Chapter 3: Supporting Local Users and Groups
Date posted: 21-Dec-2015
SUPPORTING LOCAL USERS AND GROUPS
Explain the difference between local and domain accounts
Create and modify a user account in Microsoft Windows XP Professional Edition
Explain the use of and configure groups
Configure Fast User Switching
Troubleshoot common password and logon problems
SUPPORTING LOCAL USERS AND GROUPS (CONTINUED)
Explain how Local Security Policy affects a computer running Windows XP
Use the Local Security Policy tool to change security settings
Identify the important security settings that are available through Local Security Policy
LOCAL ACCOUNTS
Local accounts are used for the following activities:
To gain initial access to the computer
To control access to local computer resources
To control access to network resources
Specific to one PC only
Used in a workgroup setting
LOCAL ACCOUNTS
Right-click My Computer and choose Manage
USER ACCOUNTS
Account management is a comprehensive topic that includes:
Auditing of account activity
Creation of user and group accounts, and management of account properties
Password and account lockout policy configuration
User rights assignments
DEFAULT USER ACCOUNTS – cannot be deleted
Administrator – Most important user
Guest – limited privileges, used for guests
HelpAssistant – built-in for remote assistance
SUPPORT_susux – used by Microsoft when providing remote support through Help and Support Service.
GROUP ACCOUNTS
Group accounts are used to simplify the assignment of security features by associating user accounts that have common needs.
For example, the Administrators group contains all users who have administrative rights on the local machine.
DEFAULT GROUP ACCOUNTS
There are several default, built-in groups in Windows XP Professional Edition. The most common of these are:
Administrators group
Backup Operators group
Guest group
Power Users group
Users group
SECURITY IDENTIFIERS (SIDS)
User accounts and groups are considered security principals, meaning that you can grant them access on a computer. Every security principal has a unique Security Identifier (SID) assigned to it at the time of creation.
A SID is basically a number associated with a user or a group, used for tracking security settings. It is easier for the OS to track a number than a name.
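Added example (not part of the original slides): a small parser that turns the binary form of a SID into its S-1-... string and names the default accounts and groups listed earlier from their well-known values. The sample SID bytes are constructed for illustration; the function and constant names are this example's own.

```python
import struct

# Well-known relative identifiers (RIDs) documented by Microsoft.
BUILTIN_ALIASES = {544: "Administrators", 545: "Users", 546: "Guests",
                   547: "Power Users", 551: "Backup Operators"}
ACCOUNT_RIDS = {500: "Administrator", 501: "Guest"}

def sid_to_string(raw: bytes) -> str:
    """Convert a binary SID (as found in an ACL or the registry) to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def describe_sid(sid: str) -> str:
    """Name the default account or group a SID refers to, if it is well known."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"] or len(parts) < 4:
        raise ValueError("not a revision-1 SID string")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        return "built-in group: " + BUILTIN_ALIASES.get(subs[1], "unknown alias")
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]                                # last value identifies the principal
        if rid in ACCOUNT_RIDS:
            return "default account: " + ACCOUNT_RIDS[rid]
        return "account or group created on this machine or domain (RID %d)" % rid
    return "other security principal"

# Constructed sample: machine identifier 1111111111-2222222222-3333333333, RID 500.
SAMPLE_SID = (bytes([1, 5]) + (5).to_bytes(6, "big") +
              struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 500))

if __name__ == "__main__":
    text = sid_to_string(SAMPLE_SID)
    print(text, "->", describe_sid(text))
```

Because the RID of the built-in Administrator account is always 500, the SID still identifies it after the account has been renamed.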
LIMITATIONS OF WINDOWS XP HOME EDITION
Cannot create local groups
Local Users And Groups tool is not available—must use User Accounts tool
Supports only two types of accounts:
Computer Administrator
Limited
Does not have an account named Administrator
Cannot join a domain
USER PROFILES
User profiles store user-specific configuration settings, such as customized desktops and personalized application settings
Types of profiles Windows XP supports
Local – available only on the PC it was created on. XP Pro and Home support this.
Roaming – stored in a shared folder on a network server and accessible from any location in a network. Only XP Pro.
Mandatory – roaming profiles that users cannot make permanent changes to. Mandatory profiles are used to enforce configuration settings. Only XP Pro.
DOCUMENTS AND SETTINGS FOLDER – Storage Location for Local Profiles
Windows stores local user profiles in the Documents And Settings folder. This folder stores several files and folders containing configuration information and data for each user profile.
LOCAL USER PROFILES
A local user profile is available only from the system on which it was created
A unique local user profile is created and stored on each computer a user logs on to
HANDLING MULTIPLE PROFILES FOR THE SAME USER NAME
If a Windows XP Professional Edition computer is a member of a Windows domain, two users with the same user account name can log on to the same system.
If two users named Matt logged on to a local machine, two separate folders would be created:
1. C:\documents and settings\matt
2. C:\documents and settings\matt.<computer_name>
where <computer_name> is the name of the local PC
ROAMING USER PROFILES – stored on a network server; this helps avoid the following two problems:
Users will have a different profile on each machine they log on to
Without regular backup, if the local machine crashes, the profile could be lost
ENABLING ROAMING PROFILES
Create and share a folder on the server that will hold the roaming profiles
Make sure that the users have access to the shared folder
Specify the location of the roaming profile folder
ADDITIONAL POINTS ON ROAMING PROFILES
Roaming profiles are generally used in a domain environment
In a domain account, a roaming profile is created and configured once on a domain controller
MANDATORY USER PROFILES
Mandatory user profiles are applied to roaming user profiles. When a profile is made mandatory, users are unable to save changes to desktop settings.
Used when you don’t want users to change settings, such as desktop backgrounds and icons.
FAST USER SWITCHING
Allows multiple local user accounts to log on to a computer simultaneously
Users can switch sessions without logging off or closing programs
Running programs still consume computer resources
This can really slow down the PC. I would not recommend using it.
TROUBLESHOOTING PASSWORD PROBLEMS
The user is mistyping the user name, password, or both
The user has the CAPS LOCK key engaged
SECURITY POLICY
Security policy is a combination of security settings that affect the security on a computer
Computers that are members of a workgroup are subject only to Local Security Policy
Computers that are members of a domain are subject to both Local Security Policy and Group Policy
ORDER OF POLICY APPLICATION
1. Local Computer Policy is applied to the computer
2. Group Policy settings are applied for the Active Directory site of which the computer is a member
3. Group Policy settings are applied for the Active Directory domain of which the computer is a member
4. Group Policy settings configured for the Active Directory OU of which the computer is a member are applied
RESULTANT SET OF POLICY
Policy settings are cumulative, so all settings contribute to effective policy. The effective policy is called the Resultant Set of Policy (RSoP).
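Added example (not part of the original slides): a model of how the four layers combine into the RSoP, showing that when two layers configure the same setting the one applied later takes effect, and which locally configured settings are therefore not in force. It assumes default processing only (no enforced links or blocked inheritance); the layer keys and setting names are simplified labels chosen for this example.

```python
# Application order from the slide: Local, Site, Domain, OU.
ORDER = ["local", "site", "domain", "ou"]

def resultant_set(layers):
    """Merge policy layers in application order.

    layers maps a layer name to {setting: value}. Returns
    {setting: (effective value, winning layer, [overridden layers])}.
    """
    unknown = set(layers) - set(ORDER)
    if unknown:
        raise ValueError("unknown policy layer(s): %s" % sorted(unknown))
    effective = {}
    for layer in ORDER:
        for setting, value in layers.get(layer, {}).items():
            overridden = []
            if setting in effective:
                _, prev_layer, prev_over = effective[setting]
                overridden = prev_over + [prev_layer]
            effective[setting] = (value, layer, overridden)
    return effective

def overridden_local(rsop):
    """Settings configured in Local Security Policy that a later layer replaced."""
    return sorted(s for s, (_, _, over) in rsop.items() if "local" in over)

# Constructed sample layers for a domain-joined workstation.
SAMPLE_LAYERS = {
    "local": {"Shutdown without logon": "Enabled",
              "Audit logon events": "No auditing"},
    "domain": {"Audit logon events": "Failure",
               "Force logoff when logon hours expire": "Enabled"},
    "ou": {"Shutdown without logon": "Disabled",
           "Audit logon events": "Success, Failure"},
}

if __name__ == "__main__":
    rsop = resultant_set(SAMPLE_LAYERS)
    for name, (value, layer, over) in sorted(rsop.items()):
        print("%-40s %-18s from %-6s overrides %s" % (name, value, layer, over))
    print("local settings not in force:", overridden_local(rsop))
```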
CONFIGURABLE SECURITY OPTIONS
There are quite a few configurable security options in Windows XP, including:
Shutdown: Allow System To Be Shut Down Without Having To Log On
Microsoft Network Server: Amount Of Idle Time Required Before Suspending A Session
Network Security: Force Logoff When Logon Hours Expire
Other security options
PASSWORD POLICY
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Passwords must meet complexity requirements
Store password using reversible encryption for all users in the domain
ACCOUNT LOCKOUT POLICY
Account Lockout Policy allows you to configure the computer to stop responding to logon requests from a user who has a valid logon name but who keeps entering the incorrect password. The policy settings are as follows:
Account Lockout Duration
Account Lockout Threshold
Reset Account Lockout After
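Added example (not part of the original slides): a replay of logon attempts for one account that shows how the three lockout settings interact, in particular how the reset window decides whether spaced-out failures ever reach the threshold. The timestamps are constructed, and the function and outcome names are this example's own.

```python
from datetime import datetime, timedelta

def simulate_lockout(events, threshold, duration_min, reset_after_min):
    """Replay (timestamp, password_ok) logon attempts for one account.

    Returns [(timestamp, outcome)] where outcome is 'success', 'failure',
    'locked-now' or 'rejected-locked'. threshold 0 means never lock;
    duration_min 0 means locked until an administrator unlocks the account.
    """
    failures, last_failure, locked_at = 0, None, None
    results = []
    for ts, ok in sorted(events):
        if locked_at is not None:
            expired = duration_min > 0 and ts - locked_at >= timedelta(minutes=duration_min)
            if not expired:
                results.append((ts, "rejected-locked"))   # even a correct password fails
                continue
            locked_at, failures = None, 0
        if last_failure and ts - last_failure >= timedelta(minutes=reset_after_min):
            failures = 0                                  # reset window has elapsed
        if ok:
            failures = 0
            results.append((ts, "success"))
            continue
        failures, last_failure = failures + 1, ts
        if threshold and failures >= threshold:
            locked_at = ts
            results.append((ts, "locked-now"))
        else:
            results.append((ts, "failure"))
    return results

# Constructed sample: minutes after 09:00 and whether the password was correct.
BASE = datetime(2015, 12, 21, 9, 0)
SAMPLE_EVENTS = [(BASE + timedelta(minutes=m), ok) for m, ok in
                 [(0, False), (1, False), (40, False), (41, False),
                  (42, False), (43, True), (73, True)]]

def outcomes(threshold, duration_min, reset_after_min):
    return [o for _, o in simulate_lockout(SAMPLE_EVENTS, threshold,
                                           duration_min, reset_after_min)]

if __name__ == "__main__":
    print(outcomes(3, 30, 30))   # counter resets before the third failure
    print(outcomes(3, 60, 60))   # third failure at 09:40 locks the account
```

With a 30-minute reset window, an attacker who pauses between guesses gets two extra attempts before the lockout; the same events under a 60-minute window lock the account at the third failure.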
AUDITING
Auditing consists of two major components:
Audit policy
Audit entries
CHOOSING EVENTS TO AUDIT
There are several types of events that can be audited based on the specific security needs of the given system.
Table 3-1 lists these auditable events.
POTENTIAL EVENTS TO AUDIT
Shutting down and restarting the computer
Users logging on at odd hours
Users logging on to computers they wouldn’t normally log on to
Users attempting to log on unsuccessfully
Changes to user and group accounts
Printer usage
Access to particular files and folders
CONFIGURING AUDIT POLICY
Configure the audit policy
Enable auditing on specific resources
CHAPTER SUMMARY
Local user accounts are used to gain initial access to a computer and to control local resources.
Local groups are used to simplify the assignment of security features by associating user accounts that have common needs.
User profiles store user-specific configuration settings, such as customized desktops and personalized application settings.
CHAPTER SUMMARY (CONTINUED)
Windows stores local user profiles in the Documents And Settings folder. This folder stores several files and folders containing configuration information and data for each user profile.
Password problems are a common issue with users. Make sure that they are typing their logon information correctly and that the Caps Lock key is not engaged.
CHAPTER SUMMARY (CONTINUED)
Security policy is a combination of security settings that affect the security on a computer. Computers that are members of a workgroup are subject only to Local Security Policy. Computers that are members of a domain are subject to both Local Security Policy and Group Policy.