a tree that represents the directory tree. By browsing the folders in this tree, you can select the con-
tainer you want the object moved to, and then click OK to being the move.
When using Active Directory Users and Computers, multiple objects can be selected and moved
to other locations.You can select these objects as you would files in Windows Explorer, by dragging
your mouse over the objects to be moved.You can also select a series of objects by holding down
the Shift key as you click on objects, or select a number of individual objects by holding down the
Ctrl key as you click on them. After selecting the objects to be moved, perform the actions we just
discussed to move them to another container or OU.
Moving Objects with the DSMOVE Command
DSMOVE is used to move objects within a domain, and can be used to rename objects. DSMOVE
is a command-line utility that is used from the command prompt. Providing you don’t need to
move an object to another domain, you can use this tool to move an object to other locations in the
directory tree.The syntax for using this tool is as follows:
DSMOVE UserDN [-newparent ParentDN] -pwd {Password|*}
In using this syntax, several different parameters must be entered for moving the object.The
UserDN parameter specifies the DN of the object being moved.The –newparent switch indicates that
you are using DSMOVE to move an object, and is used with the ParentDN variable to specify the
DN of the new location.
To illustrate how this command is used, let’s say you wanted to move an object called BuddyJ
from the Sales OU in knightware.ca to the Finance OU in the same domain.To move this object,
you would use the following command:
Dsmove CN=BuddyJ,OU=Sales,DC=knightware,DC=ca –newparent
OU=Finance,DC=knightware,DC=ca
426 Chapter 10 • Working with User, Group, and Computer Accounts
Figure 10.41 Move Dialog Box
301_BD_W2k3_10.qxd 5/12/04 12:28 PM Page 426
DSMOVE also provides additional parameters to perform actions such as renaming an object, or
controlling the type of input and output for this command.To review these parameters, refer to the
section on DSMOVE in Chapter 9.
Moving Objects with the MOVETREE Command
MOVETREE is the Active Directory Object Manager tool. In addition to other capabilities, it is a

command-line tool that allows you to move objects to other domains in a forest. By using this tool,
you have the freedom to move a user account, computer account, group, or OU to any location
within the directory, regardless of the domain.
When an object is moved using this tool, it is first copied to the Lost and Found container
before being moved to the destination domain. Objects that can’t be moved remain in this con-
tainer, so you can manage them as needed. Because orphaned data might reside in this domain after
using MOVETREE, you should check this container after performing a move.
A variety of information isn’t moved with this tool.This includes data such as profiles, logon
scripts, and personal information when moving user accounts. Local groups and global groups also
aren’t moved, but membership in these groups remains unaffected so that security involving the
moved objects remains the same.
In addition to the limitations on data associated with accounts, there are also limitations when
MOVETREE is used to move OUs between domains. When an OU is moved, group policies
aren’t affected, as clients will continue to receive these settings from a link to the policy in the orig-
inal domain. In other words, although the OU is now in another domain, clients will connect to the
Group Policy Object (GPO) that is located in the original domain. Because this can cause perfor-
mance issues, it is wise to recreate these policies in the domain where the OU has been moved, and
then delete the GPO in the original domain (which is no longer needed).
As a command-line tool, MOVETREE requires that certain parameters be used to effectively
complete operations.The syntax for MOVETREE is as follows, and the parameters are explained in
Table 10.6.
MoveTree [/start | /continue | /check] [/s SrcDSA] [/d DstDSA]
[/sdn SrcDN] [/ddn DstDN] [/u Domain\Username] [/p Password]
[/quiet]
Table 10.6 Parameters for MOVETREE
Parameter Description
/start Specifies whether to start a move with a /check option, or
with the /startnocheck option, which starts the operation
without a check.
/continue Specifies to continue the move after a failure.

/check Specifies to check the entire tree before moving an object.
/s SrcDSA The SrcDSA variable is used to specify the FQDN of the source
server.
Working with User, Group, and Computer Accounts • Chapter 10 427
Continued
301_BD_W2k3_10.qxd 5/12/04 12:28 PM Page 427
Table 10.6 Parameters for MOVETREE
Parameter Description
/d DstDSA The DstDSA variable is used to specify the FQDN of the desti-
nation server.
/sdn SrcDN The SrcDN variable is used to specify the source subtree’s root
DN.
/ddn DstDN The DstDN variable is used to specify the destination subtree’s
root DN.
/u Domain\Username Specifies the domain and user account to use for the opera-
tion.
/p Password Specifies the password of the account to use for the operation.
/quiet Specifies that quiet mode should be used, suppressing
output.
The Active Directory Object Manager tool isn’t installed with Active Directory, and thereby
isn’t initially available for use. MOVETREE is available as part of the Active Directory Support
Tools on the installation CD, and can be installed through Windows Explorer. By accessing the
Support\Tools folder on the installation CD, right-clicking on SUPTOOLS.MSI, and then
choosing Install from the menu that appears, the Windows Support Tools Setup Wizard will
start. By following the instructions in this wizard, MOVETREE and the other support tools will be
installed.
You can use the following steps to install MOVETREE with AD support tools.
Install MOVETREE with AD Support Tools
1. Insert the Windows Server 2003 Server installation CD into your CD-ROM drive.
2. From the Windows Start menu, select Windows Explorer.

3. When Windows Explorer opens, expand the node representing your CD-ROM drive, and
then expand the Support | Tools folder.
4. When the contents of the Tools folder is displayed in the right pane, right-click on the
SUPTOOLS.MSI file and click Install in the context menu.
5. When the Windows Support Tools Setup Wizard appears, click Next to continue.
6. On the End User License Agreement screen, click I Agree to install these tools, and
then click Next to continue.
7. On the User Information screen, enter your name in the Name field, and the company
you work for in the Organization field. By default, these fields will already be completed
from information acquired from Windows Server 2003 Server. Click Next to continue.
8. On the Destination Directory screen, accept the default settings, and click Install Now
to install the tools.
428 Chapter 10 • Working with User, Group, and Computer Accounts
301_BD_W2k3_10.qxd 5/12/04 12:28 PM Page 428
9. A dialog box will appear showing that files are being copied to the folder specified in the
Destination Directory screen, and being installed on Windows Server 2003. Once com-
pleted, the final screen of the wizard will appear, informing you that the tools were suc-
cessfully installed. Click Finish to exit the wizard and complete the installation process.
Troubleshooting Problems with Accounts
Troubleshooting problems with accounts relies on the same methodologies and practices involved in
troubleshooting other problems in Windows Server 2003. It requires an understanding of functions,
configurations, and limitations. It also requires starting at the simplest possible solution for a problem
and working up to the most complex. For example, if a user’s account wasn’t working, you wouldn’t
start by restoring Active Directory from a previous backup from when the user was able to log on.
You might, however, check to see if the account was disabled or locked out.
It is important that you determine whether the problem exists with the user who’s logging on
from a computer, or with the machine itself.You’ll remember that Active Directory uses both com-
puter and user accounts. If a problem is resulting from the computer account, no user will be able to
perform a certain action from the machine, regardless of what user account is used.
At times, the problems that exist in a computer account might require resetting it. If you want

to reset a computer account, in Active Directory Users and Computers, you can right-click on
the account you want to reset, and then click Reset from the menu that appears. After a moment, a
message box will appear stating that the account was reset.
Another important part of troubleshooting is determining the scope of a problem. Is only one
person experiencing a problem, or are a number of people experiencing the same difficulties? In
doing so, you can determine whether the problem is with a user or computer account, or with a
group of which these members are a part.
The problem might not exist in the user’s account settings, but with DCs in the domain. For
example, if you couldn’t create security principals in Active Directory, the problem could stem from
the fact that the RID Master is unavailable.The DC that has the RID operations master role allo-
cates RIDs used for SIDs. Because SIDs can’t be issued to new user accounts, computer accounts,
and groups, these security principals can’t be created.
You could use the command netdom query fsmo to identify which computers are holding single oper-
ation master roles. Once you’ve identified the DC serving in a particular master role, you could
either repair the machine, or assign the operations master role to another machine. Before going
through all this work, however, you should remember that the reason why others can’t perform such
actions might be because they don’t have the proper rights, privileges, or permissions. In all cases,
remember to start by looking at the simplest possible solution first.
Working with User, Group, and Computer Accounts • Chapter 10 429
301_BD_W2k3_10.qxd 5/12/04 12:28 PM Page 429
301_BD_W2k3_10.qxd 5/12/04 12:28 PM Page 430
Creating User
and Group Strategies
In this chapter:
 Create a password policy for domain users.
 Plan a security group strategy.
 Plan a user authentication strategy.
Introduction
Knowing how to create users and groups and the procedures for moving and managing
them is only half the battle when it comes to effectively using these security objects on

the network.The network administrator must also be able to develop strategies for
authenticating the identity of anyone who uses network resources, and plan how to use
groups most effectively to provide the security and access needed.
In today’s connected world, proof of your identity is often required to ensure that
someone else is not trying to use your identity. It used to be that a username and pass-
word were sufficient to authenticate someone to a network. However, password authen-
tication is only the first step in true authentication of a user’s identity in today’s
environment.You must have a well-defined password policy, which includes account
lockout, password rotation, and other options to ensure limited access to your network.
In this chapter, we develop a password policy for your Windows Server 2003 network.
However, sometimes passwords and password policies are not enough, and we have to
take authentication to the next plateau.
Tools such as biometric devices, token devices, voice identification, and smart cards
are becoming much more mainstream for user authentication as the price continues to
drop and acceptance continues to rise. Smart cards are discussed in a later chapter
“Planning, Implementing, Maintaining Public Key Infrastructure.”
An effective authentication strategy works hand in hand with a security group
strategy.A well-designed group strategy will ensure that users receive only the appropriate
Chapter 11
431
301_BD_W2k3_11.qxd 5/12/04 12:30 PM Page 431
level of access to resources on the network. It will also reduce the workload of the administrator and
make it easier to manage large numbers of users.
Creating a Password Policy for Domain Users
Since they are largely created and managed by end users, passwords have the potential to be the
weakest link in any network security implementation. Since passwords are the “keys to the
kingdom” of any computer system, the database that Windows Server 2003 uses to store password
information will be a common attack vector for anyone attempting to hack your network. Windows
Server 2003 offers several means to secure passwords on your network.A combination of technical
measures, along with a healthy dose of user training and awareness, will go a long way toward pro-

tecting the security of your network systems.
Creating an Extensive Defense Model
In modern computer security, a system administrator needs to create a security plan that uses many
different mechanisms to protect a network from unauthorized access. Rather than relying solely on
a hardware firewall and nothing else, defense in depth would also use strong passwords as well as other
mechanisms on local client PCs, in the event that the firewall is compromised.The idea is to create a
series of security mechanisms so that if one is circumvented, other systems and procedures are in
place to help impede an attacker. Microsoft refers to this practice as an extensive defense model.The
key points of this model are the following:
■
A viable security plan needs to begin and end with user awareness, since a technical mech-
anism is only as effective as the extent to which the users on your network adhere to it.As
an administrator, you need to educate your users about how to best protect their accounts
from unauthorized attacks.
■
Use the system key utility (syskey) on all critical machines on your network.This utility,
discussed later in this chapter, provides additional encryption for password information that
is stored in the Security Accounts Manager (SAM) and Active Directory databases.
■
Educate your users about the potential hazards of selecting the Save My Password feature or
any similar feature on mission-critical applications, such as remote access or VPN clients.
■
If you need to create one or more service accounts for applications to use, make sure that
these accounts have different passwords. Otherwise, compromise of one account might
leave multiple network applications open to attack.
■
If you suspect that a user account has been compromised, change the password immediately.
If possible, consider renaming the account entirely, since it is now a known attack vector.
■
Create a password policy and/or account lockout policy that is appropriate to your organi-

zation’s needs. It’s important to strike a balance between security and usability in designing
these types of account policies.
432 Chapter 11 • Creating User and Group Strategies
301_BD_W2k3_11.qxd 5/12/04 12:30 PM Page 432
Strong Passwords
In discussing security awareness with your user community, one of the most critical issues to con-
sider is that of password strength.A weak password will provide potential attackers with easy access
to your users’ computers, and consequently the rest of your company’s network. Well-formed pass-
words will be significantly more difficult to decipher. Even though password-cracking utilities con-
tinue to evolve and improve, educating your users regarding the importance of strong passwords will
provide additional security for your network’s computing resources.
According to Microsoft, a weak password is one that contains any portion of your name, your
company’s name, or your network logon ID. For example, if a username was assigned as JSmith, and
the user’s password was Smith12!@!, that would be considered a weak password.A password that
contains any complete dictionary word—password, thunder, protocol—is also considered weak. It
should be understood that blank passwords are weak as well.
By comparison, a strong password will not contain any reference to your username, personal
information, company name, or any word found in the dictionary. Strong passwords should also be
at least seven characters long and contain characters from each of the following groups:
■
Uppercase letters A, B, C …
■
Lowercase letters z, y, x …
■
Numeric digits 0, 1, 2, 3, 4, 5, 6, 7, 8, or 9
■
Non-alphanumeric characters !, *, $, }, etc.
Each strong password should be appreciably different from any previous passwords that the user
has created. P!234abc, Q!234abc, and R!234abc, although each meeting the described password cri-
teria, would not be considered strong passwords when viewed as a whole.

System Key Utility
Most password-cracking software used in attacking computer networks attempts to target the SAM
database or the Active Directory database in order to access passwords for user accounts.To secure your
password information, you should use the system key utility (the syskey.exe file itself is located in the
%systemroot%\System32 directory by default) on every critical machine that you administer.This
utility provides additional encryption for password information, which provides an extra line of defense
against would-be attackers.To run the utility, click Start | Run then type syskey and click OK.
Defining a Password Policy
Using Active Directory, you can create a policy to enforce consistent password standards across your
entire organization.The options you can specify include: how often passwords must be changed, the
number of unique passwords a user must use before being able to reuse one, and the complexity
level of passwords that are acceptable on your network. Additionally, you can specify an account
lockout policy that will prevent users from logging on after a specified number of incorrect logon
attempts. In this section, we discuss the steps necessary to enforce password and account lockout
policies on a Windows Server 2003 network.You can use the following steps to create a domain
password policy.
Creating User and Group Strategies • Chapter 11 433
301_BD_W2k3_11.qxd 5/12/04 12:30 PM Page 433
Create a domain password policy
1. From the Windows Server 2003 desktop, open Start | Administrative Tools | Active
Directory Users and Computers. Right-click the domain that you want to set a pass-
word policy for, and select Properties.
2. Select the Group Policy tab, followed by the Default Domain Policy, as shown in
Figure 11.1. Click the Edit button.
3. Navigate to Computer Configuration | Windows Settings | Security Settings |
Account Policies | Password Policy. You’ll see the screen shown in Figure 11.2.
Using password policies, you can configure the following settings:
■
Enforce password history This option allows you to define the number of
unique passwords that Windows will retain.

434 Chapter 11 • Creating User and Group Strategies
Figure 11.1 The Group Policy Tab
Figure 11.2 Configuring Password Policy Settings
301_BD_W2k3_11.qxd 5/12/04 12:30 PM Page 434
■
Maximum password age This setting defines how frequently Windows will
prompt your users to change their passwords.
■
Minimum password age This setting ensures that passwords cannot be changed
until they are more than a certain number of days old.
■
Minimum password length This option dictates the shortest allowable length
that a user’s password can be. Enabling this setting also prevents users from setting a
blank password.
■
Password must meet complexity requirements This policy setting, when
activated, forces any new passwords created on your network to meet the com-
plexity requirements.
■
Store passwords using reversible encryption This option stores a copy of the
user’s password within the Active Directory database using reversible (cleartext)
encryption.This is required for certain message digest functions and authentication
protocols to work properly.This policy is disabled by default and should be
enabled only if you are certain that your environment requires it.
4. For each item that you want to configure, right-click the item and select Properties.In
this case, we’re enforcing a password history of three passwords. In the screen shown in
Figure 11.3, place a check mark next to Define this policy setting, and then enter the
appropriate value.
Modifying a Password Policy
You can modify an existing Windows Server 2003 password policy by navigating to the policy sec-

tion of the appropriate computer or domain and make the changes. New and modified password
policies are only enforced when passwords are changed.Therefore, altering password policy does not
place an immediate burden on users.Typically, users won’t notice the policy change until their pass-
words expire and they are forced to set new ones. If you need to ensure that all passwords are forced
Creating User and Group Strategies • Chapter 11 435
Figure 11.3 Defining the Password History Policy
301_BD_W2k3_11.qxd 5/12/04 12:30 PM Page 435