Published by Morgan White. Modified over 9 years ago.
IOS110 Introduction to Operating Systems using Windows
Session 7
Objectives:
- Microsoft Management Console (MMC)
- User Accounts
- Group Accounts
Microsoft Management Console
MMC
- Tool designed by Microsoft as a unified interface to manage administrative tools and third-party applications
- Does not contain the tools themselves, just a framework for “snap-ins”; the snap-ins provide the functionality
- The MMC is designed with the look and feel of Windows Explorer
- You can design your own console and save it as a .msc file; this file can then be distributed
Advantages:
- A common interface saves time and the learning curve for each new tool
- Administrative tasks can be performed from a single computer
- Most snap-ins allow remote access/administration, which saves having to be physically in front of the machine you are trying to administer
- Custom consoles can be created and distributed to personnel delegated a subset of administrative tasks
Console Modes
The console can run in two modes:
- Author Mode: provides total access to all MMC functionality; this is the default mode for all newly created consoles
- User Mode: reduced functionality; cannot add or remove snap-ins or save changes to the console
Mode and what it permits:
- Author Mode: permits creation and modification of the console
- User mode, full access: allows navigation between snap-ins, opening new windows, and access to all parts of the console tree
- User mode, limited access, multiple windows: allows users to view multiple windows in the console; cannot open new windows or other portions of the console tree
- User mode, limited access, single window: permits the user to view only one window in the console; the user cannot open new windows or gain access to other portions of the tree
Snap-ins
- Program controls that provide the actual management environment
- All have a similar look and feel
- Can be stand-alone snap-ins or extension snap-ins
Stand-alone snap-ins
- Each manages a particular XP function
- Some written by Microsoft, others written by vendors to Microsoft specifications
Extension snap-ins
- Provide additional functionality to stand-alone snap-ins
- When adding an extension to a stand-alone snap-in, only those extensions that are compatible with the stand-alone are displayed
- Certain snap-ins can be configured to act as a stand-alone snap-in or as an extension snap-in (Event Viewer)
User Accounts
Three categories:
- Local User Accounts
- Domain User Accounts
- Built-in User Accounts
Local User Accounts
- Required to log on to a WinXP computer that is not part of a domain
- If used to log on to a WinXP computer that is part of a domain, you will have access only to resources on that computer
- Each computer maintains its own security accounts database and does not share it; computers participating in a Workgroup do not share their accounts databases
- Local accounts cannot be controlled through a domain or its administrators
- Three types: Restricted, Standard, Computer Administrator
Local User Accounts – Restricted
- Change the picture associated with the user's account
- Set, change or remove the user's password
Local User Accounts – Standard
- Same as Restricted, with additional privileges
- Make changes to basic computer settings such as display properties and power settings
Local User Accounts – Computer Administrator
- Has system-wide privileges:
  - Create, modify or delete user accounts
  - Perform computer-wide configuration changes
  - Install hardware and software
  - Gain access to all files on the computer
Domain User Accounts
- Domain user accounts allow access to resources anywhere on a Windows domain
- The user provides a user ID and password to log on; however, the user ID and password are stored on a Domain Controller (running Active Directory)
- When authenticated, an Access Token is generated for the user for the duration of their session
- Access Control Lists (ACLs), made up of Access Control Entries (ACEs), determine the rights the user has
- A change to the ACL can only be picked up by generating a new Access Token (log off, log on)
Built-in User Accounts
- During installation, Windows XP creates two accounts automatically: Administrator and Guest
Built-in User Accounts – Administrator
- Scope of control is over the machine it is created on
- Used to:
  - create and modify user accounts and user groups
  - create printers
  - configure hardware and disk volume options
  - manage security policies
  - assign permissions to users and groups
- Microsoft recommends that a separate account be set up for day-to-day use, similar in concept to creating a separate Linux account and not using “root” for day-to-day work
- It is a good idea to change its name; hackers will try “Administrator”
Built-in User Accounts – Guest
- Designed to allow occasional or temporary users to log on to a computer or network and access a limited set of resources
- If not required, leave it disabled (the default setting)
- If required, assign it a password
- Consider renaming it, or at least logging attempts to use the account (evidence of hackers present)
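As an added example (not from the slides), a PowerShell check that turns the Administrator and Guest advice above into an audit: is the built-in Administrator still under its default name, is Guest disabled or at least password-protected, and have there been failed logon attempts against Guest. It assumes Windows 10 / Server 2016 or later (Get-LocalUser and Get-WinEvent are real cmdlets that did not exist on XP) and an elevated session to read the Security log.

```powershell
# Added example, not from the slides: audits the two built-in accounts described above.
# Assumes Windows 10 / Server 2016 or later for Get-LocalUser and Get-WinEvent and an
# elevated session (the Security log is not readable otherwise). On XP the same checks
# were done by hand in the Local Users and Groups snap-in and Event Viewer.
function Get-BuiltInAccountReport {
    param([int]$Days = 7)   # look-back window for failed logons

    # The built-in Administrator always has RID 500 and Guest RID 501, whatever they
    # have been renamed to, so find them by SID rather than by name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

    # Failed logons (Security event 4625 on Vista and later) that targeted the Guest
    # account: the slide's "logging attempts to use the account".
    $since  = (Get-Date).AddDays(-$Days)
    $failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text' -eq $guest.Name
        })

    $findings = @()
    if ($admin.Name -eq 'Administrator') { $findings += 'Built-in Administrator still uses the default name' }
    if (-not $admin.PasswordRequired)    { $findings += 'Built-in Administrator does not require a password' }
    if ($guest.Enabled -and -not $guest.PasswordRequired) { $findings += 'Guest is enabled without a password' }
    if ($guest.Enabled -and $guest.Name -eq 'Guest')      { $findings += 'Guest is enabled under its default name' }
    if ($failed.Count -gt 0) { $findings += "$($failed.Count) failed logon(s) against $($guest.Name) in the last $Days day(s)" }

    [pscustomobject]@{
        AdminName        = $admin.Name
        GuestName        = $guest.Name
        GuestEnabled     = $guest.Enabled
        GuestFailedLogon = $failed.Count
        Findings         = $findings
    }
}

Get-BuiltInAccountReport -Days 7
```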
Naming User Accounts
- A naming convention is a set of rules for creating user IDs so that they are unique and easy to remember
- Considerations:
  - Unique names are required for local accounts or for the domain
  - The system stores the first 20 characters of the user name
  - Cannot use restricted characters, the same ones that are restricted in file names: " \ / [ ] : ; | = , + * ? @
  - Not case sensitive
  - Have a method to resolve duplicates (John Smith and James Smith might both be JSMITH, so make one JSMITH and the other JSMITH1)
  - Some organisations embed the department into the user ID
Creating Passwords
- Used in conjunction with a user ID
- Common guidelines:
  - Assign a password to the Administrator account
  - Implement a consistent password-changing policy, either:
    - assign the password to the user, and do not let them change it; or
    - assign an initial password and force the user to change it the first time they log in, allowing them to change the password in the future as well. This is the recommended policy. Other controls determine the change frequency and 'strength'
  - Select passwords that are difficult to guess: avoid dictionary words, family names, clichés, profanities, and obvious passwords
  - Use a minimum length of eight characters; more is better but harder to use realistically (WinXP limits passwords to 128 characters)
  - Use non-alphabetic characters, as well as mixed-case characters
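The naming rules and the password guidelines from the two slides above, written out as checks (an added example, not from the slides): the 20-character limit, the restricted character set, case-insensitive uniqueness with JSMITH/JSMITH1 duplicate resolution, and the length, mixed-case, non-alphabetic and no-dictionary-word rules. The sample IDs and the forbidden-word list are constructed for the demonstration.

```powershell
# Added example, not from the slides: checks a proposed user ID and an initial password
# against the rules listed above. Pure PowerShell, no Windows-specific cmdlets needed.

# Characters the slide lists as restricted in account names (same set as in file names).
$RestrictedChars = [char[]]'"\/[]:;|=,+*?@'

function Test-UserIdPolicy {
    param([string]$UserId, [string[]]$ExistingIds = @())
    $problems = @()
    if ($UserId.Length -gt 20) { $problems += 'longer than the 20 characters the system stores' }
    $bad = $RestrictedChars | Where-Object { $UserId.IndexOf($_) -ge 0 }
    if ($bad) { $problems += "contains restricted character(s): $(-join $bad)" }
    # User IDs are not case sensitive; -contains compares strings without regard to case.
    if ($ExistingIds -contains $UserId) { $problems += 'duplicates an existing ID' }
    [pscustomobject]@{ UserId = $UserId; Acceptable = ($problems.Count -eq 0); Problems = $problems }
}

function Resolve-DuplicateUserId {
    # JSMITH taken -> JSMITH1, then JSMITH2, ... keeping the result within 20 characters.
    param([string]$UserId, [string[]]$ExistingIds = @())
    $candidate = $UserId; $n = 0
    while ($ExistingIds -contains $candidate) {
        $n++
        $suffix = [string]$n
        $base = $UserId.Substring(0, [Math]::Min($UserId.Length, 20 - $suffix.Length))
        $candidate = $base + $suffix
    }
    return $candidate
}

function Test-PasswordPolicy {
    # $Forbidden holds the dictionary words, family names, etc. the caller wants rejected.
    param([string]$Password, [string[]]$Forbidden = @())
    $problems = @()
    if ($Password.Length -lt 8)   { $problems += 'shorter than 8 characters' }
    if ($Password.Length -gt 128) { $problems += 'longer than the 128-character limit' }
    if ($Password -cnotmatch '[a-z]' -or $Password -cnotmatch '[A-Z]') { $problems += 'not mixed case' }
    if ($Password -notmatch '[^A-Za-z]') { $problems += 'no non-alphabetic characters' }
    $hit = $Forbidden | Where-Object { $Password -match [regex]::Escape($_) }   # case-insensitive
    if ($hit) { $problems += "contains forbidden word(s): $($hit -join ', ')" }
    [pscustomobject]@{ Acceptable = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample data for the demonstration.
$existing = @('JSMITH', 'AJONES')
Test-UserIdPolicy -UserId 'j/smith' -ExistingIds $existing
Resolve-DuplicateUserId -UserId 'JSMITH' -ExistingIds $existing
Test-PasswordPolicy -Password 'Summer2024!' -Forbidden @('summer', 'smith')
```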
User Profiles
- One of the tabs in User Account Properties
- Used to specify: profile path, logon script name, home folder path
- The user profile (on the user profile path) contains registry entries that define a user's working environment:
  - Application settings
  - Desktop settings
  - Personal information
  - Network settings, including mapped drives and other network connections
  - Start menu options
- Three types of user profile: Local, Roaming, Mandatory
User Profiles – Local User Profile
- WinXP automatically creates a user profile for each user account when the user logs on to a particular computer for the first time; a “My Documents” folder is also created
- It is stored on the local computer
- By default a user can make changes to their profile by changing their environment (creating shortcuts, mapping a network drive); when the user logs off, Windows saves the changes to the profile
- Profiles can be changed, copied or deleted through the Control Panel's Advanced tab
User Profiles – Roaming User Profile
- A user's desktop and other settings remain consistent regardless of which PC they log on to
- Creating a roaming user profile:
  - Create and share a folder on a server that is accessible during logon
  - Specify the path to the share in the user's properties dialogue box
  - Copy the user's profile to this share
User Profiles – Mandatory User Profile
- Copy ntuser.dat (the user's profile file) to ntuser.man
- The user can still make changes to their environment; however, the changes are not saved when the user logs off
Home Folders
- A home folder or directory is the default for 'Save As...' and 'Open File...' dialogue boxes
- Can be located on the local computer or on a network share
- Use a server-based home folder if:
  - Users need access to data from different client PCs
  - Users on the network are using older operating systems, such as Win95 or MS-DOS
  - You have centralized administration and backup
  - Users log on to the network using Remote Access Service
  - Users are working on computers with minimal local disk space
  - Your network can handle the extra traffic that server-based home folders will generate
Folder Redirection
- Redirects the path of a folder to a new location; for example, take the “My Documents” folder and redirect it to a network drive
- Regardless of where the user is, the “My Documents” folder behaves as if it were a local folder on the PC and contains the files they stored there
- Similar in concept to a home folder; however, this can be applied on a per-folder basis
- Commonly used in conjunction with roaming profiles
Resetting Passwords
- WinXP introduced the Password Reset Disk: users can reset their own passwords
- Contains a private/public key pair that the backup process creates
- A file on the PC contains the user's password encrypted under the public key; it is not associated with the SAM (Security Accounts Manager) database
- Can only be used for local user accounts
- Users must create their own disks; the Administrator cannot create one for them
Deleting a User Account
- Beware of the implications of deleting an account
- When the user is created, a unique Security Identifier (SID) is assigned to the account
- The SID is never reused, even if a new account contains the same account information
- There is no way to restore group membership or permission information once the account has been deleted
Group Accounts
- A collection of user accounts
- Used to streamline the process of managing and administering accounts
- Permissions can be assigned to a group; all users that are members of that group inherit the permissions, which saves having to assign the permission to each individual user
- A user also inherits the permissions when they are added to a group
- Various levels of group accounts:
  - Local group: available only on the local computer
  - Universal group: users from all domains; can be granted permissions to any resource in the domain forest
  - Global group: users from a single domain; can be granted permissions to any resource in the domain forest
  - Domain local group: contains members from any domain, but can only be assigned resources in the domain where the group account was created
Local Groups
- Stored on one computer, in the local security database
- Used to assign permissions on that particular computer, and only that computer; also true of stand-alone servers in a Workgroup
- Note that:
  - you cannot create local groups on a domain controller
  - local groups created on Workgroup computers or stand-alone servers can only contain individual user accounts from the local security database
  - local groups have little to no value in a domain environment (defeats the purpose of a domain)
  - local groups cannot contain other local groups
  - local groups have access only to local resources on that computer
Built-in Local Groups
- Built-in groups are principally involved in administrative tasks
- You can:
  - assign users to the built-in groups that most closely match their duties
  - assign users to a built-in group, and remove users from a built-in group
  - add and remove permissions on built-in groups (the Administrators group already has full permissions)
- You cannot delete or rename a built-in group
Administrators Built-in Group
- Has all the rights and permissions of the Administrator account
- Full rights and privileges over files and other resources on a WinXP computer that is not a domain controller
- If a computer joins a domain, the users that are members of the Domain Admins group are automatically added to the Administrators group
- Default account type created when you add users through the Control Panel
Power Users Built-in Group
- Less than complete access to the computer
- Tasks include:
  - Installing most applications (cannot install applications that modify system files or contain a service component)
  - Installing, managing, sharing and deleting printers
  - Sharing directories
  - Changing the system clock
  - Creating users and local groups, and deleting users and local groups that they created
- Can run legacy applications that are not certified for Win2K or WinXP (Users cannot run applications that have not been certified)
- Recommended group membership if you are the only user on the computer; it prevents you from accidentally affecting system files. The Administrator account is still available if you lock your Power User account
Users Built-in Group
- All accounts, except Guest and Administrator, have membership in this group automatically
- Tasks include:
  - Run programs, manage files, use local and network printers
  - Create and manage self-created local groups
  - Manage their local user profile
- If the computer joins a domain, the Domain Users global group is automatically added as a member of the Users local group
Guests Built-in Group
- Limited access to a computer's resources
- Cannot make permanent changes to their desktop environment
- If the computer joins a domain, the Domain Guests global group is automatically added as a member of the Guests local group
Backup Operators
- Permits users to back up and restore all files and folders on a workstation using Microsoft's Backup program
Replicator
- Supports replication of data between computers in a domain, e.g. the directory or other important files and folders
Network Configuration Operators
- Manage and configure networking features, such as IP address assignment
Remote Desktop Users
- Allowed to connect to your computer using the Remote Desktop feature
Help Services Group
- Use 'helper' applications to diagnose system problems
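As an added example (not from the slides), a PowerShell audit that serves the built-in group slides above and the access-token point from the Domain User Accounts slide: it lists who holds membership in the privileged built-in local groups, flags members for least-privilege review, and checks whether the current session's access token already reflects a group membership change (the token is built at logon, so a change shows up only after logging off and on). It assumes Windows 10 / Server 2016 or later for the real Get-LocalGroup and Get-LocalGroupMember cmdlets; the $Allowed list is a constructed placeholder.

```powershell
# Added example, not from the slides. Assumes Windows 10 / Server 2016 or later for
# Get-LocalGroup / Get-LocalGroupMember; on XP the same data came from
# 'net localgroup <group>' or the Local Users and Groups snap-in.

function Get-PrivilegedLocalGroupReport {
    param(
        # Principals expected in these groups; constructed default list, adjust per site.
        [string[]]$Allowed = @('Administrator', 'Domain Admins')
    )
    foreach ($group in 'Administrators', 'Power Users', 'Backup Operators', 'Remote Desktop Users') {
        foreach ($m in (Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)) {
            # Member names come back as MACHINE\user or DOMAIN\user.
            $short = $m.Name.Split('\')[-1]
            [pscustomobject]@{
                Group  = $group
                Member = $m.Name
                Source = $m.PrincipalSource   # Local, ActiveDirectory, ...
                Class  = $m.ObjectClass       # User or Group
                Review = ($Allowed -notcontains $short)   # flag for least-privilege review
            }
        }
    }
}

function Test-TokenReflectsMembership {
    param([string]$Group = 'Administrators')
    $me = "$env:USERDOMAIN\$env:USERNAME"
    # Membership as the local security database records it right now.
    $inDatabase = @(Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
                    Where-Object { $_.Name -eq $me }).Count -gt 0
    # Membership as baked into this session's access token at logon.
    $token    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $groupSid = (Get-LocalGroup -Name $Group).SID.Value
    $inToken  = $token.Groups.Value -contains $groupSid
    [pscustomobject]@{
        Group         = $Group
        InDatabase    = $inDatabase
        InToken       = $inToken
        # True when the database and the token disagree: log off and on to refresh.
        RelogonNeeded = ($inDatabase -ne $inToken)
    }
}

Get-PrivilegedLocalGroupReport | Format-Table -AutoSize
Test-TokenReflectsMembership -Group 'Administrators'
```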
System Groups
- You cannot assign system group membership to a user
- You cannot remove permissions from, or assign permissions to, a system group
- You cannot rename or delete a system group
- Common system groups:
  - Everyone: anyone who accesses a WinXP computer
  - Network: users accessing network resources
  - Creator Owner: the user who creates objects (files, folders)
  - Authenticated Users: has a valid account or has joined a domain
  - Interactive: logged on locally to a WinXP computer
  - Anonymous Logon: any user WinXP is aware of, but who has not authenticated
  - Dialup: user with a dial-up connection