70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003

Chapter Six

Creating and Managing User and Computer Accounts


Objectives

  • Explain the purpose of local user accounts, profiles, and logon procedures

  • Create and manage local user and group accounts

  • Manage local security profiles

  • Manage local policies

  • Work with Windows XP as a domain client

Guide to MCSE 70-270, 70-290


Working with Local User Accounts, Profiles and Logon Procedures

  • User account: Represents all information defining user’s access to local computer or network

    • Stored on local computer or in Active Directory

  • Local user accounts: Stored in Security Accounts Manager (SAM) database

    • Managed using Local Users and Groups snap-in

  • Domain user account: Exists in a domain by virtue of being created on a domain controller

    • Used to gain access to domain resources

  • Provide users with personalized desktop environments via profiles and policies

Windows Logon Methods

  • Windows system can be set up as:

    • Standalone system, automatic logon

    • Standalone system

    • Workgroup member

    • Domain client

    • Domain controller

  • Windows Welcome Logon Method: XP Professional displays list of user accounts

    • Click icon, enter password to log on

    • Fast user switching

Windows Logon Methods (continued)

  • Classic Logon Method: Requires pressing Ctrl+Alt+Delete to open WinLogon security dialog box

    • Used by default in Windows Server 2003

    • Fast User Switching not available

    • Logon mode set to classic when Windows XP system becomes a domain member

User Account Naming Conventions

  • Naming convention: Standard process for creating names on a network or standalone system

    • Should incorporate scheme for user accounts, computers, folders, network shares, printers, and servers

  • Requirements:

    • Consistent across all objects

    • Easy to use and understand

    • New names should be easy to construct

    • Object’s name should clearly identify object’s type

User Account Naming Conventions (continued)

Table 6-1: User naming convention guidelines

Managing Windows XP Local User and Group Accounts

  • Local user account identifies user to local OS via unique name and password

    • Information about local user or group accounts stored on local computer in SAM database

      • Exists on systems that are not domain controllers

    • Each computer in workgroup environment maintains own SAM database

  • Domain controllers use a copy of the Active Directory domain database shared among domain controllers

Default Local User and Group Accounts

  • When Windows XP Professional installed, two default user accounts created

    • Administrator and Guest

    • Also several local group accounts

  • Local User Accounts:

    • Administrator account: Unlimited access and unrestricted privileges to every aspect of Windows

      • Must be protected from misuse

Default Local User and Group Accounts (continued)

  • Local User Accounts (continued):

    • Administrator account (continued):

      • Cannot be deleted

      • Cannot be locked out

      • Can be disabled

      • Can have blank password

      • Can be renamed

      • Cannot be removed from Administrators local group

    • Guest account: Limited access to resources and computer activities

Default Local User and Group Accounts (continued)

  • Local User Accounts (continued):

    • Guest account (continued):

      • Member of Everyone group

      • Cannot be deleted

      • Can be locked out

      • Can be disabled (disabled by default)

      • Can have a blank password (blank by default)

      • Can be renamed (recommended)

      • Can be removed from Guests local group

Default Local User and Group Accounts (continued)

  • Local Group Accounts: Used to grant rights to local OS

    • Everyone

    • Administrators

    • Backup Operators

    • Guests

    • Network Configuration Operators

    • Power Users

Default Local User and Group Accounts (continued)

  • Local Group Accounts (continued):

    • Remote Desktop Users

    • Replicator

    • Users

    • HelpServicesGroup

Creating and Managing Local User Accounts

  • Local user accounts can be created and managed:

    • With User Accounts applet

    • Through Local Users and Groups MMC snap-in

  • User Accounts Applet: Function differs depending on whether system part of workgroup or domain

    • Domain: Main purpose is to import domain user accounts into local SAM database

    • Workgroup: Offers user-friendly way to create, modify, or delete user accounts

Creating and Managing Local User Accounts (continued)

Figure 6-1: The User Accounts applet

Creating and Managing Local User Accounts (continued)

Figure 6-3: Options for changing a user account

Creating and Managing Local User Accounts (continued)

Figure 6-4: Changing the user logon method

Creating and Managing Local User Accounts (continued)

  • Activity 6-1: Working with the User Accounts Applet

    • Objective: Review the properties of a user account

  • Local Users and Groups Snap-in: Used to create and manage local users and groups

    • Console tree has two nodes:

      • Users node: Contains all local user accounts

      • Groups node: Contains all local group accounts

    • Use Profile tab to define user profile path, logon script, and home folder

Creating and Managing Local User Accounts (continued)

Figure 6-5: Displaying local user accounts

Creating and Managing Local User Accounts (continued)

Figure 6-6: A user account’s Properties dialog box

Creating and Managing Local User Accounts (continued)

Figure 6-8: The Advanced option of the Select Groups dialog box

Creating and Managing Local User Accounts (continued)

  • Activity 6-2: Creating a Local Account

    • Objective: Create a new local user account with Local Users and Groups

  • Activity 6-3: Creating a Local Group

    • Objective: Create a local group by using Local Users and Groups

  • Activity 6-4: Changing Built-in Group Membership for a Local Account

    • Objective: Change the group membership of a local account using Local Users and Groups

Creating and Managing Local User Accounts (continued)

Figure 6-9: The Profile tab

Creating and Managing Local User Accounts (continued)

Figure 6-12: The Select Users dialog box

Managing Local User Profiles

  • User profile: Collection of desktop and environmental configurations for specific user or group of users

    • By default, each Windows computer maintains profile for each user who has logged on

      • Except for Guest accounts

    • User Profile Info:

      • Application Data

      • Cookies

      • Desktop

      • Favorites

      • Local Settings

Managing Local User Profiles (continued)

  • User profile (continued):

    • User Profile Info (continued):

      • My Documents

      • NetHood

      • PrintHood

      • My Recent Documents

      • SendTo

      • Start Menu

      • Templates

      • Ntuser.dat

      • Ntuser.dat.log

      • Ntuser.ini

Managing Local User Profiles (continued)

  • Administrator can force users to load mandatory profile

    • Changes assigned by mandatory profile restored next time user logs on

    • Created by manually renaming Ntuser.dat to Ntuser.man

      • Must temporarily rename profile’s Registry file back to Ntuser.dat or edit Registry directly

        • Edit contents of HKEY_USERS\.DEFAULT key

Managing Local User Profiles (continued)

Figure 6-13: The User Profiles dialog box

Managing Local User Profiles (continued)

  • When user without user profile logs on, profile created by duplicating Default User profile

    • To modify Default User profile:

      • Log on as new user to copy existing default profile

      • Modify default desktop environment

      • Log off to save changes to new user’s profile folder located in Documents and Settings\NewUserName

      • Log on as Administrator and copy contents of new user’s profile folder to default folder

  • All Users profile created during installation

    • Initially empty

Managing Local User Profiles (continued)

  • Local Profile: Set of specifications and preferences for individual user

    • Stored on local machine

    • Two ways to create:

      • User logs on, arranges information as needed, logs off

      • Assign mandatory profile from existing profile folder

  • Roaming Profile: Used in domains to allow users to have a common desktop on any Windows XP member of domain

Managing Local Security Policies

  • Security policies allow administrators to change system security configuration settings in local Windows Registry

    • Registry provides hierarchical database of info about system’s software, hardware, and user configuration

  • Local Security Policy tool: Used to edit local policy settings on systems that are not domain controllers

    • Applied to Registry during computer startup or when user logs on

Account Policies

  • Improve local user account security

  • Password Policy: Defines password restrictions

    • Enforce strong passwords

    • Default settings in Password Policy node:

      • Enforce password history: 0 passwords

      • Maximum password age: 42 days

      • Minimum password age: 0 days

      • Minimum password length: 0 characters

      • Password must meet complexity requirements: Disabled

      • Store password using reversible encryption for all users in the domain: Disabled

Account Policies (continued)

  • Account Lockout Policy: Defines the conditions under which a user account is locked out

    • Default settings for Account Lockout Policy items:

      • Account lockout threshold: 0 Invalid logon attempts

      • Account lockout duration: Not Applicable (defaults to 30 minutes after Account lockout threshold defined)

      • Reset account lockout counter after: Not Applicable (defaults to 30 minutes after Account lockout threshold defined)

  • Activity 6-5: Setting Account Policies

    • Objective: Set account policies by using the Local Security Policy tool

Local Policies

  • Control logon process, audit access to computer resources, grant specialized rights to groups and individual user accounts

  • Audit Policy: Defines events recorded in Security log of Event Viewer

    • Default settings for Audit Policy items:

      • Audit account logon events: No auditing

      • Audit account management: No auditing

      • Audit directory service access: No auditing

      • Audit object access: No auditing

      • Audit policy change: No auditing

Local Policies (continued)

  • Audit Policy (continued):

    • Default settings for Audit Policy items (continued):

      • Audit privilege use: No auditing

      • Audit process tracking: No auditing

      • Audit system events: No auditing

  • User rights assignment: Defines which groups or users can perform specific privileged actions

    • Default groups and users for user rights:

      • Access this computer from the network—Everyone, Users, Power Users, Backup Operators, Administrators
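
The Account Policies and Audit Policy defaults listed in the slides above leave most controls switched off, and that can be checked from a policy export. The following is an added example, not part of the original presentation: it parses the [System Access] and [Event Audit] sections of a `secedit /export /cfg` file and reports every control that is off or missing. The sample export is constructed, and the function and variable names are this example's own.

```python
import configparser

# Constructed sample: the relevant sections of a `secedit /export /cfg` file
# from a machine still at the defaults listed in the slides. Real exports are
# typically UTF-16 encoded; decode the file before passing its text in.
DEFAULT_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditAccountLogon = 0
AuditAccountManage = 0
AuditLogonEvents = 0
AuditPolicyChange = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# INF key -> (name shown in the Local Security Policy tool, test for "control is off")
ACCOUNT_CHECKS = {
    "PasswordHistorySize": ("Enforce password history", lambda v: v == 0),
    "MinimumPasswordAge": ("Minimum password age", lambda v: v == 0),
    "MinimumPasswordLength": ("Minimum password length", lambda v: v == 0),
    "PasswordComplexity": ("Password must meet complexity requirements", lambda v: v == 0),
    "ClearTextPassword": ("Store password using reversible encryption", lambda v: v == 1),
    "LockoutBadCount": ("Account lockout threshold", lambda v: v == 0),
}


def parse_inf(text):
    """Parse security-template INF text, keeping key case and literal '$' and '%'."""
    parser = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), strict=False
    )
    parser.optionxform = str  # keys such as LockoutBadCount are case-sensitive here
    parser.read_string(text)
    return parser


def find_weak_settings(text):
    """Return (section, key, detail) tuples for controls that are off or undefined."""
    inf = parse_inf(text)
    findings = []

    access = inf["System Access"] if inf.has_section("System Access") else {}
    for key, (label, is_off) in ACCOUNT_CHECKS.items():
        raw = access.get(key)
        if raw is None:
            findings.append(("System Access", key, f"{label}: not defined in export"))
        elif is_off(int(raw)):
            findings.append(("System Access", key, f"{label}: {raw}"))

    # Event Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
    audit = inf["Event Audit"] if inf.has_section("Event Audit") else {}
    for key, raw in audit.items():
        if int(raw) == 0:
            findings.append(("Event Audit", key, "No auditing"))
    return findings


if __name__ == "__main__":
    for section, key, detail in find_weak_settings(DEFAULT_INF):
        print(f"[{section}] {key}: {detail}")
```
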

Local Policies (continued)

  • User rights assignment (continued):

    • Default groups and users for user rights (continued):

      • Add workstations to domain—None

      • Allow logon through Terminal Services—Administrators, Remote Desktop Users

      • Back up files and directories—Backup Operators, Administrators

      • Change the system time—Power Users, Administrators

      • Create a pagefile—Administrators

      • Debug programs—Administrators

Local Policies (continued)

  • User rights assignment (continued):

    • Default groups and users for user rights (continued):

      • Deny access to this computer from the network—Guest and SUPPORT accounts

      • Deny logon locally—Guest and SUPPORT accounts

      • Deny logon through Terminal Services—None

      • Force shutdown from a remote system—Administrators

      • Generate security audits—Local Service, Network Service

      • Increase scheduling priority—Administrators

      • Load and unload device drivers—Administrators

Local Policies (continued)

  • User rights assignment (continued):

    • Default groups and users for user rights (continued):

      • Logon as a service—Network Service

      • Logon locally—Guest account, Users, Power Users, Backup Operators, Administrators

      • Manage auditing and security log—Administrators

      • Perform volume maintenance tasks—Administrators

      • Profile single process—Power Users, Administrators

      • Profile system performance—Administrators

      • Remove computer from docking station—Users, Power Users, Administrators

Local Policies (continued)

  • User rights assignment (continued):

    • Default groups and users for user rights (continued):

      • Restore files and directories—Backup Operators, Administrators

      • Shut down the system—Users, Power Users, Backup Operators, Administrators

      • Take ownership of files or other objects—Administrators

  • Activity 6-6: Setting User Rights

    • Objective: Change the user rights assignment by using the Local Security Policy tool

Local Policies (continued)

  • Security options: Define and control security features in Windows Registry

    • Security options and default settings:

      • Accounts—Administrator account status: Not applicable

      • Accounts—Guest account status: Not applicable

      • Accounts—Limit local account use of blank passwords to console logon only: Enabled

      • Accounts—Rename administrator account: Administrator

      • Accounts—Rename guest account: Guest

Local Policies (continued)

  • Security options (continued):

    • Security options and default settings (continued):

      • Audit—Audit access of global system objects: Disabled

      • Audit—Audit use of Backup and Restore privilege: Disabled

      • Audit—Shut down system immediately if unable to log security audits: Disabled

      • Devices—Allow undock without having to logon: Enabled

      • Devices—Allowed to format and eject removable media: Administrators

Local Policies (continued)

  • Security options (continued):

    • Security options and default settings (continued):

      • Devices—Prevent users from installing printer drivers: Disabled

      • Devices—Restrict CD-ROM access to locally logged-on user only: Disabled

      • Devices—Restrict floppy access to locally logged-on user only: Disabled

      • Devices—Unsigned driver installation behavior: Warn but allow installation

      • Interactive logon—Do not display last username: Disabled

Local Policies (continued)

  • Security options (continued):

    • Security options and default settings (continued):

      • Interactive logon—Do not require CTRL+ALT+DEL: Not defined

      • Interactive logon—Message text for users attempting to logon: blank

      • Interactive logon—Message title for users attempting to logon: Not defined

      • Interactive logon—Number of previous logons to cache (in case domain controller is not available): 10 logons

      • Interactive logon—Prompt user to change password before expiration: 14 days

Local Policies (continued)

  • Security options (continued):

    • Security options and default settings (continued):

      • Interactive logon—Require Domain Controller authentication to unlock workstation: Disabled

      • Shutdown—Allow system to be shut down without having to logon: Enabled

      • Shutdown—Clear virtual memory pagefile: Disabled

Working with Windows XP as a Domain Client

  • Domain-based networking offers centralized control of user accounts and security settings

    • Allows administrators to provide single domain-based user account with rights to access resources through Active Directory forest

  • Adding an XP System as a Domain Client:

    • Use Computer Name tab in System Properties dialog box

    • To create required computer account:

      • Generate account from XP Professional client

      • Through Active Directory Users and Computers on a domain controller

Working with Windows XP as a Domain Client

Figure 6-15: The Computer Name tab

Working with Windows XP as a Domain Client (continued)

  • Activity 6-7: Joining a Domain: Method 1

    • Objective: Add an XP Professional client to Active Directory by creating the computer account on the client

  • Activity 6-8: Joining a Domain: Method 2

    • Objective: Add a Windows XP Professional system to a domain by creating a computer account on a domain controller

  • Managing a Domain Client:

    • Domain enforces control over clients using GPOs

The User Accounts Applet for a Domain Member

  • After client added to domain, User Accounts applet changes to provide new domain-based functions

    • User and advanced tabs

  • Imported user account: Local user account created from user account on another computer

    • Allow outside users to access resources on system

    • Access levels: Standard, Restricted, or Other

    • Can be member of only one group

The User Accounts Applet for a Domain Member (continued)

Figure 6-17: The User Accounts applet for a domain client

The User Accounts Applet for a Domain Member (continued)

Figure 6-19: Advanced options for user accounts

Working with Cached Credentials

  • Windows XP Professional automatically caches user credentials in Registry when domain logon or .NET Passport logon takes place

    • Allows single logon that can be used to access multiple network services without reauthentication

  • Managed through Stored User Names and Passwords utility (in User Accounts applet)

  • Troubleshooting tips for cached credentials:

    • If being authenticated as wrong user account or with wrong access level, remove stored account information for server or domain

Working with Cached Credentials (continued)

  • Troubleshooting tips for cached credentials:

    • If unable to access resources you previously had access to, account may have expired or password must be changed

      • Edit account credentials

    • If you can access a resource that you shouldn’t be able to access, delete necessary stored credentials to remove unauthorized access

Summary

  • Windows XP Professional can use three types of users: locally created users, imported users, and domain users

  • A user account stores preference settings for each person who uses a computer

  • Users are collected into groups to simplify management and grant access or privileges

  • Users can be managed by using the User Accounts applet or the Local Users and Groups snap-in

  • Local groups are managed only through the Local Users and Groups snap-in

Summary (continued)

  • Some groups allow you to customize their membership; others are system-controlled groups with memberships that can’t be customized

  • Windows XP Professional has two built-in user accounts, Administrator and Guest, and several built-in groups

  • User profiles can be local or roaming

  • User profiles store a wide variety of personalized or custom data about a user’s environment

Summary (continued)

  • The Local Security Policy tool is used to manage passwords, account lockout parameters, auditing, user rights, security options, and more

  • Cached credentials allow a single logon to access resources on multiple servers and allow a user to log on to the local computer when the domain controller is unavailable
