
Managing User, Computer and Group Accounts


Presentation Transcript


  1. Managing User, Computer and Group Accounts Lecture 5

  2. Computer Accounts • To access a Windows 2008 domain, a computer needs an account • Joining a domain creates a computer account object in AD • Each computer account has a SID (other security principals, such as users and groups, have SIDs as well)

  3. User Accounts • To access a Windows 2008 network, a user needs an account • The account determines 3 factors: when a user may log on; where within the domain/workgroup the user may log on; what privilege level the user is assigned

  4. User Accounts • Each account has a SID that serves as its security credential • Any object trying to access a resource must do so through a user account • Windows 2008 has 2 types of accounts: local and domain

  5. Interactive Logon Process • Interactive Logon – the process of verifying a user’s credentials for logon to a Win2008 computer • Local account – checked against the local user account database • Domain account – the user’s credentials are verified at a DC using an encrypted exchange, and after successful authentication a logon key/logon token is granted for the session

  6. Network Authentication Process • The process of verifying a user’s credentials to allow access to network resources • When a user attempts to access a resource, the user’s credentials and session key/token are compared against the resource’s ACL to grant or deny access

  7. Local Accounts • Supported on all Windows 2000, 2003 and 2008 systems except DCs (on member servers participating in domains and on standalone systems participating in workgroups) • Maintained on the local system, not distributed to other systems • A local user account authenticates the user for local machine access only; access to resources on other computers is not supported • Built-in local accounts: Guest; Administrator

  8. Domain User Accounts • Permit access throughout a domain and provide centralized user administration through AD • Created within a domain container in the AD database and propagated to all other DCs • Once authenticated against the AD database (using the GC), a user obtains an access token for the logon session, which determines permissions to all resources in the domain

  9. Creating User Accounts • Domain account names must be unique within the domain, although the same logon name can be used on several systems with local logon. • Logon names are not case sensitive, must not contain more than 20 chars, and must not contain: + * ? < > / \ [ ] : ; • Passwords are case sensitive and must be secure – not easy to guess
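As an added illustration (not part of the lecture), a small Python check that applies the logon-name rules from slide 9 to candidate names; the list of existing names it compares against is constructed, and in a real domain uniqueness is enforced by the domain controller.

```python
# Added example: validate a logon name against the rules on slide 9.
# Windows itself rejects a few more characters in sAMAccountName (such as
# double quote, pipe, equals and comma); this check uses the slide's list.
LOGON_MAX_LEN = 20
FORBIDDEN = set('+*?<>/\\[]:;')  # characters listed on the slide


def check_logon_name(name, existing_names=()):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if not name or not name.strip():
        problems.append("empty")
    if len(name) > LOGON_MAX_LEN:
        problems.append("longer than %d characters" % LOGON_MAX_LEN)
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    # Logon names are not case sensitive, so uniqueness is compared case-folded.
    if name.casefold() in {n.casefold() for n in existing_names}:
        problems.append("already in use in this domain")
    return problems


if __name__ == "__main__":
    # Constructed sample of names already present in the domain.
    existing = ["JSmith", "admin.backup"]
    for candidate in ("jsmith", "j:smith", "a_very_long_logon_name_2008", "mjones"):
        print(candidate, check_logon_name(candidate, existing) or "ok")
```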

  10. Copying, Moving, Disabling and Renaming User Accounts • Renaming an account doesn’t affect any of the user account properties, except the name. • Accounts can be moved from one container to another • Disabled accounts can’t be used to log on • When an account is copied, most properties are copied, except the username, full name, password, logon hours, address/phone info, organization info, the Account is disabled option, and user rights and permissions.

  11. Deleting User and Computer Accounts • Deleting an account permanently removes it, together with all of its group memberships, permissions and user rights. A new account with the same name has a different SID and GUID • Disabling an account may be a better option! • Administrator and Guest can be renamed, but not deleted

  12. Understanding User Account Properties • As with all AD objects, user accounts have a number of associated properties or attributes • Once the account is created, those properties may be modified using the Computer Management tool (local accounts) or AD Users and Computers (domain accounts)

  13. Group Accounts • Group – an AD object that contains users, computers and other entities (groups have SIDs) • Groups are used for easier management of users/computers/resources • The access token identifies the groups to which a user belongs and the rights assigned • 2 types of groups: • Distribution groups, for e-mail • Security groups, to assign limited permissions to groups that need access to resources, or to deny access

  14. Example of Access Token

  15. Group Accounts • Rights and privileges are assigned at the group level • Groups can be nested (membership by inheritance) • User’s rights and privileges through group memberships are cumulative

  16. Group/User relationship (diagram): Group 1, Group 2 and Group 3; Group 3 is a member of Group 1

  17. Group Scope • Scope of influence (or scope) • Reach of a group for gaining access to resources in Active Directory • Types of groups and associated scopes: • Local • Domain local • Global • Universal

  18. Local Groups • Local security group • Used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain (non-DCs) • Create using the Local Users and Groups MMC snap-in

  19. Domain Local Groups • Domain local security group • Used when Active Directory is deployed • Manage resources in a domain • Give global groups from the same and other domains access to those resources • Scope of a domain local group • Domain in which the group exists • Can convert a domain local group to a universal group

  20. Domain Local Groups

  21. Domain Local Group Example (diagram): Domains A, B and C; Engineering (Global Group) containing User 1 and User 2; Printer Group (Domain Local) with members User 1, Engineering and User 2; the Printer ACL grants Printer Group the Print permission

  22. Global Groups • Contain user accounts from a single domain • Can also be set up as a member of a domain local group in the same or another domain • Broader scope than domain local groups • Can be nested • Typical use: • Add accounts that need access to resources in the same or in another domain • Make the global group in one domain a member of a domain local group in the same or another domain

  23. Nested Global Groups

  24. Global Group Example (diagram): Domains A, B and C; Accountants (Global Group) containing User 1 and Group 1; Group 2 shown separately; the Printer ACL lists Accountants

  25. Universal Groups • Universal security groups • Span domains and trees • Can include • User accounts from any domain • Global groups from any domain • Other universal groups from any domain • Guidelines to help simplify how you plan to use groups

  26. Universal Groups

  27. Group Strategy • Put users into a global group. A global group can be thought of as an Accounts group. • Put resources into domain local (or machine local) groups. A local group can be thought of as a Resource group. • Put a global group into any domain local (or machine local) group in the forest • Assign permissions for accessing resources to the domain local (or machine local) groups that contain them • Use universal groups to grant access to resources in multi-domain environments where access is needed across domain trees.

  28. Group Strategy Example (diagram): Domains A, B and C each have an Engineers (Global Group); Database Access (Domain Local Group) has members Domain A Engineers, Domain B Engineers and Domain C Engineers; the Database ACL entry for Database Access is Allow Write/Read
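As an added illustration (not part of the lecture), a small Python model of the strategy in slides 27-28: a logon token is built from nested group membership, and a resource ACL that names only the domain local group is checked against it. All users, groups, the placement of Database Access in Domain A, and the Contractor Readers group are constructed for this example.

```python
# Added example: token building and ACL evaluation for the AGDLP strategy.
# Constructed directory: principal -> groups it is a direct member of.
MEMBER_OF = {
    "DomainA\\User1": {"DomainA\\Engineers"},
    "DomainB\\User2": {"DomainB\\Engineers"},
    "DomainC\\User3": {"DomainC\\Contractors"},
    "DomainC\\User4": {"DomainC\\Engineers", "DomainC\\Contractors"},
    # Accounts go into global groups; the global groups from every domain are
    # nested into one domain local group, which is the only trustee on the ACL.
    "DomainA\\Engineers": {"DomainA\\Database Access"},
    "DomainB\\Engineers": {"DomainA\\Database Access"},
    "DomainC\\Engineers": {"DomainA\\Database Access"},
    "DomainC\\Contractors": {"DomainA\\Contractor Readers"},
}


def build_token(principal):
    """Groups in the logon token: the principal plus every group reached
    through nesting, so rights from all memberships are cumulative."""
    token, todo = {principal}, [principal]
    while todo:
        for group in MEMBER_OF.get(todo.pop(), ()):
            if group not in token:
                token.add(group)
                todo.append(group)
    return token


# ACL entries: (type, trustee, rights). Windows evaluates explicit deny entries
# before explicit allow entries; the sort in access_check enforces that order.
DATABASE_ACL = [
    ("allow", "DomainA\\Database Access", {"read", "write"}),
    ("allow", "DomainA\\Contractor Readers", {"read"}),
    ("deny", "DomainA\\Contractor Readers", {"write"}),
]


def access_check(token, acl, requested):
    """True if allow entries for groups in the token cover every requested
    right and no deny entry for such a group covers a requested right."""
    remaining = set(requested)
    for ace_type, trustee, rights in sorted(acl, key=lambda a: a[0] != "deny"):
        if trustee not in token:
            continue
        if ace_type == "deny":
            if rights & remaining:
                return False  # an explicit deny wins over any allow
            continue
        remaining -= rights
        if not remaining:
            return True
    return not remaining
```

Because User4 is in both Contractors and Engineers, the deny entry on Contractor Readers blocks write access even though Database Access would allow it, which is why denies are placed on groups with care.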

  29. Default User Account Membership • Built-in groups are automatically created in Windows Server 2003 to reflect most common attributes and tasks • Domain Users/Users • Domain Admins/Administrators

  30. Special Groups • EVERYONE • Network • Interactive • Service • System • Authenticated Users • SELF • CREATOR OWNER

  31. User Profiles • Profiles customize user environment, store profiles on server (roaming), restrict changes through mandatory profiles • Local profiles are stored on a computer when each user logs in.
