windows xp users groups profiles and policies l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Windows XP Users, Groups, Profiles and Policies PowerPoint Presentation
Download Presentation
Windows XP Users, Groups, Profiles and Policies

Loading in 2 Seconds...

play fullscreen
1 / 104

Windows XP Users, Groups, Profiles and Policies - PowerPoint PPT Presentation


  • 423 Views
  • Uploaded on

Windows XP Users, Groups, Profiles and Policies 70-270: MCSE Guide to Microsoft Windows XP Professional Windows XP Professional User Accounts Designed for use as a network client for: Windows NT Windows 2000 Windows Server 2003 Member of a workgroup

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Windows XP Users, Groups, Profiles and Policies' - jacob


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
windows xp users groups profiles and policies

Windows XP Users, Groups, Profiles and Policies

70-270: MCSE Guide to Microsoft Windows XP Professional

windows xp professional user accounts
Windows XP Professional User Accounts
  • Designed for use as a network client for:
    • Windows NT
    • Windows 2000
    • Windows Server 2003
  • Member of a workgroup
  • Standalone operating system when more than one user is using the computer
    • Home or business environment
types of windows xp professional user accounts
Types of Windows XP Professional User Accounts
  • Local user account
    • Exists on a single computer
    • Can provide access to resources if the user is a member in a workgroup
    • No domain access
  • Domain user account
    • Created on a domain controller using "Active Directory" and exists throughout the domain
    • Available on any domain member computer
user account details
User Account Details
  • Uniquely identified to the system by user account name and password
    • Provides secure access to authorized users
  • Preferences are environmental settings that are stored in a profile
    • Desktop, Favorites, My Documents, Start Menu, Internet files and Cookies, etc.
accounts interaction with an xp professional system page 1
Accounts Interaction with an XP Professional System (Page 1)
  • Standalone system, automatic logon—
    • All users access local resources through a "common user account" that automatically logins in when computer starts
  • Standalone system—
    • Each user logs into system with access to "their own" local resources
accounts interaction with an xp professional system page 2
Accounts Interaction with an XP Professional System (Page 2)
  • Workgroup member—
    • Users login to an account both local and shared resources
  • Domain network client—
    • Users login to system with a unique domain user account to gain access to local and domain resources
supporting more than one user
Supporting More Than One User
  • Multiple-user systems—support more than one user on the same machine, either on a single computer or in a domain
  • Implemented through:
    • Groups
    • Resources
    • Policies
    • Profiles
groups
Groups
  • Named collections of user accounts
    • One user account may be a member of more than one group
  • Members of group receive access rights and restrictions for that group
  • Local groups are created using Windows XP professional and provide privileges at the machine level
resources
Resources
  • Useful objects including printers, shared directories, software applications, etc.
  • Limited to a single user, group or all users on a machine or within a network
policies
Policies
  • A set of configuration options for a user, computer or group:
    • Define password restrictions, i.e.
      • Is the user required to change their password at prescribed intervals?
    • Account lockouts, i.e.
      • What happens if a user enters an incorrect login several times in sequence?
    • User rights
    • Event auditing
profiles
Profiles
  • User environmental settings including Desktop, Favorites, My Documents, Start Menu, etc.
  • A local profile exists on local computer
  • A domain profile follows a user no matter which computer he/she logons to in the domain
types of logon
Types of Logon
  • Two types:
    • Windows Welcome Logon Method
    • Classic Logon Method
  • Changing between the login types is found in "User Accounts" applet in Control Panel
  • Logon authentication has two purposes:
    • Maintain security
    • Track computer usage
windows welcome logon method page 1
Windows Welcome Logon Method (Page 1)
  • Completely new logon method designed for use on standalone or workgroup member systems
  • Not available when the Windows XP client is a member of a domain
  • Displayed as a list of user accounts each with its own icon which the user clicks
  • For accounts with password, user is prompted for it before access is granted

View Windows Welcome Logon Screen

windows welcome logon method page 2
Windows Welcome Logon Method (Page 2)
  • To turn the Welcome screen on or off:
    • Open User Accounts in Control Panel
    • Click Change the way users log on or off command
    • Do one of the following:
      • Specify that users log onto computer using the Welcome screen, select the Use the Welcome screen check box
      • Specify that users log onto computer using "Windows Classic Logon" dialog, clear the Use the Welcome screen check box

View Windows Welcome Logon Screen

View Classic Logon Dialog

windows welcome logon method page 3
Windows Welcome Logon Method (Page 3)
  • Fast User Switching:
    • Allows switching from one user to another without logging off (not in a domain and only for Welcome Screen logon)
    • Also updated in "User Accounts" from Change the way users log on or off
    • From "Start" menu, select the Log Off… command; then in the "Logoff Windows" dialog click the <Switch User> button
    • When switching back, environment and all programs that were active are restored
activity
Activity
  • Turn on Fast User Switching in the "User Accounts" applet
  • Activate the Guest account and then practice switching between it and your user account
classic logon method
Classic Logon Method
  • Press the <Ctrl>+<Alt>+<Delete> key combination to access the "WinLogon" security dialog box
  • Required for domain member systems
    • Selected automatically when a Windows XP system becomes part of a domain
  • No user switching available
    • Must log off computer to make it available to the next user

View Classic Logon Dialog

classic logon method19
Classic Logon Method

Last slide viewed

activity20
Activity
  • In the "User Accounts" applet change between the "Windows Welcome" and "Classic" logon methods
  • Try logging on using each
logging on to windows xp
Logging On to Windows XP
  • When Windows XP Professional first is installed, two accounts are automatically created
    • Administrator
    • Guest
administrator page 1
Administrator (Page 1)
  • Most powerful user account possible
  • Unlimited access and unrestricted privileges to manage users, groups, O/S environment, printers, shares, storage devices, etc.
  • Must be protected from misuse
    • Complicated password should be used
    • Account should be renamed
administrator page 2
Administrator (Page 2)
  • The original Administrator account:
    • Cannot be deleted
    • Cannot be locked out (occurs when user attempts to logon unsuccessfully)
    • Can be disabled (only performed manually by another administrator account)
    • Can have a blank password (not recommended)
    • Can be renamed (recommended)
    • Cannot be removed from Administrators local group
guest page 1
Guest (Page 1)
  • One of the least privileged user accounts
  • Limited access to resources and computer activities
  • Account should be renamed
  • Member of the "Everyone" group
  • Recommended to leave account disabled since by default all new objects and shares give full control for group "Everyone"
guest page 2
Guest (Page 2)
  • The original Guest account:
    • Cannot be deleted
    • Can be locked out
    • Can be disabled (disabled by default)
    • Can have a blank password (blank by default)
    • Can be renamed (recommended)
    • Can be removed from the Guests local group
naming conventions page 1
Naming Conventions (Page 1)
  • A predetermined process should be used for creating names on either a network or a standalone system
    • A convention is an accepted practice within an organization or even industry-wide
    • Important since networks usually tend to grow very quickly
naming conventions page 2
Naming Conventions (Page 2)
  • Should incorporate a schemes for naming:
    • User accounts
    • Computers
    • Directories
    • Network shares
    • Printers
    • Servers
naming conventions page 3
Naming Conventions (Page 3)
  • Two common conventions:
    • User name employs first and last name, and a code indicating user's department
    • Group name represents the organization of the firm: department, location, project name, and/or combination of the above
naming conventions page 4
Naming Conventions (Page 4)
  • Needs to be:
    • Consistent
    • Easy to use and understand
    • Easy to create new names using the convention (variations are predetermined)
    • Clearly identify the object's type
managing local user accounts
Managing Local User Accounts
  • Two types of local accounts:
    • Accounts created from scratch locally
    • Local representations of domain/network user accounts
  • User Accounts applet
    • Used to create local representation (only for a domain client)
    • In a standalone system, applet becomes a task wizard with easy-to-follow tasks
user accounts applet in a domain
User Accounts Applet in a Domain
  • Users tab
    • Lists active users
    • Add New User wizard to add users
  • Advanced tab
    • Access to
      • Password and passport management
      • Advanced user management
      • Secure logon settings
add a user in a domain

To find the user

in the domain

Add a User in a Domain

User Accounts applet

add a user in a domain35
Add a User in a Domain

User Accounts applet

properties in a domain
Properties in a Domain

User Accounts applet

activity39
Activity
  • Create a new user account named Jan Walters using the "User Accounts" applet
    • Limited privileges
    • No password
local users and groups console
Local Users and Groups Console
  • Found in "Computer Management" applet of Administrative Tools
  • Console tree nodes (in left frame) are Users and Groups
  • The list frame (on the right) shows the names of the user and/or group accounts
  • "Local Users and Groups" MMC snap-in also can be used to create and manage user accounts and groups
users node page 1
Users Node (Page 1)
  • Creating a new user account:
    • Select User node within the Local Users and Groups node
    • With no user selected, click Action New User… from the menu bar
      • Or right-click on any white space in list (right) frame and select New User…
    • Fill-in form and click the <Create> button
users node page 2
Users Node (Page 2)
  • Select any user account and click Action from menu bar (or right-click any user account name) to:
    • Set (reset) password
    • Delete user account
    • Rename user account
    • View user account properties
    • Help
users node page 3
Users Node (Page 3)
  • The Properties window for user accounts has three tabs:
    • General – update Fullname and Description, modify password properties, enable/disable the account, and manage locked out accounts
    • Member Of – list of group memberships with <Add…> and <Remove> buttons
users node page 4
Users Node (Page 4)
  • The Properties (con.):
    • Profile – defines:
      • Alternate location for the user's profile
        • By default stored in "c:\Documents and Settings\username"
      • Name of an optional logon script that executes after successful login
      • Alternate home directory, either a local folder or mapped network drive
        • By default "c:\Documents and Settings\username\My Documents"
activity48
Activity
  • Create an MMC console with the "Local Users and Groups" snap-in
  • Save it on the Desktop as filename "Local Users and Groups.msc"
activity 5 4
Activity 5-4
  • Create a local account with the "Local Users and Groups" MMC console snap-in
    • Username – BobTemp
    • Full Name – Bob Smith
    • Description – A temporary account for Bob
    • Password – provide and confirm
    • User must change password at next logon – deselected
activity 5 5
Activity 5-5
  • Add BobTemp account to the PowerUsers group from "User Accounts"
    • Found on the Members Of tab of Properties
    • Requires clicking the <Advanced> button, then the <Find Now> button
planning groups and system groups
Planning Groups and System Groups
  • Plan well in advance how to groups are to be managed
  • Pair groups with resources
  • Some sample organizational groupings:
    • Organizational units or departments
    • Authorized users of applications
    • Events, projects or special assignments
    • Location or geography
    • Individual function or job description
working with default groups page 1
Working with Default Groups (Page 1)
  • Administrators
    • Full access; the local Administrator account is always a member
  • Backup Operators
    • Has the ability to backup and restore all files and folders; no default members
  • Guests
    • Can operate the computer and save files; cannot install programs or alter system settings; default member of group Guest
working with default groups page 2
Working with Default Groups (Page 2)
  • Network Configuration Operators
    • Able to configure network components; no default members
  • Power Users
    • Can modify the computer and create user accounts, share resources and install programs; cannot access files that belong to others; no default members
  • Remote Desktop Users
    • Can logon remotely; no default users
working with default groups page 3
Working with Default Groups (Page 3)
  • Replicator
    • Facilitates directory replication between systems and domains; no default users
  • Users
    • Able to operate computer and save files; cannot install programs; modify user accounts, share resources, or alter system settings; all new users are default members
  • HelpServicesGroup
    • Used by Microsoft's "Help and Support" center to provide remote support
groups node page 1
Groups Node (Page 1)
  • Creating a new group account:
    • Select Group node within the Local Users and Groups node
    • With no group selected, click Action New Group… from the menu bar
      • Or right-click on any white space in list (right) frame and select New Group…
    • Fill-in Group Name and Description
    • The <Add…> button is for adding user accounts to the group
    • Click <Create> button when finished
groups node page 2
Groups Node (Page 2)
  • Select any group account and click the Action command from menu bar (or right-click any group account name) to:
    • Add (new user accounts) to group
    • Delete group account
    • Rename group account
    • View group account properties
    • Help
groups node page 3
Groups Node (Page 3)
  • The Properties window for user accounts has one tab:
    • General – update the Description, and display list of group members with <Add…> and <Remove> buttons
activity 5 6
Activity 5-6
  • Create a local group account and add user account BobTemp to group with the "Local Users and Groups" MMC console snap-in
    • Group name – SalesGroup
    • Description – Members of the Sales Department
    • Requires first clicking the <Add…> button in "Properties", then the <Advanced> button, and then the <Find Now> button
user profiles
User Profiles
  • Collection of desktop and environmental configurations
  • Computer maintains profile for each user
  • Material such as Application data, My Documents, cookies, etc.
  • A new profile is created for a user at the first successful logon
    • Even for the Guest account
local profiles
Local Profiles
  • Set of specifications and preferences for an individual user
  • Stored on the local machine residing in the %username% subdirectory beneath the \Documents and Settings directory
  • Set up by example
    • As the user modifies the system
  • Saved on logout
roaming profiles page 1
Roaming Profiles (Page 1)
  • Roaming profiles are user profiles that are stored in the server
  • Each time the user logs on, their profile is requested and sent to whatever machine makes the request
  • Default path designation:
    • \\computername\username
roaming profiles page 2
Roaming Profiles (Page 2)
  • To create a roaming profile:
    • Click Start, right-click My Computer, and select Properties from shortcut menu
    • Click the Advanced tab, and then click Settings under "User Profiles"
    • In the Profiles stored on this computer list, click the profile that you want
    • To change the type of profile, click Change Type, click Roaming profile, and then click <OK> button
activity63
Activity
  • On the Desktop create a shortcut for the previously created "Local Users and Groups" MMC console
  • Now move the console itself (not the shortcut) to your "My Documents" folder
  • Create a new folder named Consoles in "C:\Documents and Settings\username\Start Menu\Programs"; move the shortcut to it
  • Now click Start menu Programs etc.
application of local and group policies
Application of Local and Group Policies
  • Several security and access controls
  • Local computer group policy is managed from a Windows XP Professional system
    • Found in "Local Security Settings" dialog of Administrative Tools applet in Control Panel
  • Group policies (GPOs) can be defined for the domain, sites, and organizational units (OUs) from Active Directory
password policy page 1
Password Policy (Page 1)
  • Defines the restrictions on passwords
  • Restrictions include:
    • Enforce password history – to prevent reuse of old passwords
    • Maximum password age – how often it must be reset
    • Minimum password age – how long before it can be changed

Password Policy screen

password policy page 2
Password Policy (Page 2)
  • Restrictions include (con.):
    • Minimum password length – minimum characters in the password
    • Password must meet complexity requirements – as defined by Microsoft, i.e. minimum number of alphabetic characters, plus minimum number of numeric characters

Password Policy screen

password policy
Password Policy

Last slide viewed

activity 5 11 part 1
Activity 5-11 (Part 1)
  • Update password policies:
    • Security Settings
      • Account Policies
        • Password Policy
          • Enforce password history – 5
          • Maximum password age – 60
          • Minimum password age – 2
          • Minimum password length – 6
account lockout policy page 1
Account Lockout Policy (Page 1)
  • Conditions that result when a user account is locked out from too may failed login attempts
  • Used to prevent brute force attacks against user accounts

Account Lockout Policy

account lockout policy page 2
Account Lockout Policy (Page 2)
  • Policy items include:
    • Account lockout threshold – number of failed logins before account locked out
    • Account lockout duration – minutes account remains locked out; if set to zero, requires administrative action to unlock
    • Reset account lockout counter after – length of time before lockout counter resets

Account Lockout Policy

account lockout policy
Account Lockout Policy

Last slide viewed

activity 5 11 part 2
Activity 5-11 (Part 2)
  • Update password policies:
    • Security Settings
      • Account Policies
        • Account Lockout Policy
          • Account lockout threshold – 3
          • Account lockout duration – 30
          • Reset account lockout after – 15
audit policy
Audit Policy
  • Defines events recorded in Security log of Event Viewer (covered in Chapter 6)
  • Used to track resource usage
  • Items (not full list):
    • Audit directory service access (access to "Active Directory")
    • Audit logon events
    • Audit account logon events
    • Audit system events

Audit Policy

audit policy75
Audit Policy

Last slide viewed

activity 5 11 part 3
Activity 5-11 (Part 3)
  • Update password policies:
    • Security Settings
      • Local Policies
        • Audit Policy
          • Audit logon events – Failure
          • Audit system events – Failure
user rights assignment
User Rights Assignment
  • Defines who (which groups or users) can perform the specific privileged action
  • Items (not full list):
    • Access this computer from the network
    • Add workstations to domain
    • Back up files and directories
    • Change the system time
    • Load and unload device drivers
    • Profile single process
    • Shut down the system

User Rights Assignment

user rights assignment78
User Rights Assignment

Last slide viewed

activity 5 12
Activity 5-12
  • Update password policies:
    • Security Settings
      • Local Policies
        • User Rights Assignment
          • Add workstations to domain – Power Users
security options
Security Options
  • Controls a wide variety of security features, functions, and controls of environment
  • Items (not full list):
    • Accounts—including enabling and renaming Administrator and Guest accounts
    • Devices—access to and installation options
    • Domain member—requirements
    • Interactive logon—modifying logon process
    • Microsoft network server—behaviors

Security Options

security options81
Security Options

Last slide viewed

customizing the logon process
Customizing the Logon Process
  • The Administrator can alter the default logon process by modifying Winlogon, the process that produces the logon dialog, i.e.
    • Deactivating Ctrl+Alt+Delete to start logon
    • Disabling display of the last username
    • Adding a security warning message
    • Disabling the shutdown button
    • Changing the shell
    • Automating logons
    • Automatic account lockout
deactivating ctrl alt delete to start logon
Deactivating <Ctrl>+<Alt>+<Delete> to Start Logon
  • Access to Windows Classic logon window usually is initiated by pressing together the keys <Ctrl>+<Alt>+<Delete>
  • Forces the XP security logon sequence
  • However requirement can be disabled
  • Edit with Local Security Policy dialog in "Administrative Tools" (Security Options):
    • Interactive logon: Do not require Ctrl+Alt+Delete set to "Enabled"
activity84
Activity
  • Deactivate <Ctrl>+<Alt>+<Delete> for Windows Classic logon dialog:
    • Security Settings
      • Local Policies
        • Security Options
          • Interactive logon: Do not require CTRL + ALT + DELETE – Enabled
disabling the default username page 1
Disabling the Default Username (Page 1)
  • By default the Classic Logon Window displays name of the last user to logon
  • May not be secure if the workstation often is left unattended
  • Edit with Local Security Policy dialog in "Administrative Tools" (Security Options):
    • Interactive logon: Do not display last username set to "Enabled"
activity 6 3
Activity 6-3
  • Disabling the default username for Windows Classic logon dialog:
    • Security Settings
      • Local Policies
        • Security Options
          • Interactive logon: Do not display last username – Enabled
disabling the default username page 2
Disabling the Default Username (Page 2)
  • Many security values also can be viewed and even updated directly in the Registry
  • To view display of last username value in the registry, run the "regedit" command from Start menuRun
disabling the default username page 3
Disabling the Default Username (Page 3)
  • Locate the key at:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogin
  • Select the DontDisplayLastUserName value and change it:
    • Enabled = "0"
    • Disabled = "1"
adding security warning message page 1
Adding Security Warning Message (Page 1)
  • Might be legally obligated to add a warning message for unauthorized usage
  • Edit with Local Security Policy dialog in "Administrative Tools" (Security Options):
    • Interactive logon: Message text for users attempting to logon–set to any warning message
    • Interactive logon: Message title for users attempting to logon–title bar text
activity 6 4
Activity 6-4
  • Adding a security warning caption and message before logon:
    • Security Settings
      • Local Policies
        • Security Options
          • Interactive logon: Message text for users attempting to logon – Authorized CS28 users only! Unauthorized access will be punished to the full extent of the law
          • Interactive logon: Message title for users attempting to logon – Warning!
adding security warning message page 2
Adding Security Warning Message (Page 2)
  • To modify the warning title and text in the registry, locate their keys at:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogin
  • Select the following:
    • LegalNoticeCaption – title bar text
    • LegalNoticeText – the text message
disabling the shutdown button page 1
Disabling the Shutdown Button (Page 1)
  • Windows XP logon window includes Shutdown button
    • Eliminates the potential for unwanted system shutdowns
  • Edit with Local Security Policy dialog in "Administrative Tools" (Security Options):
    • Shutdown: Allow system to be shut down without having to log on set to "Disabled"
  • Machine still can be physically powered-off
activity93
Activity
  • Disable the shutdown button:
    • Security Settings
      • Local Policies
        • Security Options
          • Shutdown: Allow system to be shut down without having to log on – Disabled
disabling the shutdown button page 2
Disabling the Shutdown Button (Page 2)
  • To disable the shutdown button in the registry, locate the key at:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogin
  • Select the ShutdownWithoutLogon value and change it:
    • Enabled = "1"
    • Disabled = "0"
automating logons page 1
Automating Logons (Page 1)
  • Values for username and password can be coded into Registry to automate logons
  • When enabled, the login dialog is bypassed
  • Execute "regedit" from Start menu Run
  • Locate the key:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogin
automating logons page 2
Automating Logons (Page 2)
  • Registry settings:
    • DefaultDomainName – only when logging into a domain
    • DefaultUserName – your logon name
    • DefaultPassword – delete this key if automatic logon is not turned on
    • AutoAdminLogon – value set to "1" to automate login
    • (Keys that do not exist must be created – right-click on parent node and select the command New String)
activity97
Activity
  • Turn on automatic logon:
    • DefaultDomainName – not required (should be your computer name)
    • DefaultUserName – your account name
    • DefaultPassword – create this key if it already does not exist; leave blank if there is no password
    • AutoAdminLogon – 1
automating logons page 3
Automating Logons (Page 3)
  • Dialog window to control automatic logons:
    • Execute "control userpasswords2 " from Start menu Run
    • In new window select the account you wish to make the primary logon
    • Unselect "Users must enter a username and password..." checkbox
    • Click <Apply> and a dialog box will appear asking you to confirm password
    • Click <OK> when you are done
files and settings transfer wizard
Files and Settings Transfer Wizard
  • Move data files and personal desktop settings from another computer to new Windows XP Professional system
  • Must have some sort of network connection between the two systems
  • Transfer files from Windows 95, 98, SE, Me, NT, 2000, or XP systems
  • Transfer process can take considerable time
activity 5 13
Activity 5-13
  • Transfer files and settings using the "Files and Settings Transfer Wizard"
  • Start menu  Programs
  • Quit at the Auto detect
user state migration tool usmt page 1
User State Migration Tool (USMT) (Page 1)
  • Alternate to "Files and Settings Transfer Wizard" which also supports migration of user data from:
    • Windows 9x
    • Windows NT Workstation 4.0
    • Windows 2000 Professional

… to a Windows XP Professional system

  • Permits administrators to fully customize specific settings such as modifications to the registry
user state migration tool usmt page 2
User State Migration Tool (USMT) (Page 2)
  • The utilities are:
    • ScanState.exe – collects user data and settings based on the information that is contained in the Migapp.inf, Migsys.inf, Miguser.inf and Sysfiles.inf files
    • LoadState.exe – deposits user-state data on computer running clean (not upgraded) installation of Windows XP Professional
  • Requires client computer be connected to a Microsoft Windows server-based domain controller