Introduction to NT Administration
Objectives:
• How to use DOMAINS
• Create Users & Set Properties to user accounts
• Manage User Accounts & Assign Security Policies
• Use Shared Folder Permissions
• Use Server Manager & Win NT Diagnostics
• Administer Local & Remote Printing Devices
• Use Event Viewer & Archive Logs
Why Do We NETWORK?
• Share Resources
• More Computing Power
• Collaborate & Communicate
• More File Space
• Faster Access than a “Sneaker Net”
DOMAINS The concept behind NT Networks
Workgroups
A workgroup is a collection of computers that form a peer-to-peer network. In a workgroup, each computer can act as both a server & a client for sharing resources. Each station in a Workgroup is Managed Separately.
Advantages? Disadvantages?
[Figure: A workgroup. Each computer keeps its own list of users (Name / Password), e.g. Mary / Fido, Bill / Pentium, Sue / Logical.]
PERMISSIONS The Rules that limit which users can use specified network resources
Permissions and permission sets

Task name               Task
Read (R)                Display the folder’s data, attributes, owner, and permissions
Write (W)               Create new files or change the folder’s attributes
Execute (X)             Run files in the folder or open the folder
Delete (D)              Delete files in the folder
Change Permissions (P)  Change the folder’s permissions
Take Ownership (O)      Become the owner of the folder

Permission                Allows
No Access                 Denies all access to the folder
List                      RX
Read                      RX
Add                       XW
Add & Read                RXW
Change                    RXWD
Full Control              RXWDPO
Special Directory Access  Any custom combination of tasks
Special File Access       Set independently
[Figure: Layers of security. A network request from the user workstation must pass share security and then NTFS security before it reaches the shared folder.]
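As an added example (not from the original slides), the permission sets from the table above modelled in Python, together with the two combining rules behind the layers figure: permissions from several groups add up unless one of them is No Access, and a network request gets only the tasks allowed by both the share layer and the NTFS layer. Group and folder names in the constructed case are assumptions.

```python
# Added example (not from the original slides): the NT folder permission sets
# from the slide table, plus two rules for combining them: permissions from
# several groups add up unless one of them is No Access, and a network request
# must pass the share permission and then the NTFS permission, so only tasks
# allowed by BOTH layers survive. Group and folder names are constructed.

TASKS = {"R": "Read", "W": "Write", "X": "Execute",
         "D": "Delete", "P": "Change Permissions", "O": "Take Ownership"}

# Standard permission sets, as task letters, exactly as listed on the slide.
PERMISSION_SETS = {
    "No Access": set(),
    "List": set("RX"),
    "Read": set("RX"),
    "Add": set("XW"),
    "Add & Read": set("RXW"),
    "Change": set("RXWD"),
    "Full Control": set("RXWDPO"),
}

def tasks_for(permission):
    """Task letters granted by one named permission set."""
    return set(PERMISSION_SETS[permission])

def combine_group_permissions(permissions):
    """Permissions a user gets from several groups at one layer: the union,
    except that No Access on any group denies everything."""
    if "No Access" in permissions:
        return set()
    result = set()
    for p in permissions:
        result |= tasks_for(p)
    return result

def effective_tasks(share_permissions, ntfs_permissions):
    """Tasks allowed over the network on a shared NTFS folder: what survives
    both the share layer and the NTFS layer (the more restrictive wins)."""
    return (combine_group_permissions(share_permissions)
            & combine_group_permissions(ntfs_permissions))

def can_do(task_letter, share_permissions, ntfs_permissions):
    if task_letter not in TASKS:
        raise ValueError(f"unknown task {task_letter!r}")
    return task_letter in effective_tasks(share_permissions, ntfs_permissions)

if __name__ == "__main__":
    # Constructed case: share grants Change; NTFS grants Full Control to one of
    # the user's groups and Read to another. Delete works; Take Ownership does not.
    share, ntfs = ["Change"], ["Full Control", "Read"]
    print(sorted(effective_tasks(share, ntfs)), can_do("O", share, ntfs))
```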
[Figure: Unified logon for Microsoft networks. The “Enter Network Password” dialog on a peer-to-peer network asks only for User name and Password; on a Windows NT domain it also asks for the Domain.]
DOMAINS
A DOMAIN is a collection of computers that can be used and managed as a single entity. Users can log on once to a domain & then have access to any computer or resource for which they have permissions. Usually, Domains are organized by a common use or purpose.
A DOMAIN requires the presence of at least one computer running Windows NT Server. This computer, called the Primary Domain Controller (PDC), maintains a central accounts database, called the directory database, of the domain’s members. A Domain may have multiple servers, clients or domain controllers (a domain controller maintains the directory database & participates in validating logon requests).
[Figure: A domain has a centralized directory database. Fred’s, Rashad’s and Sue’s computers all validate against the one list of users (Sue / Logical, Rashad / Pentium, Fred / Password) held on the domain controller.]
[Figure: The role of Windows NT Server domain controllers. The PDC processes user logons from clients, updates the accounts database, and performs directory replication to the BDC.]
DOMAINS
• WHAT IF the PDC goes down? Can users log on to the network?
• Yes, BUT only if there is a Backup Domain Controller (server) with the current directory database.
DOMAINS
Give two advantages of using a domain model for your network.
• Computers can be centrally administered
• The common directory database simplifies security administration
Give one disadvantage of using DOMAINS.
• A DOMAIN requires a dedicated Network Administrator!
DOMAIN CONTROLLERS
• Primary Domain Controller (PDC)
• The PDC database is the only copy that can be edited (User Manager). If the PDC is offline, you cannot change the directory database.
• The first WinNT Server created in a Domain will automatically become the PDC. You can override this at a later time – AFTER adding a BDC (Backup Domain Controller).
• You can ONLY have ONE PDC in a Domain.
Backup Domain Controller (BDC)
A BDC assists the PDC by authenticating domain users. The BDC maintains a read-only copy of the directory database (it cannot be edited there), which is periodically updated from the PDC. You MUST specify during installation that a computer will act as a BDC. If you promote a BDC to a PDC, then the existing PDC will automatically be demoted to a BDC.
[Figure: Domain CLASS. The Primary Domain Controller (PDC) holds the directory database; each Backup Domain Controller (BDC) holds a read-only copy of it.]
MEMBER SERVER
A member server is not a domain controller. It merely makes resources available within the Domain. Because a member server does not maintain a copy of the directory database & does not participate in the logon validation process, it can better serve its resources to the domain.
• Member servers are created when you install the server software.
• Member servers cannot be promoted to a PDC or BDC unless you reinstall WinNT Server.
• You can have multiple member servers in a Domain.
[Figure: The role of application servers. The application server runs the application in RAM and responds to client requests.]
PLANNING A DOMAIN
• You cannot change the domain to which a domain controller belongs without reinstalling WinNT Server.
• Each Domain in a Network must have a unique name.
• SIDs (Security Identification Numbers) validate a resource to the Domain – NOT the computer or resource name.
• A Single Domain can span a routed connection (all campuses of a school district) or a Wide Area Network (WAN).
• Network Traffic Patterns, NOT physical design, should determine how your Domains are set up (i.e. BUSINESS APs versus PEIMS).
• WHAT ABOUT STUDENT FOLDERS? WHAT ABOUT AR DATABASE? WHAT ABOUT WEB Productivity Access?
LOGGING IN
• Ctrl & Alt & Del takes you to the Login Screen
• Identify yourself: User Name, Password, & DOMAIN
• Ctrl & Alt & Del after logon offers: Change Password, Lock Workstation, Task Manager
Types of traffic
Client to server:
• DHCP – Dynamic Addressing
• WINS registration – Resources on the Network
• Browser announcements – Master Browser
• HTTP – Web Access
• FTP – Files Transferred over Internet (Downloads)
• Media Streaming – Video broadcasts
• Logon – Logging Files
Server to server:
• Browse lists, DNS, File transfer, HTTP
• Trust, WINS replication, Domain synchronization, Directory replication
MANAGING USERS
• A USER ACCOUNT contains the information that allows a user access to the WINNT operating system and its resources.
• USER NAME – must be unique
• LOGON PASSWORD
• Group Membership List – also contained in the account
• BUILT-IN ACCOUNTS:
• Administrator Account
• Guest Account – you may wish to disable it or change the name & password to “Training” etc.
TOOLS for MANAGING USER ACCOUNTS
• USER MANAGER
• Allows the Administrator to Create a User Account
• Options:
• User Must Change Password At Next Logon
• User Cannot Change Password
• Password Never Expires
• Account Disabled – AUP Violations, Moves from District, Retires
Let’s Practice
• Open USER MANAGER For the Domain (usrmgr)
• What are invalid characters in User Names in NT?
• Cannot Include Special Characters: ‘ “ / \ ? < > | , ; : [ ] + *
• User Name should be descriptive, e.g. 05roussj (preferably no more than 8 characters)
• Password is case-sensitive – it may be up to 14 characters
• Initial Password like: 123456
• Assign User to Groups
Let’s Practice
• User Properties: Characteristics of a User Account
• User Name
• Full Name (may include spaces)
• Description
• Password
• Password Control Options
• Groups User Belongs to
• Profile Settings
• Hours During Which the User can log on to Computer
• Computers from which a user may log on
• Special Account Properties
• Dial-in Permissions – RAS
Let’s Practice
• Create a Home Folder
• Home Folders – a network folder location that is used to store all the personal programs & data files for the user, e.g. \\senior01\users\%username%
• When a Home folder is set in the user’s account, it becomes the user’s default folder for the Open & Save As dialog boxes in most applications.
• On NTFS, NT will create these folders & share them with the user; on FAT you must create & share the home folders yourself.
Let’s Practice
• Create a Home Folder
• Select User, Properties, Profile
• Enter the Universal Naming Convention (UNC) path next to the Local Path textbox for the Home Directory: \\senior01\users\%username%
• Two back slashes, server name, slash, shared folder, slash, %username%
• The server & shared folder must first exist on the network. NT will create a subfolder using the User ID name for the folder name. Click OK.
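As an added example (not from the original slides), a small Python check that applies the user-name rules from the practice slide and expands the %username% placeholder in the UNC home-folder path the way the Profile tab does; the 8-character limit is the slide’s recommendation rather than an NT limit, and the server and share names are constructed samples.

```python
# Added example (not from the original slides): check a proposed NT user name
# against the special-character rule from the slide and expand the
# %username% placeholder in a UNC home-folder path the way the Profile tab
# does. The 8-character limit is the slide's recommendation (NT itself
# allows longer names); server and share names are constructed samples.
import re

INVALID_CHARS = set('\'"/\\?<>|,;:[]+*')   # the slide's list of forbidden characters
RECOMMENDED_MAX_LEN = 8
MAX_PASSWORD_LEN = 14
UNC = re.compile(r"\\\\([^\\]+)\\([^\\]+)((?:\\[^\\]+)*)$")  # \\server\share[\sub...]

def invalid_chars(name):
    """Forbidden characters present in the name, sorted for stable messages."""
    return sorted(set(name) & INVALID_CHARS)

def check_user_name(name):
    """Return a list of problems with the user name (empty list = acceptable)."""
    problems = []
    if not name.strip():
        problems.append("user name is empty")
    bad = invalid_chars(name)
    if bad:
        problems.append("invalid characters: " + " ".join(bad))
    if len(name) > RECOMMENDED_MAX_LEN:
        problems.append(f"longer than {RECOMMENDED_MAX_LEN} characters (not recommended)")
    return problems

def password_ok(password):
    """NT passwords are case-sensitive and at most 14 characters long."""
    return 0 < len(password) <= MAX_PASSWORD_LEN

def home_folder_path(unc_template, user_name):
    """Expand %username% (case-insensitively) and check that the result is a
    UNC path: two backslashes, server, share, optional subfolders. A name with
    forbidden characters is rejected before it can become a folder name."""
    if invalid_chars(user_name):
        raise ValueError(f"bad user name {user_name!r}: {invalid_chars(user_name)}")
    path = re.sub(r"%username%", user_name, unc_template, flags=re.IGNORECASE)
    if not UNC.match(path):
        raise ValueError(f"not a UNC path: {path}")
    return path

def parse_unc(path):
    """Split a UNC path into (server, share, [subfolders])."""
    m = UNC.match(path)
    if not m:
        raise ValueError(f"not a UNC path: {path}")
    server, share, rest = m.groups()
    return server, share, [p for p in rest.split("\\") if p]
```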
Let’s Practice
• Look through the HOURS options
• Observe the Grid
• Drag from Monday at 8:00 am to Friday at 5:00 pm
• Click Disallow
• Click OK
• What does this action accomplish?
• When would you use it?
Let’s Practice
Explore – Answer the following:
• How can you Restrict a user’s logon access to a single computer?
• How can you set an expiration date to an account?
Let’s Check for Understanding – Troubleshooting User Account Properties
Create a User Account for your machine with the following properties:
• Username: Student
• Password: Logical
• No account options enabled
• Home folder: D:\Users\Student\%username%
• Logon Hours: Monday to Friday, 9 to 5
• Disabled
• Domain Users have the right to logon locally.
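As an added example (not from the original slides), a Python model of the User Manager logon-hours grid that reproduces both the practice slide (drag Monday 8:00 am to Friday 5:00 pm, click Disallow) and the check-for-understanding account (logon hours Monday to Friday, 9 to 5), and answers whether a logon at a given weekday and hour would be accepted; hours are whole hours with the end hour exclusive, which is an assumption of this model.

```python
# Added example (not from the original slides): a model of the User Manager
# logon-hours grid, one cell per hour of the week (7 days x 24 hours). NT's
# default allows every hour; set_block() reproduces dragging a rectangle and
# clicking Allow or Disallow, and may_log_on() answers the question the slide
# asks. Hours are whole hours, 0..24, end hour exclusive (5:00 pm = 17).

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def new_grid(allow_all=True):
    """A fresh grid; True in a cell means logon is allowed during that hour."""
    return [[allow_all] * 24 for _ in DAYS]

def set_block(grid, first_day, last_day, start_hour, end_hour, allowed):
    """Set every cell in the dragged rectangle (days inclusive, hours
    half-open) to allowed/disallowed, like the Allow and Disallow buttons."""
    d0, d1 = DAYS.index(first_day), DAYS.index(last_day)
    if d0 > d1 or not 0 <= start_hour < end_hour <= 24:
        raise ValueError("rectangle must run forwards in days and hours")
    for d in range(d0, d1 + 1):
        for h in range(start_hour, end_hour):
            grid[d][h] = allowed
    return grid

def may_log_on(grid, day, hour):
    """Would the domain accept a logon at this weekday and hour?"""
    return grid[DAYS.index(day)][hour]

def allowed_hours(grid):
    """Total hours per week during which logon is permitted."""
    return sum(cell for row in grid for cell in row)

def disallow_business_hours():
    """The practice slide: drag Monday 8:00 am to Friday 5:00 pm, click Disallow."""
    return set_block(new_grid(), "Mon", "Fri", 8, 17, allowed=False)

def business_hours_only():
    """The check-for-understanding slide: logon hours Monday to Friday, 9 to 5."""
    return set_block(new_grid(allow_all=False), "Mon", "Fri", 9, 17, allowed=True)

if __name__ == "__main__":
    g = disallow_business_hours()
    print(may_log_on(g, "Wed", 10), may_log_on(g, "Sat", 10), allowed_hours(g))
```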
Let’s Check for Understanding – Troubleshooting User Account Properties
Create a User Account for your machine with the following properties:
• Username: Student
• Password: Logical
• No account options enabled
• Home folder: C:\Users\Student
• Domain Users have the right to logon locally.
Log off as administrator & log on as student. Create a Notepad document & attempt to save it using Save As. Where does Notepad attempt to save the file by default?
User Profiles
User PROFILES are files that store user configuration information, such as the desktop appearance. Profiles are created and maintained by the system. Each user is assigned a profile with information stored in a set of files and folders within the Windows (Winnt) Profiles folder. Profiles can reside on the client computer (on each client computer a user logs onto), OR ROAMING Profiles may reside on the logon server. ROAMING Profiles follow a user from client to client. Roaming Profiles can be Personal OR Mandatory on WINNT machines.
• Roaming Personal Profiles – User can change
• Roaming Mandatory Profiles – User cannot change
User Profiles
• When you assign a server location for user profiles, a copy of the user’s local profile is saved both locally & remotely on the server. A comparison of both profiles is made at the next logon, and the user is asked which profile to load.
• Create a roaming Profile:
• Create a normal user profile by logging on as a user & changing your desktop
• Log off & log on as the Administrator. In Control Panel, open the System application & activate the USER PROFILE TAB.
• Select the user’s profile & click on Copy To
• Enter the name of the destination network folder (\\senior01\users\%username% will work)
• In the Permitted To Use box click on Change. Add the appropriate User. Click OK
User Profiles
• In the USER MANAGER For DOMAINS, view properties for the user to whom you will be assigning this roaming profile.
• Click on Profiles to display the User Environment Profile dialog box
• Enter the Path to the user’s roaming user profile using the UNC name
• Click OK.
User Profiles
Roaming Mandatory User Profiles may NOT be modified, i.e. the User CANNOT change the desktop color. To create a mandatory user profile, create a roaming personal user profile and rename the Ntuser.dat file to Ntuser.man. This file is found WHERE?
User Profiles
• In a DOMAIN, where should you create your User Accounts?
• What tool do you use to create the accounts? Where does one get this tool? Where can this tool be placed?
• What are the three types of User Profiles? Where are they stored?
• User Profiles – \windows\profiles; Roaming Personal Profiles & Roaming Mandatory Profiles – stored on the server.
Local & Global Groups
• Local Groups belong to the Domain & can be assigned permissions & rights
• Local Groups can contain Global Groups
• Global Groups do not have permissions or rights assigned to them, but they can become members of local groups that do have permissions & rights
• Global Groups can only contain Users from the Domain
• The Primary Reason for creating Global Groups is that they are to be assigned to a Local Group
Remember: Local vs. global groups
Local group – can contain:
• Users from a local database
• Users from other computers’ databases
• Users from outside of the domain
• Global groups
Global group – can contain:
• Users from the domain database
A strategy for implementing network security
1. Create user accounts.
2. Organize user accounts into global groups (Domain Groups), e.g. Domain Teachers, Domain Students, Domain Secretaries.
3. Put global groups into local groups, e.g. Domain Teachers and Domain Students into the local group WebMasters. Local Groups give access to resources.
4. Grant permissions to the local group; its members are then OK to access the resource.
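As an added example (not from the original slides), the four-step strategy above as a small Python model that enforces the containment rules from the “Local vs. global groups” slide (global groups hold only users of their own domain; local groups hold users and global groups, never other local groups; permissions go on local groups only) and then resolves what a user may do on a resource; the domain, user, group and resource names are constructed samples.

```python
# Added example (not from the original slides): the four-step strategy
# (1 users, 2 global groups, 3 local groups, 4 permissions) as a small model
# that enforces the containment rules from the "Local vs. global groups"
# slide and then resolves what a user may do on a resource. Domain, user,
# group and resource names are constructed samples.

class Domain:
    def __init__(self, name):
        self.name = name
        self.users = set()
        self.global_groups = {}  # group name -> user names from THIS domain only
        self.local_groups = {}   # group name -> users or (Domain, global group) pairs
        self.permissions = {}    # (resource, local group) -> permission set name

    def add_user(self, user):                        # step 1
        self.users.add(user)

    def add_to_global(self, group, user):            # step 2
        if user not in self.users:
            raise ValueError(f"{user} is not a user of domain {self.name}")
        self.global_groups.setdefault(group, set()).add(user)

    def add_to_local(self, local_group, member):     # step 3
        # Members may be users or global groups (from this or a trusted domain),
        # never other local groups.
        if isinstance(member, tuple):
            domain, gg = member
            if gg not in domain.global_groups:
                raise ValueError(f"{gg} is not a global group of {domain.name}")
        elif member in self.local_groups:
            raise ValueError("a local group cannot contain a local group")
        self.local_groups.setdefault(local_group, set()).add(member)

    def grant(self, resource, local_group, permission):   # step 4
        if local_group not in self.local_groups:
            raise ValueError(f"{local_group} is not a local group; grant to local groups only")
        self.permissions[(resource, local_group)] = permission

    def local_groups_of(self, user):
        """Local groups the user belongs to directly or through a global group."""
        return {lg for lg, members in self.local_groups.items()
                if any(m == user or (isinstance(m, tuple) and user in m[0].global_groups[m[1]])
                       for m in members)}

    def access(self, user, resource):
        """Permission set names the user holds on the resource via local groups."""
        groups = self.local_groups_of(user)
        return {p for (r, lg), p in self.permissions.items()
                if r == resource and lg in groups}
```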
[Figure: Groups in a trust relationship. Users go into global groups, and global groups go into local groups.]
Let’s Practice
• Decide what Global Groups & Local Groups are needed for your campus.
• Decide this by looking at all the resources:
• File Servers
• Folders – Plan a Folder Scheme: Name of Folder, Needed Subfolders, Level of Sharing
• Application Servers
• CD ROM Towers
• Internet Access
• RAS Access
• Printers
• Client Hardware – Drives, Printers & Folders (Shared CD ROM Drives & Folders)
Let’s Practice
• Decide what Global Groups & Local Groups are needed for your campus.
• Create Global & Local Groups to Manage Identified Resources
• Diagram each Resource & the Local Groups & Global Groups that reach it
Let’s Practice
• Assign Permissions to resources using your Local Groups
• Describe what Permissions you will need to assign for each resource per Local Group