Guide to Microsoft Windows Server 2003 Command Line Administration
Chapter 6: User Administration and Data Security
Objectives
• Create and delete user and group accounts
• Manage permissions for users
• Administer security and user authentication
User Accounts
• A user account is what a user uses to log in to a server, either locally or remotely
• The server relies on a user account, which includes permissions and other user specifications, to determine whether a specific user may access certain data and the level of access granted
• Users can access the data contained on a server in one of three ways: through a logged-in user account; through a user group; through data permissions
• The level of data access is represented by permissions; read and full control are examples of permissions
• User groups are used as containers to group user accounts that have similar access needs
Creating and Deleting User Accounts
• User accounts on a Server 2003 server provide local logon and network access
• Accounts are configured to both log on to the server locally and access its data remotely over the network
• User accounts are created on a stand-alone XP or Server 2003 system using the NET USER command
• NET USER <USERNAME> <PASSWORD> /ADD adds the USERNAME account and a PASSWORD for the account
• The NET USER command is only used in script and batch files as an administrative time-saver
• Generally, user and group administration is accomplished using the Computer Management GUI tool
[Figure: Adding Users with a Batch File]
[Figure: Running useradd.bat]
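The figures show a useradd.bat script but not its contents. The batch file below is an added example, not the book's script: it reads constructed "username,password" pairs from a file it writes itself, creates each local account with NET USER, and checks the error level so a rejected account (already existing, or a password that fails the NET ACCOUNTS policy) is reported rather than silently skipped. The account names and passwords are made up for illustration.

```batch
@echo off
rem useradd.bat (added example, not the textbook's script)
rem Creates one local account per "username,password" line in users.txt.
setlocal

rem Constructed sample input; a real run would ship this file separately
rem and keep it out of any world-readable location.
> users.txt (
    echo alice,Str0ng!Pass1
    echo bob,Str0ng!Pass2
)

rem tokens=1,2 with a comma delimiter: %%U = user name, %%V = password
for /f "usebackq tokens=1,2 delims=," %%U in ("users.txt") do (
    rem /PASSWORDCHG:YES lets the user replace the initial password.
    net user %%U %%V /ADD /PASSWORDCHG:YES /COMMENT:"Created by useradd.bat" >nul 2>&1
    rem "if errorlevel 1" is evaluated at run time, so it works inside the loop
    if errorlevel 1 (
        echo FAILED  %%U  ^(account exists or password rejected by policy^)
    ) else (
        echo created %%U
    )
)

rem The list holds plaintext passwords; remove it once the accounts exist.
del users.txt
endlocal
```

Run it from an elevated command prompt; NET USER /ADD requires membership in the local Administrators group. Because each account is created with its own command, a failure on one line does not stop the rest of the list.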
Modifying Default Account Behaviors
• Default account behaviors are options applied to all new accounts and include password characteristics
• The NET ACCOUNTS command can be used to modify the default behavior of every account that is created
• Password characteristics: minimum length, minimum or maximum age, and unique limitation (passwords that must be mixed case and/or include symbols or numerals)
• NET ACCOUNTS /MINPWLEN:<NUMBER> sets the minimum number of characters in a logon password
• The three most frequently used options for NET ACCOUNTS are /MINPWLEN, /MAXPWAGE (sets a password to expire on a regular basis), and /UNIQUEPW (restricts how often a user can reuse a password)
Modifying Existing User Accounts
• Modifying existing user accounts is done after an account has been created using NET USER
• It is better to separate the account creation and enhancement process into distinct commands
• From a scripting perspective, creating and modifying user accounts using separate commands is ideal because it allows for separate confirmation and troubleshooting
• NET USER <USERNAME> /EXPIRES:<MM/DD/YY> sets the existing account to expire on the specified date; the /PASSWORDCHG:YES|NO option controls whether users may change their own password
[Figure: Newly Added User Accounts]
[Figure: Allowing Users to Change Their Own Passwords and Requiring Passwords]
[Figure: Changing Default Account Properties]
Changing a Password
• Changing a user password is relatively simple to do from both the command window and Computer Management
• From the command window, use NET USER <USERNAME> <PASSWORD> to change an existing user's password
• Within Computer Management, right-click the user account and select the Set Password option
• Never delete a user account once it has been established and used by a user; it is highly recommended to disable it instead
• Disabling a user account maintains the account's existence in the event that it is needed for data retrieval: NET USER <USERNAME> /ACTIVE:NO disables an account, and /ACTIVE:YES re-enables it
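The three preceding slides (NET ACCOUNTS defaults, modifying an existing account, changing a password and disabling rather than deleting) form one account lifecycle. The script below is an added example, not from the book, that runs them in order against the henry account shown in the chapter's figures; the policy values, expiry date and replacement password are constructed. Each step is a separate command so that it can be confirmed on its own, as the slide recommends.

```batch
@echo off
rem Account policy plus lifecycle of one local account (added example).
rem "henry" comes from the chapter figures; all values below are constructed.

rem 1. Defaults applied to every account on this machine:
rem    8-character minimum, expire every 42 days, remember 5 old passwords.
net accounts /MINPWLEN:8 /MAXPWAGE:42 /UNIQUEPW:5

rem 2. Modify the existing account one property per command so each
rem    change can be checked separately: fixed expiry date (MM/DD/YY),
rem    and allow the user to change the password.
net user henry /EXPIRES:12/31/25
net user henry /PASSWORDCHG:YES

rem 3. Reset the password after a help-desk request. Constructed value;
rem    "net user henry *" prompts for it instead of placing it on the
rem    command line, which is preferable when typing interactively.
net user henry N3w-Passw0rd!

rem 4. Offboarding: disable, never delete. The account's SID and the ACL
rem    entries that reference it survive for later data retrieval.
net user henry /ACTIVE:NO

rem 5. Verify the end state: policy, then the relevant lines of the account.
net accounts
net user henry | findstr /C:"Account active" /C:"Account expires" /C:"Password changeable"
```

If step 3 fails, the new password is being rejected by the policy set in step 1; NET ACCOUNTS applies to password changes as well as to new accounts. Re-enabling later is `net user henry /ACTIVE:YES`, with the account's group memberships and permissions intact.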
[Figure: Account Properties for the henry Account]
Creating and Modifying User Groups
• Creating and modifying user groups is similar to managing user accounts
• User groups contain user accounts and exist to avoid the need to assign individual accounts specific access; instead, similar user accounts can be assigned group membership, and access privileges can be assigned to the group
• The NET LOCALGROUP command is used for managing groups; once a group is created, the users are added to it
• NET LOCALGROUP <GROUPNAME> /ADD adds the specified group
• NET LOCALGROUP <GROUPNAME> <USERNAME> /ADD adds the specified user to the specified group
[Figure: Changing a Group and Adding Users]
[Figure: Updated User Membership]
[Figure: Updated Group Membership]
Permissions
• Every user on a system needs varying levels of access to certain data on the network
• Some users need to modify data, some need to simply view data, others do not need to see certain data at all
• Each file and folder that resides on an NTFS volume carries a list of users and their access rights called an Access Control List (ACL)
• The ACL specifies a user's particular access permission
• Permissions allow a user the following file or folder access levels: none/deny; read; write; change; full control
• The CACLS command is used by administrators to view and manage permissions; CACLS <FILENAME> /G <USERNAME>:R|W|C|F grants the user access to the file or folder with the specified permission
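The group slide and the permissions slide together describe the standard pattern: put accounts into a group, then grant the group (not the individuals) rights on the data. The script below is an added example, not from the book; the group names, members and folder path are constructed. It also shows the one CACLS detail that causes the most damage in practice: /G without /E replaces the entire ACL with only the entries you list, which can remove Administrators' own access, whereas /E edits the existing ACL.

```batch
@echo off
rem Group-based access to a shared folder (added example; names constructed).
rem Run from an elevated command prompt.
setlocal
set "SHARE=C:\Data\Payroll"
if not exist "%SHARE%" mkdir "%SHARE%"

rem 1. Create the groups and populate them. Several users may be listed
rem    on one NET LOCALGROUP line.
net localgroup PayrollStaff /ADD /COMMENT:"May change payroll files"
net localgroup PayrollStaff alice bob /ADD
net localgroup PayrollAudit /ADD /COMMENT:"Read-only access to payroll files"
net localgroup PayrollAudit carol /ADD

rem 2. Grant rights to the groups. /E edits the ACL in place (without it
rem    CACLS replaces the whole ACL), /T applies to the tree below,
rem    /C continues past any access-denied error.
rem    C = change (read+write+delete), R = read, F = full control.
cacls "%SHARE%" /E /T /C /G PayrollStaff:C
cacls "%SHARE%" /E /T /C /G PayrollAudit:R
cacls "%SHARE%" /E /T /C /G Administrators:F

rem 3. A user who leaves the team is removed from the group; the folder ACL
rem    needs no change at all, which is the point of granting to groups.
net localgroup PayrollStaff bob /DELETE

rem 4. Verify: resulting ACL and group rosters for the change record.
cacls "%SHARE%"
net localgroup PayrollStaff
net localgroup PayrollAudit
endlocal
```

Before changing an ACL in bulk, run `cacls "%SHARE%"` on its own and keep the output; if a command is issued without /E by mistake, that listing is what you need to restore the previous entries. Note that the access levels named on the slide map to CACLS letters as R (read), W (write), C (change) and F (full control); "none/deny" is set with /D rather than /G.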
[Figure: Permissions Within Windows Explorer]
[Figure: Modifying Permissions Using CACLS]
Stored Users and Passwords
• System, server, and network security are major concerns for companies and computer users
• Stored Users and Passwords is a Control Panel utility that became available with Windows XP and Server 2003
• With the functionality provided by Stored Users and Passwords, users can store data for remote sites that require usernames and passwords that are different than the system defaults on their computers, and associate them with a specific network or Internet resource
• The command window equivalent of Stored Users and Passwords is CMDKEY: CMDKEY /ADD:<COMPUTER or DOMAIN NAME> /USER:<COMPUTER or DOMAIN NAME>\<USERNAME> /PASS:<PASSWORD>
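An added example of the CMDKEY lifecycle (store, use, audit, remove), not from the book; the server name FILESRV01, the CORP domain and the service account are constructed placeholders. The password is read with SET /P at run time so it is not written into the batch file, where it would otherwise be stored in plaintext alongside the target it unlocks.

```batch
@echo off
rem Stored credential lifecycle with CMDKEY (added example; names constructed).
setlocal

rem Read the password at run time instead of embedding it in this file.
rem (SET /P echoes what is typed; an empty answer aborts.)
set "PW="
set /p "PW=Password for CORP\svc_backup on FILESRV01: "
if "%PW%"=="" (echo no password given & exit /b 1)

rem 1. Store a credential that differs from the local logon, tied to one target.
cmdkey /add:FILESRV01 /user:CORP\svc_backup /pass:%PW%
set "PW="

rem 2. Windows now uses the stored credential whenever FILESRV01 is accessed.
dir \\FILESRV01\backups

rem 3. Audit: every entry listed here is a reusable secret on this machine,
rem    so review the list as part of routine checks.
cmdkey /list

rem 4. Remove the credential once the task is finished.
cmdkey /delete:FILESRV01
endlocal
```

The `dir` in step 2 will fail if the target name in the credential does not match the name used to reach the server (host name versus IP address, for example), because the credential is looked up by target name. `cmdkey /list` is also the quickest way to find credentials left behind by earlier sessions on a shared administrative workstation.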
Using Elevated Privileges without Logging Off
• Administrators will be called upon to fix problems and perform maintenance on users' computers; this is usually time-consuming because many administrative functions are not available on the standard user system
• The solution for administrators is to use the RUNAS command; it runs an application with the privileges of a certain account, such as an administrator, without requiring the user being helped to log off and log back on
• RUNAS /PROFILE /USER:<USERNAME> <PROGRAM> runs the specified program on behalf of the user and loads the user's profile
Taking File Ownership
• The owner of a file is usually the person who created the file, and that individual controls the file permissions
• If the owner of a file is unavailable, and the file permissions must be changed, another person can take ownership of the file using the TAKEOWN command
• TAKEOWN /F <FILENAME> takes ownership of the file
• The ability to take ownership is not granted to everyone; only the members of the Administrators group, or those given Administrative authority, can successfully run the TAKEOWN command
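RUNAS and TAKEOWN are normally used together: the administrator, sitting at a standard user's desktop, launches a script as the administrative account, takes ownership of a file whose owner has left, and then fixes its ACL. The script below is an added example, not from the book; the SERVER01\admin account, the file path and the user names are constructed. RUNAS always prompts for the password; it has no option to pass one on the command line.

```batch
@echo off
rem reclaim.bat - take ownership of a file and grant it to a new user
rem (added example; account names and paths are constructed).
rem Launched from the user's logged-on session without logging them off:
rem   runas /profile /user:SERVER01\admin "cmd /k C:\Admin\reclaim.bat C:\Data\report.xls alice"
if "%~2"=="" (
    echo usage: %~nx0 ^<file^> ^<new-user^>
    exit /b 1
)
set "FILE=%~1"
set "NEWUSER=%~2"

rem Before: record the current owner and ACL for the change log.
echo --- before ---
dir /Q "%FILE%"
cacls "%FILE%"

rem Take ownership. This needs the Administrators group (or the take
rem ownership privilege) and changes only the owner, not the ACL.
takeown /F "%FILE%" || (echo takeown failed: not running with administrative authority? & exit /b 1)

rem As the new owner we may edit the ACL: grant the user full control,
rem with /E so the existing entries are kept rather than replaced.
cacls "%FILE%" /E /G %NEWUSER%:F

rem After: confirm owner and ACL.
echo --- after ---
dir /Q "%FILE%"
cacls "%FILE%"
```

`dir /Q` prints the owner of each file, which makes it the simplest check that TAKEOWN actually changed something. Because the administrator's own account now owns the file, a further step (granting ownership or full control to the intended owner, as done here) is what restores the normal state in which the user, not the administrator, controls the file's permissions.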
Chapter Summary
• Frequently used commands for user and account management (including security)
• The NET command is frequently a part of creating and managing user accounts, specifically through the use of the NET USER and NET LOCALGROUP commands
• Users access data based on a list of permissions called an ACL, increasing security by allowing users the minimum amount of access required to view or modify files or folders
Chapter Summary (Cont.)
• Stored Users and Passwords, a utility that allows a user to enter multiple user names and passwords to access remote Web and FTP sites
• Using elevated privileges to run programs and commands as a different user account without logging in to the system as that user, which allows you to alter data permissions for files and folders that were not created by you
[Figure: Command Summary]