IOS110 Introduction to Operating Systems using Windows, Session 7

Objectives:
- Microsoft Management Console (MMC)
- User Accounts
- Group Accounts

Microsoft Management Console

MMC
- Tool designed by Microsoft as a unified interface to manage administrative tools and third-party applications
- Does not contain the tools themselves, just a framework for "snap-ins"
- The snap-ins provide the functionality
- The MMC is designed with the look and feel of Windows Explorer
- You can design your own console and save it as a .msc file; this file can then be distributed

Advantages:
- A common interface saves time and avoids a learning curve for each new tool
- Can perform administrative tasks from a single computer
- Most snap-ins allow for remote access/administration, which saves having to be physically in front of the machine you are trying to administer
- Can create custom consoles and distribute them to personnel delegated with a subset of administrative tasks

Console Modes
The console can run in two modes:
- Author Mode
  - Provides total access to all MMC functionality
  - This is the default mode for all newly created consoles
- User Mode
  - Reduced functionality
  - Cannot add or remove snap-ins or save changes to the console

What each mode permits:
- Author Mode: permits creation and modification
- User mode, full access: allows navigation between snap-ins, opening new windows, and access to all parts of the console tree
- User mode, limited access, multiple windows: allows users to view multiple windows in the console; cannot open new windows or other portions of the console tree
- User mode, limited access, single window: permits the user to view only one window in the console; the user cannot open new windows or gain access to other portions of the tree

Snap-ins
- Program controls that provide the actual management environment
- All have a similar look and feel
- Can be:
  - Stand-alone snap-ins
  - Extension snap-ins

Stand-alone Snap-ins
- Each manages a particular XP function
- Some written by Microsoft, others written by vendors to Microsoft specifications

Extension Snap-ins
- Provide additional functionality to stand-alone snap-ins
- When adding an extension to a stand-alone snap-in, only those extensions that are compatible with the stand-alone snap-in are displayed
- Certain snap-ins can be configured to act as a stand-alone snap-in or as an extension snap-in (Event Viewer)

User Accounts

Three categories:
- Local User Accounts
- Domain User Accounts
- Built-in User Accounts

Local User Accounts
- Required to log on to a WinXP computer that is not part of a domain
- If used to log on to a WinXP computer that is part of a domain, you will have access only to resources on that computer
- Each computer maintains its own security accounts database, and does not share it. Computers participating in a Workgroup do not share their accounts database
- Local accounts cannot be controlled through a domain or its administrators
- Three types:
  - Restricted
  - Standard
  - Computer Administrator

Local User Accounts - Restricted
- Change the picture associated with the user's account
- Set, change or remove the user's password

Local User Accounts - Standard
- Same as restricted, includes additional privileges
- Make changes to basic computer settings such as display properties and power settings

Local User Accounts - Computer Administrator
- Has system-wide privileges:
  - Create, modify or delete user accounts
  - Perform computer-wide configuration changes
  - Install hardware and software
  - Gain access to all files on the computer

Domain User Accounts
- Domain user accounts allow access to resources anywhere on a Windows Domain
- The user provides a user ID and password to log on; however, the user ID and password are stored on a Domain Controller (running Active Directory)
- When authenticated, an Access Token is generated for the user for the duration of their session
- Access Control Lists (ACLs), made up of Access Control Entries (ACEs), determine the rights the user has
- A change to the ACL can only be picked up by generating a new Access Token (logoff, logon)

Built-in User Accounts
During installation Windows XP creates two accounts automatically:
- Administrator
- Guest

Built-in User Accounts - Administrator
- Scope of control is over the machine it is created on
- Used to:
  - create and modify user accounts and user groups
  - create printers
  - configure hardware and disk volume options
  - manage security policies
  - assign permissions to users and groups
- Microsoft recommends that a separate account be set up for day-to-day use, similar in concept to creating a separate Linux account and not using "root" for day-to-day use
- A good idea to change its name; hackers will try "Administrator"

Built-in User Accounts - Guest
- Designed to allow occasional or temporary users to log on to a computer or network and access a limited set of resources
- If not required, leave it disabled (default setting)
- If required, assign it a password
- Consider renaming it, or at least logging attempts to use the account (evidence of hackers present)

Naming User Accounts
- The naming convention is a set of rules for creating user IDs, so that they are unique and easy to remember
- The following are considerations:
  - Unique names are required for local accounts or for the domain
  - The system stores the first 20 characters of the user name
  - Cannot use restricted characters, the same as are restricted in file names:
    » " \ / [ ] : ; | = , + *
  - Not case sensitive
  - Have a method to resolve duplicates (John Smith and James Smith might both be JSMITH, so make one JSMITH, the other JSMITH1)
  - Some organisations embed the department into the user ID
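The naming rules above as an added example (not part of the original slides): a checker and generator that applies the 20-character limit, the restricted characters, case-insensitive uniqueness and the JSMITH/JSMITH1 duplicate rule. The function names and the choice to put the department in front of the name are assumptions made for illustration.

```python
# Added example: user ID checks based on the slide's naming rules.
RESTRICTED = set('"\\/[]:;|=,+*')   # characters listed on the slide
MAX_LEN = 20                        # only the first 20 characters are stored


def stored_form(name):
    """Key used for uniqueness: first 20 characters, case ignored."""
    return name[:MAX_LEN].upper()


def problems(name, existing):
    """Return a list of rule violations for a proposed account name."""
    issues = []
    if not name.strip():
        issues.append("empty name")
    bad = sorted(set(name) & RESTRICTED)
    if bad:
        issues.append("restricted characters: " + " ".join(bad))
    if len(name) > MAX_LEN:
        issues.append(f"only the first {MAX_LEN} characters are stored")
    if stored_form(name) in {stored_form(e) for e in existing}:
        issues.append("collides with an existing account")
    return issues


def _clean(text):
    """Drop restricted characters and whitespace from a name part."""
    return "".join(c for c in text if c not in RESTRICTED and not c.isspace())


def make_user_id(first, last, existing, dept=""):
    """First initial + surname (optional department prefix, hypothetical).

    On a collision a number is appended, and the base is shortened so the
    suffix still fits inside the 20 stored characters.
    """
    base = (_clean(dept) + _clean(first)[:1] + _clean(last)).upper()
    if not base:
        raise ValueError("no usable characters in the name")
    taken = {stored_form(e) for e in existing}
    candidate, n = base[:MAX_LEN], 0
    while stored_form(candidate) in taken:
        n += 1
        suffix = str(n)
        candidate = base[:MAX_LEN - len(suffix)] + suffix
    return candidate


if __name__ == "__main__":
    accounts = {"jsmith"}                       # constructed sample data
    print(make_user_id("James", "Smith", accounts))
    print(problems("j:smith", accounts))
```

The truncation case matters in practice: two long names that differ only after the twentieth character are the same account name as far as the stored form is concerned.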

Creating Passwords
- Used in conjunction with a user ID
- Common guidelines:
  - Assign a password to the Administrator account
  - Implement a consistent password changing policy, either:
    » assign the password to the user, and do not let them change it
    » assign an initial password, and force the user to change it the first time they log in. Allow them to change the password in the future as well. This is the recommended policy. There are other controls that will determine the change frequency and 'strength'
  - Select passwords that are difficult to guess: avoid dictionary words, family names, clichés, profanities, and obvious passwords
  - Use a minimum length of eight characters for the password; more is better but harder to realistically use (WinXP limits passwords to 128 characters)
  - Use non-alphabetic characters, as well as mixed case characters

User Profiles
- One of the tabs in User Account Properties
- Used to specify:
  - Profile path
  - Logon script name
  - Home folder path
- The user profile (on the user profile path) contains registry entries that define a user's working environment:
  - Application settings
  - Desktop settings
  - Personal information
  - Network settings, including mapped drives and other network connections
  - Start menu options
- Three types of user profiles:
  - Local
  - Roaming
  - Mandatory

User Profiles – Local User Profile
- WinXP automatically creates a user profile for each user account when a user logs onto a particular computer for the first time
- A "My Documents" folder is also created
- It is stored on the local computer
- By default a user can make changes to their profile by changing their environment (create shortcuts, map a network drive)
- When the user logs off, Windows saves the changes to the profile
- Profiles can be changed, copied or deleted through Control Panel's Advanced tab

User Profiles – Roaming User Profile
- A user's desktop and other settings remain consistent regardless of which PC they log on to
- Creating a roaming user profile:
  - Create and share a folder on a server that is accessible during logon
  - Specify the path to the share in the user's properties dialogue box
  - Copy the user's profile to this share

User Profiles – Mandatory User Profile
- Copy the ntuser.dat (the user's profile file) to ntuser.man
- The user can still make changes to their environment; however, the changes are not saved when the user logs off

Home Folders
- A Home Folder or Directory is the default for 'Save As...' and 'Open File...' dialogue boxes
- Can be located on the local computer or on a network share
- Use a server-based home folder if:
  - Users need access to data from different client PCs
  - Users on the network are using older operating systems, such as Win95 or MS-DOS
  - You have centralized administration and backup
  - Users log on to the network using Remote Access Service
  - Users are working on computers with minimal local disk space
  - Your network can handle the extra traffic that server-based home folders will generate

Folder Redirection
- Redirect the path of a folder to a new location
- For example, take the "My Documents" folder and redirect it to a network drive
- Regardless of where the user is, the "My Documents" folder behaves as if it were a local folder on the PC, and contains the files they stored there
- Similar in concept to a Home Folder; however, this can be applied on a per-folder basis
- Commonly used in conjunction with Roaming profiles

Resetting Passwords
- WinXP introduced a Password Reset Disk: users can reset their own passwords
- Contains a private/public key pair that the backup process creates
- A file on the PC contains the user's password encrypted under the public key; it is not associated with the SAM (Security Accounts Manager) database
- Can only be used for local user accounts
- Users must create their own disks; the Administrator cannot create one for them

Deleting a User Account
- Beware of the implications of deleting an account
- When the user is created, a unique Security Identifier (SID) is assigned to the account
- The SID is never reused, even if a new account contains the same account information
- There is no way to restore group membership or permission information once the account has been deleted
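Why deleting and recreating an account loses its access, as an added example (not part of the original slides): a toy model in which permissions and group memberships are keyed by SID, not by name. The class, the function names and the machine SID are constructed for illustration and are not a Windows API.

```python
# Added example: toy model of SID assignment, not real Windows code.
import itertools


class LocalAccountDb:
    def __init__(self, machine_sid):
        self.machine_sid = machine_sid
        self._rids = itertools.count(1000)  # relative IDs only count upward
        self.users = {}     # upper-cased account name -> SID
        self.members = {}   # group SID -> set of member user SIDs

    def _new_sid(self):
        return f"{self.machine_sid}-{next(self._rids)}"

    def create_user(self, name):
        key = name.upper()
        if key in self.users:
            raise ValueError(f"{name} already exists")
        self.users[key] = self._new_sid()
        return self.users[key]

    def create_group(self):
        sid = self._new_sid()
        self.members[sid] = set()
        return sid

    def delete_user(self, name):
        sid = self.users.pop(name.upper())
        for group_members in self.members.values():
            group_members.discard(sid)   # memberships go with the account
        return sid

    def token(self, name):
        """SIDs the session carries: the user's own SID plus group SIDs."""
        sid = self.users[name.upper()]
        return {sid} | {g for g, m in self.members.items() if sid in m}


def allowed(db, acl, name, right):
    """acl is a list of (trustee SID, set of rights) entries."""
    tok = db.token(name)
    return any(trustee in tok and right in rights for trustee, rights in acl)


def orphaned_aces(db, acl):
    """Trustee SIDs on the ACL that no longer resolve to any account."""
    known = set(db.users.values()) | set(db.members)
    return [trustee for trustee, _ in acl if trustee not in known]


def scenario():
    db = LocalAccountDb("S-1-5-21-1000000001-1000000002-1000000003")  # constructed
    payroll = db.create_group()
    old_sid = db.create_user("jsmith")
    db.members[payroll].add(old_sid)
    acl = [(old_sid, {"read", "write"}), (payroll, {"read"})]
    before = allowed(db, acl, "jsmith", "write")
    db.delete_user("jsmith")
    new_sid = db.create_user("jsmith")       # same name, different SID
    return {
        "write_before": before,
        "sid_reused": new_sid == old_sid,
        "write_after": allowed(db, acl, "jsmith", "write"),
        "read_after": allowed(db, acl, "jsmith", "read"),
        "orphans": orphaned_aces(db, acl),
        "old_sid": old_sid,
    }


if __name__ == "__main__":
    print(scenario())
```

The entry returned by `orphaned_aces` is the leftover permission that still names the deleted account's SID; it grants nothing to the recreated account and has to be cleaned up or re-granted by hand.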

Group Accounts

- A collection of user accounts
- Used to streamline the process of managing and administering accounts
- Permissions can be assigned to a group; all users that are members of that group inherit the permissions. Saves having to assign the permission to each individual user
- A user can also inherit the permissions if they are added to a group
- Various levels of group accounts:
  - Local group: groups are available only on the local computer
  - Universal group: users from all domains. Can be granted permissions to any resource in the domain forest
  - Global group: users from a single domain. Can be granted permissions to any resources in the domain forest
  - Domain local group: contains members from any domain, but can only be assigned resources in the domain where the account was created

Local Groups
- Stored on one computer in the local security database
- Used to assign permissions on that particular computer, and only that computer
- Also true of stand-alone servers in a Workgroup
- Note that:
  - you cannot create local groups on a domain controller
  - local groups created on Workgroup computers or stand-alone servers can only contain individual user accounts from the local security database
- Local groups have little to no value in a domain environment; they defeat the purpose of a domain
- Local groups cannot contain other local groups
- Local groups have access only to local resources on that computer

Built-in Local Groups
- Built-in groups are principally involved in administrative tasks
- You can:
  - assign users to built-in groups that most closely match their duties
  - assign users to a built-in group, and remove users from a built-in group
  - add and remove permissions to built-in groups (Administrator group already has full permissions)
- You cannot:
  - delete or rename a built-in group

Administrators Built-in Group
- Has all rights and permissions as the Administrator Account
- Full rights and privileges over files and other resources on a WinXP computer that is not a domain controller
- If a computer joins a domain, then the users that are members of the Domain Admin group are automatically added to the Administrator's group
- Default account type created when you add users through the Control Panel

Power Users Built-in Group
- Less than complete access to the computer
- Tasks include:
  - Installing most applications; cannot install applications that modify system files or contain a service component
  - Installing, managing, sharing and deleting printers
  - Sharing directories
  - Changing the system clock
  - Creating users and local groups, and deleting users and local groups that they created
- Can run legacy applications that are not certified for Win2K or WinXP (Users cannot run applications that have not been certified)
- Recommended group membership if you are the only user on the computer; prevents you from accidentally affecting system files. The Administrator account is still available if you lock your Power User account

Users Built-in Group
- All accounts, except Guest and Administrator, have membership in this group automatically
- Tasks include:
  - Run programs, manage files, use local and network printers
  - Create and manage self-created local groups
  - Manage their local user profile
- If the computer joins a domain, the Domain Users global group is automatically added as a member of the Users local group

Guest Built-in Group
- Limited access to a computer's resources
- Cannot make permanent changes to their desktop environment
- If the computer joins a domain, the Domain Guests global group is automatically added as a member of the Guests local group

Backup Operators
- Permits users to back up and restore all files and folders on a workstation using Microsoft's Backup program

Replicator
- Supports replication of data between computers in a domain, e.g. the directory or other important files and folders

Network Configuration Operators
- Manage and configure networking features, such as IP address assignment

Remote Desktop Users
- Allowed to connect to your computer using the Remote Desktop feature

Help Services Group
- Use 'helper' applications to diagnose system problems

System Group Functions
- You cannot assign system group membership to a user
- You cannot remove permissions from, or assign permissions to, a system group
- You cannot rename or delete a system group
- Common System Groups:
  - Everyone: anyone who accesses a WinXP computer
  - Network: accesses network resources
  - Creator Owner: creates objects (files, folders)
  - Authenticated Users: has a valid account or has joined a domain
  - Interactive: logged on locally to a WinXP computer
  - Anonymous Logon: any user WinXP is aware of, but who has not authenticated
  - Dialup: user with a dial-up connection