Date posted: 21-Dec-2015

SUPPORTING LOCAL USERS AND GROUPS

Chapter 3

Chapter 3: Supporting Local Users and Groups 2

SUPPORTING LOCAL USERS AND GROUPS

Explain the difference between local and domain accounts

Create and modify a user account in Microsoft Windows XP Professional Edition

Explain the use of and configure groups

Configure Fast User Switching

Troubleshoot common password and logon problems


SUPPORTING LOCAL USERS AND GROUPS (CONTINUED)

Explain how Local Security Policy affects a computer running Windows XP

Use the Local Security Policy tool to change security settings

Identify the important security settings that are available through Local Security Policy


LOCAL ACCOUNTS

Local accounts are used for the following activities:

To gain initial access to the computer

To control access to local computer resources

To control access to network resources

Specific to one PC only

Used in a workgroup setting


LOCAL ACCOUNTS

Right-click My Computer and choose Manage


USER ACCOUNTS

Account management is a comprehensive topic that includes:

Auditing of account activity

Creation of user and group accounts, and management of account properties

Password and account lockout policy configuration

User rights assignments


DEFAULT USER ACCOUNTS – cannot be deleted

Administrator – Most important user

Guest – limited privileges, used for guests

HelpAssistant – built-in for remote assistance

SUPPORT_susux – used by Microsoft when providing remote support through Help and Support Service.


CREATING USER ACCOUNTS


USER ACCOUNT PROPERTIES, GENERAL TAB


USER ACCOUNT PROPERTIES, PROFILE TAB


USER ACCOUNT ACTION MENU


GROUP ACCOUNTS

Group accounts are used to simplify the assignment of security features by associating user accounts that have common needs.

For example, the Administrators group will store all users who have administrative rights on the local machine.


DEFAULT GROUP ACCOUNTS

There are several default, built-in groups in Windows XP Professional Edition. The most common of these are:

Administrators group

Backup Operators group

Guest group

Power Users group

Users group


CREATING GROUP ACCOUNTS


SECURITY IDENTIFIERS (SIDS)

User accounts and groups are considered security principals, meaning that you can grant them access on a computer. Every security principal has a unique Security Identifier (SID) assigned to it at the time of creation.

A SID is basically a number associated with a user or a group, used for tracking security settings. It is easier for the OS to track a number than a name.


LIMITATIONS OF WINDOWS XP HOME EDITION

Cannot create local groups

Local Users And Groups tool is not available—must use User Accounts tool

Supports only two types of accounts:

Computer Administrator

Limited

Does not have an account named Administrator

Cannot join a domain


USER PROFILES

User profiles store user-specific configuration settings, such as customized desktops and personalized application settings


Types of profiles Windows XP supports

Local – available only on the PC it was created on. XP Pro and Home support this.

Roaming – stored in a shared folder on a network server and accessible from any location in a network. Only XP Pro.

Mandatory – roaming profiles that users cannot make permanent changes to. Mandatory profiles are used to enforce configuration settings. Only XP Pro.


DOCUMENTS AND SETTINGS FOLDER – Storage Location for Local Profiles

Windows stores local user profiles in the Documents And Settings folder. This folder stores several files and folders containing configuration information and data for each user profile.


LOCAL USER PROFILES

A local user profile is available only from the system on which it was created

A unique local user profile is created and stored on each computer a user logs on to


HANDLING MULTIPLE PROFILES FOR THE SAME USER NAME

If a Windows XP Professional Edition computer is a member of a Windows domain, two users with the same user account name can log on to the same system.

If there were 2 Matts that logged on to a local machine, 2 separate folders would be created:

1. C:\documents and settings\matt

2. C:\documents and settings\matt.<computer_name>

where <computer_name> is the name of the local PC


ROAMING USER PROFILES – stored on a network server – this helps avoid the following 2 problems:

Users will have a different profile on each machine they log on to

Without regular backup, if the local machine crashes, the profile could be lost


ENABLING ROAMING PROFILES

Create and share a folder on the server that will hold the roaming profiles

Make sure that the users have access to the shared folder

Specify the location of the roaming profile folder


ADDITIONAL POINTS ON ROAMING PROFILES

Roaming profiles are generally used in a domain environment

In a domain account, a roaming profile is created and configured once on a domain controller


MANDATORY USER PROFILES

Mandatory user profiles are applied to roaming user profiles. When a profile is made mandatory, users are unable to save changes to desktop settings.

Used when you don’t want users to change settings, such as desktop backgrounds and icons.


FAST USER SWITCHING

Allows multiple local user accounts to log on to a computer simultaneously

Users can switch sessions without logging off or closing programs

Running programs still consume computer resources

This can really slow down the PC. I would not recommend using it.


TROUBLESHOOTING PASSWORD PROBLEMS

The user is mistyping the user name, password, or both

The user has the CAPS LOCK key engaged


SECURITY POLICY

Security policy is a combination of security settings that affect the security on a computer

Computers that are members of a workgroup are subject only to Local Security Policy

Computers that are members of a domain are subject to both Local Security Policy and Group Policy


ORDER OF POLICY APPLICATION

1. Local Computer Policy is applied to the computer

2. Group Policy settings are applied for the Active Directory site of which the computer is a member

3. Group Policy settings are applied for the Active Directory domain of which the computer is a member

4. Group Policy settings configured for the Active Directory OU of which the computer is a member are applied


RESULTANT SET OF POLICY

Policy settings are cumulative, so all settings contribute to effective policy. The effective policy is called the Resultant Set of Policy (RSoP).
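The merge described above, as an added example that is not part of the original slides: layers are applied in the order listed (Local, Site, Domain, OU), and where two layers configure the same setting the later one wins, which is standard Group Policy behaviour. The setting names come from this chapter; the values and the helper names `resultant_set` and `local_overrides` are constructed for illustration.

```python
# Order in which policy layers are applied, as listed on the slide.
APPLY_ORDER = ["Local", "Site", "Domain", "OU"]

def resultant_set(layers):
    """Merge policy layers in application order.

    layers maps a layer name to {setting: value}. Returns
    {setting: {"value": v, "source": layer, "overridden": [(layer, old), ...]}}.
    """
    rsop = {}
    for layer in APPLY_ORDER:
        for setting, value in layers.get(layer, {}).items():
            entry = rsop.setdefault(
                setting, {"value": None, "source": None, "overridden": []})
            if entry["source"] is not None:
                # A later layer replaces the value; keep the trail for auditing.
                entry["overridden"].append((entry["source"], entry["value"]))
            entry["value"], entry["source"] = value, layer
    return rsop

def local_overrides(rsop):
    """Settings configured locally whose effective value comes from elsewhere."""
    return sorted(s for s, e in rsop.items()
                  if any(src == "Local" for src, _ in e["overridden"]))

# Constructed sample layers (values are made up, not from the slides).
SAMPLE = {
    "Local":  {"Minimum password length": 0,
               "Account Lockout Threshold": 0,
               "Enforce password history": 0},
    "Domain": {"Minimum password length": 8,
               "Account Lockout Threshold": 5},
    "OU":     {"Account Lockout Threshold": 3},
}

if __name__ == "__main__":
    for setting, e in sorted(resultant_set(SAMPLE).items()):
        print(f"{setting}: {e['value']} (from {e['source']}, "
              f"overrode {e['overridden']})")
```

The `local_overrides` list answers the usual support question of why a change made in Local Security Policy did not take effect on a domain member.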


ACCESSING LOCAL SECURITY POLICY


CONFIGURABLE SECURITY OPTIONS

There are quite a few configurable security options in Windows XP, including:

Shutdown: Allow System To Be Shut Down Without Having To Log On

Microsoft Network Server: Amount Of Idle Time Required Before Suspending A Session

Network Security: Force Logoff When Logon Hours Expire

Other security options


PASSWORD POLICY

Enforce password history

Maximum password age

Minimum password age

Minimum password length

Passwords must meet complexity requirements

Store password using reversible encryption for all users in the domain


ACCOUNT LOCKOUT POLICY

Account Lockout Policy allows you to configure the computer to stop responding to logon requests from a user who has a valid logon name but who keeps entering the incorrect password. The policy settings are as follows:

Account Lockout Duration

Account Lockout Threshold

Reset Account Lockout After
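How the three settings interact, as an added example that is not part of the original slides: the function replays a list of logon attempts and reports when the account locks, when the counter resets, and when logons are refused. The events, policy values, and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

def replay(events, threshold, reset_after, duration):
    """Replay (time, user, password_ok) logon attempts against a lockout policy.

    threshold   -- Account Lockout Threshold (failed attempts before lockout)
    reset_after -- Reset Account Lockout After (failed-attempt counter window)
    duration    -- Account Lockout Duration (how long logons are refused)
    Returns a list of (time, user, outcome) in time order.
    """
    state, results = {}, []
    for ts, user, ok in sorted(events):
        s = state.setdefault(
            user, {"fails": 0, "last_fail": None, "locked_until": None})
        if s["locked_until"] is not None:
            if ts < s["locked_until"]:
                # Locked out: even a correct password is refused.
                results.append((ts, user, "refused (locked out)"))
                continue
            s["fails"], s["locked_until"] = 0, None  # lockout has expired
        if ok:
            s["fails"] = 0
            results.append((ts, user, "logon ok"))
            continue
        # Failed attempt: reset the counter first if the window has elapsed.
        if s["last_fail"] is not None and ts - s["last_fail"] >= reset_after:
            s["fails"] = 0
        s["fails"] += 1
        s["last_fail"] = ts
        if s["fails"] >= threshold:
            s["locked_until"] = ts + duration
            results.append((ts, user, "bad password, account locked"))
        else:
            results.append((ts, user, "bad password"))
    return results

def outcomes(results, user):
    """Outcome strings for one user, in time order."""
    return [o for _, u, o in results if u == user]

# Constructed sample events and policy values (not from the slides).
T0 = datetime(2015, 12, 21, 9, 0)
def at(minutes):
    return T0 + timedelta(minutes=minutes)
EVENTS = [
    (at(0), "alice", False), (at(1), "alice", False), (at(2), "alice", False),
    (at(5), "alice", True), (at(40), "alice", True),
    (at(0), "bob", False), (at(10), "bob", False), (at(45), "bob", False),
]
RESULTS = replay(EVENTS, threshold=3, reset_after=timedelta(minutes=30),
                 duration=timedelta(minutes=30))
```

In this sample, alice is locked on her third failure and her correct password at minute 5 is refused, while bob's third failure arrives after the reset window and does not lock the account.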


AUDITING

Auditing consists of two major components:

Audit policy

Audit entries


CHOOSING EVENTS TO AUDIT

There are several types of events that can be audited based on the specific security needs of the given system.

Table 3-1 lists these auditable events.


POTENTIAL EVENTS TO AUDIT

Shutting down and restarting the computer

Users logging on at odd hours

Users logging on to computers they wouldn’t normally log on to

Users attempting to log on unsuccessfully

Changes to user and group accounts

Printer usage

Access to particular files and folders


CONFIGURING AUDIT POLICY

Configure the audit policy

Enable auditing on specific resources


VIEWING AUDIT ENTRIES IN THE SECURITY LOG


CHAPTER SUMMARY

Local user accounts are used to gain initial access to a computer and to control local resources.

Local groups are used to simplify the assignment of security features by associating user accounts that have common needs.

User profiles store user-specific configuration settings, such as customized desktops and personalized application settings.


CHAPTER SUMMARY (CONTINUED)

Windows stores local user profiles in the Documents And Settings folder. This folder stores several files and folders containing configuration information and data for each user profile.

Password problems are a common issue with users. Make sure that they are typing their logon information correctly and that the Caps Lock key is not engaged.


CHAPTER SUMMARY (CONTINUED)

Security policy is a combination of security settings that affect the security on a computer. Computers that are members of a workgroup are subject only to Local Security Policy. Computers that are members of a domain are subject to both Local Security Policy and Group Policy.