Task 5.1: Creating User Accounts

To provide as much security as possible while creating user accounts, administrators take advantage of user account templates to establish a minimum baseline of permissions required for each role in the enterprise. Only after this baseline is found to lack sufficient privilege will an administrator increase the level of privilege, granting only the additional permissions necessary for the worker to perform the tasks required of their role.

Further, the placement of the user account in the proper organizational unit (OU) within Active Directory (AD) implements user-based security controls by Group Policy Object (GPO). GPOs can be applied at the AD site, domain, or OU level.

Scenario

You are an administrator in an AD environment. One of your responsibilities is to create all user accounts for the domain. You must perform this task while implementing the utmost security for the environment.

Scope of Task

Duration

This task should take 30 minutes.

Setup

You have just been informed of the need to create five user accounts for a new role today, with another 100 users expected to be added over the next three months. These first five users will begin working next week.

To provide user access following the principle of least privilege, these roles require special desktop controls to be applied to their workstations.

Caveat

As users are created, unless proper security is implemented, attackers can compromise these accounts and gain unauthorized access to many resources.

Also, the implementation of GPOs can adversely affect the operations and security of your information systems. If the implementation is too lax, users gain too much access. If it’s too tight, required resources may be unavailable to users.

Procedure

For this task, you will configure a new user template account and secure this template. Then you will create the five users based on this template, secure them properly, and place them into the proper OU. Next you will write the desktop GPO required for these users and link it to the proper OU.

Equipment Used

For this task, you must have:

  • Windows Server 2003 domain controller system
  • Domain Administrator access

Details

Building a User Account Template

1. Log on to the Windows Server 2003 domain controller system as the Domain Administrator.

2. Select Start ⇒ Programs ⇒ Administrative Tools ⇒ Active Directory Users And Computers (ADUC).

3. Expand the domain. Click on the domain name.

4. In the right pane, right-click and select New ⇒ Organizational Unit.

5. Name the new OU Widget Production. It should become the selected item in the left pane.

6. In the right pane, right-click and select New ⇒ User.

7. Assign the new user the name _WProd_Template and set the user logon name to WProd. Click Next.

Create the template account with the underscore (_) as the first character so it will come first alphabetically and will be easy to locate as the OU becomes populated with potentially hundreds of user accounts.

8. Enter a strong password for the template account and enable the User Must Change Password At Next Logon (enabled by default) and Account Is Disabled settings. Click Next, and then click Finish to create the account.

A password is typically considered average strength when it contains 8 characters; 14 characters or longer is considered strong. Strong passwords should include at least one uppercase letter, at least one lowercase letter, and at least one numeric or symbol character. You will not need to remember the password for this template account. No one should ever log onto this template account.

It is important to ensure that this template account is disabled!

9. Notice the account has a red dot with a white X on it, indicating that it is disabled.

10. In the white space below _WProd_Template, right-click and select New ⇒ Group, and create a new Global Security Group named Widget Production GG.

11. In the white space below _WProd_Template, right-click and select New ⇒ Group, and create a new Domain Local Security Group named Widget Production DLG.

12. Double-click on Widget Production GG and select the Members tab. Click Add.

13. Click Advanced.

14. Click Find Now to display all users and groups in the domain.

15. Click the user account _WProd_Template. Then click OK.

16. Click OK again to add this user into the Widget Production GG.

17. Click OK to close the Widget Production GG Properties dialog box.

Adding a Global Security Group to a Domain Local Group

Now you will add the Widget Production GG into the Domain Local Group called Widget Production DLG.

1. Double-click on the Domain Local Group named Widget Production DLG. On the Members tab, click Add.

2. Click Advanced.

3. Click Find Now to display all users and groups in the domain.

4. Click the Widget Production GG. Then click OK.

5. Click OK again to add the Widget Production GG into the Widget Production DLG.

6. Click OK to close the Widget Production DLG Properties dialog box.

Remember the AGDLP chain (user Accounts get added to Global groups; Global groups get added to Domain Local groups; Domain Local groups get granted Permissions). You have just assembled the AGDL part of the AGDLP chain for granting permissions. That is, you placed user accounts into Widget Production GG (a global group), and Widget Production GG into Widget Production DLG (a domain local group). Next you will grant the Widget Production DLG permissions, both NTFS and share permissions, as desired. Any user account created from this template will already be a member of this chain of permissions.

The process of building AGDLP is detailed in Phase 4, Task 4.8.

You have created a template account in the proper OU to base all Widget Production users on. This account has a strong password, is disabled, will require users based on this template to change their password at first logon, and has been granted membership to the Widget Production GG and the resulting resource accesses.

Creating Users Based on the New User Account Template

1. In ADUC, in the Widget Production OU, right-click on the _WProd_Template user object and select Copy.

2. Type Prod1 in the First Name field and the User Logon Name field. Click Next.

3. Type in a strong password twice. Notice the two settings that are enabled:

  • User Must Change Password At Next Logon
  • Account Is Disabled

Retain these settings and click Next.

You will need to record this username and password and provide it to the worker, Prod1, for their first logon. The new user will be forced to change this password as they log on for the first time.

4. Click Finish to create the new user Prod1, based on the user template _WProd_Template.

5. Repeat steps 1 through 4 and create users Prod2, Prod3, Prod4, and Prod5 similarly.

As the new workers show up for work, you would enable the appropriate account and provide each worker with their new username and password. You should advise the worker that they will be forced to change their password at first logon.

6. Double-click on the group Widget Production GG and select Members. Confirm that your five new users are members of this global group.

7. Close the Widget Production GG.
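The following script is an added example, not part of the book's procedure: it performs the same steps scripted with the ActiveDirectory PowerShell module (available with RSAT or on Server 2008 R2 and later; the Server 2003 domain controller used in the task does not ship it). It creates the OU, the disabled _WProd_Template account, the two groups and their AGDL membership, copies the template for Prod1 through Prod5, and then verifies the group membership the way step 6 above does. The password generator, the domain lookup, and the attribute list copied from the template are assumptions for this lab.

```powershell
# Added example (not the book's code). Requires the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName          # assumed: e.g. DC=corp,DC=example
$DnsRoot  = (Get-ADDomain).DNSRoot
$OuName   = 'Widget Production'
$OuDN     = "OU=$OuName,$DomainDN"

# The book's strength rule: 14+ characters, one uppercase, one lowercase, one digit or symbol.
function Test-StrongPassword {
    param([string]$Plain)
    return ($Plain.Length -ge 14) -and ($Plain -cmatch '[A-Z]') -and
           ($Plain -cmatch '[a-z]') -and ($Plain -match '[0-9]|[^A-Za-z0-9]')
}

# Constructed helper: random initial password from a cryptographic RNG, re-drawn until it passes the rule.
function New-RandomPassword {
    param([int]$Length = 20)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    if (-not (Test-StrongPassword $pw)) { return New-RandomPassword $Length }
    return $pw
}

# Steps 4-5: the OU that the desktop GPO will later be linked to.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN

# Steps 6-9: template account, disabled, password change forced at next logon,
# underscore prefix so it sorts first in a populated OU. Nobody ever logs on with it.
$templatePw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
New-ADUser -Name '_WProd_Template' -SamAccountName 'WProd' -Path $OuDN `
    -AccountPassword $templatePw -Enabled $false -ChangePasswordAtLogon $true

# Steps 10-17 and the AGDLP section: accounts -> global group -> domain local group.
New-ADGroup -Name 'Widget Production GG'  -GroupScope Global      -GroupCategory Security -Path $OuDN
New-ADGroup -Name 'Widget Production DLG' -GroupScope DomainLocal -GroupCategory Security -Path $OuDN
Add-ADGroupMember -Identity 'Widget Production GG'  -Members 'WProd'
Add-ADGroupMember -Identity 'Widget Production DLG' -Members 'Widget Production GG'

# Copying users from the template. ADUC's Copy carries group membership across;
# New-ADUser -Instance copies attributes but not memberOf, so membership is added explicitly.
$template    = Get-ADUser -Identity 'WProd' -Properties Description, Department   # assumed attribute list
$credentials = @()
foreach ($i in 1..5) {
    $name  = "Prod$i"
    $plain = New-RandomPassword
    New-ADUser -Instance $template -Name $name -GivenName $name -SamAccountName $name `
        -UserPrincipalName "$name@$DnsRoot" -Path $OuDN `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -Enabled $false -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity 'Widget Production GG' -Members $name
    $credentials += [pscustomobject]@{ User = $name; InitialPassword = $plain }
}

# Step 6 of the copying procedure: confirm all five users are in the global group.
$members = (Get-ADGroupMember -Identity 'Widget Production GG').SamAccountName
$missing = (1..5 | ForEach-Object { "Prod$_" }) | Where-Object { $_ -notin $members }
if ($missing) { throw "Not in Widget Production GG: $($missing -join ', ')" }

# Accounts stay disabled until each worker starts; enable one with: Enable-ADAccount -Identity Prod1
# The initial passwords below are handed over out of band and are replaced at first logon.
$credentials
```

Keeping the accounts disabled until the worker's first day, and forcing a password change at that logon, means the initial password recorded here is only ever valid for a single logon window. If you run this more than once in a lab, delete the OU first or the `New-AD*` calls will fail on the existing objects.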

Securing the Widget Production Users with a GPO

1. In the left pane of ADUC, right-click on the Widget Production OU and select Properties. Select the Group Policy tab.

2. Select New and name the new GPO WProd Desktops.

3. Click Edit. Expand the GPO to view User Configuration ⇒ Administrative Templates ⇒ Desktop.

4. Double-click on Remove My Computer Icon On The Desktop. In the resulting dialog box, select the Enabled radio button, and then click OK.

5. Double-click on Prohibit User From Changing My Documents Path. In the resulting dialog box, select the Enabled radio button, and then click OK.

6. Double-click on Prohibit Adjusting Desktop Toolbars. In the resulting dialog box, select the Enabled radio button, and then click OK.

The Desktop settings selected are simple, representative controls that could be enabled. Any GPO settings in the User Configuration region of this GPO will apply to all users in the Widget Production OU.

7. Close the GPO by clicking the X in the upper-right corner.
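As an added example (not from the book), the same WProd Desktops GPO built and linked with the GroupPolicy module, which comes with GPMC on Server 2008 and later rather than with the Server 2003 DC used in this task. Administrative Template settings are stored as registry values under the policy's HKCU\...\Policies keys; the three key/value names used here are my assumed mapping for the Desktop settings chosen above and should be checked against the Desktop template on your domain controller. The OU path is an assumption matching the earlier procedure.

```powershell
# Added example (not the book's code). Requires the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OuDN    = "OU=Widget Production,$((Get-ADDomain).DistinguishedName)"   # assumed lab OU path
$GpoName = 'WProd Desktops'

# Steps 1-2: create the GPO and link it to the OU. Because the settings live in
# User Configuration, they apply to every user whose account sits in this OU.
New-GPO -Name $GpoName -Comment 'Desktop restrictions for Widget Production users' | Out-Null
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null

# Steps 3-6: the registry values behind the three Administrative Template settings.
# Assumption: these are the value names the Desktop template writes; verify on your DC.
$Policies = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
$settings = @(
    @{ Label = 'Remove My Computer Icon On The Desktop'
       Key = "$Policies\NonEnum";  ValueName = '{20D04FE0-3AEA-1069-A2D8-08002B30309D}' },
    @{ Label = 'Prohibit User From Changing My Documents Path'
       Key = "$Policies\Explorer"; ValueName = 'DisablePersonalDirChange' },
    @{ Label = 'Prohibit Adjusting Desktop Toolbars'
       Key = "$Policies\Explorer"; ValueName = 'NoMovingBands' }
)
foreach ($s in $settings) {
    # "Enabled" for these policies means a DWORD value of 1 under the policy key.
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.ValueName -Type DWord -Value 1 | Out-Null
}

# Check the result: the GPO must be linked to the OU and every value must read back as 1.
$link = (Get-GPInheritance -Target $OuDN).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $link) { throw "$GpoName is not linked to $OuDN" }
foreach ($s in $settings) {
    $v = Get-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.ValueName
    if ($v.Value -ne 1) { throw "'$($s.Label)' is not enabled in $GpoName" }
}

# An HTML report of the GPO is a convenient record of what the OU's users will receive.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\WProd-Desktops.html"
```

Users receive the settings at the next Group Policy refresh; on a client, `gpupdate /target:user` forces it and `gpresult /r` lists which GPOs were applied, which is the quickest way to confirm the link took effect for a Prod1 test logon. A GPO that is too restrictive shows up here first, as missing desktop items the role still needs, so test with one account before enabling the rest.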

Criteria for Completion

You have completed this task when you have built the template account with the proper security controls in place, created several users based on that secure template, and configured a GPO and linked it to the OU containing the new user accounts to further secure those users.
