Users, Groups, Profiles, and Policies

70-270: MCSE Guide to Microsoft Windows XP Professional
Chapter 5: Users, Groups, Profiles, and Policies
Objectives
• Understand Windows XP Professional user accounts
• Understand the different types of logons
• Understand how to log on to Windows XP
• Understand naming conventions
• Create and manage local user accounts
• Planning groups and system groups
Objectives (continued)
• Work with Windows XP as a domain client
• Create user profiles
• Work with group policies
• Troubleshoot cached credentials
• Understand the Files and Settings Transfer Wizard and the User State Migration Tool (USMT)
Windows XP Professional User Accounts
• Designed for use as a network client for:
• Windows NT
• Windows 2000
• Windows Server 2003
• Member of a workgroup
• Standalone operating system
Types of Windows XP Professional User Accounts
• Local user account
• Exists on a single computer
• No domain access
• Domain user account
• Exists throughout a domain
• Can be used on any domain member computer
How Accounts Interact with a Windows XP Professional System
• Standalone system, automatic logon
• Standalone system
• Workgroup member
• Domain network client
Supporting More Than One User
• Multiple-user systems
• Implemented through:
• Groups
• Resources
• Policies
• Profiles
Types of Logon
• Logon authentication has two purposes:
• Maintain security
• Track computer usage
Windows Welcome Logon Method
• Completely new logon method
• Designed for use on standalone or workgroup member systems
• List of user accounts with icons
• Fast User Switching
• Switch users without logoff
Classic Logon Method
• Press Ctrl+Alt+Delete to access WinLogon security dialog box
• Required for domain member systems
Logging On to Windows XP
• XP automatically creates accounts
• Administrator
• Guest
Administrator
• Most powerful user account possible
• Unlimited access and unrestricted privileges
• Must be protected from misuse
• Complicated password should be used
• Should rename this account
Administrator (continued)
• Characteristics:
• Cannot be deleted
• Cannot be locked out
• Can be disabled
• Can have a blank password (however, this is not recommended)
• Can be renamed (which is recommended)
• Cannot be removed from the Administrators local group
Guest
• One of the least privileged user accounts
• Limited access to resources and computer activities
• Should rename account
• Member of the Everyone group
• Recommended to leave the Guest account disabled
Guest (continued)
• Characteristics:
• Cannot be deleted
• Can be locked out
• Can be disabled (it is disabled by default)
• Can have a blank password (it is blank by default)
• Can be renamed (which is recommended)
• Can be removed from the Guests local group
Naming Conventions
• Predetermined process for creating names on network or standalone system
• Should incorporate a scheme for:
• User accounts
• Computers
• Directories
• Network shares
• Printers
• Servers
Managing Local User Accounts
• Two types:
• Local representations of domain/network user accounts
• Created from scratch locally
• User Accounts applet
• Used to create local representation
• Local Users and Groups snap-in
• Used to create accounts from scratch
User Accounts Applet
• Users tab
• Lists active users
• Add New User wizard to add users
• Advanced tab
• Access to
• Password and passport management
• Advanced user management
• Secure logon settings
Local Users and Groups
• Create and manage local users
• Console tree nodes:
• Users
• Groups
Planning Groups and System Groups
• Plan how to manage groups
• Pair groups with resources for administrative control
• Ongoing administrative task:
• Adding and removing users from groups
Working with Groups You’ve Made
• Must have a Windows NT, 2000, or Server 2003 server in a client/server environment
• Resource
• Has local groups assigned to it
• Global user groups
• Assigned to local resource groups
• Users
• Assigned to global groups
Assigning users access to resources using groups
Working with Default Groups
• Administrators
• Backup Operators
• Guests
• Network Configuration Operators
• Power Users
Working with Default Groups (continued)
• Remote Desktop Users
• Replicator
• Users
• HelpServicesGroup
Working with System Groups and Other Important Groups
• Built-in system-controlled groups
• Preexisting groups
• Cannot be edited
• Used by system to control or place restrictions on specific groups of users based on activities
Windows XP as a Domain Client
• Can serve as a client to an Active Directory domain
• Centralized control of user accounts and overall security
• Resources centrally located
• Management of access easier than a workgroup network
Adding a System as a Domain Client
• Add a Windows XP Professional system as a client in domain network:
• Administrator creates computer account in the domain
• Computer account in the domain is generated from the client
• Remove a client from a domain:
• Join a workgroup
Controlling a Domain Client
• Domain enforces control using group policy objects (GPOs)
• GPOs
• Registry templates
• Forced onto a system each time it starts or each time a user logs on
• Domain-level version of the local security policy
Access to Systems and Resources by a Domain Client
• Only members of domain can access systems and resources within domain
• Resources accessed through My Network Places
Group Types assigned by a Domain Client
• Administrators
• Backup Operators
• Guests
• HelpServicesGroup
• Network Configuration Operators
Group Types assigned by a Domain Client (continued)
• Power Users
• Remote Desktop Users
• Replicator
• Users
Active Directory Domain Containers
• Active Directory domain containers:
• Logical:
• Domain
• Organizational Unit (OU)
• Physical:
• Site
User Profiles
• Collection of desktop and environmental configurations
• Computer maintains profile for each user
• Material such as:
• Application data
• My Documents
• Cookies
• Etc.
Local Profiles
• Set of specifications and preferences
• For an individual user
• Stored on local machine
• Reside in the %username% subdirectory beneath the \Documents and Settings directory
• Set up by example
• Saved on logout
Roaming Profiles
• Resides on a network server
• Automatically downloaded to any system when user logs on
• Default path designation:
• \\computername\username
Application of Group Policies
• Several security and access controls
• Group policies (GPOs) can be defined for:
• Domain
• Sites
• Organizational units (OUs)
• Local computer group policy managed from a Windows XP Professional system
• Policies applied in order:
• LSDOU (local, site, domain, organizational unit)
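
How the LSDOU order resolves conflicting settings, as an added example that is not from the original slides: each level is applied in turn and a later level overwrites an earlier one. It assumes plain processing order with no No Override or Block Policy Inheritance options in play; the function name and the sample values are constructed for illustration.

```python
# Added example: resolve effective settings under LSDOU processing order.
LSDOU = ["local", "site", "domain", "ou"]

def effective_policy(policies):
    """policies: {level: {setting: value}}. Later levels in LSDOU win conflicts.

    Returns {setting: (value, winning_level, [(overridden_level, value), ...])}.
    """
    unknown = set(policies) - set(LSDOU)
    if unknown:
        raise ValueError(f"unknown policy level(s): {sorted(unknown)}")
    result = {}
    for level in LSDOU:  # apply in processing order
        for setting, value in policies.get(level, {}).items():
            overridden = []
            if setting in result:
                old_value, old_level, overridden = result[setting]
                overridden = overridden + [(old_level, old_value)]
            result[setting] = (value, level, overridden)
    return result

# Constructed sample policies (setting names follow the slides; values invented).
SAMPLE = {
    "local":  {"Account lockout threshold": 0, "Audit logon events": "none"},
    "domain": {"Account lockout threshold": 5, "Audit logon events": "failure"},
    "ou":     {"Audit logon events": "success,failure"},
}

if __name__ == "__main__":
    for name, (value, level, overridden) in effective_policy(SAMPLE).items():
        print(f"{name}: {value!r} from {level}, overrides {overridden}")
```
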
Password Policy
• Defines the restrictions on passwords
• Includes password age, length, etc.
Account Lockout Policy
• Defines the conditions under which a user account is locked out
• Used to prevent brute force attacks against user accounts
• Items:
• Account lockout threshold
• Account lockout duration
• Reset account lockout counter after
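
A simplified model of how the three Account Lockout Policy items interact, added here as an illustration and not taken from the slides or from Windows itself. The event list and policy values are constructed, and the class, function and outcome names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int        # failed logons that trigger lockout; 0 = never lock out
    duration_min: int     # minutes an account stays locked; 0 = until an admin unlocks
    reset_after_min: int  # minutes after which the failed-logon counter resets

def simulate(policy, events):
    """events: list of (minute, password_correct). Returns one outcome per event."""
    failures, last_failure, locked_at = 0, None, None
    outcomes = []
    for minute, ok in events:
        # A timed lockout ends once the lockout duration has elapsed.
        if (locked_at is not None and policy.duration_min > 0
                and minute - locked_at >= policy.duration_min):
            locked_at, failures = None, 0
        if locked_at is not None:
            outcomes.append("rejected-locked")  # even the correct password fails
            continue
        if ok:
            failures = 0
            outcomes.append("logon")
            continue
        # Earlier failures are forgotten once the reset window has passed.
        if last_failure is not None and minute - last_failure >= policy.reset_after_min:
            failures = 0
        failures += 1
        last_failure = minute
        if policy.threshold and failures >= policy.threshold:
            locked_at = minute
            outcomes.append("failed-now-locked")
        else:
            outcomes.append("failed")
    return outcomes

# Constructed sample events: (minute, password_correct)
EVENTS = [(0, False), (1, False), (2, False),     # three failures in a row
          (5, True),                              # correct password during lockout
          (40, True),                             # after the 30-minute lockout
          (50, False), (90, False), (91, False)]  # failures spread over time
POLICY = LockoutPolicy(threshold=3, duration_min=30, reset_after_min=30)

if __name__ == "__main__":
    for event, outcome in zip(EVENTS, simulate(POLICY, EVENTS)):
        print(event, outcome)
```

In the sample run the last three failures never reach the threshold because the counter resets between them, which is the gap that auditing logon events is meant to cover.
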
Audit Policy
• Defines events recorded in Security log of Event Viewer
• Used to track resource usage
• Items (not full list):
• Audit directory service access
• Audit logon events
• Audit account logon events
• Audit system events
User Rights Assignment
• Defines which groups or users can perform the specific privileged action
• Items (not full list):
• Access this computer from the network
• Back up files and directories
• Change the system time
• Load and unload device drivers
• Profile single process
• Shut down the system
Security Options
• Controls various security features, functions, and controls of environment
• Items (not full list):
• Accounts
• Devices
• Domain member
• Microsoft network server
Group Policies
• Domain-level version of the local security policy
• Two primary divisions:
• Computer Configuration
• User Configuration
Troubleshooting Cached Credentials
• Automatically caches user’s credentials in the Registry
• When domain logon or .NET Passport logon is performed
• Can be disabled:
• Enable the group policy setting of Interactive logon
• Set the cachedlogonscount Registry value to 0
Files and Settings Transfer Wizard
• Move data files and personal desktop settings from another computer to new Windows XP Professional system
• Must have some sort of network connection between the two systems
• Transfer files from Windows 95, 98, SE, Me, NT, 2000, or XP systems
• Transfer process can take considerable time
User State Migration Tool (USMT)
• Supports migration of user data from Windows 9x, Windows NT Workstation 4.0, and Windows 2000 Professional to a Windows XP Professional system
• Able to transfer the same files and settings that the Files and Settings Transfer Wizard can
• Fully configurable and scriptable
User State Migration Tool (USMT) (continued)
• Two command-line utilities:
• ScanState
• LoadState
• Read instructions and control parameters from INF files
• ScanState
• Used to create a backup of the user data
• LoadState
• Used to copy the data onto new target system
Summary
• Three types of users:
• Locally created users
• Imported users
• Domain users
• Users are collected into groups
• Simplifies management and the granting of access or privileges
• There are two built-in users, Administrator and Guest, and several built-in groups
• Profiles can be local or roaming
Summary (continued)
• Group policies are domain-level versions of the local security policy.
• The Files and Settings Transfer Wizard
• Used to move data files and personal desktop settings from one system to another.
• The User State Migration Tool
• Used for enterprise migrations