Managing User, Computer and Group Accounts
Lecture 5
Computer Accounts
To access a Windows Server 2008 domain, a computer needs an account. Joining a domain creates a computer account object in Active Directory. Each computer account has a SID (other security principals, such as users and groups, have SIDs as well).
User Accounts
To access a Windows Server 2008 network, a user needs an account.
The account determines 3 factors:
- when a user may log on (logon hours)
- where within the domain/workgroup (which computers the user may log on to)
- what privilege level a user is assigned
User Accounts
Each account has a SID. The SID, not the name, is what appears in access tokens and in ACLs, so it is the account's security identity.
Anything trying to access a resource must do so through an account (a security principal). Windows Server 2008 has 2 types of user accounts: local and domain.
Interactive Logon Process
Interactive logon is the process of verifying a user's credentials for logon at a Windows Server 2008 computer. For a local account, the credentials are checked against the local account database (the SAM). For a domain account, the credentials are verified at a domain controller by an authentication protocol (Kerberos by default, NTLM as fallback); after successful authentication, the Local Security Authority builds an access token for the logon session.
Network Authentication Process
Network authentication is the process of verifying a user's credentials to allow access to network resources. When a user attempts to access a resource, the SIDs in the user's access token (the user SID plus all group SIDs) are compared against the resource's ACL to decide whether access is granted.
Local Accounts
Supported on all Windows 2000, 2003 and 2008 systems except DCs (on member servers participating in domains and on standalone systems participating in workgroups). Maintained in the local system's SAM database, not distributed to other systems. A local user account authenticates the user for local machine access only; other computers do not know the account, so access to their resources is not supported. Built-in local accounts: Guest; Administrator.
Domain User Accounts
Permit access throughout a domain and provide centralized user administration through AD. Created within a domain container (an OU or the Users container) in the AD database and replicated to all other DCs of the domain. Once authenticated against the AD database (the Global Catalog is consulted for universal group membership), a user obtains an access token for the logon session, which determines permissions to all resources in the domain.
Creating User Accounts
Domain account names must be unique within the domain, although the same logon name can be used on several systems with local logon. Logon names (the pre-Windows 2000 logon name, sAMAccountName) are not case sensitive, must not exceed 20 characters, and must not contain: + , * ? < > / \ [ ] : ;. Passwords are case sensitive and must be secure (not easy to guess).
Copying, Moving, Disabling and Renaming User Accounts
Renaming an account doesn't affect any of the account's properties except the name (the SID stays the same, so group memberships and permissions are kept). Accounts can be moved from one container to another. A disabled account can't be used to log on. When an account is copied, most properties are copied, except the username, full name, password, logon hours, address/phone info, organization info, the Account is disabled option, and user rights and permissions.
Deleting User and Computer Accounts
Deleting an account permanently removes it together with all of its group memberships, permissions and user rights. A new account with the same name receives a different SID and GUID, so ACL entries that referred to the old SID no longer match anyone (they show up as an unresolved SID). Disabling an account may be a better option! Administrator and Guest can be renamed, but not deleted.
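The account lifecycle from the last three slides (logon-name rules, create, disable, delete, recreate with the same name), as an added PowerShell example that is not part of the lecture. It assumes the ActiveDirectory RSAT module, a test OU `OU=Lab,DC=example,DC=com`, the UPN suffix `example.com` and the logon name `jdoe`; all of these are made up for the example.

```powershell
# Added example, not from the lecture. Assumes the ActiveDirectory module and a
# lab OU / UPN suffix that exist only in this example.
Import-Module ActiveDirectory

$labOu     = 'OU=Lab,DC=example,DC=com'   # assumed test OU
$upnSuffix = 'example.com'                # assumed UPN suffix

function Test-LogonName {
    # Returns $null when the sAMAccountName satisfies the rules from the slide,
    # otherwise a string describing the violation.
    param([Parameter(Mandatory)][string]$SamAccountName)

    if ($SamAccountName.Length -gt 20) {
        return "longer than 20 characters ($($SamAccountName.Length))"
    }
    # Forbidden: + , * ? < > / \ [ ] : ;   (single-quoted, so backslashes are literal)
    if ($SamAccountName -match '[+,*?<>/\\\[\]:;]') {
        return 'contains a forbidden character'
    }
    # Uniqueness is per domain; the AD filter is case-insensitive, which matches
    # the rule that logon names are not case sensitive.
    if (Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'") {
        return 'already exists in this domain'
    }
    return $null
}

function New-LabUser {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][securestring]$Password)

    $problem = Test-LogonName -SamAccountName $SamAccountName
    if ($problem) { throw "Rejected logon name '$SamAccountName': $problem" }

    New-ADUser -Name $SamAccountName `
               -SamAccountName $SamAccountName `
               -UserPrincipalName "$SamAccountName@$upnSuffix" `
               -Path $labOu `
               -AccountPassword $Password `
               -Enabled $true
    # Re-read the object so the SID and GUID are populated.
    Get-ADUser -Identity $SamAccountName
}

$pw    = Read-Host -AsSecureString -Prompt 'Initial password'
$first = New-LabUser -SamAccountName 'jdoe' -Password $pw
'Created {0}: SID {1}, GUID {2}' -f $first.SamAccountName, $first.SID.Value, $first.ObjectGUID

# Disabling is reversible: SID, group memberships and permissions are all kept.
Disable-ADAccount -Identity $first.SamAccountName
'Enabled after disable: {0}' -f (Get-ADUser -Identity $first.SamAccountName).Enabled

# Deleting is permanent: the object, its SID and its GUID are gone.
Remove-ADUser -Identity $first.SamAccountName -Confirm:$false

# Recreating the same logon name yields a brand-new security principal.
$second = New-LabUser -SamAccountName 'jdoe' -Password $pw
'Recreated {0}: SID {1}, GUID {2}' -f $second.SamAccountName, $second.SID.Value, $second.ObjectGUID
if ($first.SID.Value -ne $second.SID.Value) {
    'Same name, different SID: ACEs granted to the old SID no longer match this user.'
}
```

Run it as a domain administrator against a single DC so the uniqueness check in Test-LogonName and the recreate step see the same replica. The last comparison is the point of the slide: every ACE, group membership and user right that named the old SID is lost with the deletion, which is why disabling is usually the better first step.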
Understanding User Account Properties
As with all AD objects, user accounts have a number of associated properties or attributes. Once the account is created, those properties may be modified using the Computer Management tool (local accounts) or Active Directory Users and Computers (domain accounts).
Group Accounts
Group: an AD object that contains users, computers and other groups (groups have SIDs too). Groups are used for easier management of users, computers and resources. The access token identifies the groups to which a user belongs and therefore the rights assigned through them. 2 types of groups:
- Distribution groups: used for e-mail distribution lists; cannot be used to assign permissions
- Security groups: used to assign permissions to groups that need access to resources, or to deny access
Example of Access Token
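The slide shows an access token as a figure. As an added example (not the lecture's figure), the following PowerShell reads the access token of the current logon session and lists every SID in it, tagging the well-known identities that the Special Groups slide later names. It needs only Windows and .NET; no AD module and no other names are assumed.

```powershell
# Added example, not from the lecture: inspect the current logon session's
# access token. Works for local and domain logons alike.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Well-known SIDs of the "special groups" from the lecture. The token gets
# these from the logon type, not from any group object in AD or the SAM.
$specialSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-2'  = 'NETWORK'
    'S-1-5-4'  = 'INTERACTIVE'
    'S-1-5-6'  = 'SERVICE'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-18' = 'SYSTEM'
}

function Get-TokenGroupReport {
    param([System.Security.Principal.WindowsIdentity]$Identity = $identity)

    # Domain part of the user's own SID; $null for SIDs that have no domain.
    $domainSid = $Identity.User.AccountDomainSid

    foreach ($sid in $Identity.Groups) {
        if ($specialSids.ContainsKey($sid.Value)) {
            $kind = 'special identity'
        }
        elseif ($sid.Value -like 'S-1-5-32-*') {
            $kind = 'built-in local group'
        }
        elseif ($domainSid -and $sid.IsEqualDomainSid($domainSid)) {
            $kind = 'group in the user''s own domain'
        }
        else {
            $kind = 'other (logon session SID, group from another domain, ...)'
        }

        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            # Logon-session SIDs and SIDs of deleted groups do not resolve.
            $name = $specialSids[$sid.Value]
        }

        [pscustomobject]@{ SID = $sid.Value; Name = $name; Kind = $kind }
    }
}

$report = @(Get-TokenGroupReport)
'Token for {0} (user SID {1}) carries {2} group SIDs' -f $identity.Name, $identity.User.Value, $report.Count
$report | Sort-Object Kind, SID | Format-Table -AutoSize

# Nested memberships are already flattened in the token: if the user is in a
# global group that is itself in a domain local group, both SIDs are present.
# That is how rights through groups become cumulative, and also why a group
# change made after logon is not seen until the user logs on again.
```

The built-in `whoami /groups` prints the same list. Comparing the output of a console logon with that of a remote session shows the point of the special identities: the same account appears with INTERACTIVE in one token and NETWORK in the other, which an ACL can use to grant different access depending on how the user arrived.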
Group Accounts
Rights and privileges are assigned at the group level.
Groups can be nested (membership by inheritance). A user's rights and privileges through group memberships are cumulative (an explicit Deny in an ACL, however, overrides an Allow gained through another group).
Group/User relationship
Diagram (group labels Group 1, Group 2, Group 3): Group 3 is a member of Group 1, so members of Group 3 inherit what is granted to Group 1.
Group Scope
Scope of influence (or scope): the reach of a group for gaining access to resources in Active Directory. Types of groups and associated scopes:
- Local
- Domain local
- Global
- Universal
Local Groups
Local security group: used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain (non-DCs). Created using the Local Users and Groups MMC snap-in.
Domain Local Groups
Domain local security group:
- Used when Active Directory is deployed
- Manages resources in a domain
- Gives global groups from the same and other domains access to those resources
- Scope of a domain local group: the domain in which the group exists
- Can be converted to a universal group (provided it does not contain another domain local group)
Domain Local Group Example
Diagram (Domains A, B, C): User 1 and User 2 are members of the Engineering global group in one domain; the Printer Group domain local group in another domain contains Engineering; the printer's ACL grants Print to Printer Group, so User 1 and User 2 can print across the domain boundary.
Global Groups
Contain user accounts from a single domain. Can also be made a member of a domain local group in the same or another domain. Broader scope than domain local groups. Can be nested (a global group can contain other global groups from its own domain). Typical use:
- Add accounts that need access to resources in the same or in another domain
- Make the global group in one domain a member of a domain local group in the same or another domain
Nested Global Groups
Global Group Example
Diagram (Domains A, B, C, with User 1, Group 1 and Group 2): the Accountants global group contains User 1 and the nested Group 1; the printer ACL in Domain C grants access to Accountants directly.
Universal Groups
Universal security groups span domains and trees. Can include:
- User accounts from any domain
- Global groups from any domain
- Other universal groups from any domain
Their membership list is stored in the Global Catalog and replicated forest-wide, so keep them few and their membership stable. Guidelines to help simplify how you plan to use groups follow.
Group Strategy
- Put users into global groups. A global group can be thought of as an Accounts group (a role).
- Put resources into domain local (or machine local) groups. A local group can be thought of as a Resource group.
- Put a global group into any domain local (or machine local) group in the forest.
- Assign permissions for accessing resources to the domain local (or machine local) groups that represent them.
- Use universal groups to grant access to resources in multi-domain environments where access is needed across domain trees.
This is the AGDLP pattern: Accounts go into Global groups, Global groups into Domain Local groups, and Permissions are assigned to the domain local groups.
Group Strategy Example
Diagram: Domains A, B and C each have an Engineers global group. All three are members of the Database Access domain local group in Domain A. The database ACL grants Read/Write to Database Access, so engineers from every domain get access through a single ACE.
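The strategy from the two slides above, carried out in one domain as an added PowerShell example that is not part of the lecture. It assumes the ActiveDirectory RSAT module, the NetBIOS domain name `EXAMPLE`, a test OU `OU=Lab,DC=example,DC=com`, two existing users `jdoe` and `asmith`, and a folder `D:\Shares\EngineeringDB` on the server where the script runs; all of these are made up for the example.

```powershell
# Added example, not from the lecture: the AGDLP pattern in a single domain.
# Assumes the ActiveDirectory module, NetBIOS domain EXAMPLE, a lab OU, users
# jdoe and asmith, and a local folder; all made up for this example.
Import-Module ActiveDirectory

$ou      = 'OU=Lab,DC=example,DC=com'
$netbios = 'EXAMPLE'
$folder  = 'D:\Shares\EngineeringDB'

# A -> G: accounts go into a global group that names a role. One such group
# exists per domain (Domain A Engineers, Domain B Engineers, ...).
$engineers = New-ADGroup -Name 'Engineers' -GroupScope Global `
                         -GroupCategory Security -Path $ou -PassThru
Add-ADGroupMember -Identity $engineers -Members 'jdoe', 'asmith'

# DL: the resource gets a domain local group that names an access level.
$dbRw = New-ADGroup -Name 'DatabaseAccess-RW' -GroupScope DomainLocal `
                    -GroupCategory Security -Path $ou -PassThru

# G -> DL: nest the role group into the resource group. Global groups from
# other trusted domains are added to the same domain local group the same way.
Add-ADGroupMember -Identity $dbRw -Members $engineers

# P: the permission is granted once, to the domain local group, never to
# individual users and never to the global groups.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$netbios\$($dbRw.SamAccountName)",
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check 1: the ACE names only the domain local group ...
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq "$netbios\$($dbRw.SamAccountName)" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Check 2: ... and the users reach it through nesting (recursive expansion).
Get-ADGroupMember -Identity $dbRw -Recursive | Select-Object SamAccountName, objectClass

# Raising the scope later is allowed for a domain local group that holds no
# other domain local group (here it holds only a global group):
# Set-ADGroup -Identity $dbRw -GroupScope Universal
```

Two practical consequences of this layout: revoking a person's access is a membership change on Engineers with no ACL edit at all, and a user added to Engineers does not gain the folder permission until they log on again, because their access token (and the group SIDs in it) was built at logon.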
Default User Account Membership
Built-in groups are created automatically by Windows Server to reflect the most common roles and tasks:
- Domain Users (the default primary group of every domain account) / Users (the default group of every local account)
- Domain Admins / Administrators
Special Groups
Special identities whose membership is assigned automatically by the system, based on how the session was established; the membership cannot be edited:
- EVERYONE
- NETWORK
- INTERACTIVE
- SERVICE
- SYSTEM
- Authenticated Users
- SELF
- CREATOR OWNER
User Profiles
Profiles customize the user environment. Local profiles are created on a computer the first time each user logs on there. Roaming profiles are stored on a server so the user's environment follows them to any computer. Mandatory profiles are read-only roaming profiles that restrict changes: whatever the user changes during a session is discarded at logoff.