Managing User and Service Accounts Flashcards
Configuring Password Policy and User Account Configuring Managed Service Accounts
What are the Kerberos Policies?
- Enforce User Logon Restrictions
- Maximum Lifetime For Service Ticket
- Maximum Lifetime For User Ticket
- Maximum Lifetime For User Ticket Renewal
- Maximum Tolerance For Computer Clock Synchronization
What are Password Policies?
- Enforce Password History
- Maximum Password Age
- Minimum Password Age
- Minimum password length
- Password must meet complexity requirements
- Store passwords using reversible encryption
What are the Account Lockout Policies?
- Account lockout duration
- Account lockout threshold
- Reset account lockout counter after
What is the order that Group Policy is applied in?
L - Local
S - Site
D - Domain
OU - Organizational Unit
Where do Password Settings Objects live?
Where can this be viewed?
System -> Password Settings Objects
ADSI Edit
ADUC (Users and Computers)
ADAC (Administrative Center)
What can Password Settings Objects be applied to?
Users and Groups
Note: Not Organizational Units
New-ADFineGrainedPasswordPolicy
Please provide an example
Creates a new Active Directory Password Settings Object
ex. New-ADFineGrainedPasswordPolicy -Name "DomainUsersPSO" -Precedence 500 -ComplexityEnabled $true -Description "The Domain Users Password Policy" -DisplayName "Domain Users PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10
Get-ADFineGrainedPasswordPolicy
Gets one or more Active Directory Password Settings Object
Remove-ADFineGrainedPasswordPolicy
Removes an Active Directory Password Settings Object
Set-ADFineGrainedPasswordPolicy
Modifies an Active Directory Password Settings Object
Add-ADFineGrainedPasswordPolicySubject
Please provide an example
The Add-ADFineGrainedPasswordPolicySubject cmdlet applies a fine-grained password policy object to one or more global security groups and users.
Ex. Add-ADFineGrainedPasswordPolicySubject -Identity DomainUsersPSO -Subjects 'Domain Users'
How do PSOs determine which wins?
What's the exception to this rule?
Precedence. Lowest value is last to apply
Exception: if there is a mixture of group assignments and a direct assignment to the user, the direct assignment wins
When were Managed Service Accounts introduced?
When were Group Managed Service Accounts introduced?
- Windows Server 2012
- Windows Server 2012 R2
What is the difference between a Managed Service Account and a Group Managed Service Account?
Managed Service Account: 1 account per machine
Group Managed Service Account: allows 1 object to be created in AD to be used only by specific computers
What are the requirements for a Group Managed Service Account?
- Must have at least one Windows Server 2012 DC
- KDS Root Key created for Domain
PowerShell steps to create a gMSA
Service Account Name: Service01
Server: Server01
Domain: contoso
PowerShell steps to create a Group Managed Service Account
- Add-KdsRootKey
- (Just a note, not needed for the answer) Either effective immediately (Add-KdsRootKey -EffectiveImmediately) or at a specified time (Add-KdsRootKey -EffectiveTime "03/06/2013")
- New-ADServiceAccount -Name "Service01" -DNSHostName "Service01.contoso.com" -Enabled $True
- Add-ADComputerServiceAccount -Computer Server01 -ServiceAccount Service01
- Get-ADServiceAccount -Identity service01
ON THE SERVER IT WILL BE USED
- Install-ADServiceAccount -Identity 'service01'
What is a Virtual Account?
How do you use one for a service?
Virtual accounts are another type of service account. All Windows services use a virtual account by default.
To use a virtual account for a service, simply enter
NT SERVICE\ followed by the service name for the account name, and leave the password blank
How do you create a Managed Service Account?
- New-ADServiceAccount -Name <msa_name> -RestrictToSingleComputer -Enabled:$True
- Add-ADComputerServiceAccount -Identity <host_computer_name> -ServiceAccount <msa_name>
ON THE COMPUTER FOR WHICH IT WILL BE USED
- Install-ADServiceAccount -Identity <msa_name>
How do you get a list of SPNs (Service Principal Names)?
setspn -l <hostname>
If you see incorrect names for SPNs listed for a server, what should you do?
How would you do this?
Reset them
setspn -r <hostname>
When might you need to add an SPN?
How would you add an SPN?
setspn -s <service>/<FQDN> <hostname>
*FQDN = Fully Qualified Domain Name (e.g. server1.google.com)
How would you remove an SPN?
setspn -d <service>/<FQDN> <hostname>
How do you configure Kerberos Delegation?
- Open ADUC (Active Directory Users and Computers)
- Select the computer object, open the properties
- Select the delegation Tab
- Select the level of delegation
End of Answer
- Note: constraint levels
- Unconstrained = Trust this computer for delegation to any service (Kerberos only)
- Constrained = Trust this computer for delegation to specified services only
- What is unconstrained delegation?
- What is constrained delegation?
- Unconstrained delegation allows a server to act on behalf of a user for any service.
- Constrained delegation restricts a server to act on behalf of a user for only specific services.
What are the different ways you can delegate password settings management?
(Not Processes, just resource wise)
- Modify permissions at an OU level
- Modify permission on a PSO
- What are the different ways you can configure a lockout policy?
- (Not processes, just resources)
- What options can you set for all of them?
- Is this enabled by default?
1.
- Group Policy - default domain policy
- PSO - Password Settings Object
- Options
- Number of failed logon attempts
- Reset failed logon attempts count after (minutes) duration
- Account will be locked out
- For a duration of minutes
- or (if on a PSO this is available)
- until an administrator manually unlocks the account
- No