Practice: Managing User Profiles

In this practice, you will create roaming and preconfigured roaming user profiles and mandatory group profiles. You will log on and log off a number of times. Because standard user accounts are not allowed to log on locally to a domain controller, you will begin by adding users to the Print Operators group, so that those users can log on successfully.

Exercise 1: Configure Users to Log On to the Domain Controller

In the real world, you would rarely want users to have permission to log on locally to a domain controller; however, in our one-system test environment, this capability is important. Although there are several ways to achieve this goal, the easiest is to add the Domain Users group to the Print Operators group. The Print Operators group has the right to log on locally.

1. Open Active Directory Users And Computers.

2. In the tree pane, select the Builtin container.

3. Open the Properties of the Print Operators group.

4. Use the Members tab to add Domain Users to the group.

Exercise 2: Create a Profiles Share

1. Create a Profiles folder on the C drive.

2. Right-click the Profiles folder and choose Sharing and Security.

3. Click the Sharing tab.

4. Share the folder with the default share name: Profiles.

5. Click the Permissions button.

6. Select the check box to allow Full Control.

7. Click OK.

Security Alert Windows Server 2003 applies a limited share permission by default when creating a share. Most organizations follow the best practice, which is to allow Full Control as a share permission, and to apply specific permissions to the folder using the Security tab of the folder’s properties dialog box. However, in the event that an administrator has not locked down a resource before sharing it, Windows Server 2003 errs in favor of security, using a share permission that allows Read-Only access.

Exercise 3: Create a User Profile Template

1. Create a user account that will be used solely for creating profile templates. Use the following guidelines when creating the account:

Text Box Name                          Enter
First Name                             Profile
Last Name                              Account
User Logon Name                        Profile
User Logon Name (Pre-Windows 2000)     Profile

2. Log off of Server01.

3. Log on as the Profile account.

4. Customize the desktop. You might create shortcuts to local or network resources, such as creating a shortcut to the C drive on the desktop.

5. Customize the desktop using the Display application in Control Panel. On the Desktop page of the Display Properties dialog box, you can configure the desktop background and, by clicking Customize Desktop, add the My Documents, My Computer, My Network Places, and Internet Explorer icons to the desktop.

6. Log off as the Profile account.

Exercise 4: Set Up a Preconfigured User Profile

1. Log on as Administrator.

2. Open System Properties from Control Panel, by double-clicking System.

3. Click the Advanced tab.

4. In the User Profiles frame, click Settings. This opens the Copy To dialog box.

5. Select the Profile account’s user profile.

6. Click Copy To.

7. In the Copy Profile To frame, type \\server01\profiles\hcarbeck.

8. In the Permitted To Use section, click Change.

9. Type Hank and click OK.

10. Confirm the entries in the Copy To dialog box and click OK.

11. After the profile has copied to the network, click OK twice to close the User Profiles and System Properties dialog boxes.

12. Open the C:\Profiles folder to verify that the profile folder “Hcarbeck” was created.

13. Open Active Directory Users And Computers and, in the tree pane, select the Employees OU.

14. Open the properties of Hank Carbeck’s user object.

15. Click the Profile tab.

16. In the Profile Path field, type \\server01\profiles\%username%.

17. Click Apply and confirm that the %Username% variable was replaced by hcarbeck. It is important that the profile path match the actual network path to the profile folder.

18. Click OK.

19. Test the success of the preconfigured roaming user profile by logging off and logging on with the user name [email protected]. You should see the desktop modifications that you made while logged on as the Profile account.

Exercise 5: Set Up a Preconfigured, Mandatory Group Profile

1. Log on as Administrator.

2. Open System Properties from Control Panel by double-clicking System.

3. Click the Advanced tab.

4. In the User Profiles frame, click Settings.

5. Select the Profile account’s user profile.

6. Click Copy To.

7. In the Copy Profile To frame type \\server01\profiles\sales.

8. In the Permitted To Use frame, click Change.

9. Type Users and then click OK.

11. After the profile has copied to the network, click OK twice to close the User Profiles and System Properties dialog boxes.

12. Open the C:\Profiles folder to verify that the profile folder Sales was created.

13. Open Folder Options in Control Panel and, on the View tab, under Advanced Settings, ensure that the option, Show Hidden Files And Folders, is selected.

14. Open the C:\Profiles\Sales folder and rename the file Ntuser.dat to Ntuser.man. This makes the profile mandatory.

15. Open Active Directory Users And Computers and, in the tree pane, select the Employees OU.

16. In the details pane, select the following objects by clicking the first and pressing the CTRL key while selecting additional objects: Scott Bishop, Danielle Tiedt, Lorrin Smith-Bates.

17. Click the Action menu and choose Properties.

18. Click the Profile tab, and then select the Profile Path check box.

19. In the Profile Path field, type \\server01\profiles\sales.

20. Click OK.

21. Test the success of the preconfigured roaming user profile by logging off and logging on with the user name [email protected].

22. Test the mandatory nature of the profile by making a change to the desktop appearance. You will be able to make the change, but the change will not persist to future sessions.

23. Log off the computer, and then log on again as Danielle Tiedt. Because the profile is mandatory, the changes you made in the previous step should not appear.

24. Log off the computer, and log on again as Scott Bishop, with user name [email protected]. The same desktop should appear.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

1. Describe how a user’s desktop is created when roaming user profiles are not implemented.

2. Arrange, in order, the steps that reflect the creation of a preconfigured roaming user profile. Use all steps provided.

❑ Customize the desktop and user environment.

❑ Log on as a user with sufficient permissions to modify user account properties.

❑ Copy the profile to the network.

❑ Create a user account so that the profile can be created without modifying any user’s current profile.

❑ Log on as the profile account.

❑ Enter the UNC path to the profile in a user’s Profile property sheet.

❑ Log on as a local or domain administrator.

3. How do you make a profile mandatory?

a. Configure the permissions on the folder’s Security property sheet to deny write permission.

b. Configure the permissions on the folder’s Sharing property sheet to allow only read permission.

c. Modify the attributes of the profile folder to specify the Read Only attribute.

d. Rename Ntuser.dat to Ntuser.man.

Lesson Summary

■ Windows Server 2003 provides individual profiles for each user who logs on to the system. Profiles are stored, by default, on the local system in %Systemdrive%\Documents and Settings\%Username%.

■ Roaming profiles require only a shared folder, and the profile path configured in the user object’s properties.

■ Preconfigured profiles are simply profiles that are copied to the profile path before the profile path is configured in the user object.

■ Group profiles must be made mandatory, by renaming Ntuser.dat to Ntuser.man, so that changes made by one user do not affect other users.
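
A read-only check of the profiles share built in Exercises 2 through 5, added here as a PowerShell example that is not part of the original text. It lists each profile folder, whether it holds Ntuser.man or Ntuser.dat, and which identities the folder's NTFS permissions allow to write, since the share permission from Exercise 2 is Full Control and the Security tab is what limits access. The function name Get-ProfileFolderAudit is hypothetical, and the script assumes a management host with PowerShell 3.0 or later.

```powershell
# Added example: read-only audit of a roaming-profile share.
# Assumptions: run from a host with PowerShell 3.0 or later, as an account
# that can read the share; the default path is the share from Exercise 2.
param([string]$ProfileRoot = '\\server01\profiles')

function Get-ProfileFolderAudit {
    param([Parameter(Mandatory)][string]$Root)

    # Rights that allow changing or replacing profile files, plus the
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that can
    # appear in inherited ACEs.
    $names = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]$names
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    # -Force is not needed for directories here, but keeps hidden folders visible.
    Get-ChildItem -LiteralPath $Root -Directory -Force | ForEach-Object {
        $dir = $_
        $dat = Test-Path -LiteralPath (Join-Path $dir.FullName 'Ntuser.dat')
        $man = Test-Path -LiteralPath (Join-Path $dir.FullName 'Ntuser.man')

        $state = if ($man -and $dat) { 'Conflict: both hives present' }
                 elseif ($man)       { 'Mandatory' }
                 elseif ($dat)       { 'Roaming' }
                 else                { 'No hive found' }

        # Identities with an Allow ACE that includes any write-class right.
        $writers = (Get-Acl -LiteralPath $dir.FullName).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ([int]$_.FileSystemRights -band $writeMask) -ne 0
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        [pscustomobject]@{
            Folder  = $dir.Name
            State   = $state
            Writers = $writers -join '; '
        }
    }
}

Get-ProfileFolderAudit -Root $ProfileRoot | Format-Table -AutoSize -Wrap
```

A folder used as a group profile, such as Sales, should report Mandatory, and any unexpected entry under Writers is worth reviewing on the folder's Security tab.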

Lesson 4: Securing and Troubleshooting Authentication

Once you have configured user objects, and users are authenticating against those accounts, you expose yourself to two additional challenges: security vulnerabilities, which if unaddressed could compromise the integrity of your enterprise network; and social engineering challenges, as you work to make the network, and authentication in general, friendly and reliable for users. Unfortunately, these two dynamics are at odds with each other—the more secure a network, the less usable it becomes. In this lesson, we will address issues related to user authentication. You will learn the impact of domain account policies, including password policies and account lockout policies. You will also learn how to configure auditing for logon-related events, and to perform various authentication-related tasks on user objects.

After this lesson, you will be able to

■ Identify domain account policies and their impact on password requirements and authentication

■ Configure auditing for logon events

■ Modify authentication-related attributes of user objects

Estimated lesson time: 15 minutes