WindowsServer ActiveDirectory Module 03

This document summarizes Module 3 of a Microsoft Official Course on managing user and service accounts. The module contains two lessons: 1. Configuring password policy and user account lockout settings, including how to set password requirements, Kerberos policies, and using password settings objects to specify multiple password policies. 2. Configuring managed service accounts, including challenges of standard accounts, how managed service accounts automate password and SPN management, and how group managed service accounts enable accounts to be used on multiple computers and store authentication information on domain controllers. The module concludes with a lab scenario where the student will implement new password and lockout policies, including a separate policy for an executive group, and configure a group managed


Microsoft Official Course

Module 3

Managing User and Service Accounts

Module Overview

• Configuring Password Policy and User Account Lockout Settings
• Configuring Managed Service Accounts

Lesson 1: Configuring Password Policy and User Account Lockout Settings

• User Account Policies
• Kerberos Policies
• Configuring User Account Policies
• What Are Password Settings Objects?
• Configuring PSOs
• Demonstration: Configuring PSOs
• Discussion: Planning Password Policies

User Account Policies

Use the following settings to set password requirements:
• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Password complexity requirements
• Account lockout duration
• Account lockout threshold

Kerberos Policies

• Kerberos policy settings determine timing for Kerberos tickets and other events

  Setting                                               Default
  Enforce user logon restrictions                       Enabled
  Maximum lifetime for service ticket                   600 minutes
  Maximum lifetime for user ticket                      10 hours
  Maximum lifetime for user ticket renewal              7 days
  Maximum tolerance for computer clock synchronization  5 minutes

• Kerberos claims and compound authentication for DAC require Windows Server 2012 domain controllers

Configuring User Account Policies

• Local Security Policy account settings:
  • Configured with secpol.msc
  • Apply to local user accounts
• Group Policy account settings:
  • Configured with the Group Policy Management console
  • Apply to all accounts in AD DS and local accounts on computers joined to the domain
  • Can only be applied once, in Default Domain Policy
  • Take precedence over Local Security Policy settings

What Are Password Settings Objects?

• You can use fine-grained password policies to specify multiple password policies within a single domain
• Fine-grained password policies:
  • Apply only to user objects (or inetOrgPerson objects) and global security groups
  • Cannot be applied to an OU directly
  • Do not interfere with custom password filters that you might use in the same domain

Configuring PSOs

• Windows Server 2012 provides two tools for configuring PSOs
  • Windows PowerShell cmdlets
    • New-ADFineGrainedPasswordPolicy
    • Add-ADFineGrainedPasswordPolicySubject
  • Active Directory Administrative Center
    • Graphical user interface
    • Uses Windows PowerShell cmdlets to create and manage PSOs

Demonstration: Configuring PSOs

In this demonstration, you will see how to create a Password Settings Object for the ITAdmins group
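As an added example (not part of the course deck), the two PSO cmdlets from the previous slide create the ITAdmins PSO used in this demonstration and the separate Executive PSO the lab scenario asks for, then check which policy actually wins for a member. It assumes the global security groups ITAdmins and Executive exist and that a user named Holly belongs to ITAdmins; the precedence values and password settings are chosen for illustration.

```powershell
# Added example, not course material. Assumes the global security groups
# ITAdmins and Executive exist and that user "Holly" is a member of ITAdmins;
# precedence values and policy settings below are illustrative.
Import-Module ActiveDirectory

# Lower -Precedence wins when a user is covered by more than one PSO.
# A PSO linked directly to a user object always beats a group-linked PSO.
New-ADFineGrainedPasswordPolicy -Name "ITAdmins_PSO" -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge "1.00:00:00" -MaxPasswordAge "42.00:00:00" `
    -LockoutThreshold 5 -LockoutObservationWindow "0.00:30:00" `
    -LockoutDuration "0.00:30:00" -ProtectedFromAccidentalDeletion $true

# The Executive group gets its own policy, as the lab scenario requires.
New-ADFineGrainedPasswordPolicy -Name "Executive_PSO" -Precedence 20 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 12 -PasswordHistoryCount 24 `
    -MinPasswordAge "1.00:00:00" -MaxPasswordAge "60.00:00:00" `
    -LockoutThreshold 3 -LockoutObservationWindow "0.01:00:00" `
    -LockoutDuration "0.01:00:00" -ProtectedFromAccidentalDeletion $true

# PSOs apply only to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity "ITAdmins_PSO"  -Subjects "ITAdmins"
Add-ADFineGrainedPasswordPolicySubject -Identity "Executive_PSO" -Subjects "Executive"

# Verify the effective policy. No result means no PSO applies and the user
# falls back to the Default Domain Policy (for example because the group is
# not a global security group, or the subject was never added).
$resultant = Get-ADUserResultantPasswordPolicy -Identity "Holly"
if ($null -eq $resultant) {
    Write-Output "Holly: Default Domain Policy applies"
} else {
    $resultant | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
}

# Review who each PSO is linked to (user and group DNs).
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, @{n='AppliesTo'; e={ $_.AppliesTo -join '; ' }}
```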

Discussion: Planning Password Policies

What password policies would you recommend for…?
• Woodgrove Bank
  • New account lockout policy
• Tailspin Toys
  • Best practices

Lesson 2: Configuring Managed Service Accounts

• Service Account Overview
• Challenges of Using Standard User Accounts for Services
• Managed Service Account and Virtual Accounts
• What Are Group Managed Service Accounts?
• Demonstration: Configuring Group Managed Service Accounts
• Kerberos Delegation and Service Principal Names

Service Account Overview

• Applications need resource access
  • Can create domain or local accounts to manage such access, but can potentially compromise security
• Use service accounts instead
  • Local System
    • Most privileged, still vulnerable if compromised
  • Local Service
    • Least privileged, may not have enough permissions to access all required resources
  • Network Service
    • Can access network resources with proper credentials

Challenges of Using Standard User Accounts for Services

• Challenges to using standard user accounts for services include:
  • Extra administration effort to manage the service account password
  • Difficulty in determining where a domain-based account is used as a service account
  • Extra administration effort to manage the SPN

Managed Service Account and Virtual Accounts

• Use managed service accounts to automate password and SPN management for service accounts used by services and applications
• Requires a Windows Server 2008 R2 or Windows Server 2012 server installed with:
  • .NET Framework 3.5.x
  • Active Directory module for Windows PowerShell
• Recommended to run with AD DS configured at the Windows Server 2008 R2 functional level or higher
• Can be used in a Windows Server 2003 or 2008 AD DS environment:
  • With Windows Server 2008 R2 schema updates
  • With Active Directory Management Gateway Service

What Are Group Managed Service Accounts?

• Group managed service accounts extend the capability of standard managed service accounts by:
  • Enabling managed service accounts to be used on more than one computer in the domain
  • Storing managed service account authentication information on domain controllers
• Group managed service account requirements:
  • Must have at least one Windows Server 2012 domain controller
  • Must have a KDS root key created for the domain

Demonstration: Configuring Group Managed Service Accounts

In this demonstration, you will see how to:
• Create the KDS root key for the domain
• Create and associate a managed service account
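The two demonstration steps carried through in PowerShell, as an added example that is not the course's own lab code. It assumes the Adatum.com domain from the lab logon information, a global security group named WebServers that contains the web servers, and a constructed account name svc_WebApp; the SPN and DNS host name are illustrative.

```powershell
# Added example, not course material. Assumes the Adatum.com domain, a group
# "WebServers" holding the web hosts, and the constructed account "svc_WebApp";
# the SPN and DNS host name are illustrative.
Import-Module ActiveDirectory

# Step 1 (once per forest): the KDS root key from which domain controllers
# derive gMSA passwords. A new key is only usable after it has replicated to
# all DCs, so it becomes effective about 10 hours after creation.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Step 2: create the gMSA. Only the principals listed here can retrieve the
# password; keep the list to the computers that actually run the service.
New-ADServiceAccount -Name "svc_WebApp" `
    -DNSHostName "svc_WebApp.adatum.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "WebServers" `
    -ServicePrincipalNames "HTTP/webapp.adatum.com" `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# Step 3 (on each web server, after a reboot so its Kerberos ticket carries
# the WebServers membership): associate and test. Test-ADServiceAccount
# returns $true only if this host can retrieve the managed password.
Install-ADServiceAccount -Identity "svc_WebApp"
if (-not (Test-ADServiceAccount -Identity "svc_WebApp")) {
    throw "svc_WebApp: host cannot retrieve the gMSA password; check group membership and KDS key replication"
}

# Audit: confirm who may retrieve the password and how often it rotates.
Get-ADServiceAccount -Identity "svc_WebApp" `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval
```

The service or IIS application pool is then configured to run as ADATUM\svc_WebApp$ with an empty password; Windows retrieves and rotates the password itself.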

Kerberos Delegation and Service Principal Names

• Kerberos delegation of authentication
  • Services can delegate service tickets issued to them by the KDC to another service
• Constrained delegation
  • Allows administrators to define which services can use service tickets issued to other services
• SPNs help identify services uniquely
• Windows 2012 allows:
  • Constrained delegation across domains
  • Ability of service administrators to configure constrained delegation
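An added example (not course material) that audits the delegation settings this slide describes: it lists non-DC accounts trusted for unconstrained delegation, reports each constrained-delegation account with its permitted target SPNs, and shows the Windows Server 2012 resource-based form. It assumes only the Active Directory module; the flag values are the documented userAccountControl bits.

```powershell
# Added example, not course material: audit Kerberos delegation in the domain.
# Unconstrained delegation (TRUSTED_FOR_DELEGATION, 0x80000) lets a service
# reuse any forwarded user TGT; constrained delegation limits reuse to the
# SPNs listed in msDS-AllowedToDelegateTo.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition
$bitAnd = "1.2.840.113556.1.4.803"           # LDAP bitwise-AND matching rule

# Domain controllers are unconstrained by design; flag everything else.
$dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN
Get-ADObject -LDAPFilter "(&(|(objectClass=computer)(objectClass=user))(userAccountControl:${bitAnd}:=$TRUSTED_FOR_DELEGATION))" `
    -Properties sAMAccountName |
    Where-Object { $dcDNs -notcontains $_.DistinguishedName } |
    ForEach-Object { "UNCONSTRAINED: $($_.sAMAccountName) ($($_.DistinguishedName))" }

# Constrained delegation: target SPNs, and whether protocol transition
# ("use any authentication protocol") is enabled on the account.
Get-ADObject -LDAPFilter "(msDS-AllowedToDelegateTo=*)" `
    -Properties sAMAccountName, msDS-AllowedToDelegateTo, userAccountControl |
    ForEach-Object {
        [pscustomobject]@{
            Account            = $_.sAMAccountName
            ProtocolTransition = ($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
            Targets            = ($_.'msDS-AllowedToDelegateTo' -join '; ')
        }
    } | Format-Table -AutoSize

# Resource-based constrained delegation (Windows Server 2012): the resource
# itself lists which principals may delegate to it, which is what allows
# service administrators to configure delegation across domains.
Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToAccount |
    Where-Object { $_.PrincipalsAllowedToDelegateToAccount } |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount
```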

Lab: Managing User and Service Accounts

• Exercise 1: Configuring Password Policy and Account Lockout Settings
• Exercise 2: Creating and Associating a Managed Service Account

Logon Information
Virtual machines: 20411D-LON-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 45 minutes


Lab Scenario

A. Datum is a global engineering and manufacturing company with its head office based in London, United Kingdom. An IT office and data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.

A. Datum has completed a security review for passwords and account lockout policies. You need to implement the recommendations contained in the report to control password complexity and length. You also need to configure appropriate account lockout settings. Part of your password policy configuration will include a specific password policy you need to assign to the Executive security group. This group requires a different password policy than the policy applied at the domain level.

You need to configure a new group managed service account to support a new Web-based program. Using a group managed service account will help maintain the password security requirements for the account.
Module Review and Takeaways

• Review Question(s)
• Real-world Issues and Scenarios
• Tools
• Common Issues and Troubleshooting Tips
