Module 7: Advanced Administration of User Accounts and Groups

Contents
Overview 1
Introduction to Administering User Accounts and Groups 2
Windows 2000 Logon Names 3
Using Group Policy to Configure Account Policies 5
Creating Multiple User Accounts 10
Using Group Policy to Redirect User Data to a Network Server 15
Lab A: Advanced Administration of User Accounts 19
Using Universal Groups 30
Setting Up Computers for Mobile Users 34
Lab B: Setting Up Windows 2000 for Mobile Users 38
Best Practices 42
Review 43

Module 7: Advanced Administration of User Accounts and Groups
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 1999 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, PowerPoint, and Windows are either registered trademarks or
trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Project Lead and Instructional Designer: Mark Johnson
Instructional Designers: Aneetinder Chowdhry (NIIT Inc.), Kathryn Yusi (Independent Contractor)
Lead Program Manager: Ryan Calafato
Program Manager: Joern Wettern (Wettern Network Solutions)
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Substantive Editor: Kelly Baker (Write Stuff)
Copy Editor: Wendy Cleary (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Arlo Emerson (MacTemps)

Compact Disc Testing: Data Dimensions, Inc.
Production Support: Arlene Rubin (S&T OnSite)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Product Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart


Module 7: Advanced Administration of User Accounts and Groups iii

Introduction
This module provides students with the knowledge and skills that they need to
administer user accounts and groups efficiently. Students will learn how to
perform a variety of administrative tasks, including configuring account
policies, creating multiple user accounts, redirecting folders, and setting up
offline folders for mobile users. In addition, students will learn about using
universal groups in a multiple-domain network.
In the two hands-on labs in this module, students will have a chance to
administer user accounts. In the first lab, users will set up account policies and
redirect folders to a network server. In the second lab, students will configure
offline files by using Group Policy.
Materials and Preparation
This section provides you with the materials and preparation needed to teach
this module.
Materials
To teach this module, you need the following materials:
• Microsoft® PowerPoint® file 1558A_07.ppt.

Preparation

To prepare for this module, you should:
• Read all the materials for this module.
• Complete the labs.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and
provide the answers.

Presentation:
75 Minutes

Labs:
60 Minutes

Module Strategy
Use the following strategy to present this module:
• Introduction to Administering User Accounts and Groups
In this topic, you will introduce the administrative tasks that are continually
performed when administering a multiple-domain network. Mention the
different tasks, but do not go into detail, because they are covered in more
detail in the module topics.
• Windows 2000 Logon Names
In this topic, you will describe the different types of logon names
(downlevel logon name and user logon name) in a Microsoft Windows®
2000 network. Emphasize that the user logon name is also known as the
user principal name and is the preferred logon name for a Windows 2000
network. Describe the user principal name prefix and suffix and how an
administrator can change the suffix so that the user logon name matches the
user’s e-mail address. Have students log on with their user logon names.
Demonstrate adding a new suffix to Active Directory directory service.
• Using Group Policy to Configure Account Policies
In this topic, you will explain how to configure account policies by using
Group Policy. First, explain to students that the different types of account
policies to configure are password and account lockout policies. Emphasize
that an administrator can set these account policies only at the domain level.
Then, explain to students how to set password policies and provide the
critical Group Policy password settings to configure. Demonstrate
configuring the settings. Finally, explain to students how to set account
lockout policies. Mention that students must configure all three settings.
Demonstrate configuring the settings.
• Creating Multiple User Accounts
In this topic, you will explain how to create multiple user accounts in Active
Directory by using bulk import to import data from a file into Active
Directory. Define bulk import if necessary. First, explain to students about
the import process. Emphasize the information that must be included and
the information that should be included. Next, explain how to format a file
so that it can be imported. Use the slide to map the different parts of the
formatted file. Also, map the file to the information in the Create New User
dialog box. Finally, explain how to import the file by using the csvde
command.
• Using Group Policy to Redirect User Data to a Network Server
In this topic, explain how to redirect four default user folders to a network
server by using Group Policy. First, explain what folder redirection is.
Emphasize that although the folder appears to be stored locally, it is actually
stored on a server. Mention that the information in a redirected folder is
always present for the user, regardless of the computer to which the user
logs on. Then, present information on the four types of folders that an
administrator can redirect and why an administrator would choose to
redirect these folders. Emphasize that an administrator should always
redirect users’ My Documents folders. Finally, explain how to redirect
folders by using Group Policy. Demonstrate the process.

• Lab A: Advanced Administration of User Accounts
Prepare students for the lab in which they will set up account policies, use
bulk import to create multiple user accounts in Active Directory, and
redirect folders. Make sure that students run the command file for the lab,
and tell them they will work with their partners’ computers. After students
have completed the lab, ask them whether they have any questions.
• Using Universal Groups
In this topic, you will describe universal security groups and how they are
used to control access to resources in a multiple-domain network. First,
explain how universal groups work. Emphasize that they have open
membership and can be nested in all three security groups. Next, present
information on how universal groups affect replication between global
catalog servers. Emphasize that the membership attribute of universal
groups is in the global catalog and that if one member is added or removed,
the entire group membership is replicated. Finally, present guidelines for
using universal groups. Emphasize that membership should be kept static,
and to this end, that an administrator should use the universal group
strategy. Present the strategy.
• Setting Up Computers for Mobile Users
In this topic, you will explain how to set up offline files for mobile users.
First, explain how offline files work for mobile users. Emphasize that files
stored on a server are synchronized with files on the user’s hard disk when
the user logs on and logs off. Then, explain what happens when Group
Policy enables computers for offline files. Mention what must be configured
at the shared folder containing the offline files and on the portable
computer. Finally, explain the Group Policy settings to configure for offline
files. Mention that it is better to configure computer settings than user
settings for offline files, because the setting to enable offline files is a
computer setting. Demonstrate the process in Group Policy.
• Lab B: Setting Up Windows 2000 for Mobile Users
Prepare students for the lab in which they will set up offline files. Make sure
that students run the command file for the lab, and tell them they will work
with their partners’ computers. After students have completed the lab, ask
them whether they have any questions.
• Best Practices
Present best practices for administering user accounts and groups.


Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.

Important: The labs in this module are also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for course 1558A, Advanced Administration
for Microsoft Windows 2000.

Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup Requirement 1
The labs in this module require the Log on locally right on domain controllers
to be assigned to the Everyone group. To prepare student computers to meet
this requirement, perform one of the following actions:
• Run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0701.cmd.
• Assign the right manually.

Setup Requirement 2
The labs in this module require a Package Handling 1 organizational unit (OU)
and a Package Handling 2 OU. To prepare student computers to meet this
requirement, perform one of the following actions:
• Run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0701.cmd.
• Create the OUs manually.

Setup Requirement 3
The labs in this module require a user account called Redirect1 in the
Information Services 1 OU and a user account called Redirect2 in the
Information Services 2 OU. To prepare student computers to meet this
requirement, perform one of the following actions:
• Run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0701.cmd.
• Create the user accounts manually.

Setup Requirement 4
The labs in this module require the C:\MOC\Win1558A\Labfiles\Lab07\Users
folder, shared as Users, to allow students to redirect user folders. To prepare
student computers to meet this requirement, perform one of the following
actions:
• Run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0701.cmd.
• Create the folder manually and share it.


Setup Requirement 5
The labs in this module require the C:\MOC\Win1558A\Labfiles\Lab07\Offline
folder, shared as Offline, to allow students to access offline files. To prepare
student computers to meet this requirement, perform one of the following
actions:
• Run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0702.cmd.
• Create the folder manually, and then share it.

Setup Requirement 6
The labs in this module require the West and East OUs in the Domain
Controllers OU to move domain controllers into separate OUs. To prepare
student computers to meet this requirement, perform one of the following
actions:
• Run C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab0702.cmd.
• Create the OUs manually.

Lab Results
Performing the labs in this module introduces the following configuration
change:
• Students create user accounts in the Package Handling OU.


Important: You can run
C:\MOC\Win1558A\Labfiles\Lab07\Setup\Lab07Rm.cmd to remove all
configuration changes introduced during the labs in the module. Make sure that
students complete both labs to configure account policies back to their defaults.
Use Active Directory Users and Computers to move the domain controllers
back into the Domain Controllers OU.





Overview
[Slide: module topics]
• Introduction to Administering User Accounts and Groups
• Windows 2000 Logon Names
• Using Group Policy to Configure Account Policies
• Creating Multiple User Accounts
• Using Group Policy to Redirect User Data to a Network Server
• Using Universal Groups
• Setting Up Computers for Mobile Users
• Best Practices


After you have set up a Microsoft® Windows® 2000 network, you must perform
ongoing administrative tasks to ensure that all users have the resources that they
need, that changing corporate-wide requirements are met, and that network
security remains intact. You can use Group Policy to perform some of these
administrative tasks centrally. In this way, you can perform the tasks on
multiple computers without having to administer user accounts and
groups individually.
At the end of this module, you will be able to:
• Identify the administrative tasks used to administer user accounts
and groups.
• Identify the different types of user logon names.
• Use Group Policy to configure password restrictions and account
lockout policy.
• Create multiple user accounts by importing user information from another
database into Active Directory directory service.
• Use Group Policy to redirect folders from the local hard disks to a
network server.
• Set up computers for mobile users by configuring offline files.
• Identify when and how to use universal groups.
• Apply best practices for performing administrative tasks for user accounts
and groups.

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about administrative tasks that you can
perform for user accounts and groups.
Do not go into detail on this topic, because the content will be covered in
following topics.

Introduction to Administering User Accounts and Groups
[Slide: Administrative Tasks]
• Strengthen Network Security by Preventing Unauthorized Persons from
Gaining Access to the Network
• Create Multiple User Accounts in Active Directory
• Control Where Users’ Personal Data Is Stored
• Ensure That Mobile Users Have the Files and Folders That They Need
• Ensure That Users in a Multiple-Domain Network Can Gain Access to the
Resources


Networks are not static. They change in response to the evolving needs of the
organizations that they support. You need to ensure that your network
continually reflects current corporate policy and corporate needs. To
accomplish this, you have to perform a multitude of ongoing administrative
tasks. The administrative tasks that you need to perform include:
• Strengthening network security by using Group Policy to set account
policies that prevent unauthorized persons from gaining access to
your network.
• Creating multiple user accounts in Active Directory for new users. You can
create user accounts by using bulk import to import data into Active
Directory from a file containing user data.
• Controlling where users’ personal data is stored. You can ensure that it is
centrally stored on a network server so that users can always gain access to
their data no matter where they log on and so that you can easily back up
the data.
• Ensuring that mobile users can gain access to the files and folders that they
need when they are working offline, and that the files that they change when
working offline are copied back to network servers.
• Ensuring that users in a multiple-domain network can efficiently gain access
to resources without increasing network replication traffic.

Slide Objective: To introduce the more complex administrative tasks that an
administrator can perform for user accounts and groups.
Lead-in: The types of administrative tasks that you perform depend on the
needs of your network.
Use this topic as an overview of the type of administrative tasks that an
administrator may need to perform.

Windows 2000 Logon Names
[Slide: Downlevel Logon Name]
• The Name Must Be Unique in the Domain
• A User Must Provide the Domain When Logging On
[Slide: User Logon Name (User Principal Name)]
• The Name Must Be Unique in the Entire Active Directory
• A Domain Controller Finds User Account Information in Global Catalog
• The Suffix Default Is the Root Domain, But It Can Be Changed
[Slide diagram: a user logon name consists of a prefix (jasmith), an @ sign,
and a suffix (nwtraders); for a downlevel logon, the user name and the domain
are supplied together to the domain controller.]

In a Windows 2000 network, a user can log on with either a downlevel logon
name or a user logon name. Domain controllers can use either of these logon
names to authenticate the logon request.
Downlevel Logon Name
A downlevel logon name is a user account name, such as jasmith. When a user
logs on by using a downlevel logon name, the user must also provide the
domain in which the user account exists, so that the authenticating domain
controller can locate the user account. The user’s downlevel logon name must
be unique within the domain.
If a user connects to a network resource with a different user account than the
one with which he or she logged on, then the user must provide the domain and
downlevel logon name for authentication (for example, nwtraders\jasmith).
If a user logs on to the network from a client computer running a version of
Windows earlier than Windows 2000, then the user must use the downlevel
logon name.
User Logon Name
The user logon name is the preferred logon name for a Windows 2000 network.
This name is also known as a user principal name. A user logon name must be
unique within the domain, the domain tree, and the forest (the entire Active
Directory). When logging on from a computer running Windows 2000, users
should employ their user logon names so that they do not also have to provide
their domains. The authenticating domain controller can find the user’s domain
by searching the global catalog.
Slide Objective: To describe the different logon names that a user can use to
log on to a Windows 2000 domain.
Lead-in: In a Windows 2000 network, there are two different types of logon
names that users can use.
Delivery Tip: Have students log off by pressing CTRL+ALT+DEL to display
the Log On to Windows dialog box. Make sure that the Log on to box is
displayed, and then have students type a user logon name in the User name box
so that they can see what occurs.
Open Active Directory Domains and Trusts, and demonstrate adding a new
user principal name suffix in the Properties dialog box.
Key Points: There are two parts to a user logon name, the user principal name
prefix and the suffix.
You can select a user principal name suffix in Active Directory Users and
Computers only if it exists in Active Directory.
To add a new suffix in Active Directory Domains and Trusts, an administrator
must be a member of the Enterprise Admins built-in group.

There are two parts to a user logon name, and they are separated by an @ sign
(for example, the prefix jasmith and the suffix nwtraders.com):
• The user principal name prefix (jasmith).
• The user principal name suffix (nwtraders.com). By default, the suffix is the
name of the root domain in the network. You can configure additional user
principal name suffixes for users, for example, if you want to create user
logon names that match users’ e-mail addresses.

Additional advantages to user logon names are that:
• The user logon name does not change when you move a user account to a
different domain, because it is unique within the entire Active Directory.
• A user logon name can be the same as a user’s e-mail address name,
because it has the same format as a standard e-mail address. You select a
user principal name suffix when creating a user account in Active Directory
Users and Computers. If the suffix that you need does not exist in Active
Directory Users and Computers, you can add it.
You add a new suffix in Active Directory Domains and Trusts. You add the
suffix in the Properties dialog box for Active Directory Domains and
Trusts. You must be a member of the Enterprise Admins built-in group to
add suffixes in Active Directory Domains and Trusts.


Note: If you create a user account through a means other than by using Active
Directory Users and Computers, you are not limited by the user principal name
suffixes stored in Active Directory. You can define a suffix when you create
the account.


Using Group Policy to Configure Account Policies
[Slide: section topics]
• What Are Account Policies?
• Configuring Password Policy Settings
• Configuring Account Lockout Policy Settings


In Windows 2000, you can configure account policies that help to prevent
unauthorized persons from logging on to the network and gaining access to
network resources. These enhanced network security measures include setting a
password policy and a user account lockout policy to make it more difficult to
guess a password and then to limit the number of attempts that someone can
make to determine a password. Together these help prevent unauthorized
persons from gaining access to your network.
Slide Objective: To introduce using Group Policy to configure account
policies.
Lead-in: You configure account policies to prevent unauthorized persons from
logging on to the network.

What Are Account Policies?
[Slide: Use Account Policies to Prevent Unauthorized Persons From Gaining
Access to the Network]
• Must set Group Policy at domain level
• Set password requirements to stop brute force hacking programs (the
domain controller does not authenticate)
• Set failed logon attempts limit to stop unlimited logon attempts (the
domain controller locks out the user account)


You can configure account policies for user accounts to reduce the possibility
of unauthorized persons gaining access to the network. You use Group Policy
to set these account policies at the domain level, because account policies apply
to all users. If you set these policies for a site or an organizational unit (OU),
Windows 2000 ignores the settings. The settings that you configure for the
domain apply to the entire domain, and you cannot block them (stop them) from
applying to an OU in the domain.
The account policy settings that you can configure with Group Policy are:
• Password settings. Password settings establish restrictions that require users
to periodically change passwords and to use complex passwords. Password
complexity includes the minimum length and the characters to use,
including alphanumeric, symbols, and upper and lower case letters. By
forcing users to use complex passwords, it is more difficult for unauthorized
persons to gain access to your network by using brute force hacking
programs. These programs try to log on repeatedly by providing different
passwords (for example, by attempting to use each word in a dictionary as
the password).
• Account lockout settings. Account lockout settings lock a user account after
a predetermined number of failed logon attempts. Setting a limit for failed
logon attempts makes it difficult for unauthorized persons to log on by using
applications to determine a password. After a domain controller locks out a
user account, no one can log on with it until the account is unlocked. You can
determine how long the lockout will last.

Slide Objective: To describe which account policies to configure.
Lead-in: You can use account policies to prevent unauthorized users from
gaining access to your network.
If students do not know what a brute force hacking program is, define it.
Mention to students that the most common password used is password. This is
why it is important to implement a password account policy so that users have
complex passwords.
Key Points: Administrators must set Group Policy for account policies at the
domain level.
If an administrator sets them at any other level, Windows 2000 ignores the
settings.
Setting up password restrictions and a limit of failed logon attempts makes it
almost impossible for an unauthorized person to gain access to the network.

Configuring Password Policy Settings
• Password Settings Apply to the Domain
• The Settings to Configure Are:
[Slide screenshot: Group Policy console for the Passwords GPO on
LONDON.NWTraders.msft, at Computer Configuration > Windows Settings >
Security Settings > Account Policies > Password Policy, showing these stored
template settings]
  Allow storage of passwords under reversibl…: Not Configured
  Enforce password uniqueness by remembering: 24 Passwords
  Maximum Password Age: 30 Days
  Minimum Password Age: 30 Days
  Minimum Password Length: 8 Characters
  Passwords must meet complexity requirement: Enabled
  User must logon to change password: Enabled
[Callout on the uniqueness setting: the number of previous passwords
Windows 2000 records]


To implement password restrictions in a domain, link the Group Policy object
(GPO) that contains these password settings to the domain. In a multiple-
domain network, you can link the same GPO to each domain container, or you
can use different settings in each domain.
These password settings apply to all user accounts in a domain. Domain
controllers start enforcing the requirements during user authentication after the
GPO is applied to the domain controllers. Note that when you configure
password settings, they do not apply to existing passwords. They apply the next
time that a user changes his or her password, or when you create or reset a user
account. You configure the settings in Group Policy under Password Policy.
The following list describes the password settings to configure:
• Enforce password uniqueness by remembering. This setting determines the
number of previous passwords for a user account on which Windows 2000
keeps a record. As long as there is a record of a password, a user cannot
reuse it. In a high-security network, set this value to 24. In a medium-
security network, set this value to 6.
• Maximum Password Age. This setting forces users to change their
passwords after a specified period of time so that they do not continually use
the same passwords. In a high-security network, set this value to 30 days. In
a medium-security network, set the value to 42 days.
• Minimum Password Length. This setting determines the allowable minimum
length of users’ passwords. In a high-security domain, set this to at least
eight characters.
Slide Objective: To explain where to configure password settings in Group
Policy.
Lead-in: There are several critical Group Policy password settings that you
should configure.
Delivery Tip: Demonstrate configuring the password settings in Group Policy.
Key Points: Group Policy password settings apply to all user accounts in the
domain.
When you configure password settings, they do not apply to existing
passwords. Domain controllers enforce the password requirements when an
administrator creates a user account or resets a password, or when a user
changes a password.
If there is a conflict between the minimum length of a password setting and the
length determined by the complex passwords setting, the most restrictive
setting prevails.

• Passwords must meet complexity requirement. This setting invokes a
Windows 2000 built-in password filter. This filter requires passwords to
comply with complexity rules. These rules include the following:
  • The minimum password length must be six characters. If there are
  conflicts between these settings and the password length setting, the
  more restrictive setting prevails.
  • The password cannot contain any part of the user’s full name.
  • The password must contain characters from at least three of the
  following four categories.

  Description                    Example
  English uppercase letters      A, B, C, D, … Y, Z
  English lowercase letters      a, b, c, d, … y, z
  Westernized Arabic numerals    0, 1, 2, … 9
  Non-alphanumeric characters    !, ?, (, …

• User must logon to change password. This setting forces users to log on to
their accounts before they can change their passwords. This setting also
disables user accounts that have exceeded the maximum password age. Only
an administrator can enable the user account again. This prevents
unauthorized persons from attempting to log on by using unauthorized
user accounts.

To gain access to Password Policy settings, perform the following steps:
1. Open Active Directory Users and Computers, create a GPO at the domain
level or select an existing GPO linked to the domain, and then click Edit.
2. In Group Policy, expand Computer Configuration, expand Windows
Settings, expand Security Settings, expand Account Policies, and then
expand Password Policy.
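The complexity rules, the "more restrictive length prevails" rule and the password history described above, modelled in Python as an added example (this is not Microsoft's password filter). The model assumes that a "part" of the full name is any whitespace-separated word of it, and that the history list is ordered oldest first.

```python
"""Model of the Windows 2000 password policy checks described above.

Added example, not Microsoft's password filter: it applies the complexity
rules (six-character floor, no part of the user's full name, three of four
character categories), lets the more restrictive of the two length settings
prevail, and refuses passwords that are still in the remembered history.
"""
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """The Password Policy settings discussed above; defaults are the high-security values."""
    min_length: int = 8        # Minimum Password Length
    complexity: bool = True    # Passwords must meet complexity requirement
    history_size: int = 24     # Enforce password uniqueness by remembering


def effective_min_length(policy):
    """The complexity filter requires six characters; the more restrictive setting prevails."""
    if policy.complexity:
        return max(policy.min_length, 6)
    return policy.min_length


def name_parts(full_name):
    """Parts of the user's full name, lower-cased for a case-insensitive comparison.

    Assumption of this model: a part is a whitespace-separated word of the full
    name; the page does not describe the filter's exact tokenisation.
    """
    return [part.lower() for part in full_name.split()]


def category_count(password):
    """Number of the four character categories (see the table above) the password uses."""
    categories = [
        string.ascii_uppercase,   # English uppercase letters
        string.ascii_lowercase,   # English lowercase letters
        string.digits,            # Westernized Arabic numerals
    ]
    count = sum(1 for cat in categories if any(ch in cat for ch in password))
    # Non-alphanumeric characters: anything outside the three categories above.
    if any(ch not in string.ascii_letters + string.digits for ch in password):
        count += 1
    return count


def check_password(password, full_name, policy, history=()):
    """Return the rules the candidate password breaks; an empty list means it is accepted.

    `history` lists the user's previous passwords, oldest first (assumption); only the
    most recent `policy.history_size` of them are remembered.
    """
    violations = []
    if len(password) < effective_min_length(policy):
        violations.append("shorter than the effective minimum length")
    if policy.complexity:
        lowered = password.lower()
        if any(part in lowered for part in name_parts(full_name)):
            violations.append("contains part of the user's full name")
        if category_count(password) < 3:
            violations.append("uses fewer than three character categories")
    remembered = list(history)[-policy.history_size:] if policy.history_size > 0 else []
    if password in remembered:
        violations.append("reuses a remembered password")
    return violations


if __name__ == "__main__":
    # Constructed sample: user Jim Smith under the high-security settings.
    policy = PasswordPolicy()
    for candidate in ("password", "Jasmith1!", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {check_password(candidate, 'Jim Smith', policy) or 'accepted'}")
```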


Configuring Account Lockout Policy Settings
• Account Lockout Policy Settings Apply to Domains
• You Must Configure All Account Lockout Policy Settings or None
[Slide screenshot: Group Policy console for the Account Lockout GPO on
LONDON.NWTraders.msft, at Computer Configuration > Windows Settings >
Security Settings > Account Policies > Account Lockout Policy, showing these
stored template settings]
  Account lockout control: 5 Invalid logon attempts (the failed logon
  attempts limit)
  Lockout account for: Forever (the amount of time the lockout is in effect)
  Reset account lockout count after: 1440 Minutes (the amount of time before
  the lockout counter returns to zero)


As with password settings, link the GPO for account lockout policy settings
to the domain or domains in the network. These policies apply to all user
accounts in a domain. Domain controllers start enforcing the requirements
during user authentication after the GPO is applied to the domain controllers.
You must configure all three settings to set up an account lockout policy.
The following list describes the account lockout settings to configure:
• Account lockout count. This setting determines the allowed number of failed
logon attempts before Windows 2000 locks the account. The number of
failed logon attempts should match the security level that your network
requires. In a high-security network, set this value to five logon attempts.
• Lockout account for. This setting determines the amount of time that the
lockout is effective. In a high-security network, select Forever. This means
that an administrator must manually unlock the user account. In a medium-
security network, set this value to 30 minutes to prevent the effective use of
automated methods to guess a password.
• Reset account lockout count after. This setting determines the amount of
time after which the counter for failed attempts returns to zero. In a high-
security network, set this value to one day (1440 minutes). In a medium-
security network, set this value to 30 minutes.

To gain access to Account Lockout Policy settings, perform the following steps:
1. Open Active Directory Users and Computers, create a GPO at the domain level or select an existing GPO linked to the domain, and then click Edit.
2. In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Account Policies, and then expand Account Lockout Policy.
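The interaction of the three settings is easiest to see by replaying a sequence of failed logons against them. The following Python model is an added example written for this module, not Microsoft code and not how a domain controller is implemented; it assumes the simplification that the failure counter is cleared whenever the account unlocks, and the two policies it defines (HIGH_SECURITY, MEDIUM_SECURITY) are constructed from the values recommended above, with None standing for "Forever".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """The three Account Lockout Policy settings, which are configured together."""
    lockout_count: int                     # "Account lockout count": failed attempts before lockout
    lockout_duration: Optional[timedelta]  # "Lockout account for"; None models "Forever"
    reset_after: timedelta                 # "Reset account lockout count after"


# Constructed policies matching the module's high- and medium-security recommendations.
HIGH_SECURITY = LockoutPolicy(5, None, timedelta(minutes=1440))
MEDIUM_SECURITY = LockoutPolicy(5, timedelta(minutes=30), timedelta(minutes=30))

START = datetime(2000, 1, 1, 9, 0, 0)  # constructed reference time for offset-based replays


@dataclass
class AccountState:
    """Per-account lockout bookkeeping (a simplified model, not the domain controller's)."""
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked_at: Optional[datetime] = None

    def is_locked(self, policy: LockoutPolicy, now: datetime) -> bool:
        if self.locked_at is None:
            return False
        if policy.lockout_duration is None:      # Forever: only an administrator can unlock
            return True
        return now < self.locked_at + policy.lockout_duration


def admin_unlock(state: AccountState) -> None:
    """Model an administrator clearing the lockout in Active Directory Users and Computers."""
    state.locked_at = None
    state.failures = 0
    state.last_failure = None


def record_failed_logon(policy: LockoutPolicy, state: AccountState, when: datetime) -> str:
    """Apply one failed logon attempt to the account and return what happened."""
    if state.is_locked(policy, when):
        return "rejected: account locked"
    if state.locked_at is not None:
        # Lockout duration has expired: the account unlocks and counting starts over
        # (assumption of this model: the failure counter is cleared on automatic unlock).
        admin_unlock(state)
    if state.last_failure is not None and when - state.last_failure >= policy.reset_after:
        state.failures = 0                       # reset window elapsed since the last failure
    state.failures += 1
    state.last_failure = when
    if state.failures >= policy.lockout_count:
        state.locked_at = when
        return "locked out"
    return f"counted ({state.failures} of {policy.lockout_count})"


def replay(policy: LockoutPolicy, attempts: List[datetime]) -> List[str]:
    """Replay a sequence of failed-logon timestamps and return the outcome of each."""
    state = AccountState()
    return [record_failed_logon(policy, state, t) for t in sorted(attempts)]


def replay_offsets(policy: LockoutPolicy, offsets_seconds: List[int]) -> List[str]:
    """Same as replay(), with attempts given as seconds after START."""
    return replay(policy, [START + timedelta(seconds=s) for s in offsets_seconds])


if __name__ == "__main__":
    burst = [0, 10, 20, 30, 40, 50]              # constructed: six failures within a minute
    for label, policy in (("high", HIGH_SECURITY), ("medium", MEDIUM_SECURITY)):
        print(label, replay_offsets(policy, burst + [31 * 60]))
```

Under HIGH_SECURITY the fifth failure locks the account and every later attempt is rejected until an administrator unlocks it; under MEDIUM_SECURITY the same burst locks the account for 30 minutes, after which an attempt at minute 31 is simply counted as the first failure of a new window.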

Slide Objective: To describe how to configure account lockout settings.
Lead-in: Account lockout policy works well with password policy by limiting the number of times that a person can attempt to log on.
Delivery Tip: Demonstrate configuring the account lockout settings in Group Policy.
Key Points: An administrator can only set Group Policy account lockout settings at the domain level. An administrator must configure all three settings or none. The number of logon attempts allowed should match the security required in the network.

Creating Multiple User Accounts

Slide: Creating Multiple User Accounts
• The Importing Process
• Preparing a File for Importing
• Using the csvde Command to Import Data



Windows 2000 provides you with the ability to create multiple user accounts in
Active Directory by importing data from a file. This process is known as bulk
import. Bulk import is the importing of multiple database records into a
database. The advantages of bulk importing are that you do not have to create
multiple user accounts individually, and you do not have to create the file that
you import. You can use an existing file that contains the user information to
create these accounts.
Slide Objective: To introduce the task of creating multiple user accounts.
Lead-in: Windows 2000 provides you with the means to create multiple user accounts in Active Directory by importing data from a file.
Define bulk import if students do not know what it means.

The Importing Process

Slide: For each user object, the file must include the path to the user account's OU, object type, and downlevel logon name; should include the user logon name and whether the user account is enabled or disabled; can include personal user information; cannot include a password. (Figure: user information exported to a comma-delimited text file and imported into Active Directory as accounts such as jasmith and judyl.)


Using the csvde command to import user account data from a file allows you to create multiple user accounts in Active Directory at the same time.
Bulk import is designed to use an existing file. Typically, an import file comes from a database application that already contains information about your users, although it can come from other sources (such as Microsoft Excel or Microsoft Word). The file that you import must be a text file that uses a comma-delimited format, also known as a comma-separated value format. Most database applications can create export files in this format.
The information in the file:
• Must include the path to the user account in Active Directory, the object type (user account), and the downlevel logon name.
• Should include the user logon name (user principal name), because this is the logon name that Microsoft recommends when a user logs on from a computer running Windows 2000. You should also include whether the account is disabled or enabled.
• Can include personal information, for example, telephone numbers or home addresses. You can include information for most user account properties. Include as much of this information as possible to provide more items on which users can search when conducting Active Directory searches.
• Cannot include passwords. Bulk import leaves the password blank. However, by default, the first time that users log on, they must change their passwords. This is not a problem if users log on immediately, but it could be if users are not going to log on for some time. An unauthorized person needs to know only the user logon name to gain access to the network, because the password is blank. If this is the case, disable the user accounts until users start logging on.

Slide Objective: To describe the process and the type of data that should be imported into Active Directory when using the csvde command.
Lead-in: Although you can create a file for the bulk import, it is faster if you use an existing file. This file can come from a variety of sources.
Mention to students that if users are not going to use the accounts that they create immediately, students should disable them. This is because these user accounts have blank passwords.
Key Points: The file imported must include the path to the OU where the user account will reside, the type of object being imported, and the downlevel logon name. The file being imported should include the user logon name and whether the user accounts are enabled or disabled.

Preparing a File for Importing

Slide: The Create New Object (User) dialog box (Create in: nwtraders.msft/Users; First name: James; Last name: Smith; Name: James Smith; User logon name: jasmith @nwtraders.com; Downlevel logon name: NWTRADERS\jasmith) mapped to the import-file attributes DN, objectClass, samAccountName, userPrincipalName, and displayName.

Format example:
Attribute line containing the names of the attributes:
DN,objectClass,samAccountName,userPrincipalName,displayName,userAccountControl
User object line containing values for attributes:
"cn=James Smith,ou=Human Resources,dc=asia,dc=nwtraders,dc=com",user,jasmith,,James Smith,512


You must ensure that the file that you are importing is properly formatted in order for the import to be successful. The file needs to contain the information necessary to create attributes for the user account. Attributes (also referred to as properties) are categories of information for Active Directory objects. The values of these attributes define the characteristics of the object.
Typically, you need to format an export file from a database application. Use an application that has good editing capabilities, such as Excel or Word, to edit and format. Then, when you save the file, specify a comma-delimited text file.
Format the file so that it contains:
• The attribute line. This is the first line of the file. It specifies the name of each attribute that you want to define for the new user account. The Active Directory schema defines the attribute names. Note that you can put the attributes in any order, but you must separate the attributes with commas. The following is an example of the attribute line:
DN,objectClass,samAccountName,userPrincipalName,displayName,userAccountControl
• The user account line. For each user account that you create, the file contains a line that specifies the value for each attribute in the first (attribute) line. The following rules apply to the values in a user account line:
  • The attribute values must follow the sequence of the first line.
  • If a value is missing for an attribute, leave it blank, but include all commas.
  • If a value contains commas, include the value in quotation marks.
The following is an example of a user account line:
"cn=James Smith,ou=Human Resources,dc=asia,dc=nwtraders,dc=com",user,jasmith,,James Smith,512

Slide Objective: To describe how to edit and format a file, and to describe the relationship between the attributes provided in the file and the Create New Object (User) dialog box.
Lead-in: You need to make sure that the file you import is properly formatted; otherwise, you will not be successful in creating user accounts. Using the slide, map the attributes to the values.
Delivery Tip: Compare the attribute line with the boxes in the Create New Object (User) dialog box in Active Directory Users and Computers to show where information would be added if students were using the Create New Object (User) dialog box.
Key Points: Attributes are categories of information for Active Directory objects. The first line in the file is the attribute line and includes all attributes that an administrator wants to define for the user account. The remaining lines are the user account lines that provide the values for each attribute. Format the file in an application that has good editing capabilities, and then save the file as a comma-delimited text file.

The following table provides the attributes and values presented in the previous example.

Attribute: DN (distinguished name)
Value: cn=James Smith,ou=Human Resources,dc=asia,dc=nwtraders,dc=com (This specifies the path to the object's container.)

Attribute: objectClass
Value: user

Attribute: samAccountName
Value: jasmith

Attribute: userPrincipalName
Value: (left blank in the example)

Attribute: displayName
Value: James Smith

Attribute: userAccountControl
Value: 512 (The value 512 enables, and the value 514 disables, the user account.)

For more information about distinguished names, see appendix D, "LDAP Names," on the course 1558A, Advanced Administration for Microsoft Windows 2000, Student Materials compact disc.

Important: To get a list of common attributes and their display names, see appendix E, "Common User Account Attributes," on the course 1558A, Advanced Administration for Microsoft Windows 2000, Student Materials compact disc.

Using the csvde Command to Import Data

Slide: The csvde Command
• You type at the command prompt: csvde -i -f filename
• The csvde command provides status of the import
• You should check some of the user accounts to verify that they have the information that you want them to have


After the file is properly formatted, you can use the csvde command to import the file and to create multiple user accounts in Active Directory.
To import the file, at the command line type:
csvde -i -f filename
In the previous syntax, -i indicates that you are importing a file into Active Directory, and -f indicates that the next parameter is the name of the file that you are importing.
The csvde command provides status information on the success or failure of the process, and it also provides the name of the file to view for detailed error information. Even if the status information indicates that the process was successful, check some of the user accounts that you created to ensure that they have all of the information that you provided.
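The rules from the three preceding topics (required attributes, quoting of values that contain commas, no password column, and disabling accounts until their owners log on) can all be checked before you run csvde. The following Python script is an added example written for this module, not Microsoft code and not part of csvde; it builds an import file with the csv module and then validates it. The second user, Judy Lew, and the ou values for her are constructed, and the script assumes that names need no LDAP escaping (a cn containing characters such as a comma or a plus sign would need it and is not handled here).

```python
import csv
import io
from typing import Dict, List

# Attribute line in the order used by the module's example. csvde accepts any order,
# as long as every user line follows the sequence of the attribute line.
ATTRIBUTE_LINE = ["DN", "objectClass", "samAccountName", "userPrincipalName",
                  "displayName", "userAccountControl"]
REQUIRED = ("DN", "objectClass", "samAccountName")   # what every user object must have
ENABLED, DISABLED = 512, 514                           # userAccountControl values from the table

# Constructed records; the first mirrors the module's James Smith example.
SAMPLE_USERS = [
    {"first": "James", "last": "Smith", "sam": "jasmith",
     "ou": "ou=Human Resources,dc=asia,dc=nwtraders,dc=com"},
    {"first": "Judy", "last": "Lew", "sam": "judyl",          # constructed second user
     "ou": "ou=Human Resources,dc=asia,dc=nwtraders,dc=com"},
]


def build_import_file(users: List[Dict[str, str]], upn_suffix: str,
                      start_disabled: bool = True) -> str:
    """Turn HR-style records into csvde import text.

    DNs contain commas, so the csv module quotes them; other values pass through.
    Accounts are written disabled (514) by default because the import cannot set a
    password, and an enabled account would otherwise be usable with a blank one.
    (Assumption: cn values need no LDAP escaping; that is not handled here.)
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\r\n")
    writer.writerow(ATTRIBUTE_LINE)
    for u in users:
        display = f"{u['first']} {u['last']}"
        writer.writerow([
            f"cn={display},{u['ou']}",            # DN: object name plus its container path
            "user",                               # objectClass
            u["sam"],                             # downlevel (SAM) logon name
            f"{u['sam']}@{upn_suffix}",           # user principal name
            display,                              # displayName
            DISABLED if start_disabled else ENABLED,
        ])
    return out.getvalue()


def validate_import_file(text: str) -> List[str]:
    """Return problems a practitioner would want to catch before running csvde -i."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty"]
    header = rows[0]
    lowered = [h.strip().lower() for h in header]   # LDAP attribute names are case-insensitive
    problems = [f"missing required attribute {r}" for r in REQUIRED if r.lower() not in lowered]
    for h in lowered:
        if "password" in h or h == "unicodepwd":
            problems.append(f"attribute {h!r} present: csvde cannot import passwords")
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append(f"line {n}: {len(row)} values for {len(header)} attributes")
            continue
        record = dict(zip(lowered, row))
        if record.get("useraccountcontrol") == str(ENABLED):
            who = record.get("samaccountname", "?")
            problems.append(f"line {n}: {who} will be enabled with a blank password")
    return problems


if __name__ == "__main__":
    text = build_import_file(SAMPLE_USERS, "nwtraders.com")
    print(text, end="")
    print("problems:", validate_import_file(text))
```

Write the returned text to a file and pass that file name to csvde -i -f; once the owners are ready to log on, enable the accounts in Active Directory Users and Computers.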
Slide Objective: To describe how to use the csvde command to import data.
Lead-in: After you have correctly formatted the file, you can then import it by using the csvde command.
Mention to students that after they import the file, even if the status information reports success, they should do sample checks to make sure that the user accounts were created correctly.

Using Group Policy to Redirect User Data to a Network Server

Slide: Using Group Policy to Redirect User Data to a Network Server
• What Is Folder Redirection?
• User Folders to Redirect
• Using Group Policy to Redirect User Folders


Windows 2000 allows you to redirect user folders, which are part of the user
profile, from users’ local hard disks to a network server. By redirecting these
folders, you can ensure that users’ data is available to them regardless of the
computers to which they log on, and that users’ data is located at a central
location. It is easier to manage and back up centralized data. The folders that
you can redirect are My Documents, Application Data, Desktop, and Start
Menu. Windows 2000 automatically creates these folders and makes them part
of the user profile for each user account.
Slide Objective: To introduce the task of redirecting user data to a network server.
Lead-in: Windows 2000 allows you to use Group Policy to redirect folders that are part of each user profile.


What Is Folder Redirection?

Slide: Advantages of redirection: folders are always available to users regardless of the computer logged on to; data is centrally stored for ease of management and backup; network traffic is generated only when users gain access to files; files are not saved on the client computer. (Figure: redirected personal folders, where My Documents is stored on the server but appears to be stored locally.)



When you redirect folders, you change the storage location of folders from the local hard disk on the user's computer to a shared folder on a network file server. After you redirect a folder to a file server, it will still appear to the user as if it were stored on the local hard disk. You can redirect four folders that are part of the user profile: My Documents, Application Data, Desktop, and Start Menu.
The following list describes the advantages of redirecting folders:
• The data in the folders is available to the user regardless of the client computer to which the user logs on.
• The data in the folders is centrally stored, so that the files that they contain are easier to manage and back up.
• Network traffic is reduced. When users have roaming user profiles and folders are not redirected, changes to the data in the folders are copied between the local computer and the server each time that the user logs on and logs off. With folder redirection, you can ensure that users' data is available to users from any computer to which they log on. Network traffic is only generated when a user accesses a file.
• Files in redirected folders, unlike files that are part of a roaming user profile, are not copied and saved on the computers where the user logs on. This means that when a user logs on to a client computer, no storage space is used to store these files, and data that might be confidential does not remain on a client computer.

Slide Objective: To describe the advantages of redirecting folders.
Lead-in: Folder redirection allows you to move the storage location for user data and settings to a shared folder on a server.
Do not go into detail on the four folders, as they are covered in the next topic. Be sure to mention the advantages of folder redirection.
Key Points: The four folders are part of the user profile. The data stored on the server appears local to the user.

User Folders to Redirect

Slide: A table of each folder (My Documents, Start Menu, Desktop, Application Data), what it contains, and why to redirect it to a server; the same information is given in the table in the text below.


Depending on the needs of users and your network, you may redirect all or only a few of the folders that can be redirected. The following table describes what each folder contains and provides specific reasons for redirecting the folder.

Folder: My Documents
Contains: The default location where users store their personal work data. It is the default location for the File Open and Save As commands. Windows 2000 places a My Documents shortcut icon on the desktop. It also includes the My Pictures folder, where users can save their graphics.
Redirect to a server so that: User data follows users, and you are able to back up and manage this data centrally. Redirect the folder to reduce the amount of data saved in the user profile. Always redirect the My Documents folder, because it is important that users are always able to gain access to their data.

Folder: Start Menu
Contains: Folders and shortcuts on the Start menu.
Redirect to a server so that: Users' Start menus are standardized. You redirect multiple users' Start Menu folders to the same network location and then assign only the NTFS file system Read permission so that users cannot change their Start menu contents.

Folder: Desktop
Contains: The folder that contains all files, folders, and shortcuts that a user places on his or her desktop.
Redirect to a server so that: Users' desktops are standardized. Use the same strategy that you use for the Start menu.

Folder: Application Data
Contains: User-specific data stored by applications, such as configuration files and personal dictionaries for spell checking.
Redirect to a server so that: Applications use the same user-specific data for a user, regardless of the computer to which the user logs on.
Slide Objective: To explain what the four folders contain and why to redirect them.
Lead-in: Depending on the needs of your network, you may redirect all or only a few of the four folders that can be redirected.
Key Points: An administrator should always redirect the My Documents folder for all users. You can standardize user Start menus by redirecting their Start Menu folders to the same folder and then assigning only the NTFS Read permission so that users cannot change the contents of their Start menus.
