1 / 26

Guide to Microsoft Windows Server 2003 Command Line Administration

Guide to Microsoft Windows Server 2003 Command Line Administration . Chapter 6 User Administration and Data Security. Objectives. Create and delete user and group accounts Manage permissions for users Administer security and user authentication. User Accounts.

vina
Download Presentation

Guide to Microsoft Windows Server 2003 Command Line Administration

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Guide toMicrosoft Windows Server 2003Command Line Administration Chapter 6 User Administration and Data Security

  2. Objectives • Create and delete user and group accounts • Manage permissions for users • Administer security and user authentication Guide to Microsoft Windows Server 2003 Command Line Administration

  3. User Accounts • A user account is what a user uses to log in to a server - either locally or remotely • The server relies on a user account, which includes permissions and other user specifications, to determine whether a specific user may access certain data and the level of access granted • Users can access the data contained on a server in one of three ways: through a logged-in user account; through a user group; through data permissions • The level of data access is represented by permissions; read and full control are examples of permissions • User groups are used as containers to group user accounts that have similar access needs Guide to Microsoft Windows Server 2003 Command Line Administration

  4. Creating and Deleting User Accounts • User accounts on a Server 2003 server provide local logon and network access • Accounts are configured to both log on to the server locally and access its data remotely over the network • User accounts are created on a stand-alone XP or Server 2003 system using the NET USER command • NET USER <USERNAME> <PASSWORD> /ADD adds the USERNAME account and a PASSWORD for the account • The NET USER command is only used in script and batch files as an administrative time-saver • Generally, user and group administration is accomplished using the Computer Management GUI tool Guide to Microsoft Windows Server 2003 Command Line Administration

  5. Adding Users with a Batch File Guide to Microsoft Windows Server 2003 Command Line Administration

  6. Running useradd.bat Guide to Microsoft Windows Server 2003 Command Line Administration

  7. Modifying Default Account Behaviors • Default account behaviors are options applied to all new accounts and include password characteristics • The NET ACCOUNTS command can be used to modify the default behavior of every account that is created • Password characteristics: minimum length, minimum or maximum age, and unique limitation (passwords that must be mixed case and/or include symbols or numerals) • NET ACCOUNTS /MINPWLEN:<NUMBER> sets the minimum number of characters in a logon password • The three most frequently used options for NET ACCOUNTS are /MINPWLEN, /MAXPWAGE (sets a password to expire on a regular basis), and /UNIQUEPW (restricts how often a user can reuse a password) Guide to Microsoft Windows Server 2003 Command Line Administration

  8. Modifying Existing User Accounts • Modifying existing users accounts is done after an account has been created using NET USER • It is better to separate the account creation and enhancement process into distinct commands • From a scripting perspective, creating and modifying user accounts using separate commands is ideal because it allows for separate conformation and troubleshooting • NET USER<USERNAME> /EXPIRES:<MM/DD/YY> sets the existing account to expire on the specified date; the /PASSWORDCHG: YES/NO option allows users to change their password Guide to Microsoft Windows Server 2003 Command Line Administration

  9. Newly Added User Accounts Guide to Microsoft Windows Server 2003 Command Line Administration

  10. Allowing Users to Change Their Own Passwords and Requiring Passwords Guide to Microsoft Windows Server 2003 Command Line Administration

  11. Changing Default Account Properties Guide to Microsoft Windows Server 2003 Command Line Administration

  12. Changing a Password • Changing a user password is relatively simple to do from both the command window and Computer Management • From command window, use NET USER <USERNAME> <PASSWORD> to change an existing user’s password • Within Computer Management, right-click the user account and select the Set Password option • Never delete a user account once it has been established and used by a user; it is highly recommended to disable it • Disabling a user account maintains the account’s existence in the event that it is needed for data retrieval: NET USER <USERNAME> /ACTIVE:NO/YES disables an account Guide to Microsoft Windows Server 2003 Command Line Administration

  13. Account Properties for the henry Account Guide to Microsoft Windows Server 2003 Command Line Administration

  14. Creating and Modifying User Groups • Creating and modifying user groups is similar to managing user accounts • User groups contain user accounts and exist to avoid the need to assign individual accounts specific access; instead, similar user accounts can be assigned group membership, and access privileges can be assigned to the group • The NET LOCALGROUP command is used for managing groups; once a group is created, the users are added to it • NET LOCALGROUP <GROUPNAME> /ADD adds the specified group • NET LOCALGROUP <GROUPNAME> <USERNAME> /ADD adds the specified user to the specified group Guide to Microsoft Windows Server 2003 Command Line Administration

  15. Changing a Group and Adding Users Guide to Microsoft Windows Server 2003 Command Line Administration

  16. Updated User Membership Guide to Microsoft Windows Server 2003 Command Line Administration

  17. Updated Group Membership Guide to Microsoft Windows Server 2003 Command Line Administration

  18. Permissions • Every user on a system needs varying levels of access to certain data on the network • Some users need to modify data, some need to simply view data, others do not need to see certain data at all • Each file and folder that resides on an NTFS volume contains a list of users called an Access Control List (ACL) • The ACL specifies a user’s particular access permission • Permissions allow a user the following file or folder access levels: none/deny; read; write; change; full control • The CALCS command is used by administrators to view and manage permissions; CALCS <FILENAME> /G <USERNAME>:R|W|C|F grants the user access to the file or folder with the specified permission Guide to Microsoft Windows Server 2003 Command Line Administration

  19. Permissions Within Windows Explorer Guide to Microsoft Windows Server 2003 Command Line Administration

  20. Modifying Permissions Using CACLS Guide to Microsoft Windows Server 2003 Command Line Administration

  21. Stored Users and Passwords • System, server, and network security are major concerns for companies and computer users • Stored Users and Passwords is a Control Panel utility that became available with Windows XP and Server 2003 • With the functionality provided by Stored Users and Passwords, users can store data for remote sites that require usernames and passwords that are different than the system defaults on their computers, and associate them with a specific network or Internet resource • The command window equivalent of Stored Users and Passwords is CMDKEY; CMDKEY /ADD:<COMPUTER or DOMAIN NAME> /USER:<COMPUTER or DOMAIN NAME>\<USERNAME> /PASS:<PASSWORD> Guide to Microsoft Windows Server 2003 Command Line Administration

  22. Using Elevated Privileges without Logging Off • Administrators will be called upon to fix problems and perform maintenance on users’ computers; this is usually time-consuming because many administrative functions are not available on the standard user system • The solution for administrators is to use the RUNAS command; it runs an application with the privileges of a certain account, such as an administrator, without requiring the user being helped to log off and log back on • RUNAS /PROFILE /USER:<USERNAME> <PROGRAM> runs the specified program on behalf of the user and loads the user’s profile Guide to Microsoft Windows Server 2003 Command Line Administration

  23. Taking File Ownership • The owner of a file is usually the person who created the file, and that individual controls the file permissions • If the owner of a file is unavailable, and the file permissions must be changed, another person can take ownership of the file using the TAKEOWN command • TAKEOWN /F <FILENAME> takes ownership of the file • The ability to take ownership is not granted to everyone; only the members of the Administrators group, or those given Administrative authority can successfully run the TAKEOWN command Guide to Microsoft Windows Server 2003 Command Line Administration

  24. Chapter Summary • Frequently used commands for user and account management (including security) • The NET command is frequently a part of creating and managing user accounts, specifically through the use of NET USERS and NET LOCALGROUP commands • Users access data based on a list of permissions called an ACL, increasing security by allowing users the minimum amount of access required to view or modify files or folders Guide to Microsoft Windows Server 2003 Command Line Administration

  25. Chapter Summary (Cont.) • Stored Users and Passwords, a utility that allows a user to enter multiple user names and passwords to access remote Web and FTP sites • Using elevated privileges to run programs and commands as a different user account without logging in to the system as that user, which allows you to alter data permissions for files and folders that were not created by you Guide to Microsoft Windows Server 2003 Command Line Administration

  26. Command Summary Guide to Microsoft Windows Server 2003 Command Line Administration

More Related