1
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003
Chapter Six
Creating and Managing User and Computer Accounts
2
Guide to MCSE 70-270, 70-290
Objectives
Explain the purpose of local user accounts, profiles, and logon procedures
Create and manage local user and group accounts
Manage local security profiles
Manage local policies
Work with Windows XP as a domain client
3
Working with Local User Accounts, Profiles and Logon Procedures
User account: Represents all information defining user’s access to local computer or network
– Stored on local computer or in Active Directory
Local user accounts: Stored in Security Accounts Manager (SAM) database
– Managed using Local Users and Groups snap-in
Domain user account: Exists in a domain by virtue of being created on a domain controller
– Used to gain access to domain resources
Provide users with personalized desktop environments via profiles and policies
4
Windows Logon Methods
Windows system can be set up as:
– Standalone system, automatic logon
– Standalone system
– Workgroup member
– Domain client
– Domain controller
Windows Welcome Logon Method: XP Professional displays list of user accounts
– Click icon, enter password to log on
– Fast user switching
5
Windows Logon Methods (continued)
Classic Logon Method: Requires pressing Ctrl+Alt+Delete to open WinLogon security dialog box
– Used by default in Windows Server 2003
– Fast User Switching not available
– Logon mode set to classic when Windows XP system becomes a domain member
6
User Account Naming Conventions
Naming convention: Standard process for creating names on a network or standalone system
– Should incorporate scheme for user accounts, computers, folders, network shares, printers, and servers
Requirements:
– Consistent across all objects
– Easy to use and understand
– New names should be easy to construct
– Object’s name should clearly identify object’s type
7
User Account Naming Conventions (continued)
Table 6-1: User naming convention guidelines
8
Managing Windows XP Local User and Group Accounts
Local user account identifies user to local OS via unique name and password
– Information about local user or group accounts stored on local computer in SAM database
  Exists on systems that are not domain controllers
– Each computer in workgroup environment maintains own SAM database
Domain controllers use copy of Active Directory domain database shared among domain controllers
9
Default Local User and Group Accounts
When Windows XP Professional installed, two default user accounts created
– Administrator and Guest
– Also several local group accounts
Local User Accounts:
– Administrator account:
  Unlimited access and unrestricted privileges to every aspect of Windows
  Must be protected from misuse
10
Default Local User and Group Accounts (continued)
Local User Accounts (continued):
– Administrator account (continued):
  Cannot be deleted
  Cannot be locked out
  Can be disabled
  Can have blank password
  Can be renamed
  Cannot be removed from Administrators local group
– Guest account:
  Limited access to resources and computer activities
11
Default Local User and Group Accounts (continued)
Local User Accounts (continued):
– Guest account (continued):
  Member of Everyone group
  Cannot be deleted
  Can be locked out
  Can be disabled (disabled by default)
  Can have a blank password (blank by default)
  Can be renamed (recommended)
  Can be removed from Guests local group
12
Default Local User and Group Accounts (continued)
Local Group Accounts: Used to grant rights to local OS
– Everyone
– Administrators
– Backup Operators
– Guests
– Network Configuration Operators
– Power Users
13
Default Local User and Group Accounts (continued)
Local Group Accounts (continued):
– Remote Desktop Users
– Replicator
– Users
– HelpServicesGroup
14
Creating and Managing Local User Accounts
Local user accounts can be created and managed:
– With User Accounts applet
– Through Local Users and Groups MMC snap-in
User Accounts Applet: Function differs depending on whether system part of workgroup or domain
– Domain: Main purpose is to import domain user accounts into local SAM database
– Workgroup: Offers user-friendly way to create, modify, or delete user accounts
15
Creating and Managing Local User Accounts (continued)
Figure 6-1: The User Accounts applet
16
Creating and Managing Local User Accounts (continued)
Figure 6-3: Options for changing a user account
17
Creating and Managing Local User Accounts (continued)
Figure 6-4: Changing the user logon method
18
Creating and Managing Local User Accounts (continued)
Activity 6-1: Working with the User Accounts Applet
– Objective: Review the properties of a user account
Local Users and Groups Snap-in: Used to create and manage local users and groups
– Console tree has two nodes:
  Users node: Contains all local user accounts
  Groups node: Contains all local group accounts
– Use Profile tab to define user profile path, logon script, and home folder
19
Creating and Managing Local User Accounts (continued)
Figure 6-5: Displaying local user accounts
20
Creating and Managing Local User Accounts (continued)
Figure 6-6: A user account’s Properties dialog box
21
Creating and Managing Local User Accounts (continued)
Figure 6-8: The Advanced option of the Select Groups dialog box
22
Creating and Managing Local User Accounts (continued)
Activity 6-2: Creating a Local Account
– Objective: Create a new local user account with Local Users and Groups
Activity 6-3: Creating a Local Group
– Objective: Create a local group by using Local Users and Groups
Activity 6-4: Changing Built-in Group Membership for a Local Account
– Objective: Change the group membership of a local account using Local Users and Groups
23
Creating and Managing Local User Accounts (continued)
Figure 6-9: The Profile tab
24
Creating and Managing Local User Accounts (continued)
Figure 6-12: The Select Users dialog box
25
Managing Local User Profiles
User profile: Collection of desktop and environmental configurations for specific user or group of users
– By default, each Windows computer maintains profile for each user who has logged on
  Except for Guest accounts
– User Profile Info:
  Application Data
  Cookies
  Desktop
  Favorites
  Local Settings
26
Managing Local User Profiles (continued)
User profile (continued):
– User Profile Info (continued):
  My Documents
  NetHood
  PrintHood
  My Recent Documents
  SendTo
  Start Menu
  Templates
  Ntuser.dat
  Ntuser.dat.log
  Ntuser.ini
27
Managing Local User Profiles (continued)
Administrator can force users to load mandatory profile
– Changes assigned by mandatory profile restored next time user logs on
– Created by manually renaming Ntuser.dat to Ntuser.man
  Must temporarily rename profile’s Registry file back to Ntuser.dat or edit Registry directly
– Edit contents of HKEY_USERS\.DEFAULT key
28
Managing Local User Profiles (continued)
Figure 6-13: The User Profiles dialog box
29
Managing Local User Profiles (continued)
When user without user profile logs on, profile created by duplicating Default User profile
– To modify Default User profile:
  Log on as new user to copy existing default profile
  Modify default desktop environment
  Log off to save changes to new user’s profile folder located in Documents and Settings\NewUserName
  Log on as Administrator and copy contents of new user’s profile folder to default folder
All Users profile created during installation
– Initially empty
30
Managing Local User Profiles (continued)
Local Profile: Set of specifications and preferences for individual user
– Stored on local machine
– Two ways to create:
  User logs on, arranges information as needed, logs off
  Assign mandatory profile from existing profile folder
Roaming Profile: Used in domains to allow users to have a common desktop on any Windows XP member of domain
31
Managing Local Security Policies
Security policies allow administrators to change system security configuration settings in local Windows Registry
– Registry provides hierarchical database of info about system’s software, hardware, and user configuration
Local Security Policy tool: Used to edit local policy settings on systems that are not domain controllers
– Applied to Registry during computer startup or when user logs on
32
Account Policies
Improve local user account security
Password Policy: Defines password restrictions
– Enforce strong passwords
– Default settings in Password Policy node:
  Enforce password history: 0 passwords
  Maximum password age: 42 days
  Minimum password age: 0 days
  Minimum password length: 0 characters
  Password must meet complexity requirements: Disabled
  Store password using reversible encryption for all users in the domain: Disabled
33
Account Policies (continued)
Account Lockout Policy: Defines conditions that result when user account locked out
– Default settings for Account Lockout Policy items:
  Account lockout threshold: 0 invalid logon attempts
  Account lockout duration: Not Applicable (defaults to 30 minutes after Account lockout threshold defined)
  Reset account lockout counter after: Not Applicable (defaults to 30 minutes after Account lockout threshold defined)
Activity 6-5: Setting Account Policies
– Objective: Set account policies by using the Local Security Policy tool
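
The Password Policy and Account Lockout Policy defaults above can be checked on a live system from a text export of the local policy. The following is an added example, not part of the original slides: it assumes the export was produced with secedit /export /cfg (a tool the slides do not mention), reads the [System Access] section, and flags each setting whose value enforces nothing. The sample export is constructed.

```python
import configparser

# secedit key in [System Access] -> (policy name as on the slide,
#                                    value that means "nothing is enforced")
NO_ENFORCEMENT = {
    "PasswordHistorySize":   ("Enforce password history", 0),
    "MinimumPasswordLength": ("Minimum password length", 0),
    "PasswordComplexity":    ("Password must meet complexity requirements", 0),
    "LockoutBadCount":       ("Account lockout threshold", 0),
    "ClearTextPassword":     ("Store password using reversible encryption", 1),
}

def decode_export(raw: bytes) -> str:
    """secedit writes UTF-16 with a BOM; accept UTF-8 copies as well."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    return text.replace("\r\n", "\n")

def audit_account_policy(raw: bytes) -> dict:
    """Return {policy name: finding} for every checked setting."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep the key case secedit uses
    cp.read_string(decode_export(raw))
    section = cp["System Access"] if cp.has_section("System Access") else {}
    findings = {}
    for key, (name, weak_value) in NO_ENFORCEMENT.items():
        if key not in section:
            findings[name] = "not defined in export"
        elif int(section[key]) == weak_value:
            findings[name] = f"WEAK ({key} = {weak_value})"
        else:
            findings[name] = f"ok ({key} = {section[key].strip()})"
    return findings

# Constructed sample: a machine left at the defaults listed on the slides,
# encoded the way secedit writes it (UTF-16 with BOM, CRLF line endings).
SAMPLE_DEFAULTS = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[System Access]\r\n"
    "MinimumPasswordAge = 0\r\n"
    "MaximumPasswordAge = 42\r\n"
    "MinimumPasswordLength = 0\r\n"
    "PasswordComplexity = 0\r\n"
    "PasswordHistorySize = 0\r\n"
    "LockoutBadCount = 0\r\n"
    "ClearTextPassword = 0\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
).encode("utf-16")

if __name__ == "__main__":
    for name, finding in audit_account_policy(SAMPLE_DEFAULTS).items():
        print(f"{finding:45} {name}")
```
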
34
Local Policies
Control logon process, audit access to computer resources, grant specialized rights to groups and individual user accounts
Audit Policy: Defines events recorded in Security log of Event Viewer
– Default settings for Audit Policy items:
  Audit account logon events: No auditing
  Audit account management: No auditing
  Audit directory service access: No auditing
  Audit object access: No auditing
  Audit policy change: No auditing
35
Local Policies (continued)
Audit Policy (continued):
– Default settings for Audit Policy items (continued):
  Audit privilege use: No auditing
  Audit process tracking: No auditing
  Audit system events: No auditing
User rights assignment: Defines which groups or users can perform specific privileged actions
– Default groups and users for user rights:
  Access this computer from the network—Everyone, Users, Power Users, Backup Operators, Administrators
36
Local Policies (continued)
User rights assignment (continued):
– Default groups and users for user rights (continued):
  Add workstations to domain—None
  Allow logon through Terminal Services—Administrators, Remote Desktop Users
  Back up files and directories—Backup Operators, Administrators
  Change the system time—Power Users, Administrators
  Create a pagefile—Administrators
  Debug programs—Administrators
37
Local Policies (continued)
User rights assignment (continued):
– Default groups and users for user rights (continued):
  Deny access to this computer from the network—Guest and SUPPORT accounts
  Deny logon locally—Guest and SUPPORT accounts
  Deny logon through Terminal Services—None
  Force shutdown from a remote system—Administrators
  Generate security audits—Local Services, Network Service
  Increase scheduling priority—Administrators
  Load and unload device drivers—Administrators
38
Local Policies (continued)
User rights assignment (continued):
– Default groups and users for user rights (continued):
  Logon as a service—Network Service
  Logon locally—Guest account, Users, Power Users, Backup Operators, Administrators
  Manage auditing and security log—Administrators
  Perform volume maintenance tasks—Administrators
  Profile single process—Power Users, Administrators
  Profile system performance—Administrators
  Remove computer from docking station—Users, Power Users, Administrators
39
Local Policies (continued)
User rights assignment (continued):
– Default groups and users for user rights (continued):
  Restore files and directories—Backup Operators, Administrators
  Shut down the system—Users, Power Users, Backup Operators, Administrators
  Take ownership of files or other objects—Administrators
Activity 6-6: Setting User Rights
– Objective: Change the user rights assignment by using the Local Security Policy tool
40
Local Policies (continued)
Security options: Define and control security features in Windows Registry
– Security options and default settings:
  Accounts—Administrator account status: Not applicable
  Accounts—Guest account status: Not applicable
  Accounts—Limit local account use of blank passwords to console logon only: Enabled
  Accounts—Rename administrator account: Administrator
  Accounts—Rename guest account: Guest
41
Local Policies (continued)
Security options (continued):
– Security options and default settings (continued):
  Audit—Audit access of global system objects: Disabled
  Audit—Audit use of Backup and Restore privilege: Disabled
  Audit—Shut down system immediately if unable to log security audits: Disabled
  Devices—Allow undock without having to logon: Enabled
  Devices—Allowed to format and eject removable media: Administrators
42
Local Policies (continued)
Security options (continued):
– Security options and default settings (continued):
  Devices—Prevent users from installing printer drivers: Disabled
  Devices—Restrict CD-ROM access to locally logged-on user only: Disabled
  Devices—Restrict floppy access to locally logged-on user only: Disabled
  Devices—Unsigned driver installation behavior: Warn but allow installation
  Interactive logon—Do not display last username: Disabled
43
Local Policies (continued)
Security options (continued):
– Security options and default settings (continued):
  Interactive logon—Do not require CTRL+ALT+DEL: Not defined
  Interactive logon—Message text for users attempting to logon: blank
  Interactive logon—Message title for users attempting to logon: Not defined
  Interactive logon—Number of previous logons to cache (in case domain controller is not available): 10 logons
  Interactive logon—Prompt user to change password before expiration: 14 days
44
Local Policies (continued)
Security options (continued):
– Security options and default settings (continued):
  Interactive logon—Require Domain Controller authentication to unlock workstation: Disabled
  Shutdown—Allow system to be shut down without having to logon: Enabled
  Shutdown—Clear virtual memory pagefile: Disabled
45
Working with Windows XP as a Domain Client
Domain-based networking offers centralized control of user accounts and security settings
– Allows administrators to provide single domain-based user account with rights to access resources through Active Directory forest
Adding an XP System as a Domain Client:
– Use Name tab in System Properties dialog box
– To create required computer account:
  Generate account from XP Professional client
  Through Active Directory Users and Computers on a domain controller
46
Working with Windows XP as a Domain Client
Figure 6-15: The Computer Name tab
47
Working with Windows XP as a Domain Client (continued)
Activity 6-7: Joining a Domain: Method 1
– Objective: Add an XP Professional client to Active Directory by creating the computer account on the client
Activity 6-8: Joining a Domain: Method 2
– Objective: Add a Windows XP Professional system to a domain by creating a computer account on a domain controller
Managing a Domain Client:
– Domain enforces control over clients using GPOs
48
The User Accounts Applet for a Domain Member
After client added to domain, User Accounts applet changes to provide new domain-based functions
– User and advanced tabs
Imported user account: Local user account created from user account on another computer
– Allow outside users to access resources on system
– Access levels: Standard, Restricted, or Other
– Can be member of only one group
49
The User Accounts Applet for a Domain Member (continued)
Figure 6-17: The User Accounts applet for a domain client
50
The User Accounts Applet for a Domain Member (continued)
Figure 6-19: Advanced options for user accounts
51
Working with Cached Credentials
Windows XP Professional automatically caches user credentials in Registry when domain logon or .NET Passport logon takes place
– Allows single logon that can be used to access multiple network services without reauthentication
Managed through Stored User Names and Passwords utility (in User Accounts applet)
Troubleshooting tips for cached credentials:
– If being authenticated as wrong user account or with wrong access level, remove stored account information for server or domain
52
Working with Cached Credentials (continued)
Troubleshooting tips for cached credentials:
– If unable to access resources you previously had access to, account may have expired or password must be changed
  Edit account credentials
– If you can access a resource that you shouldn’t be able to access, delete necessary stored credentials to remove unauthorized access
53
Summary
Windows XP Professional can use three types of users: locally created users, imported users, and domain users
A user account stores preference settings for each person who uses a computer
Users are collected into groups to simplify management and grant access or privileges
Users can be managed by using the User Accounts applet or the Local Users and Groups snap-in
Local groups are managed only through the Local Users and Groups snap-in
54
Summary (continued)
Some groups allow you to customize their membership; others are system-controlled groups with memberships that can’t be customized
Windows XP Professional has two built-in user accounts, Administrator and Guest, and several built-in groups
User profiles can be local or roaming
User profiles store a wide variety of personalized or custom data about a user’s environment
55
Summary (continued)
The Local Security Policy tool is used to manage passwords, account lockout parameters, auditing, user rights, security options, and more
Cached credentials allow a single logon to access resources on multiple servers and to allow a user to log on to the local computer when the domain controller is unavailable