70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003
Chapter Six: Creating and Managing User and Computer Accounts
Objectives
• Explain the purpose of local user accounts, profiles, and logon procedures
• Create and manage local user and group accounts
• Manage local security profiles
• Manage local policies
• Work with Windows XP as a domain client
Guide to MCSE 70-270, 70-290
Working with Local User Accounts, Profiles and Logon Procedures
• User account: represents all the information that defines a user's access to the local computer or the network
  • Stored on the local computer or in Active Directory
• Local user account: stored in the local Security Accounts Manager (SAM) database
  • Managed with the Local Users and Groups snap-in
• Domain user account: exists in a domain because it was created on a domain controller, and is stored in Active Directory
  • Used to gain access to domain resources
• Both kinds of account give users a personalized desktop environment through profiles and policies
Windows Logon Methods
• A Windows system can be set up as:
  • Standalone system with automatic logon
  • Standalone system
  • Workgroup member
  • Domain client
  • Domain controller
• Automatic logon stores the account's password in the Registry under the Winlogon key (DefaultPassword), where anyone with access to the disk can read it, so it is suitable only for isolated kiosk-type systems
• Windows Welcome logon method: Windows XP Professional displays a list of user accounts
  • Click an icon and enter the password to log on
  • Supports Fast User Switching
  • The account names are shown to anyone at the console, which removes the need for an attacker to guess them
Windows Logon Methods (continued)
• Classic logon method: requires pressing Ctrl+Alt+Delete to open the Winlogon security dialog box
  • Ctrl+Alt+Delete is a secure attention sequence that ordinary programs cannot intercept, so a fake logon screen written to capture passwords cannot answer it
  • Used by default in Windows Server 2003
  • Fast User Switching not available
  • Logon mode is set to classic when a Windows XP system becomes a domain member
User Account Naming Conventions
• Naming convention: a standard process for creating names on a network or standalone system
• Should cover user accounts, computers, folders, network shares, printers, and servers
• Requirements:
  • Consistent across all objects
  • Easy to use and understand
  • New names should be easy to construct
  • An object's name should clearly identify the object's type
• A consistent scheme also makes account names predictable to outsiders, so account security has to rest on the password, lockout and audit settings, not on the name being secret
User Account Naming Conventions (continued)
Table 6-1: User naming convention guidelines
Managing Windows XP Local User and Group Accounts
• A local user account identifies a user to the local OS by a unique name and password
• Information about local user and group accounts is stored on the local computer in the SAM database
  • Exists on systems that are not domain controllers
  • Each computer in a workgroup maintains its own SAM database, so an account must be created separately on every computer the user needs to reach
• Domain controllers instead use the Active Directory domain database, a copy of which is replicated among all domain controllers
Default Local User and Group Accounts
• When Windows XP Professional is installed, two default user accounts are created: Administrator and Guest
• Several local group accounts are created as well
• Local user accounts:
  • Administrator account: unlimited access and unrestricted privileges to every aspect of Windows
  • Must be protected from misuse: it is the first account an attacker tries, so give it a strong password, rename it, and use it only when a task actually needs it
Default Local User and Group Accounts (continued)
• Local user accounts (continued):
  • Administrator account (continued):
    • Cannot be deleted
    • Cannot be locked out, so it is exposed to unlimited password guessing; a strong password is its only protection
    • Can be disabled
    • Can have a blank password (by default a local account with a blank password can then be used only at the console, not over the network; see the Security Options later in this chapter)
    • Can be renamed (the account keeps its well-known relative identifier 500, so a renamed Administrator can still be recognized by its SID)
    • Cannot be removed from the Administrators local group
  • Guest account: limited access to resources and computer activities
Default Local User and Group Accounts (continued)
• Local user accounts (continued):
  • Guest account (continued):
    • Member of the Guests group and of the Everyone special identity, so any permission granted to Everyone applies to it
    • Cannot be deleted
    • Can be locked out
    • Can be disabled (disabled by default; leave it disabled unless anonymous access to the computer is really wanted)
    • Can have a blank password (blank by default)
    • Can be renamed (recommended)
    • Can be removed from the Guests local group
Default Local User and Group Accounts (continued)
• Local group accounts: used to grant rights to the local OS
  • Everyone (a built-in special identity whose membership Windows computes automatically; it is not shown in Local Users and Groups and cannot be edited)
  • Administrators
  • Backup Operators (the backup and restore privileges let members read and write any file regardless of NTFS permissions)
  • Guests
  • Network Configuration Operators
  • Power Users (can install programs and change system-wide settings; treat it as close to Administrators, not as a limited account)
Default Local User and Group Accounts (continued)
• Local group accounts (continued):
  • Remote Desktop Users
  • Replicator
  • Users
  • HelpServicesGroup
Creating and Managing Local User Accounts
• Local user accounts can be created and managed:
  • With the User Accounts applet in Control Panel
  • Through the Local Users and Groups MMC snap-in
• User Accounts applet: its function differs depending on whether the system is part of a workgroup or a domain
  • Domain: its main purpose is to give domain user accounts access to the local computer by placing them in local groups (the guide calls these imported user accounts)
  • Workgroup: offers a user-friendly way to create, modify, or delete local user accounts
Figure 6-1: The User Accounts applet
Figure 6-3: Options for changing a user account
Figure 6-4: Changing the user logon method
Creating and Managing Local User Accounts (continued)
• Activity 6-1: Working with the User Accounts Applet
  • Objective: review the properties of a user account
• Local Users and Groups snap-in: used to create and manage local users and groups
  • Console tree has two nodes:
    • Users node: contains all local user accounts
    • Groups node: contains all local group accounts
  • Use the Profile tab to define the user profile path, logon script, and home folder
Figure 6-5: Displaying local user accounts
Figure 6-6: A user account's Properties dialog box
Figure 6-8: The Advanced option of the Select Groups dialog box
Creating and Managing Local User Accounts (continued)
• Activity 6-2: Creating a Local Account
  • Objective: create a new local user account with Local Users and Groups
• Activity 6-3: Creating a Local Group
  • Objective: create a local group by using Local Users and Groups
• Activity 6-4: Changing Built-in Group Membership for a Local Account
  • Objective: change the group membership of a local account using Local Users and Groups
Figure 6-9: The Profile tab
Figure 6-12: The Select Users dialog box
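The command-line equivalent of Activities 6-2 to 6-4, as an added example that is not part of the guide: net.exe creates the local account and local group that the Local Users and Groups snap-in would, and grants access through group membership. The account name jdoe, the group "Help Desk" and the comment text are assumptions; run it from an administrative command prompt on the workstation itself.

```batch
@echo off
rem Added example, not from the guide: create a local account and a local
rem group with net.exe and grant access through group membership.
rem The names jdoe, "Help Desk" and the comment text are assumptions.

rem 1. Create the user. The lone * makes net user prompt for the password so
rem    it is not left in a script file or in the command history.
rem    /passwordreq:yes refuses a blank password; /times limits the hours in
rem    which the account may log on.
net user jdoe * /add /fullname:"Jane Doe" /comment:"Help desk contractor" /passwordreq:yes /passwordchg:yes /times:M-F,08:00-18:00

rem 2. Create a local group for the role rather than handing out built-in
rem    group memberships one user at a time; NTFS and share permissions are
rem    then granted to the group.
net localgroup "Help Desk" /add /comment:"Help desk staff"
net localgroup "Help Desk" jdoe /add

rem 3. Built-in groups that carry user rights (Remote Desktop Users holds
rem    "Allow logon through Terminal Services") must be populated per user:
rem    local groups on a workstation cannot be nested inside each other.
net localgroup "Remote Desktop Users" jdoe /add

rem 4. Tighten the default accounts the guide describes: keep Guest disabled
rem    and give Administrator a real password. Renaming the built-in accounts
rem    is done in the Local Users and Groups snap-in or with a security template.
net user Guest /active:no
net user Administrator *

rem 5. Verify the account's flags and the memberships that actually applied.
net user jdoe
net localgroup "Remote Desktop Users"
```

Every name used above is visible in the same snap-in afterwards: the Users node shows jdoe with the logon hours and password flags, and the Groups node shows "Help Desk" and the Remote Desktop Users membership.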
Managing Local User Profiles
• User profile: collection of desktop and environmental configurations for a specific user or group of users
• By default, each Windows computer keeps a profile for every user who has logged on to it
  • Except for the Guest account, whose profile is discarded at logoff
• Folders and files in a user profile:
  • Application Data
  • Cookies
  • Desktop
  • Favorites
  • Local Settings
Managing Local User Profiles (continued)
• Folders and files in a user profile (continued):
  • My Documents
  • NetHood
  • PrintHood
  • My Recent Documents
  • SendTo
  • Start Menu
  • Templates
  • Ntuser.dat (the user's Registry hive, loaded as HKEY_CURRENT_USER at logon)
  • Ntuser.dat.log (transaction log for the hive)
  • Ntuser.ini (lists the profile folders excluded from roaming)
Managing Local User Profiles (continued)
• An administrator can force users to load a mandatory profile
  • Changes the user makes during a session are discarded; the settings defined by the mandatory profile are restored at the next logon
  • Created by manually renaming Ntuser.dat to Ntuser.man in the profile folder; the folder must also be read-only for the user, otherwise the user can simply edit the profile files
  • To change a mandatory profile later, either temporarily rename the profile's Registry file back to Ntuser.dat and log on with it, or load the hive file into Registry Editor (select HKEY_USERS, then File > Load Hive) and edit it directly
  • Editing HKEY_USERS\.DEFAULT does not change a mandatory profile: that key holds the settings used before anyone logs on, not a user's profile
Figure 6-13: The User Profiles dialog box
Managing Local User Profiles (continued)
• When a user who has no profile logs on, a profile is created by duplicating the Default User profile
• To modify the Default User profile:
  • Log on as a new user so that a copy of the existing default profile is created
  • Modify the default desktop environment
  • Log off to save the changes to the new user's profile folder, Documents and Settings\NewUserName
  • Log on as Administrator and copy the new user's profile folder over the Default User folder (System Properties > Advanced > User Profiles > Copy To, which also sets the permissions on the copied Registry hive for the accounts permitted to use it)
• All Users profile: created during installation
  • Initially empty; shortcuts and desktop items placed here appear for every user of the computer
Managing Local User Profiles (continued)
• Local profile: set of specifications and preferences for an individual user
  • Stored on the local machine
  • Two ways to create one:
    • The user logs on, arranges the environment as needed, and logs off
    • Assign a mandatory profile from an existing profile folder
• Roaming profile: used in domains so that a user gets the same desktop on any Windows XP member of the domain
  • The profile is stored on a network share named on the user account's Profile tab, copied to the workstation at logon and written back at logoff
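The mandatory-profile procedure from the slides above, scripted as an added example that is not part of the guide: the hive is edited with reg.exe by loading it under HKEY_USERS instead of renaming it back, then made mandatory and read-only and assigned to the account. The folder C:\Profiles\Mandatory, the temporary hive name HKU\MandTemp, the account jdoe and the settings written into the hive are assumptions; it assumes the template profile has already been copied into that folder with the User Profiles dialog (Copy To), because that dialog also rewrites the permissions inside the hive, which xcopy does not.

```batch
@echo off
rem Added example, not from the guide: finish a mandatory profile from a
rem profile folder already copied with the User Profiles dialog. The folder,
rem the hive name HKU\MandTemp, the user jdoe and the values set are assumptions.
rem Run from an administrative command prompt; nobody may be logged on with
rem the profile while its hive is loaded.
set PROFILE=C:\Profiles\Mandatory

rem 1. Edit the hive without renaming it: load it under HKEY_USERS, write the
rem    values, unload. Editing HKEY_USERS\.DEFAULT instead would change the
rem    pre-logon settings, not this profile.
reg load HKU\MandTemp "%PROFILE%\ntuser.dat"
rem    Disable AutoRun on every drive type for this user (0xFF = all types).
reg add "HKU\MandTemp\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
rem    Password-protected screen saver after 10 minutes of idle time.
reg add "HKU\MandTemp\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\system32\logon.scr" /f
reg add "HKU\MandTemp\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
reg add "HKU\MandTemp\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 1 /f
reg add "HKU\MandTemp\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600 /f
reg unload HKU\MandTemp

rem 2. Make the profile mandatory: rename the hive, then replace the folder
rem    ACL so the user can read but never write the master copy (Windows
rem    works from a local copy at logon, so the user still gets a desktop).
ren "%PROFILE%\ntuser.dat" ntuser.man
echo y| cacls "%PROFILE%" /T /G Administrators:F SYSTEM:F jdoe:R

rem 3. Point the account at the profile (the Profile tab's "Profile path").
rem    On a domain the path would be a UNC path to a share on a server.
net user jdoe /profilepath:"%PROFILE%"

rem 4. Check: the hive must be Ntuser.man and jdoe must hold only Read.
dir "%PROFILE%\ntuser.*"
cacls "%PROFILE%\ntuser.man"
```

To change the profile later, repeat step 1 against ntuser.man (reg load accepts the file under either name); the rename in step 2 is then not needed.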
Managing Local Security Policies
• Security policies let administrators change the system's security configuration settings, which are stored in the local Windows Registry
• The Registry is a hierarchical database of information about the system's software, hardware, and user configuration
• Local Security Policy tool (secpol.msc): used to edit local policy settings on systems that are not domain controllers
  • Settings are applied to the Registry during computer startup or when a user logs on
  • On a domain member, any setting also defined in a domain Group Policy overrides the local value
Account Policies
• Improve local user account security
• Password Policy: defines password restrictions
  • Enforce strong passwords
  • Default settings in the Password Policy node (Windows XP Professional):
    • Enforce password history: 0 passwords remembered
    • Maximum password age: 42 days
    • Minimum password age: 0 days
    • Minimum password length: 0 characters
    • Password must meet complexity requirements: Disabled
    • Store password using reversible encryption for all users in the domain: Disabled
  • With a minimum length of 0 and complexity disabled, the defaults accept blank passwords; with a minimum age of 0 a user can cycle through the whole history in one sitting and return to an old password
Account Policies (continued)
• Account Lockout Policy: defines when repeated failed logon attempts lock an account and for how long
  • Default settings for the Account Lockout Policy items:
    • Account lockout threshold: 0 invalid logon attempts (accounts are never locked out)
    • Account lockout duration: Not applicable (defaults to 30 minutes once a lockout threshold is defined)
    • Reset account lockout counter after: Not applicable (defaults to 30 minutes once a lockout threshold is defined)
  • A lockout threshold stops online password guessing, but it also lets anyone who can reach the logon prompt or the network lock accounts deliberately; the built-in Administrator account is exempt
• Activity 6-5: Setting Account Policies
  • Objective: set account policies by using the Local Security Policy tool
Local Policies
• Control the logon process, audit access to computer resources, and grant specialized rights to groups and individual user accounts
• Audit Policy: defines which events are recorded in the Security log of Event Viewer
  • Default settings for the Audit Policy items (nothing is written to the Security log until a category is turned on):
    • Audit account logon events: No auditing
    • Audit account management: No auditing
    • Audit directory service access: No auditing
    • Audit object access: No auditing
    • Audit policy change: No auditing
Local Policies (continued)
• Audit Policy (continued):
  • Default settings for the Audit Policy items (continued):
    • Audit privilege use: No auditing
    • Audit process tracking: No auditing
    • Audit system events: No auditing
  • Audit object access only produces events for files, folders and Registry keys whose own auditing entries (SACL) request them; turning on the category alone records nothing
• User rights assignment: defines which groups or users can perform specific privileged actions
  • Default groups and users for user rights:
    • Access this computer from the network: Everyone, Users, Power Users, Backup Operators, Administrators
Local Policies (continued)
• User rights assignment (continued):
  • Default groups and users for user rights (continued):
    • Add workstations to domain: None (meaningful only on a domain controller)
    • Allow logon through Terminal Services: Administrators, Remote Desktop Users
    • Back up files and directories: Backup Operators, Administrators
    • Change the system time: Power Users, Administrators
    • Create a pagefile: Administrators
    • Debug programs: Administrators (lets the holder attach to and control any process, including those running as SYSTEM, so it amounts to full control of the computer)
Local Policies (continued)
• User rights assignment (continued):
  • Default groups and users for user rights (continued):
    • Deny access to this computer from the network: Guest and SUPPORT accounts
    • Deny logon locally: Guest and SUPPORT accounts
    • Deny logon through Terminal Services: None
    • Force shutdown from a remote system: Administrators
    • Generate security audits: Local Service, Network Service
    • Increase scheduling priority: Administrators
    • Load and unload device drivers: Administrators (a loaded driver runs in kernel mode, so this right also amounts to full control)
  • A Deny right takes precedence over the matching Allow right when an account holds both
Local Policies (continued)
• User rights assignment (continued):
  • Default groups and users for user rights (continued):
    • Log on as a service: Network Service
    • Log on locally: Guest account, Users, Power Users, Backup Operators, Administrators
    • Manage auditing and security log: Administrators
    • Perform volume maintenance tasks: Administrators
    • Profile single process: Power Users, Administrators
    • Profile system performance: Administrators
    • Remove computer from docking station: Users, Power Users, Administrators
Local Policies (continued)
• User rights assignment (continued):
  • Default groups and users for user rights (continued):
    • Restore files and directories: Backup Operators, Administrators (restoring bypasses NTFS permissions on write, so a member of Backup Operators can replace system files)
    • Shut down the system: Users, Power Users, Backup Operators, Administrators
    • Take ownership of files or other objects: Administrators
• Activity 6-6: Setting User Rights
  • Objective: change the user rights assignment by using the Local Security Policy tool
Local Policies (continued)
• Security options: define and control security features stored in the Windows Registry
• Security options and their default settings:
  • Accounts: Administrator account status: Not applicable
  • Accounts: Guest account status: Not applicable
  • Accounts: Limit local account use of blank passwords to console logon only: Enabled (a local account with a blank password is refused for network and Terminal Services logons)
  • Accounts: Rename administrator account: Administrator
  • Accounts: Rename guest account: Guest
Local Policies (continued)
• Security options (continued):
  • Security options and their default settings (continued):
    • Audit: Audit the access of global system objects: Disabled
    • Audit: Audit the use of Backup and Restore privilege: Disabled
    • Audit: Shut down system immediately if unable to log security audits: Disabled
    • Devices: Allow undock without having to log on: Enabled
    • Devices: Allowed to format and eject removable media: Administrators
Local Policies (continued)
• Security options (continued):
  • Security options and their default settings (continued):
    • Devices: Prevent users from installing printer drivers: Disabled
    • Devices: Restrict CD-ROM access to locally logged-on user only: Disabled
    • Devices: Restrict floppy access to locally logged-on user only: Disabled
    • Devices: Unsigned driver installation behavior: Warn but allow installation
    • Interactive logon: Do not display last user name: Disabled (the last account name is shown on the logon screen, giving anyone at the console half of the credential)
Local Policies (continued)
• Security options (continued):
  • Security options and their default settings (continued):
    • Interactive logon: Do not require CTRL+ALT+DEL: Not defined
    • Interactive logon: Message text for users attempting to log on: blank
    • Interactive logon: Message title for users attempting to log on: Not defined
    • Interactive logon: Number of previous logons to cache (in case domain controller is not available): 10 logons (cached domain credentials are kept on the local disk as password verifiers that anyone with administrative or offline access to the machine can extract and attack; a laptop needs at least 1, a desktop that is always on the network can use 0)
    • Interactive logon: Prompt user to change password before expiration: 14 days
Local Policies (continued)
• Security options (continued):
  • Security options and their default settings (continued):
    • Interactive logon: Require Domain Controller authentication to unlock workstation: Disabled (the workstation is unlocked against the cached credentials)
    • Shutdown: Allow system to be shut down without having to log on: Enabled
    • Shutdown: Clear virtual memory pagefile: Disabled (memory paged to disk, including secrets held by running programs, remains readable from the pagefile after shutdown)
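The Account Policies, Audit Policy, User Rights Assignment and Security Options slides above describe settings that secedit can apply from a security template in one step; the following is an added example, not code from the guide, that writes such a template and applies it. It pairs the XP Professional default quoted on the slides with the value applied, refers to groups by SID so that renamed or localized group names do not matter, and uses file names under %TEMP%, the database name hardening.sdb and the account names LocalAdm and NoGuest as assumptions.

```batch
@echo off
rem Added example, not from the guide: apply this section's settings as a
rem security template with secedit. File names, hardening.sdb and the new
rem account names LocalAdm/NoGuest are assumptions. Run from an administrative
rem command prompt on Windows XP Professional or Windows Server 2003.
setlocal
set INF=%TEMP%\hardening.inf
set SDB=%windir%\security\database\hardening.sdb

rem 1. Export the current settings first so the change can be reviewed and rolled back.
secedit /export /cfg "%TEMP%\before.inf" /log "%TEMP%\before.log" /quiet

rem 2. Write the template. SIDs: S-1-5-32-544 Administrators, S-1-5-32-545 Users,
rem    S-1-5-32-546 Guests, S-1-5-32-551 Backup Operators.
(
echo [Version]
echo signature="$CHICAGO$"
echo Revision=1
echo [System Access]
rem Password Policy defaults: history 0, max age 42, min age 0, length 0, complexity off
echo PasswordHistorySize = 24
echo MaximumPasswordAge = 42
echo MinimumPasswordAge = 1
echo MinimumPasswordLength = 8
echo PasswordComplexity = 1
echo ClearTextPassword = 0
rem Account Lockout Policy default: threshold 0, accounts never lock
echo LockoutBadCount = 5
echo LockoutDuration = 30
echo ResetLockoutCount = 30
rem Security Options: rename the built-in accounts and keep Guest disabled
echo NewAdministratorName = "LocalAdm"
echo NewGuestName = "NoGuest"
echo EnableGuestAccount = 0
echo [Event Audit]
rem Audit Policy default is 0 = No auditing for every category; 1 success, 2 failure, 3 both
echo AuditAccountLogon = 3
echo AuditLogonEvents = 3
echo AuditAccountManage = 3
echo AuditPolicyChange = 3
echo AuditPrivilegeUse = 2
echo AuditSystemEvents = 3
echo AuditObjectAccess = 2
echo AuditProcessTracking = 0
echo AuditDSAccess = 0
echo [Privilege Rights]
rem Access this computer from the network: default Everyone, Users, Power Users, Backup Operators, Administrators
echo SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
rem Deny access to this computer from the network: default Guest and SUPPORT accounts only
echo SeDenyNetworkLogonRight = *S-1-5-32-546
rem Log on locally: default Guest, Users, Power Users, Backup Operators, Administrators
echo SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
echo [Registry Values]
rem Security Options kept as Registry values: 4 = REG_DWORD, 1 = REG_SZ
rem Do not display last user name: default Disabled
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
rem Do not require CTRL+ALT+DEL: require the secure attention sequence
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
rem Number of previous logons to cache: default 10
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"2"
rem Limit local account use of blank passwords to console logon only: keep Enabled
echo MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
rem Allow system to be shut down without having to log on: default Enabled
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
rem Clear virtual memory pagefile: default Disabled
echo MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
) > "%INF%"

rem 3. Import the template into a fresh database and apply it.
secedit /configure /db "%SDB%" /cfg "%INF%" /overwrite /log "%TEMP%\hardening.log" /quiet

rem 4. Compare the running system with the template; every mismatch is listed in the log.
secedit /analyze /db "%SDB%" /cfg "%INF%" /log "%TEMP%\analyze.log" /quiet
type "%TEMP%\analyze.log"
endlocal
```

The before.inf export from step 1 is the rollback: applying it with the same secedit /configure command restores the defaults. On a domain member the analysis in step 4 will keep reporting mismatches for any of these settings that a domain Group Policy defines differently, because the domain value wins at the next policy refresh.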
Working with Windows XP as a Domain Client
• Domain-based networking offers centralized control of user accounts and security settings
• Lets administrators provide a single domain-based user account with rights to access resources throughout the Active Directory forest
• Adding an XP system as a domain client:
  • Use the Computer Name tab in the System Properties dialog box
  • The required computer account can be created in two ways:
    • Generated from the XP Professional client when it joins (by default any authenticated domain user holds the "Add workstations to domain" right and may join up to ten computers this way)
    • Beforehand, through Active Directory Users and Computers on a domain controller
Figure 6-15: The Computer Name tab
Working with Windows XP as a Domain Client (continued)
• Activity 6-7: Joining a Domain: Method 1
  • Objective: add an XP Professional client to Active Directory by creating the computer account from the client
• Activity 6-8: Joining a Domain: Method 2
  • Objective: add a Windows XP Professional system to a domain by creating the computer account on a domain controller first
• Managing a domain client:
  • The domain enforces control over its clients with Group Policy Objects (GPOs), whose settings override the client's local policy
The User Accounts Applet for a Domain Member
• After the client is added to the domain, the User Accounts applet changes to provide domain-based functions
  • Users and Advanced tabs
• Imported user account: the guide's term for a user account from another computer or the domain that is given access to this system; the applet adds the existing account to a local group rather than creating a new local account
  • Allows outside users to access resources on the system
  • Access levels: Standard (Power Users group), Restricted (Users group), or Other (a group you choose)
  • Through this applet an imported account can be a member of only one local group
Figure 6-17: The User Accounts applet for a domain client
Figure 6-19: Advanced options for user accounts
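Activity 6-8 and the domain-mode User Accounts applet, as an added example that is not part of the guide: the computer account is created on a domain controller with dsadd, the client is joined with netdom and the secure channel checked with nltest, and a domain user is then given the same local access the applet's Restricted level grants. netdom and nltest come from the Windows Support Tools and dsadd from Windows Server 2003; the domain corp.example.com, the Workstations OU, the computer name WS01, the administrative account corp\jadmin and the user corp\jdoe are assumptions.

```batch
@echo off
rem Added example, not from the guide: join an XP Professional client to a
rem domain with a pre-created computer account, then grant a domain user
rem local access. Domain, OU, computer and account names are assumptions.

rem --- Part 1, run on a domain controller (Method 2: create the account first).
rem Pre-creating the object in a dedicated OU puts it under the workstation
rem GPOs from the first logon instead of the default Computers container.
dsadd computer "CN=WS01,OU=Workstations,DC=corp,DC=example,DC=com" -desc "Help desk workstation"

rem --- Part 2, run on the client, which must already be named WS01.
rem The same administrative account that created the object performs the
rem join; /PasswordD:* prompts for its password rather than storing it here.
rem /Reboot restarts the machine after 30 seconds, which the join requires.
netdom join WS01 /Domain:corp.example.com /UserD:corp\jadmin /PasswordD:* /Reboot:30

rem --- Part 3, run on the client after the reboot: verify the secure channel
rem to a domain controller, then grant access the way the User Accounts
rem applet does. Restricted user = local Users group; Standard user = Power
rem Users, which can install software and should be avoided for ordinary users.
nltest /sc_query:CORP
net localgroup Users CORP\jdoe /add
net localgroup "Remote Desktop Users" CORP\jdoe /add

rem --- Check: the domain account appears as a member of both local groups.
net localgroup Users
net localgroup "Remote Desktop Users"
```

No local user named jdoe exists on WS01 afterwards; the SAM holds only the group memberships, keyed by the domain account's SID, which is why removing the account in the domain removes its access on every workstation at once.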