Windows XP Users, Groups, Profiles and Policies 70-270: MCSE Guide to Microsoft Windows XP Professional
Windows XP Professional User Accounts • Designed for use as a network client for: • Windows NT • Windows 2000 • Windows Server 2003 • Member of a workgroup • Standalone operating system when more than one user is using the computer • Home or business environment
Types of Windows XP Professional User Accounts • Local user account • Exists on a single computer • Can provide access to resources if the user is a member in a workgroup • No domain access • Domain user account • Created on a domain controller using "Active Directory" and exists throughout the domain • Available on any domain member computer
User Account Details • Uniquely identified to the system by user account name and password • Provides secure access to authorized users • Preferences are environmental settings that are stored in a profile • Desktop, Favorites, My Documents, Start Menu, Internet files and Cookies, etc.
Accounts Interaction with an XP Professional System (Page 1) • Standalone system, automatic logon: • All users access local resources through a "common user account" that automatically logs in when the computer starts • Standalone system: • Each user logs into the system with access to "their own" local resources
Accounts Interaction with an XP Professional System (Page 2) • Workgroup member: • Users log in to an account to access both local and shared resources • Domain network client: • Users log in to the system with a unique domain user account to gain access to local and domain resources
Supporting More Than One User • Multiple-user systems—support more than one user on the same machine, either on a single computer or in a domain • Implemented through: • Groups • Resources • Policies • Profiles
Groups • Named collections of user accounts • One user account may be a member of more than one group • Members of a group receive the access rights and restrictions for that group • Local groups are created using Windows XP Professional and provide privileges at the machine level
Resources • Useful objects including printers, shared directories, software applications, etc. • Limited to a single user, group or all users on a machine or within a network
Policies • A set of configuration options for a user, computer or group: • Define password restrictions, i.e. • Is the user required to change their password at prescribed intervals? • Account lockouts, i.e. • What happens if a user enters an incorrect login several times in sequence? • User rights • Event auditing
Profiles • User environmental settings including Desktop, Favorites, My Documents, Start Menu, etc. • A local profile exists on the local computer • A domain profile follows a user no matter which computer he/she logs on to in the domain
Types of Logon • Two types: • Windows Welcome Logon Method • Classic Logon Method • The logon type is changed in the "User Accounts" applet in Control Panel • Logon authentication has two purposes: • Maintain security • Track computer usage
Windows Welcome Logon Method (Page 1) • Completely new logon method designed for use on standalone or workgroup member systems • Not available when the Windows XP client is a member of a domain • Displayed as a list of user accounts, each with its own icon which the user clicks • For accounts with a password, the user is prompted for it before access is granted
Windows Welcome Logon Method (Page 2) • To turn the Welcome screen on or off: • Open User Accounts in Control Panel • Click the Change the way users log on or off command • Do one of the following: • To have users log on to the computer using the Welcome screen, select the Use the Welcome screen check box • To have users log on to the computer using the "Windows Classic Logon" dialog, clear the Use the Welcome screen check box
Windows Welcome Logon Method (Page 3) • Fast User Switching: • Allows switching from one user to another without logging off (not in a domain and only for Welcome Screen logon) • Also updated in "User Accounts" from Change the way users log on or off • From "Start" menu, select the Log Off… command; then in the "Logoff Windows" dialog click the <Switch User> button • When switching back, environment and all programs that were active are restored
Activity • Turn on Fast User Switching in the "User Accounts" applet • Activate the Guest account and then practice switching between it and your user account
Classic Logon Method • Press the <Ctrl>+<Alt>+<Delete> key combination to access the "WinLogon" security dialog box • Required for domain member systems • Selected automatically when a Windows XP system becomes part of a domain • No user switching available • Must log off computer to make it available to the next user
Activity • In the "User Accounts" applet change between the "Windows Welcome" and "Classic" logon methods • Try logging on using each
Logging On to Windows XP • When Windows XP Professional is first installed, two accounts are automatically created • Administrator • Guest
Administrator (Page 1) • Most powerful user account possible • Unlimited access and unrestricted privileges to manage users, groups, O/S environment, printers, shares, storage devices, etc. • Must be protected from misuse • Complicated password should be used • Account should be renamed
Administrator (Page 2) • The original Administrator account: • Cannot be deleted • Cannot be locked out (occurs when a user attempts to log on unsuccessfully) • Can be disabled (only performed manually by another administrator account) • Can have a blank password (not recommended) • Can be renamed (recommended) • Cannot be removed from the Administrators local group
Guest (Page 1) • One of the least privileged user accounts • Limited access to resources and computer activities • Account should be renamed • Member of the "Everyone" group • Recommended to leave account disabled since by default all new objects and shares give full control for group "Everyone"
Guest (Page 2) • The original Guest account: • Cannot be deleted • Can be locked out • Can be disabled (disabled by default) • Can have a blank password (blank by default) • Can be renamed (recommended) • Can be removed from the Guests local group
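The Administrator and Guest recommendations above (rename both, keep Guest disabled, avoid blank passwords) can be checked from account data. This is an added example, not part of the original slides: it assumes the output of `wmic useraccount get Name,SID,Disabled,PasswordRequired /format:csv` has been saved as text, the sample rows are constructed, and `audit_accounts` is a hypothetical helper name.

```python
import csv
import io

# Constructed sample of the wmic CSV output described in the lead-in
# (machine name, account names and SIDs are made up for illustration).
SAMPLE_WMIC_CSV = """\
Node,Disabled,Name,PasswordRequired,SID
XPCLIENT,FALSE,Administrator,TRUE,S-1-5-21-1111111111-2222222222-3333333333-500
XPCLIENT,FALSE,Guest,FALSE,S-1-5-21-1111111111-2222222222-3333333333-501
XPCLIENT,FALSE,BobTemp,TRUE,S-1-5-21-1111111111-2222222222-3333333333-1004
XPCLIENT,FALSE,kiosk,FALSE,S-1-5-21-1111111111-2222222222-3333333333-1005
"""

# Well-known relative IDs: the built-in accounts keep these even after a rename,
# so they are identified by SID suffix rather than by name.
RID_ADMINISTRATOR = "500"
RID_GUEST = "501"


def audit_accounts(wmic_csv):
    """Return (account, finding) tuples for deviations from the slides' advice."""
    findings = []
    # wmic pads its output with blank lines; drop them before parsing.
    lines = [ln for ln in wmic_csv.splitlines() if ln.strip()]
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        name = row["Name"]
        rid = row["SID"].rsplit("-", 1)[-1]
        disabled = row["Disabled"].upper() == "TRUE"
        pw_required = row["PasswordRequired"].upper() == "TRUE"

        if rid == RID_ADMINISTRATOR and name.lower() == "administrator":
            findings.append((name, "built-in Administrator not renamed"))
        if rid == RID_GUEST:
            if name.lower() == "guest":
                findings.append((name, "built-in Guest not renamed"))
            if not disabled:
                findings.append((name, "built-in Guest is enabled"))
        # An enabled account that is allowed to have a blank password.
        if not disabled and not pw_required:
            findings.append((name, "blank password permitted"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_WMIC_CSV):
        print(f"{account}: {finding}")
```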
Naming Conventions (Page 1) • A predetermined process should be used for creating names on either a network or a standalone system • A convention is an accepted practice within an organization or even industry-wide • Important since networks usually tend to grow very quickly
Naming Conventions (Page 2) • Should incorporate schemes for naming: • User accounts • Computers • Directories • Network shares • Printers • Servers
Naming Conventions (Page 3) • Two common conventions: • User name employs first and last name, and a code indicating user's department • Group name represents the organization of the firm: department, location, project name, and/or combination of the above
Naming Conventions (Page 4) • Needs to be: • Consistent • Easy to use and understand • Easy to create new names using the convention (variations are predetermined) • Clearly identify the object's type
Managing Local User Accounts • Two types of local accounts: • Accounts created from scratch locally • Local representations of domain/network user accounts • User Accounts applet • Used to create local representation (only for a domain client) • In a standalone system, applet becomes a task wizard with easy-to-follow tasks
User Accounts Applet in a Domain • Users tab • Lists active users • Add New User wizard to add users • Advanced tab • Access to • Password and passport management • Advanced user management • Secure logon settings
[Screenshots: User Accounts applet, Add a User in a Domain (finding the user in the domain); User Accounts applet, Properties in a Domain]
Activity • Create a new user account named Jan Walters using the "User Accounts" applet • Limited privileges • No password
Local Users and Groups Console • Found in "Computer Management" applet of Administrative Tools • Console tree nodes (in left frame) are Users and Groups • The list frame (on the right) shows the names of the user and/or group accounts • "Local Users and Groups" MMC snap-in also can be used to create and manage user accounts and groups
Users Node (Page 1) • Creating a new user account: • Select the Users node within the Local Users and Groups node • With no user selected, click Action → New User… from the menu bar • Or right-click on any white space in the list (right) frame and select New User… • Fill in the form and click the <Create> button
Users Node (Page 2) • Select any user account and click Action from menu bar (or right-click any user account name) to: • Set (reset) password • Delete user account • Rename user account • View user account properties • Help
Users Node (Page 3) • The Properties window for user accounts has three tabs: • General – update Full Name and Description, modify password properties, enable/disable the account, and manage locked out accounts • Member Of – list of group memberships with <Add…> and <Remove> buttons
Users Node (Page 4) • The Properties (cont.): • Profile – defines: • Alternate location for the user's profile • By default stored in "c:\Documents and Settings\username" • Name of an optional logon script that executes after successful login • Alternate home directory, either a local folder or mapped network drive • By default "c:\Documents and Settings\username\My Documents"
Activity • Create an MMC console with the "Local Users and Groups" snap-in • Save it on the Desktop as filename "Local Users and Groups.msc"
Activity 5-4 • Create a local account with the "Local Users and Groups" MMC console snap-in • Username – BobTemp • Full Name – Bob Smith • Description – A temporary account for Bob • Password – provide and confirm • User must change password at next logon – deselected
Activity 5-5 • Add the BobTemp account to the Power Users group from "User Accounts" • Found on the Member Of tab of Properties • Requires clicking the <Advanced> button, then the <Find Now> button