Managing User Accounts in Active Directory

Questions and Answers

What is a primary benefit of using Organizational Units (OUs) in Active Directory?

Eliminate the need for security policies

Reduce the number of user accounts

Increase network speed

Create a hierarchical structure for resource access (correct)

Delegation of control allows lower-security users to perform tasks normally reserved for higher-security users.

True

What does permission inheritance in OUs define?

How permissions are transmitted from a parent object to a child object

OUs allow for the delegation of administrative tasks such as resetting user __________.

passwords

Match the following tasks to their descriptions regarding OU management:

Creating user accounts = Manage user identification and access Resetting passwords = Allow users to regain access to accounts Understanding permission inheritance = Define how permissions pass to child objects Managing groups = Control access and organization of users

What is a primary function of user accounts in Active Directory (AD)?

Authenticate users to the network

The built-in Guest account is enabled by default after installation.

False

What should the Administrator account be protected with?

A strong password

User accounts must be _______ throughout the domain.

unique

What can a domain administrator account do?

Have full access to all aspects of the domain

Match the following accounts with their characteristics:

Administrator account = Can be renamed but not deleted Guest account = Disabled by default Domain user accounts = Can be used for log on to any computer in the AD forest Local administrator account = Has full access to local computer resources

Account names in Active Directory are case sensitive.

False

What should be developed when creating user accounts?

A standard naming convention

What is the primary reason to disable a user account?

User has left the company

Passwords are case sensitive by default.

True

What is the purpose of the General Tab in a user account?

Contains descriptive information about the account.

The __________ tab contains information that affects a user’s logon to the domain.

Account

Which of the following fields is NOT mentioned in the General Tab?

Logon Hours

The Member of Tab allows for the addition of new users to the system.

False

What can be used to send an email to a user using the default mail application?

E-mail field in the General Tab.

Match the following account tabs with their primary functions:

General Tab = Contains account descriptive information Account Tab = Contains logon-related information Member of Tab = Lists user group memberships Account options = Defines special logon requirements

Which of the following is NOT a commonly delegated task in OU management?

Change network settings

Permission inheritance means that a child object can inherit permissions from a parent object.

True

What is the primary benefit of using Organizational Units (OUs) in Active Directory?

They create hierarchical structures for easy resource access and delegation.

User account management in Active Directory allows for the ability to reset user passwords and force a password change at the next __________.

logon

Match the following tasks with their descriptions regarding OU tasks:

Create user accounts = Allow new users to access resources Delete user accounts = Remove access for users who no longer need it Reset passwords = Allow users to regain access by changing their passwords Modify group membership = Manage the rights and permissions of groups

What is the maximum number of characters allowed in an account name in Active Directory?

20

The built-in Administrator account can be deleted from the system.

False

What must be done before the Guest account can be used for log on?

It must be enabled.

User accounts must be __________ throughout the domain.

unique

Match the following accounts with their characteristics:

Administrator = Has full access to all aspects of the domain Guest = Disabled by default and has limited access Local Administrator = Full access to all aspects of a single computer Domain Administrator = Full access to all aspects of the forest

What type of account can have a blank password?

Guest account

Account names in Active Directory are case sensitive.

False

What should be done to the Administrator account to enhance security?

Rename it and give it a strong password.

Which of the following is NOT a reason to disable a user account?

The user is transitioning to a different role

By default, only a username is required to create a user account.

True

What information does the General Tab contain?

Descriptive information about the account.

The __________ tab lists the groups the user belongs to.

Member of

What does the Account Tab NOT include?

Display name

Why might a user account be set to expire?

To enforce a time limit on account access.

Match the following features with their respective tabs:

Logon Hours = Account Tab E-mail = General Tab Group memberships = Member of Tab Smart card requirements = Account Tab

Passwords are case insensitive by default.

False

Study Notes

Managing User Accounts

• User accounts provide a method for authentication and store detailed information about a user.
• Windows machines outside of a domain store accounts in the Security Accounts Manager (SAM) database.
• Domain user accounts can logon to any computer in the Active Directory forest.
• The built-in Administrator account has full access to all aspects of the machine or domain.
• The Administrator account should be renamed, given a strong password and used only for administrative operations.
• The Administrator account cannot be deleted, but can be renamed or disabled.
• The Guest account is disabled by default and must be enabled before use.
• The Guest account can have a blank password and should be renamed if used.
• The Guest account has limited access to the machine or domain.
• User accounts must be unique throughout the domain.
• User account names are not case sensitive and can be 1-20 characters including letters, numbers, and special characters (with some exceptions).
• Develop a standard naming convention for user accounts.

Disabling User Accounts

• Reasons for disabling a user account include: a user leaving the company, the account not being ready for use, or the user going on extended leave.

The General Tab

• Contains descriptive information about the user, but does not affect the user's logon, group memberships, rights, or permissions.
• The Display name is the same as the CN on first creation.
• The E-mail address can be used to send an email to the user using the default mail application.
• The Web page field can contain a URL which can be opened by right clicking on the user account.

The Account Tab

• Contains information that affects a user's logon to the domain.
• The User logon name is one of the fields contained within.
• Contains fields for setting Logon Hours, Log On To, Unlocking the account and setting Account options.
• Account options include: Store password using reversible encryption, Smart card is required for interactive logon, Account is sensitive and cannot be delegated, Account Expires.

The Member of Tab

• Lists all of the groups a user belongs to.
• Can be used to change group memberships.

Working with Organizational Units

• Organizational Units provide: Hierarchical structures based on the organizational chart for easy resource access, delegation of administrative authority, and grouping of users and computers to apply administrative and security policies.

OU Delegation of Control

• Delegation of control means those with higher security privileges assign authority to those with lesser security privileges.
• Common delegated tasks include: creating, deleting and managing user accounts, resetting user passwords, forcing password changes at the next logon, reading all user information, creating, deleting and managing groups, and modifying group memberships.

Permission Inheritance in OUs

• Permission inheritance defines how permissions are transmitted from a parent object to a child object.
• All objects in AD are child objects of the domain.
• By default, permissions applied to a parent OU using the Delegation of Control wizard are inherited by all child objects.

Managing User Accounts

• User accounts provide authentication and information about users
• Local accounts are stored in the Security Accounts Manager (SAM) database on local computers
• Accounts created in AD are called "domain user accounts"
• Domain user accounts can log on to any computer in the Active Directory forest

Admin Account Guidelines

• The local administrator account has full access to a computer
• The domain administrator account has full access to the domain
• The domain administrator in the forest root has full access to the forest
• The administrator account should be renamed and a strong password should be used
• The account should only be used for administrative operations
• The account can be renamed or disabled, but not deleted

Guest Account Guidelines

• The guest account is disabled by default after install and must be enabled before use
• The guest account can have a blank password
• The account should be renamed if it is to be used
• The guest account has limited access to a computer or domain

User Account Creation

• User accounts must be unique throughout the domain
• Account names are not case sensitive and are 1 to 20 characters long
• Can use letters, numbers, and special characters (with exceptions)
• A standard naming convention should be developed
• Passwords are complex and case sensitive by default
• Only a logon name is required to create a user account

Disabling User Accounts

• Accounts may be disabled when an employee leaves the company
• Accounts may be disabled when an account is not ready for use
• Accounts may be disabled when an employee is on extended leave

User Account Tabs

• The General Tab contains descriptive information about the account and does not affect logon, memberships, rights or permissions
• The Account Tab contains information related to a user's logon to the domain
• The Member of Tab lists groups the user belongs to and can be used to change group memberships

Working with Organizational Units

• OUs create hierarchical structures based on organization charts, providing easy resource access
• Delegation of administrative authority is made easier with OUs
• OUs group users and computers for assigning administrative and security policies

Delegation of Control

• Delegation of control assigns authority to a person with lesser privileges to perform certain tasks
• Common delegated tasks include user account creation, deletion, and management
• Tasks also include password reset, force password change, reading user information, group creation, deletion, and management
• Users can modify the membership of a group

Permission Inheritance

• Permissions are transmitted from parent to child
• All objects in AD are child objects of the domain
• Permissions applied to the parent OU are inherited by all child objects of that OU

MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410

• Chapter 4 - Managing OUs and Active Directory Accounts
• Objectives:
  • Work with organizational units
  • Manage user accounts
  • Manage group accounts
  • Work with computer accounts
  • Automate account management

Description

This quiz covers the important aspects of managing user accounts within a Windows environment, particularly focusing on Active Directory. Questions focus on user authentication, account types, and security best practices for the Administrator and Guest accounts. Enhance your understanding of effective user account management.