Module3 管理用户和服务帐户

Microsoft®OfficialCourseModule3管理用户和服务帐户刘道军老师主讲如有疑问请与我联系：10804072ModuleOverview•ConfiguringPasswordPolicyandUserAccountLockoutSettings•ConfiguringManagedServiceAccountsLesson1:ConfiguringPasswordPolicyandUserAccountLockoutSettings•UserAccountPolicies•KerberosPolicies•ConfiguringUserAccountPolicies•WhatArePasswordSettingsObjects?•ConfiguringPSOs•Demonstration:ConfiguringPSOs•Discussion:PlanningPasswordPoliciesUserAccountPoliciesUsethefollowingsettingstosetpasswordrequirements:•Enforcepasswordhistory•Maximumpasswordage•Minimumpasswordage•Minimumpasswordlength•Passwordcomplexityrequirements•Accountlockoutduration•AccountlockoutthresholdKerberosPolicies•KerberospolicysettingsdeterminetimingforKerberosticketsandothereventsSettingDefaultEnforceuserlogonrestrictionsEnabledMaximumlifetimeforserviceticket600minutesMaximumlifetimeforuserticket10hoursMaximumlifetimeforuserticketrenewal7daysMaximumtoleranceforcomputerclocksynchronization5minutes•KerberosclaimsandcompoundauthenticationforDACrequiresWindowsServer2012domaincontrollersConfiguringUserAccountPolicies•LocalSecurityPolicyaccountsettings:•Configuredwithsecpol.msc•Applytolocaluseraccounts•GroupPolicyaccountsettings•ConfiguredwiththeGroupPolicyManagementconsole•ApplytoallaccountsinADDSandlocalaccountsoncomputersjoinedtothedomain•Canonlybeappliedonce,inDefaultDomainPolicy•TakeprecedenceoverLocalSecurityPolicysettingsWhatArePasswordSettingsObjects?•Youcanusefine-grainedpasswordpoliciestospecifymultiplepasswordpolicieswithinasingledomain•Fine-grainedpasswordpolicies:•Applyonlytouserobjects(orinetOrgPersonobjects)andglobalsecuritygroups•CannotbeappliedtoanOUdirectly•DonotinterferewithcustompasswordfiltersthatyoumightuseinthesamedomainConfiguringPSOs•WindowsServer2012providestwotoolsforconfiguringPSOs•WindowsPowerShellcmdlets•New-ADFineGrainedPasswordPolicy•Add-FineGrainedPasswordPolicySubject•ActiveDirectoryAdministrativeCenter•Graphicaluserinterface•UsesWindowsPowerShellcmdletstocreateandmanagePSOsDemonstration:ConfiguringPSOsInthisdemonstration,youwillseehowtocreateaPasswordSettingsObjectfortheITAdminsgroupDiscussion:PlanningPasswordPolicies•WoodgroveBank•Newaccountlockoutpolicy•TailspinToys•BestpracticesWhatpasswordpolicieswouldyourecommendfor…?Microsoft®OfficialCourseThanks!如有疑问请与我联系：10804072Microsoft®OfficialCourseModule3管理用户和服务帐户刘道军老师主讲如有疑问请与我联系：10804072Lesson2:ConfiguringManagedServiceAccounts•ServiceAccountOverview•ChallengesofUsingStandardUserAccountsforServices•ManagedServiceAccountandVirtualAccounts•WhatAreGroupManagedServiceAccounts?•Demonstration:ConfiguringGroupManagedServiceAccounts•KerberosDelegationandServicePrincipalNamesServiceAccountOverview•Applicationsneedresourceaccess•Cancreatedomainorlocalaccountstomanagesuchaccess,butcanpotentiallycompromisesecurity•UseServiceAccountsInstead•LocalSystem•Mostprivileged,stillvulnerableifcompromised•LocalService•Leastprivileged,maynothaveenoughpermissionstoaccessallrequiredresources•NetworkService•CanaccessnetworkresourceswithpropercredentialsChallengesofUsingStandardUserAccountsforServices•Challengestousingstandarduseraccountsforservicesinclude:•Extraadministrationefforttomanagetheserviceaccountpassword•Difficultyindeterminingwhereadomain-basedaccountisusedasaserviceaccount•ExtraadministrationefforttomangetheSPNManagedServiceAccountandVirtualAccounts•UsemanagedserviceaccountstoautomatepasswordandSPNmanagementforserviceaccountsusedbyservicesandapplications•RequiresaWindowsServer2008R2orWindowsServer2012serverinstalledwith:•.NETFramework3.5.x•ActiveDirectorymoduleforWindowsPowerShell•RecommendedtorunwithADDSconfiguredattheWindowsServer2008R2functionallevelorhigher•CanbeusedinaWindowsServer2003or2008ADDSenvironment:•WithWindowsServer2008R2schemaupdates•WithActiveDirectoryManagementGatewayServiceWhatAreGroupManagedServiceAccounts?•Groupmanagedserviceaccountsextendthecapabilityofstandardmanagedserviceaccountsby•Enablingmanagedserviceaccountstobeusedonmorethanonecomputerinthedomain•Storingmanagedserviceaccountsauthenticationinformationondomaincontrollers•Groupmanagedservicecccountsrequirements:•MusthaveatleastoneWindowsServer2012domaincontroller•MusthaveaKDSrootkeycreatedforthedomainDemonstration:ConfiguringGroupManagedServiceAccountsInthisdemonstration,youwillseehowto:•CreatetheKDSrootkeyforthedomain•CreateandassociateamanagedserviceaccountKerberosDelegationandServicePrincipalNames•Kerberosdelegationofauthentication•ServicescandelegateserviceticketsissuedtothembytheKDCtoanotherservice•Constraineddelegation•Allowsadministratorstodefinewhichservicescanuseserviceticketsissuedtootherservices•SPNshelpidentifyservicesuniquely•Windows2012allows•Constraineddelegationacrossdomains•AbilityofserviceadministratorstoconfigureconstraineddelegationLab:ManagingUserandServiceAccounts•Exercise1:ConfiguringPasswordPolicyandAccountLockoutSettings•Exercise2:CreatingandAssociatingaManagedServiceAccountLogonInformationVirtualmachines:20411D-LON-DC1UserName:Adatum\AdministratorPassword:Pa$$w0rdEstimatedTime:45minutesLabScenarioA.Datumisag