MCITP 70-640: Active Directory Accounts


Uploaded by itfreetraining on 17.04.2012

Transcript:
Welcome back to your free Active Directory course. In this video I will look at user and computer accounts in Windows. Accounts in Windows provide the backbone for security in a Windows environment. Any account in Windows, whether it's a user or computer account, will have a SID (security identifier) associated with it. The SID is a unique number used in security to uniquely identify the account. Shown here are some examples of SIDs. The short SIDs are local user accounts and the longer SIDs are domain SIDs.

A SID is required because it allows Windows to uniquely identify a user even if the other attributes of the user change. Take the example of a user account: if the user were to change their last name, Windows could still identify the user account as belonging to the same person because the SID has not changed.

SIDs are also used for computer accounts and groups. SIDs provide the unique value that is used to identify these groups and computers inside Active Directory and on the local computer. Once again, if you were to change the name of the group or the computer name, the SID associated with the group or computer stays the same.
When troubleshooting Windows and Active Directory you will see SIDs appear from time to time, so it is a good idea to understand why they are required. If I open RegEdit from the start menu and navigate down through the registry, there is a good example of SIDs being used in user profiles. A profile in Windows contains all the user's settings, everything from their printer settings to the files on the desktop. By default the profile is in the Users directory on the C drive. The profiles listed here contain the basic details of each profile. Each profile is listed under a registry key whose name is the SID for that user. The first 3 profiles listed are local profiles. You can tell this because the SIDs are very short. If I look inside one of the profiles listed, notice the value ProfileImagePath. This value contains the directory where the profile is stored. The profile below this with the longer SID is the domain administrator. The same principle applies. This key contains details about the administrator's profile, including the folder where the data for the profile is stored. If the username were to change, for example if the user were to change their name, Windows will still know to find the user's profile settings in the old folder. You can see why, when a user changes their name, the folder name of their profile does not change.

This is one reason that when a user changes their name I will sometimes create a new user with the different name and transfer over their settings and documents. This method ensures settings like the profile folder are set to the new name. If you do decide to take this approach, make sure there is nothing tied to the old user like certificates. If there is, I would stick to renaming the account. If you want to change the profile folder as well, you can change it in the registry here and also rename it in the Users folder; as long as they both match, Windows will keep using it. If they do not match, Windows will create a new profile when the user logs in.

You should now understand why, if a user account is deleted and you were to create a new user with the same name, they will not have the same access as the last user. When you create a new user, the new user will have a completely different SID from the old user and thus will not have access to any of the data that the old user had access to. This is why it is common practice in some companies that when a person leaves, their account is disabled. When their replacement is hired, the account is enabled and renamed to the new person. This ensures the new employee will have all the same access the old employee had.
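The ProfileList walk-through above, as an added example that is not part of the video: this script reads the same ProfileList registry key, classifies each SID as local, domain or well-known, resolves the name where a domain controller is reachable, and checks that the folder named in ProfileImagePath still exists. It assumes PowerShell 5.1 or later on Windows with the Get-LocalUser cmdlet available.

```powershell
# Added example (not from the video): report every profile registered under ProfileList,
# classify its SID as local, domain or well-known, and check that the profile folder
# named in ProfileImagePath still exists. Assumes PowerShell 5.1+ on Windows.
function Get-ProfileSidReport {
    $profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    # Local account SIDs share the machine SID as their domain part; derive the machine SID
    # from the built-in Administrator account (RID 500), which exists even when renamed.
    $machineSid = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
                   Select-Object -First 1).SID.AccountDomainSid.Value

    foreach ($key in Get-ChildItem -Path $profileListKey) {
        $sidText = $key.PSChildName
        $props   = Get-ItemProperty -Path $key.PSPath
        $sid     = $null
        try { $sid = [System.Security.Principal.SecurityIdentifier]$sidText } catch {}

        if (-not $sid) {
            $kind = 'invalid (e.g. a .bak key left behind by a broken profile)'
        } elseif (-not $sid.AccountDomainSid) {
            $kind = 'well-known'        # S-1-5-18 SYSTEM, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE
        } elseif ($sid.AccountDomainSid.Value -eq $machineSid) {
            $kind = 'local'
        } else {
            $kind = 'domain'
        }

        # Name lookup needs a domain controller for domain SIDs; when none is reachable
        # (or the account was deleted) only the SID is available, as shown in the video.
        $account = '<unresolved>'
        if ($sid) {
            try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        }

        $path = $props.ProfileImagePath
        [pscustomobject]@{
            SID          = $sidText
            Kind         = $kind
            Account      = $account
            ProfilePath  = $path
            FolderExists = [bool]($path -and (Test-Path -LiteralPath $path))
        }
    }
}

Get-ProfileSidReport | Format-Table -AutoSize
```

A profile whose registry key and on-disk folder no longer agree shows up here with FolderExists set to False, which is the situation in which Windows builds a fresh profile at the next logon.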
To demonstrate a bit more clearly how a SID is connected to a user, I will open Windows Explorer and look at the security for a folder I created on the C drive of this computer. I have disconnected this computer from the network so it does not have access to a domain controller. Since the computer can't access a domain controller, notice that two of the permissions are listed as the SID rather than the username. If I now reconnect the computer to the network and press Edit, notice that Windows will contact a domain controller, get the usernames for the two SIDs and display the username rather than the SID. This is why you can easily change usernames in Active Directory without having to worry about the effect it will have on permissions.
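The folder-permissions demonstration above, as an added example that is not part of the video: this function lists every access control entry on a folder whose identity is still a raw SID after Windows tried to resolve it, and states the likely reason (account deleted, or simply no domain controller reachable, which is the case the video shows). It assumes a Windows host with PowerShell 5.1 or later; the folder path C:\Shared is a placeholder.

```powershell
# Added example (not from the video): find ACEs on a folder that Windows could not
# translate from SID to name, and say why that is likely. Assumes PowerShell 5.1+.
function Get-UnresolvedAce {
    param([Parameter(Mandatory)][string]$Path)

    Add-Type -AssemblyName System.DirectoryServices
    # Can this computer reach a domain controller right now? If not, domain SIDs show as
    # numbers even though the accounts still exist, exactly as in the video.
    $dcReachable = try {
        [void][System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain(); $true
    } catch { $false }
    # Machine SID (domain part of every local account SID), taken from the RID 500 account.
    $machineSid = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
                   Select-Object -First 1).SID.AccountDomainSid.Value

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $id = $ace.IdentityReference
        # Get-Acl already translates resolvable SIDs to DOMAIN\name; an entry that is still
        # a SecurityIdentifier object is one the lookup could not resolve.
        if ($id -isnot [System.Security.Principal.SecurityIdentifier]) { continue }

        $likelyCause = if (-not $id.AccountDomainSid) { 'well-known SID with no local name' }
                       elseif ($id.AccountDomainSid.Value -eq $machineSid) { 'local account deleted' }
                       elseif (-not $dcReachable) { 'no domain controller reachable' }
                       else { 'domain account deleted, or SID from another domain' }
        [pscustomobject]@{
            Path        = $Path
            SID         = $id.Value
            Rights      = $ace.FileSystemRights
            Type        = $ace.AccessControlType
            Inherited   = $ace.IsInherited
            LikelyCause = $likelyCause
        }
    }
}

Get-UnresolvedAce -Path 'C:\Shared'   # placeholder folder; point it at the folder to audit
```

Entries reported as "deleted" are the orphaned permissions left behind when an account is removed instead of disabled, which a recreated account with the same name cannot inherit.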
To understand a bit more about how accounts and SIDs work in Windows, let's have a look at the process that happens when a user is authenticated by a domain controller in a domain.

When a user is authenticated by a domain controller, an access token is generated for that user. The access token can then be used to access other resources on the network. Inside the access token is the user's SID. When this access token is presented to another system, say a Windows server, the SID inside the token can be used by the server to identify who the token belongs to. The server will then look at its access lists to see if that SID has access.

However, as we will see in later videos, good administrators use groups to give users access and make administration easier. If this user was a member of the Sales group, for example, then as we have learnt the Sales group has its own SID. It is a simple matter of adding the Sales group SID to the user's token when it is created. Now when the token is presented to another system, the other system checks its access list. In this case the Sales group is in the token and on the server's local access list, so the user will be given access.

You may be asking yourself what would happen if the user was removed from the Sales group after the token had been generated. The answer is the user would still have access, because the security token contains the SID for the Sales group. The same applies if the user was added to, say, the Marketing group after the token was created. The user would not have access to any of the Marketing files because the security token does not contain the SID for the Marketing group. To fix problems like these, the user simply needs to log off and log back on. When they log back on, a new token will be generated with the new security information.
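The stale-token situation described above, as an added example that is not part of the video: this function compares the group SIDs carried in the current logon token with the groups the domain says the account belongs to right now (the DC-computed tokenGroups attribute), so it reports a group removed in AD but still in the token, and a group added in AD that the token does not yet carry. It assumes it runs as a domain user on a domain-joined computer with a reachable domain controller, PowerShell 5.1 or later.

```powershell
# Added example (not from the video): compare the group SIDs in the current logon token with
# the groups the domain says the account belongs to now. Assumes a domain user on a
# domain-joined computer that can reach a domain controller, PowerShell 5.1+.
function Compare-TokenGroups {
    Add-Type -AssemblyName System.DirectoryServices
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $domainSid = $identity.User.AccountDomainSid.Value

    # Only compare groups from the user's own domain; the token also carries well-known and
    # BUILTIN SIDs (Everyone, Users, the logon session) that AD does not list as memberships.
    $tokenSids = $identity.Groups |
                 Where-Object { $_.AccountDomainSid -and $_.AccountDomainSid.Value -eq $domainSid } |
                 ForEach-Object { $_.Value }

    # tokenGroups is computed by the DC on request: every group (nested ones included) the
    # account is a member of at this moment, i.e. what a fresh logon token would contain.
    $user = [adsi]"LDAP://<SID=$($identity.User.Value)>"
    $user.RefreshCache([string[]]@('tokenGroups'))
    $adSids = foreach ($raw in $user.Properties['tokenGroups']) {
        $g = [System.Security.Principal.SecurityIdentifier]::new($raw, 0)
        if ($g.AccountDomainSid -and $g.AccountDomainSid.Value -eq $domainSid) { $g.Value }
    }

    # Show DOMAIN\group where the name resolves, otherwise fall back to the SID.
    $toName = { param($s)
        try { ([System.Security.Principal.SecurityIdentifier]$s).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $s } }

    foreach ($s in $tokenSids) {
        if ($adSids -notcontains $s) {
            [pscustomobject]@{ Group = & $toName $s; State = 'in token only: removed in AD, access stays until logoff' }
        }
    }
    foreach ($s in $adSids) {
        if ($tokenSids -notcontains $s) {
            [pscustomobject]@{ Group = & $toName $s; State = 'in AD only: added after logon, no access until next logon' }
        }
    }
}

Compare-TokenGroups | Format-Table -AutoSize
```

An empty result means the token and the directory agree; any row is a membership change that only takes effect once the user logs off and on again.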
Before I start looking at how to use user accounts in Active Directory, first I want to look at the naming standards that you will see when using accounts in Windows. The old naming standard that dates back to Windows NT is domain\UserName. This was based on the older NetBIOS naming standard, which did not support as many characters as DNS does. The newer standard supports the same naming format that you would use for an e-mail address, for example user@example.com. Windows refers to this naming format as the user principal name. In some cases the domain name may be different from the domain part of the name used to log in. For example, a lot of companies may use an internal DNS name ending in local rather than com. Active Directory supports any principal name mapped to any user.

Regardless of which system you use, you will need to work out a naming system that minimizes the number of naming conflicts. An example is first initial dot last name. Some companies will even go for longer names like first name dot last name, or a simpler standard like last name plus first initial. The longer the login name, the less likely you will have two users with the same login. For example, if Jane and John Doe both worked for the same company, two of the naming standards here would generate the same login name. In this case an administrator would need to change one of the logins. A lot of administrators will simply add a number to the end of one of the logins to make them different.

When creating a new user, a pre-Windows 2000 logon name will automatically be chosen for you. This name will be used by older clients. Besides Windows systems like Windows 9x and NT, this may also include some older non-Microsoft operating systems. Unless you have any old operating systems, in most cases you won't need to worry about the pre-Windows 2000 logon name. The reason I bring it up is that it is limited to 20 characters. In your naming standard, if you need to use the pre-Windows 2000 logon names, consider the 20 character limit when thinking about how your naming standard will work.

This covers the basics of accounts in Windows and Active Directory. In the next video I will look at how to create a new user account in Active Directory. Thanks for watching.
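The naming-standard discussion above (the three standards, the Jane and John Doe collision, appending a number, and the 20-character pre-Windows 2000 limit), as an added example that is not part of the video: this function generates a logon name under a chosen standard, resolves collisions against a list of names already taken, and keeps the result within 20 characters even after a numeric suffix is added. The existing-name list and the people are constructed sample data, and the function does not query Active Directory itself.

```powershell
# Added example (not from the video): build a logon name from a naming standard, resolve
# collisions by appending a number, and enforce the 20-character pre-Windows 2000 limit.
function New-LogonName {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [ValidateSet('FirstInitialDotLast','FirstDotLast','LastFirstInitial')]
        [string]$Standard = 'FirstInitialDotLast',
        [string[]]$ExistingNames = @()     # names already taken (constructed sample data below)
    )
    # Keep only a-z and 0-9 so spaces and apostrophes cannot reach the logon name.
    $f = $FirstName.ToLower() -replace '[^a-z0-9]', ''
    $l = $LastName.ToLower()  -replace '[^a-z0-9]', ''
    $base = switch ($Standard) {
        'FirstInitialDotLast' { "$($f.Substring(0,1)).$l" }
        'FirstDotLast'        { "$f.$l" }
        'LastFirstInitial'    { "$l$($f.Substring(0,1))" }
    }
    # sAMAccountName (the pre-Windows 2000 logon name) must be 20 characters or fewer.
    $candidate = if ($base.Length -gt 20) { $base.Substring(0, 20) } else { $base }
    $n = 1
    while ($ExistingNames -contains $candidate) {
        # Collision: append a number, trimming the base so the suffix still fits in 20.
        $n++
        $suffix = [string]$n
        $candidate = $base.Substring(0, [Math]::Min($base.Length, 20 - $suffix.Length)) + $suffix
    }
    return $candidate
}

# Constructed sample: Jane and John Doe collide under first-initial.last, so the second
# gets a number; a long first.last name is cut to the 20-character limit.
$taken = @()
foreach ($p in @(@('Jane','Doe'), @('John','Doe'))) {
    $name = New-LogonName -FirstName $p[0] -LastName $p[1] -ExistingNames $taken
    $taken += $name
    "{0,-6} {1,-4} -> {2}" -f $p[0], $p[1], $name
}
New-LogonName -FirstName 'Christopher' -LastName 'Featherstonehaugh' -Standard 'FirstDotLast' -ExistingNames $taken
```

Run the script a second time with the generated names fed back in as ExistingNames to see the numbered variants that the video describes administrators adding by hand.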