1
Chapter 8: Managing the Server Through Accounts and Groups
2
Learning Objectives
- Work with users on setting up their accounts
- Set up account-naming guidelines
- Develop guidelines for user account policies and set up account policies
- Explain how to manage Windows NT domains
(continued)
3
Learning Objectives
- Explain how groups are used in Windows NT Server, and create and configure group policies
- Create, copy, disable, delete, and rename user accounts
- Set up account auditing
4
Obtaining Input from Users
- Advantages
  - Secure user interest in making installation work
  - Ensure set up of server meets user needs
- Key issues
  - Naming conventions for user accounts
  - User account policies
  - Use of server for home directories
  - Use and composition of groups
  - Group policies
  - Hours for server to be available
5
Setting Up Account-naming Conventions
- Based on account user’s actual name
  - ex. “rknauerh” or “robk”
  - use enough of name to be unique
    - ex. include middle initials
  - works well for E-mail as well
- Based on function within organization
  - ex. “shift1mgr” or “retail-clerk7”
    - good if people often change jobs
    - possible security hole
6
User Account Policies
- Network administrator establishes general password and logon security stipulations for user accounts
7
Password Security
- Only effective if used properly
- Account policy options
  - Password expiration
  - Password length
  - Password history
  - Account lockout
8
User Home Directories
- Home directory: A dedicated location on a file server or a workstation for a specific account holder to store files
[Figure: User home directories in a small office]
9
User Home Directories
[Figure: User home directories in a large organization]
10
Domain Services Management
- Preserves idea of work groupings without managing them individually
  - Allows network administrator to manage resources and users as one unit
- Saves time as administrator sets up users, privileges, and groups
- Provides a powerful management tool
  - One domain can be home to 26,000 users and 250 groups
11
An Example of Two Domains
[Figure: Ethernet segments connecting a primary domain controller (domain A), a backup domain controller (B), a primary domain controller (B), and a backup domain controller (A)]
12
Domain Trust Relationships
- Trusted domain: The domain that is granted security access to resources
- Trusting domain: The domain that grants the access to its resources
- One-way trust: One domain is trusted, the other trusting; not reciprocal
- Two-way trust: Both domains are trusted and trusting
  - Universal trust: Two-way trusts among more than two domains
13
One-way Trust
- Trusting domain
  - Access to business server prohibited
- Trusted domain
  - Access to manufacturing servers allowed
[Figure labels: Manufacturing domain, Business domain]
14
Two-way Trust
- Trusted and trusting domain
[Figure labels: Business office domain, Production branch domain]
15
Domain Management
- Single-master domain model
  - Management control of several domains centralized in only one domain
  - Works well for small organizations
- Multiple-master domain model
  - Management of many domains located in two or more domains
  - Works well for larger organizations
16
Advantages of the Single-master Domain
- Accounts and resources are centrally managed
- Resources are available to all users
- One consistent security policy applies across organization
- Groups can be tailored across organizational unit boundaries
- SAM data is easy to maintain and keep synchronized within the master domain
17
Advantages of the Multiple-master Domain
- Administration can be centralized or decentralized
- Thousands of users can share resources throughout the world
- Groups can be formed to span domains
- Security policies can be standardized for thousands of users and resources
18
Multiple-master Domain Model
19
Using Groups
- Management of domain resources
  - By individual user: Most labor-intensive method
  - By resource: Still labor-intensive
  - By group: Saves time by eliminating repetitive steps in managing user and resource access
20
Group Management Concept
- Users belong to one or more groups having same access needs
- Types of groups in Windows NT Server
  - Local groups: Used to manage accounts and resources within a single domain or on a single server
  - Global groups: Used to enable resource sharing across domains
21
Local Groups
- Used to help manage rights and permissions on a server within a domain
- User accounts can be members of local groups
- Domain resources can be assigned to local groups
- Global groups can belong to local groups
- Local groups can be used to make domain resources available to trusted domains
22
Windows NT Predefined Local Groups
23
Global Groups
- Provide rights access across domains by linking rights from trusting domains to groups in trusted domains
- Global groups can have domain user accounts as members but not local groups, to avoid circular group relationships
- Global groups can be members of local groups
- Global groups cannot have resources as members
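The membership and trust rules from the Local Groups, Global Groups and One-way Trust slides, modelled as an added Python example that is not part of the original presentation. All account, group and resource names are constructed, and the model assumes the one-way trust slide means Manufacturing (trusting) trusts Business (trusted).

```python
TRUSTS = {("MANUFACTURING", "BUSINESS")}        # (trusting, trusted): one-way trust
GLOBAL_GROUPS, LOCAL_GROUPS, ACLS = {}, {}, {}  # every name below is constructed

def domain_of(name):
    return name.split("\\", 1)[0]

def add_to_global(group, member):
    """Global groups take user accounts from their own domain, never groups."""
    GLOBAL_GROUPS.setdefault(group, set())
    if member in GLOBAL_GROUPS or member in LOCAL_GROUPS:
        raise ValueError(f"{group}: a global group cannot contain a group")
    if domain_of(member) != domain_of(group):
        raise ValueError(f"{group}: members must be accounts of its own domain")
    GLOBAL_GROUPS[group].add(member)

def add_to_local(group, member):
    """Local groups take users and global groups from their own or a trusted domain."""
    LOCAL_GROUPS.setdefault(group, set())
    if member in LOCAL_GROUPS:
        raise ValueError(f"{group}: local groups are not nested in this model")
    trusting, trusted = domain_of(group), domain_of(member)
    if trusting != trusted and (trusting, trusted) not in TRUSTS:
        raise ValueError(f"{trusting} does not trust {trusted}")
    LOCAL_GROUPS[group].add(member)

def grant(resource, local_group):
    """Modelling choice: resource permissions go to local groups of the same domain."""
    if domain_of(resource) != domain_of(local_group):
        raise ValueError(f"{local_group} is not local to {domain_of(resource)}")
    ACLS.setdefault(resource, set()).add(local_group)

def can_access(user, resource):
    members = set().union(*(LOCAL_GROUPS.get(g, ()) for g in ACLS.get(resource, ())))
    return user in members or any(user in GLOBAL_GROUPS.get(m, ()) for m in members)

def rejected(operation, *args):
    """True when the model refuses the membership change or grant."""
    try:
        operation(*args)
    except ValueError:
        return True
    return False

# Constructed sample data
add_to_global("BUSINESS\\Accountants", "BUSINESS\\robk")
add_to_global("MANUFACTURING\\Engineers", "MANUFACTURING\\shift1mgr")
add_to_local("MANUFACTURING\\CostReaders", "BUSINESS\\Accountants")
add_to_local("BUSINESS\\LedgerReaders", "BUSINESS\\Accountants")
grant("MANUFACTURING\\costs", "MANUFACTURING\\CostReaders")
grant("BUSINESS\\ledger", "BUSINESS\\LedgerReaders")
```

Because the trust runs one way, the Business global group can be placed in a Manufacturing local group, while the reverse membership is refused.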
24
Windows NT Predefined Global Groups
25
Adding Groups
- New local and global groups can be added at any time
[Figure: Business group composition]
26
Managing Accounts
- Creating accounts
- Copying an account
- Deleting an account
- Disabling an account
- Renaming an account
27
Creating Accounts
- Two accounts are created when Windows NT Server is installed
  - Administrator account: Provides complete access and control over the server
  - Guest account: Can be set up with controlled access for guest users
28
Completing New Account Information
29
Assigning Users to a Group
- Accounts that have same security and access requirements can be assigned as members of a group
30
Customizing User Access
- User account environment can be customized through user profiles, logon scripts, and home directories
  - ex. make everyone run a virus checker
  - ex. user “fred” wants to always set up certain programs whenever/wherever he logs in
31
Windows NT Logon Script Commands
32
Configuring the Server Hours
- Server administrator can set up user accounts so they cannot access server at designated times (e.g., during backups and other system work)
[Figure: Logon Hours dialog box]
33
Securing Account Access from Designated Workstations
- Server administrator can limit where a user can log on to the domain
- Ensures that certain accounts can only be accessed from designated workstations
34
Account Expiration and Type
- Expiration date is useful for an account that is needed for a specific time period (e.g., guests or temporary employees)
- Can be designated global or local
35
Copying an Account
- Accounts can be modeled after a master account
- Saves time when there are many accounts to create
36
Deleting an Account
- Completely erases account from security database
- Before deleting an account, consider disabling it for a period of time in case there is a need to reactivate it for access at a later date
37
Disabling an Account
- Good security practice
- A disabled account cannot be used to log on to the system but all other settings and configuration options remain intact
38
Renaming an Account
- To prevent intruders familiar with the default account names from gaining access to the system
- To change an account name if an account associated with a specific job is assigned to another individual
- To comply with changes in organization’s naming convention
- To reflect a user’s name change
39
Account Auditing
- Auditing: Tracking success or failure of events by recording selected types of events in an event log of a server or a workstation
  - use carefully; can overload system
    - disk space
    - CPU time available to programs
40
Events that Can Be Audited
- Logon and logoff activity
- Access to files and objects
- How often user rights are exercised
- User and group management functions
- Security policy changes
- Restarting, shutting down, other activities
- Starting processes or software applications
41
Creating Groups
- Organizational units, workgroups, or departments
- Authorized users of network resources or applications
- Events, projects, or special assignments
- Geographical or location-based groups
- Individual job descriptions or functions
42
Setting Group Policies
- Rights grant privileges to perform functions
  - Accessing server
  - Adding workstations to the domain
  - Changing system time
  - Backing up files
43
Setting Group Policies
- Standard rights: Apply to everyday users and groups (see next slide)
- Advanced rights: For programmers and system developers who have technical access needs
  - Debugging programs
  - Gaining access to operating system internals
  - Controlling memory swapping
44
Default NT Server User Rights (continued)
45
Default NT Server User Rights (continued)
46
Default NT Server User Rights
47
Chapter Summary
- Do some preliminary research before setting up accounts and groups.
  - User feedback helps to ensure accounts match user needs
  - Develop guidelines for account names
  - Develop account policies for setting up passwords and account lockout features
(continued)
48
Chapter Summary
- Windows NT domains are a tool to help manage a server.
  - Local and global groups
  - Reduce time spent managing individual accounts
(continued)
49
Chapter Summary
- Creating an account is a multiple-step process.
  - User and password information
  - Group assignments
  - Home directory assignments
  - Hours to access account
  - Security options