounts on Windows machines not part of a domain are stored in the local Security Accounts Manager (SAM) database.
    • User accounts created in AD are called “domain user accounts”.
    • Domain user accounts can usually log on to any computer in the Active Directory forest.
    • Built-in Administrator account:
      • Local Administrator account has full computer access.
      • Domain Administrator account has full domain access.
      • Forest root domain Administrator account has full forest access.
      • Rename and set a strong password.
      • Use only for administrative operations.
      • Can be renamed or disabled but not deleted.
    • Built-in Guest account:
      • Disabled by default after install.
      • Must be enabled before it can be used to log in.
      • Can have a blank password.
      • Rename if it is to be used.
      • Limited access to a computer or domain.
    • Creating a user account in AD:
      • User accounts must be unique throughout the domain.
      • Account names are not case sensitive, 1-20 characters long, allowing letters, numbers, and special characters (with exceptions).
      • Develop a standard naming convention.
      • Complex passwords are required by default, and passwords are case-sensitive.
      • Only a logon name is required.
    • Reasons to disable a user account:
      • User has left the company.
      • Account is not ready to use.
      • User is on extended leave.

    User Account Fields

    • General Tab: Descriptive information that does not affect user logon, group memberships, rights, or permissions.
      • Display name: Same as Common Name (CN) when account is created.
      • E-mail: Send email to user using default mail application.
      • Web page: Contains URL and allows opening the specified URL by right-clicking the user account.
    • Account Tab: Contains information that affects user domain logon.
      • User logon name: Used for logon.
      • Logon Hours: Restrict access to specific hours.
      • Log On To: Restrict access to specific computers.
      • Unlock Account: Unlock a locked account.
      • Account options:
        • Store password using reversible encryption: Password can be retrieved.
        • Smart card is required for interactive logon:
        • Account is sensitive and cannot be delegated:
        • Account expires: Set an expiration date for the account.
    • Member Of Tab: Lists groups that the user belongs to.
      • Used to change group memberships.

    Organizational Units (OUs)

    • Hierarchical Structure: OUs allow users, computers, and devices to be organized in a tree-like hierarchy, mirroring the organization's structure. This facilitates easy resource access and management.
    • Administrative Delegation: Different levels of administrative authority can be granted through OUs, enabling delegation of tasks and responsibility.
    • Security Policies: OUs simplify the implementation of security policies by grouping users and computers together, allowing for consistent application of access control and security rules.
    • Common Delegated Tasks: Administrators can assign tasks like creating, deleting, and managing user accounts, managing group memberships, and resetting passwords through OUs.
    • Permission Inheritance: Permissions set on a parent OU are automatically inherited by its child OUs. This streamlines administration and ensures consistent security throughout the organizational hierarchy.

    User Accounts in Active Directory (AD)

    • Authentication: User accounts provide a secure method for users to authenticate to the network, verifying their identity and granting access.
    • User Information: AD stores comprehensive information about each user, including contact details, group memberships, and access rights.
    • Domain User Accounts: Accounts created in AD are called "domain user accounts," offering access to any computer within the AD forest.
    • Built-in Administrator Account: This account holds full administrative privileges within the domain and should be renamed, secured with a strong password, and used only for administrative tasks. Renaming or disabling this account is possible, but deletion is not permitted.
    • Built-in Guest Account: The guest account is disabled by default and offers limited access to the computer or domain. It can be renamed and enabled for specific purposes.
    • Creating User Accounts: When creating user accounts, use names that are unique throughout the domain, do not rely on letter case to distinguish names, and follow a standard naming convention.
    • Disabling User Accounts: Disable accounts for users who have left the company, are on extended leave, or whose account is not yet ready for use.
    • Account Information: Several fields within a user account provide descriptive and operational information, including:
      • Display Name: Matches the Common Name (CN) when the account is first created.
      • Email: Enables email communication with the user using the default mail application.
      • Web Page: Stores a URL, allowing access to the specified website by right-clicking the user account.
    • Account Options: The "Account" tab within AD allows management of several settings including:
      • User Logon Name: The unique identifier for the user account.
      • Logon Hours: Restricts access to specific time periods.
      • Log On To: Specifies allowed computers for logon.
      • Unlock Account: Allows unlocking a locked account.
      • Account Options: Contains settings for password complexity, account expiration, and sensitivity.
    • Group Membership: The "Member Of" tab lists all groups the user belongs to. This tab can be utilized for managing group memberships, assigning permissions, and controlling access levels.

    Quiz Team

    Description

    Test your knowledge on Organizational Units (OUs) and user accounts within Active Directory. This quiz covers the functions and hierarchy of OUs, the delegation of control, and the roles of built-in accounts like Local and Domain Administrators. Assess your understanding of network access and security management in an organizational setting.
