Unit 4 NMA: Working with User Accounts (Windows Server 2008)

S.RANGARAJAN COMPUTER DEPT


Working with User Accounts

INDEX

4.1 Working with user accounts

4.2 Working with security groups

4.3 Working with shares

4.4 Working with printers

4.5 Working with Windows backup

4.6 Using the Windows Server Backup software

Network Management Tasks and Activities

Managing user access to the network is a major challenge of network administration.

Access to resources and data must be controlled but not overly restricted.

Assigning users to groups makes the administration of user rights much easier.

Managing Access and Accounts

Setting up user accounts is less complicated than assigning access rights.

Every OS has procedures and/or an interface for setting up accounts.

It is easier to add privileges later than to take them away from users, so start with fairly restrictive account policies.

User Accounts

A user account holds information about a specific user.

It can contain basic information such as the name, the password and the level of permission the user is granted.

It can also contain much more specific information, such as the department the user works in, a home phone number, and the days and hours during which the user is allowed to log on to specific workstations.

Managing Groups

Groups are created to make the sharing of resources more manageable.

A group contains users that share a common need for access to a particular resource.

The terms used for that access (rights, permissions, privileges) carry different connotations in each operating system, but all of them refer to the access that a user or group account is granted.

Administrator Account

All operating systems have an administrative account.

The administrative account should be used only for the purpose of administering the server.

Granting ordinary users this type of access is a disaster waiting to happen.

Most operating systems set up the administrative account during installation.

Default Accounts

Windows has several accounts set up by default.

No matter which system is used, it is important to know which accounts are installed by default and what access each account has.

The purpose of the guest account is to allow temporary access for a user that does not have an account set up.

The Guest Account

The guest account has limited access, but it is usually left disabled (it is disabled by default on Windows Server 2008) to keep intruders from using it to access the machine.

Passwords

Allowing users to create simple passwords produces an insecure environment.

If passwords are too difficult to remember, users will probably write them down and may even post them.

A weak password might be very short, use only letters and digits, or contain information easily guessed by someone profiling the user.

Strong Passwords

Strong passwords can be derived from events or things the user knows.

For example, the phrase "Going to the Bahamas on June 6, 2006 with Jean" can be converted to gtB6606@J.

This creates a complex password that is easy for the user to remember. Note that the date and the companion's initial in this example are exactly the kind of personal detail the previous slide warns about, and nine characters is short by current standards; a longer phrase that an outsider could not reconstruct is stronger.

Password Policies

Password policies help protect the network from attackers and define the responsibilities of users who have been given access to company resources.

All users should read and sign the security policies as part of their employment process.

Many times it is necessary to restrict logon hours, for example for maintenance windows.
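The following PowerShell script is an added example, not part of the original slides: it displays the password policy the domain currently enforces and then pre-checks candidate passwords, including the slide's gtB6606@J, against the rules Windows applies when "Password must meet complexity requirements" is enabled. It assumes PowerShell 2.0 or later on a domain member; the account name jsmith, the display name and the candidate passwords are made up.

```powershell
# Added example (not from the original slides): show the effective domain
# password policy and pre-check candidate passwords against the Windows
# complexity rules. Assumptions: PowerShell 2.0+, domain-joined machine;
# the account name, display name and candidates below are made up.

# The effective domain policy (minimum length, maximum age, history) is
# stored on the domain object and is managed through the Default Domain
# Policy GPO; net accounts only reports it here.
net accounts /domain

function Test-WindowsPasswordComplexity {
    # Mirrors the built-in complexity filter: at least 3 of the 4
    # character classes, and no occurrence of the account name or of any
    # display-name token longer than 2 characters (tokens are split on
    # space, comma, period, dash, underscore, hash and tab). The minimum
    # length is a separate policy setting; 12 is this script's choice.
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = '',
        [int]$MinimumLength = 12
    )
    $reasons = @()
    if ($Password.Length -lt $MinimumLength) {
        $reasons += "shorter than $MinimumLength characters"
    }
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $reasons += "uses only $classes of 4 character classes" }
    $lower = $Password.ToLower()
    if ($SamAccountName -and $lower.Contains($SamAccountName.ToLower())) {
        $reasons += 'contains the account name'
    }
    foreach ($token in ($DisplayName -split '[ ,.\-_#\t]+')) {
        if ($token.Length -gt 2 -and $lower.Contains($token.ToLower())) {
            $reasons += "contains display-name part '$token'"
        }
    }
    New-Object PSObject -Property @{
        Password   = $Password
        Acceptable = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# The slide's example and two made-up alternatives, checked for the
# user "jsmith" whose display name is "Jean Smith".
$results = foreach ($candidate in 'gtB6606@J', 'Jean2006', 'correct-horse-bahamas-6606') {
    Test-WindowsPasswordComplexity -Password $candidate `
        -SamAccountName 'jsmith' -DisplayName 'Jean Smith'
}
$results | Format-Table Password, Acceptable, Reasons -AutoSize
```

Under the 12-character minimum chosen here the slide's example is rejected only for length (it has all four character classes and contains no part of the user's name); "Jean2006" is rejected because it contains the display-name token "Jean", which is the rule that catches passwords built from the profile information the earlier slide warns about. Pass -MinimumLength 6 to see the verdict under the Windows default.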

Access to Files

Auditing is the process of keeping track of who is logging in and which files they access.

Network administrators assign user access rights and set permissions.

When a user belongs to several groups, the Allow permissions from all of them accumulate, but an explicit Deny granted to any one group overrides an Allow from another, so a restricted group membership can cancel unrestricted access granted elsewhere.

Types of Groups

Groups may be nested. Active Directory Domain Services provides flexibility by allowing two types of groups: security groups and distribution groups.

Both types of groups have what is called a scope. Scope determines where in the network the group can be used and who can be a member.

Group Scope

The three group scopes available in an Active Directory domain (Windows 2000 and later) are: domain local, global and universal.

The acronym GULP (Global, Universal, domain Local, Permissions) will help you remember how groups are placed into other groups: accounts go into global groups, global groups into universal groups, universal groups into domain local groups, and permissions are assigned to the domain local groups.

Permission Assignment

For a user-based model, permissions are assigned to each user account.

For group-based access control, permissions are assigned to groups.

For role-based access control, a role is associated with a job and permissions are assigned to these roles.

Rule-based access control is based on access control lists (ACLs).

Group Policy

After you create groups, Group Policy can be used for ease of administration in managing the environment of users.

The Group Policy object (GPO) is used to apply Group Policy to users and computers.

A GPO is a virtual storage location for Group Policy settings; the settings are stored partly in the Group Policy container (an Active Directory object) and partly in the Group Policy template (a folder in the SYSVOL share on the domain controllers).

Managing Access and Accounts

Group Policy allows you to set consistent, common security standards.

Group Policies are applied in a specific order, or hierarchy. By default, Group Policy is inherited and cumulative.

Use the acronym LSDOU (local, site, domain, organizational unit) to remember the order in which Group Policy is applied; when two GPOs configure the same setting, the one applied later in that order wins.
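The following PowerShell script is an added example, not part of the original slides: a small model of how settings from GPOs linked at the LSDOU levels combine, so that the precedence rule can be seen on a concrete conflict. It also models two link options the slides do not mention but every domain relies on: a link marked Enforced wins over anything applied after it, and Block Inheritance on a container discards every non-enforced GPO linked above it. The GPO names and settings are made up; nothing here touches a real domain.

```powershell
# Added example (not from the original slides): resolve conflicting GPO
# settings in LSDOU order. The link list and settings are constructed.

function Resolve-GroupPolicy {
    param(
        [object[]]$Links,                      # hashtables in LSDOU order
        [string[]]$BlockInheritanceAt = @()    # levels with Block Inheritance
    )
    $surviving = @()
    foreach ($link in $Links) {
        if ($BlockInheritanceAt -contains $link.Level) {
            # Everything linked above this container is dropped unless enforced.
            $surviving = @($surviving | Where-Object { $_.Enforced })
        }
        $surviving += $link
    }
    # Normal links apply in order (later overrides earlier). Enforced links
    # apply after all of them, in reverse order, so that of two conflicting
    # enforced GPOs the one linked highest in the hierarchy wins.
    $normal   = @($surviving | Where-Object { -not $_.Enforced })
    $enforced = @($surviving | Where-Object { $_.Enforced })
    [array]::Reverse($enforced)
    $effective = @{}                           # setting -> @{ Val; Origin }
    foreach ($link in ($normal + $enforced)) {
        foreach ($setting in $link.Settings.Keys) {
            $effective[$setting] = @{ Val = $link.Settings[$setting]; Origin = "$($link.Level)/$($link.Gpo)" }
        }
    }
    $effective
}

function Show-EffectivePolicy {
    param([hashtable]$Effective)
    foreach ($setting in ($Effective.Keys | Sort-Object)) {
        '{0,-20} = {1,-6} from {2}' -f $setting, $Effective[$setting].Val, $Effective[$setting].Origin
    }
}

# Constructed links, already in LSDOU order.
$links = @(
    @{ Level = 'Local';  Gpo = 'Local Computer Policy'; Enforced = $false; Settings = @{ ScreenSaverTimeout = 0 } },
    @{ Level = 'Site';   Gpo = 'HQ-Site-Policy';        Enforced = $false; Settings = @{ ScreenSaverTimeout = 900 } },
    @{ Level = 'Domain'; Gpo = 'Security-Baseline';     Enforced = $true;  Settings = @{ RemovableStorage = 'Deny'; ScreenSaverTimeout = 600 } },
    @{ Level = 'OU';     Gpo = 'Sales-Workstations';    Enforced = $false; Settings = @{ RemovableStorage = 'Allow'; ScreenSaverTimeout = 1200 } }
)

# With the domain baseline enforced, the OU GPO cannot re-allow removable
# storage or lengthen the screen-saver timeout.
Show-EffectivePolicy (Resolve-GroupPolicy -Links $links)

# Same links with the baseline not enforced: the OU GPO, applied last, wins.
$links[2].Enforced = $false
Show-EffectivePolicy (Resolve-GroupPolicy -Links $links)
```

The first listing keeps RemovableStorage = Deny and ScreenSaverTimeout = 600 from the domain GPO; the second flips both to the OU values. That difference is why a security baseline is linked at the domain and marked Enforced: an OU administrator can still link their own GPOs, but cannot weaken the baseline. On a real machine, gpresult /r lists the GPOs that were actually applied to the current user and computer.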

Managing Network Performance

As your network changes, its performance must be monitored and improved.

A measure of normal activity is known as a baseline.

Baselines must be updated on a regular basis, and whenever the network has changed or new technology has been deployed.

FILE SHARING

1. Connect both ends of an Ethernet cable to the two computers.

2. Change the adapter settings: go to Control Panel > Network and Sharing Center and then click Change Adapter Settings.

3. Right-click Local Area Connection, then click Properties.

4. Choose Internet Protocol Version 4, then click Properties.

5. Choose both Obtain an IP address automatically and Obtain DNS server address automatically, then click OK. (With no DHCP server on a direct cable, each computer assigns itself an automatic private address in the 169.254.0.0/16 range.)

6. Open the Command Prompt.

7. Determine the IP address of the computer you will share from (ipconfig).

8. To determine whether the computer is already connected to the other computer, type ping followed by its IP address.

9. Right-click the folder, then choose Share with > Specific people and click OK.

10. From the drop-down menu, choose Everyone, then click Add. Do not forget to change the permission level from Read to Read/Write. Finally, click Share, then Done.

11. Right-click the desired folder again, then choose Properties.

12. Click Sharing, then choose Advanced Sharing.

13. Check Share this folder, then click Apply and OK.

14. Click Permissions, then check Full Control, then Apply; click Caching, then OK.

15. Check that the folder has been shared: go to Start menu > Computer > Network.

Granting Everyone Read/Write and Full Control (steps 10 and 14) is acceptable for a two-computer lab but not for a production server. Both the share permission and the NTFS permission on the folder are evaluated, and the more restrictive of the two applies, so grant the share to a specific group and keep the share permission no wider than the NTFS permission.
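The following PowerShell script is an added example, not part of the original slides: it publishes a folder the way a server administrator would, with both permission layers scoped to one group instead of Everyone, and then verifies the result. It assumes an elevated prompt on a Windows Server 2008 member of a fictitious domain CORP, that the group CORP\Sales-Share-RW already exists, and that D:\Shares\Sales is the folder to publish; all of these names are made up.

```powershell
# Added example (not from the original slides): share a folder with
# group-scoped NTFS and share permissions and verify both layers.
# Assumptions: elevated prompt, domain CORP, group CORP\Sales-Share-RW
# exists, folder D:\Shares\Sales (all made up), PowerShell 2.0+.

$folder = 'D:\Shares\Sales'
$share  = 'Sales'
$group  = 'CORP\Sales-Share-RW'

if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# NTFS layer: drop inherited ACEs so whatever is granted on D:\ does not
# leak in, then grant Modify (not Full Control, which would let members
# change permissions or take ownership) to the group, and Full Control
# to Administrators and SYSTEM for management.
icacls $folder /inheritance:r
icacls $folder /grant "${group}:(OI)(CI)M"
icacls $folder /grant 'BUILTIN\Administrators:(OI)(CI)F'
icacls $folder /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Share layer: grant CHANGE to the group only. Effective access is the
# more restrictive of the share permission and the NTFS permission, so
# leaving Everyone with Full Control here (as the wizard in the steps
# above does) would rely entirely on NTFS to protect the data.
net share "$share=$folder" "/GRANT:$group,CHANGE" "/REMARK:Sales team working files"
if ($LASTEXITCODE -ne 0) { throw "could not create share $share" }

# Verify: the share must exist, must not list Everyone, and the folder
# ACL must not contain a Full Control entry for the group.
$shareInfo = net share $share
if ($LASTEXITCODE -ne 0)          { throw "share $share was not created" }
if ($shareInfo -match 'Everyone') { throw "share $share still grants Everyone" }
$acl = icacls $folder
if ($acl -match ([regex]::Escape($group) + '.*\(F\)')) {
    throw "$group has Full Control on $folder"
}
"Share \\$env:COMPUTERNAME\$share published; permissions:"
$shareInfo
$acl
```

Run it once per share; net share refuses to create a name that already exists, so re-running reports an error at the share step rather than silently widening permissions. The two icacls checks at the end are the ones to repeat after any change made through the GUI wizard.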

4.1 Working with user accounts

For anyone, including the administrator, to gain access to a server running Windows Server 2008, the user must have an account established on the server or in the domain.

The account defines the user name and the user's password.

To maintain user accounts, you use the Active Directory Users and Computers console.

You can open this console from Start > Programs > Administrative Tools.

Create a user account

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. In the console tree (Active Directory Users and Computers / domain node / folder), right-click the folder or organizational unit in which you want to add the user account.

3. Point to New, and then click User.

4. In First name, type the user's first name.

5. In Initials, type the user's initials.

6. In Last name, type the user's last name.

7. Modify Full name to add initials or reverse the order of first and last names.

8. In User logon name, type the user logon name. Click Next.

9. In New Object - User, in Password and Confirm password, type the user's password, and then select the appropriate password options.

10. Click Next, review the new user account settings, and then click Finish.

Options while creating a user account

User Must Change Password at Next Logon: selecting this checkbox forces the user to choose their own password when they first log on to the system, so the administrator who set the initial password does not keep knowing it.

User Cannot Change Password: you might select this option for resource (service) accounts if you do not want anyone to change their passwords. Generally, however, you should not select this option; most sites allow users to change their own passwords, and you must permit them to do so if you have also set passwords to expire automatically.

Password Never Expires: choose this option to allow the password to remain valid for as long as the user chooses to use it. Activating this option for most users is generally considered a poor security practice.

Account Is Disabled: selecting this option disables the new account. The administrator can enable the account when needed by clearing the checkbox.
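The following PowerShell script is an added example, not part of the original slides: it creates a domain user from the command line with the same options the New Object - User wizard offers, then reads the account back and decodes the attributes that implement those options, which is the check to make after creating accounts by any method. It assumes an elevated prompt on a domain controller or on a member server with the AD DS administration tools (dsadd) installed, PowerShell 2.0 or later, and a made-up domain corp.example with an OU named Staff and a user jsmith.

```powershell
# Added example (not from the original slides): create a user with dsadd
# and verify the wizard options on the resulting object via ADSI.
# Assumptions: elevated prompt, dsadd available, PowerShell 2.0+, and
# the made-up DN below.

$userDn = 'CN=Jean Smith,OU=Staff,DC=corp,DC=example'

# "-pwd *" makes dsadd prompt for the password, so the secret never
# appears in the command history or in the process command line.
#   -mustchpwd yes       = "User must change password at next logon"
#   -canchpwd yes        = leave "User cannot change password" cleared
#   -pwdneverexpires no  = leave "Password never expires" cleared
#   -disabled no         = leave "Account is disabled" cleared
dsadd user $userDn -samid jsmith -upn jsmith@corp.example `
    -fn Jean -ln Smith -display 'Jean Smith' -dept Sales `
    -pwd * -mustchpwd yes -canchpwd yes -pwdneverexpires no -disabled no
if ($LASTEXITCODE -ne 0) { throw "dsadd failed for $userDn" }

# Flag bits in userAccountControl (ADS_USER_FLAG_ENUM values).
$ADS_UF_ACCOUNTDISABLE     = 0x0002
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-AccountOptionState {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    $uac  = [int]$user.userAccountControl.Value
    # pwdLastSet is a 64-bit file time; 0 means "must change at next
    # logon". "Cannot change password" is not a flag but an ACE on the
    # object, so it is not decoded here.
    $pwdLastSet = $user.ConvertLargeIntegerToInt64($user.pwdLastSet.Value)
    New-Object PSObject -Property @{
        Account                   = $user.sAMAccountName.Value
        MustChangePasswordAtLogon = ($pwdLastSet -eq 0)
        PasswordNeverExpires      = (($uac -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
        AccountDisabled           = (($uac -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
        RawUserAccountControl     = ('0x{0:X}' -f $uac)
    }
}

$state = Get-AccountOptionState -DistinguishedName $userDn
$state
if (-not $state.MustChangePasswordAtLogon) {
    Write-Warning 'user was not forced to change the initial password'
}
if ($state.PasswordNeverExpires) {
    Write-Warning '"Password never expires" is set; confirm this is a service account'
}
```

The same Get-AccountOptionState function can be pointed at any existing user DN to audit accounts created through the console; a normal, enabled user shows RawUserAccountControl 0x200, and 0x10200 identifies an account whose password never expires.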

Enable or disable a user account

The following procedures use the Windows SBS Console of Windows Small Business Server 2008, which is built on Windows Server 2008; on a standard Windows Server 2008 domain the same tasks are performed in Active Directory Users and Computers.

To enable or disable a user account, open the Windows SBS Console.

On the navigation bar, click the Users and Groups tab, and then click Users.

From the list of user accounts, click the user account that you want to enable or disable.

Under <User Account> Tasks, do one of the following: to enable a user account that is currently disabled, click Enable user account; to disable a user account that is currently enabled, click Disable user account.

Remove a user account from the network

To remove a user account, open the Windows SBS Console.

On the navigation bar, click the Users and Groups tab, and then click Users.

In the list of user accounts, click the user account that you want to remove, and then click Remove user account. A warning message appears.

In the warning message, do the following: clear the Delete Mailbox check box if you do not want to delete the mailbox for the user account; clear the Delete Shared Folder check box if you do not want to delete the shared folder for the user account.

Change general information for a user account

To change general information for a user account, open the Windows SBS Console.

On the navigation bar, click the Users and Groups tab, and then click Users.

From the list of user accounts, right-click the user account whose general information you want to modify, and then click Edit user account properties.

On the <User Account> Properties page, click the General tab, and then update any of the following information for this user account: First name, Last name, User name, E-mail address, Description, or Phone number.

Click Apply, and then click OK.

Change Remote Access permissions for a user account

To change Remote Access permissions for a user account, open the Windows SBS Console.

On the navigation bar, click the Users and Groups tab, and then click Users.

In the list of user accounts, right-click the user account whose Remote Access permissions you want to modify, and then click Edit user account properties.

On the <User Account> Properties page, click the Remote Access tab, and then do one of the following: select the User can access Remote Web Workplace check box to allow the user account to access network resources from a remote location by using Remote Web Workplace, or clear it to prevent such access.

Click Apply, and then click OK.

Change virtual private network permissions for a user account

Open the Windows SBS Console. On the navigation bar, click the Users and Groups tab, and then click Users.

In the list of user accounts, click the user account whose virtual private network permissions you want to modify, and then click Edit user account properties.

On the <User Account> Properties page, click the Remote Access tab, and then do one of the following: select the User can access virtual private network check box to allow the user account to create a VPN connection to the network, or clear it to stop the user account from creating a VPN connection to the network.

Click Apply, and then click OK.

Change e-mail information for a user account

Open the Windows SBS Console.

On the navigation bar, click the Users and Groups tab, and then click Users.

In the list of user accounts, click the user account whose e-mail information you want to modify, and then click Edit user account properties.

On the <User Account> Properties page, click the General tab, and then do one or both of the following: to change the first name or last name for the user account, type a new first name or last name; to change the user's e-mail address, type a new e-mail address.

Click Apply, and then click OK.

Change group memberships for a user account

Open the Windows SBS Console. On the navigation bar, click the Users and Groups tab, and then click Users.

In the list of user accounts, click the user account whose group memberships you want to modify, and then under Tasks, click Change group membership.

On the <User Account>'s Group Membership page, do one of the following: to add this user account to a group, select the group from the Groups list, and then click Add; to remove this user account from a group, select the group in the <User Account>'s Groups list, and then click Remove.
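The following PowerShell script is an added example, not part of the original slides: it performs the account lifecycle steps of the console procedures above (change general information, change group membership, disable, and finally remove) with the AD DS command-line tools, so that the steps can be scripted and logged. It assumes an elevated prompt with the AD DS administration tools available, PowerShell 2.0 or later, and the made-up domain DC=corp,DC=example with user jsmith and group Sales-Share-RW.

```powershell
# Added example (not from the original slides): account lifecycle with
# dsmod/dsget/dsrm. Assumptions: elevated prompt, ds* tools present,
# PowerShell 2.0+, and the made-up DNs below.

$userDn  = 'CN=Jean Smith,OU=Staff,DC=corp,DC=example'
$groupDn = 'CN=Sales-Share-RW,OU=Groups,DC=corp,DC=example'
$RemoveNow = $false   # set to $true only after the retention period

function Invoke-Ds {
    # Run a ds* tool and stop on failure; these tools report errors with
    # a non-zero exit code rather than throwing.
    param([string]$Tool, [string[]]$ToolArgs)
    & $Tool @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Tool $($ToolArgs -join ' ') failed" }
}

# Change general information (the General tab): description and phone.
Invoke-Ds dsmod @('user', $userDn, '-desc', 'Sales, desk 4-12', '-tel', '+1 555 0100')

# Change group membership: add the user, then list the user's groups.
Invoke-Ds dsmod @('group', $groupDn, '-addmbr', $userDn)
Invoke-Ds dsget @('user', $userDn, '-memberof')

# When a person leaves, disable first rather than delete: the account
# keeps its SID, so file ownership and audit records still resolve to a
# name, and the account can be re-enabled if the removal was premature.
# A deleted and re-created account gets a new SID, so old ACL entries
# would never match it again.
$stamp = Get-Date -Format yyyy-MM-dd
Invoke-Ds dsmod @('user', $userDn, '-disabled', 'yes', '-desc', "Disabled $stamp - left company")
Invoke-Ds dsmod @('group', $groupDn, '-rmmbr', $userDn)

# Confirm the state before anyone relies on it.
$disabledReport = dsget user $userDn -disabled
if ($disabledReport -notmatch 'yes') { throw "$userDn is still enabled" }

# Final removal, only after the retention period. -noprompt suppresses
# the confirmation, so the guard above is the only safety net.
if ($RemoveNow) {
    Invoke-Ds dsrm @($userDn, '-noprompt')
}
```

Each dsmod call is one auditable line in the script log, which is the advantage over clicking through the console; keep $RemoveNow false until whatever the site's retention policy requires has elapsed.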

Understanding User Accounts

Three types of user accounts can be created and configured in Windows Server 2008: local accounts, domain accounts and built-in user accounts.

Local Accounts

Used to access the local computer only; they are stored in the local Security Accounts Manager (SAM) database on the computer where they reside.

They are never replicated to other computers, nor do these accounts have domain access.

Domain Accounts

Accounts used to access Active Directory or network-based resources, such as shared folders or printers.

Account information for these users is stored in the Active Directory database and replicated to all domain controllers within the same domain.

A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest.

Built-in User Accounts

Automatically created when Microsoft Windows Server 2008 is installed.

Built-in local user accounts are created on a member server or a standalone server.

When you install Windows Server 2008 as a domain controller, the local SAM is no longer used for logons, and the ability to create and manipulate local accounts on that server is disabled.

By default, two built-in user accounts are created on a Windows Server 2008 computer: the Administrator account and the Guest account.

Built-in user accounts can be local accounts or domain accounts, depending on whether the server is configured as a standalone server or a domain controller.

Creating and Managing User Accounts

User accounts are usually created and managed with Active Directory Users and Computers.

User Account Properties (screenshot slides showing the property tabs of a user account)

Group Accounts

Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously.

A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.

When a user logs on, an access token is created that identifies the user and all of the user's group memberships.

This access token is used to verify a user's permissions when the user attempts to access a local or network resource.

By using groups, multiple users can be given the same permission level for resources on the network.

Since a user's access token is generated only at logon, if you add a user to a group (or remove them from one), they will need to log off and log back on for that change to take effect; until then the old token, with the old memberships, is what every access check sees.
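The following PowerShell script is an added example, not part of the original slides: it lists the group SIDs carried in the access token of the current logon session and compares one membership with what the directory says, which makes the "token is a snapshot taken at logon" point visible. It assumes PowerShell 2.0 or later on a domain member with the AD DS administration tools (dsquery/dsget) available; the group name CORP\Sales-Share-RW and the OU are made up.

```powershell
# Added example (not from the original slides): inspect the current
# access token and compare one membership with Active Directory.
# Assumptions: PowerShell 2.0+, domain member, dsquery/dsget present;
# the group name below is made up.

function Get-TokenGroup {
    # Every SID in the token, resolved to a name where possible.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        $name = '(unresolved)'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    }
}

function Test-TokenHasGroup {
    # IsInRole consults the token only, never the directory.
    param([Parameter(Mandatory = $true)][string]$GroupName)
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole($GroupName)
}

Get-TokenGroup | Sort-Object Name | Format-Table Name, Sid -AutoSize

# If BUILTIN\Administrators is active in the token, this session is
# running with the administrative access the slides advise against for
# day-to-day work.
if (Test-TokenHasGroup 'BUILTIN\Administrators') {
    Write-Warning 'this session carries the Administrators group in its token'
}

# Token versus directory for one group: after being added to the group
# in Active Directory, the first line stays False until the user logs
# off and on again, while the directory already lists the group.
"Token says member of CORP\Sales-Share-RW: $(Test-TokenHasGroup 'CORP\Sales-Share-RW')"
'Directory says:'
dsquery user -samid $env:USERNAME | dsget user -memberof
```

whoami /groups prints the same token list, with the attributes column showing which groups are enabled and which are marked "used for deny only" in a UAC-filtered token; the script above is the form to use when the result must be evaluated rather than read.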

Group Types

Distribution groups – non-security-related groups created for the distribution of information (e-mail) to one or more persons; they have no SID in access tokens and cannot be used in permissions.

Security groups – security-related groups created for the purpose of granting resource access permissions to multiple users.

Group Nesting

Users can be members of more than one group.

Groups can contain other Active Directory objects, such as computers, and other groups.

A group containing other groups is called group nesting.

Group Scopes

Global, Domain Local and Universal.

Using Global and Domain Local Groups

Global: these groups can include users, computers, and other global groups from the same domain only. You can use them to organize users who have similar functions and therefore similar requirements on the network.

Domain local: these groups can include users, computers, and groups from any domain in the forest. They are most often utilized to grant permissions for local resources and may be used to provide access to any resource in the domain in which they are located, but not in other domains.

Assign users within a domain to global groups. Add global groups to domain local groups. Assign permissions to the domain local group.

Universal Groups

These groups can include users and groups from any domain in the AD DS forest and can be employed to grant permissions to any resource in the forest.

A universal group can include users, computers, and global groups from any domain in the forest.

Changes to universal group membership lists are replicated to all global catalog servers throughout the forest, so nest global groups in universal groups rather than adding individual users; otherwise every user change triggers forest-wide replication.

AGUDLP

Microsoft's approach to using groups:

add Accounts to Global groups;

add those global groups to Universal groups;

add universal groups to Domain Local groups;

finally, assign Permissions to the domain local groups.
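The following PowerShell script is an added example, not part of the original slides: it builds the AGUDLP chain for one resource with the AD DS command-line tools and then verifies that the nesting actually resolves to the user and that the ACL names only the domain local group. It assumes an elevated prompt on a domain controller (dsadd/dsget/icacls available), PowerShell 2.0 or later, a domain functional level of Windows 2000 native or higher (required for universal security groups), and made-up names: domain corp.example, OU Groups, user jsmith and folder D:\Shares\Finance.

```powershell
# Added example (not from the original slides): AGUDLP with dsadd, with
# an end-to-end check. Assumptions: elevated prompt on a DC, PowerShell
# 2.0+, domain functional level allows universal security groups, and
# the made-up names below.

$domainDn = 'DC=corp,DC=example'
$ou       = "OU=Groups,$domainDn"
$userDn   = "CN=Jean Smith,OU=Staff,$domainDn"
$userSam  = 'CORP\jsmith'
$folder   = 'D:\Shares\Finance'

function Invoke-DsAdd {
    param([string[]]$ToolArgs)
    & dsadd @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "dsadd $($ToolArgs -join ' ') failed" }
}

# A -> G: accounts go into a Global group that names a role.
#         (-secgrp yes = security group; -scope g = global)
$gl = "CN=GL-Finance-Analysts,$ou"
Invoke-DsAdd @('group', $gl, '-secgrp', 'yes', '-scope', 'g', '-samid', 'GL-Finance-Analysts', '-members', $userDn)

# G -> U: a Universal group collects the role groups from each domain of
#         the forest. Nest the global group; do not add users directly,
#         because universal membership replicates to every global catalog.
$un = "CN=UN-Finance-Analysts,$ou"
Invoke-DsAdd @('group', $un, '-secgrp', 'yes', '-scope', 'u', '-samid', 'UN-Finance-Analysts', '-members', $gl)

# U -> DL: a Domain Local group names the resource and the access level.
$dl = "CN=DL-Finance-Share-Modify,$ou"
Invoke-DsAdd @('group', $dl, '-secgrp', 'yes', '-scope', 'l', '-samid', 'DL-Finance-Share-Modify', '-members', $un)

# P: permissions are assigned once, to the domain local group only.
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }
icacls $folder /grant 'CORP\DL-Finance-Share-Modify:(OI)(CI)M'

function Test-AgudlpChain {
    # Expanding the domain local group recursively must reach the user,
    # and the ACL must not grant the user (or a role group) directly.
    param([string]$DomainLocalDn, [string]$ExpectedUserDn, [string]$ExpectedUserSam, [string]$Path)
    $members = dsget group $DomainLocalDn -members -expand
    if ($LASTEXITCODE -ne 0) { throw "dsget failed for $DomainLocalDn" }
    $reachesUser = [bool]($members -match [regex]::Escape($ExpectedUserDn))
    $acl = icacls $Path
    $directGrant = [bool]($acl -match ([regex]::Escape($ExpectedUserSam) + '|GL-|UN-'))
    New-Object PSObject -Property @{
        UserReachableThroughNesting = $reachesUser
        AclBypassesDomainLocalGroup = $directGrant
        OK = ($reachesUser -and -not $directGrant)
    }
}

Test-AgudlpChain -DomainLocalDn $dl -ExpectedUserDn $userDn -ExpectedUserSam $userSam -Path $folder
```

The OK field is the condition to enforce in a review: access reaches the user only through the chain, and nothing on the ACL short-circuits it. The GL-, UN- and DL- prefixes are one possible naming standard of the kind the group implementation plan later in this unit calls for.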

Creating and Managing Groups

Creating and managing groups is usually done with Active Directory Users and Computers.

Group Properties (screenshot slides showing the property tabs of a group)

Working with Default Groups

Account Operators – can create, modify and delete accounts for users, groups, and computers in all containers and OUs, but cannot modify the Administrators, Domain Admins and Enterprise Admins groups or their members.

Administrators – complete and unrestricted access to the computer or domain controller.

Backup Operators – can back up and restore all files on the computer regardless of the permissions that protect those files, which makes this group almost as sensitive as Administrators.

Guests – by default have the same access as members of the Users group, with further restrictions on the built-in Guest account, which is disabled by default.

Print Operators – can manage printers and document queues.

Server Operators – can log on to a server interactively, create and delete shares, start and stop some services, back up and restore files, format the disk, shut down the computer and modify the system date and time.

Users – allows general access to run applications, use printers, shut down and start the computer, and use network shares for which they are assigned permissions.

DNSAdmins – permits administrative access to the DNS Server service.

Domain Admins – can perform administrative tasks on any computer anywhere in the domain.

Domain Computers – contains all workstations and member servers joined to the domain. Used to make computer management easier through Group Policy.

Domain Controllers – contains all computers installed in the domain as domain controllers.

Domain Guests – members include all domain guests.

Domain Users – members include all domain users. Used to assign permissions to all users in the domain.

Enterprise Admins – members have forest-wide administrative privileges, such as the ability to create and delete domains.

Schema Admins – members can manage and modify the Active Directory schema.

Special Identity Groups and Local Groups

Authenticated Users – used to allow controlled access to resources throughout the forest or domain; membership is computed at logon and covers every authenticated account, excluding anonymous logons and the Guest account.

Everyone – used to provide access to a resource for all users, including guests. Assigning permissions to this group is not recommended.

Group Implementation Plan

A plan that states who has the ability and responsibility to create, delete, and manage groups.

A policy that states how domain local, global, and universal groups are to be used.

A policy that states guidelines for creating new groups and deleting old groups.

A naming standards document to keep group names consistent.

A standard for group nesting.

Creating Users and Groups

Tools for creating users and groups:

Active Directory Users and Computers.

Batch files (using the ds* command-line tools).

Comma-Separated Value Directory Exchange (CSVDE).

LDAP Data Interchange Format Directory Exchange (LDIFDE).

Windows Script Host (WSH).
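The following PowerShell script is an added example, not part of the original slides: it bulk-creates users with CSVDE, the tool the list above names, and handles the caveat that matters in practice. CSVDE cannot set passwords (the unicodePwd attribute can only be written over an encrypted LDAP session, which csvde does not use), so the accounts are imported disabled (userAccountControl 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE) and each is given a password and enabled in a second pass with dsmod. It assumes an elevated prompt on a domain controller, PowerShell 2.0 or later, and the made-up domain corp.example, OU Staff and the two people in the table.

```powershell
# Added example (not from the original slides): bulk user creation with
# csvde, then password + enable with dsmod. Assumptions: elevated prompt
# on a DC, PowerShell 2.0+, and the made-up domain, OU and people below.

$csvPath = Join-Path $env:TEMP 'new-users.csv'
$ou      = 'OU=Staff,DC=corp,DC=example'

# Constructed input; in practice this list comes from HR.
$people = @(
    @{ Sam = 'jsmith'; First = 'Jean';  Last = 'Smith'; Dept = 'Sales' },
    @{ Sam = 'akhan';  First = 'Amira'; Last = 'Khan';  Dept = 'Finance' }
)

function New-CsvdeUserFile {
    # Writes the CSVDE import file: header row, then one row per account,
    # every account disabled (514) because no password can be set here.
    param([object[]]$People, [string]$OuDn, [string]$Path)
    $rows = @('DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName,department,userAccountControl')
    foreach ($p in $People) {
        $display = "$($p.First) $($p.Last)"
        $rows += ('"CN={0},{1}",user,{2},{2}@corp.example,{3},{4},"{0}",{5},514' -f `
            $display, $OuDn, $p.Sam, $p.First, $p.Last, $p.Dept)
    }
    Set-Content -Path $Path -Value $rows -Encoding ASCII
    $Path
}

New-CsvdeUserFile -People $people -OuDn $ou -Path $csvPath | Out-Null

# -i import, -f file, -k continue past "object already exists" errors,
# -j directory for csv.log so failures are recorded.
csvde -i -f $csvPath -k -j $env:TEMP
if ($LASTEXITCODE -ne 0) { throw "csvde import failed; see $env:TEMP\csv.log" }

# Second pass: set an initial password interactively ("-pwd *" prompts),
# force a change at first logon, and only then enable the account.
foreach ($p in $people) {
    $dn = "CN=$($p.First) $($p.Last),$ou"
    dsmod user $dn -pwd * -mustchpwd yes -disabled no
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not set password and enable $dn" }
}

# Anything still disabled under the OU did not get a password; review
# the list rather than enabling blindly.
dsquery user $ou -disabled
```

Importing the accounts disabled means a failed second pass leaves an account that cannot be used rather than one with an empty or shared password; the final dsquery shows exactly which accounts still need attention.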

Overview of network printing

Understand network printing concepts. Understand Windows network printing. Understand NetWare network printing.

Understand Network Printing Concepts

The network should be configured for sharing printers to enable network printing.

Local printer, shared printer, and network printer are the three basic printing configurations used while designing a network and configuring printers.

Basic printing configurations for networked computers: local print devices and shared print devices.

Local Print Devices

In Microsoft terminology the physical printer is called the print device; it produces the printed output.

It is essential to install the necessary drivers to ensure proper working of the print device.

The software object that controls the printing process is called the printer; it determines where and when the output is sent.

Local print devices provide the most convenient way of printing from a workstation computer.

Local Print Devices (screenshot slides: the Add Printer Wizard, selecting a printer port, installing the printer software, the Printer Sharing window and the Printers and Faxes window)

Shared Print Devices

Sharing a locally attached printer; sharing print devices directly connected to the network.

Sharing a Locally Attached Printer

Repeated interruptions by multiple users may affect the productivity of the user whose workstation hosts the printer.

There is a reduction in speed and response time, since that computer's resources are used to produce the output for multiple users.

Sharing Print Devices Directly Connected to the Network

Print devices connected to the network have their own internal network interface card that provides network identification to the device.

Print devices are generally placed centrally on the network to provide convenient access to multiple users.

Sharing print devices decreases the purchase, installation, and maintenance cost of printing.

Understand Windows Network Printing

In a workgroup, a shared print device's attributes are stored locally on the computer that shares it.

In a domain, the print device's information can be published in Active Directory (AD).

AD can be used when configuring the network-printing capabilities on Windows 2000 Server and Windows XP Professional workstations.

On non-domain Windows XP computers, information about the print device can be obtained over the network using the NetCrawler feature, which searches for and automatically adds all available shared network objects.

(Screenshot slides: the Add Printer Wizard and selecting a printer port.)

The following information has to be provided while installing a network-capable print device: the print device's IP address; the print device's manufacturer and printer type; a share name for the print device.

Understand NetWare Network Printing

The NetWare 6.0 operating system's printing service includes a printing option called iPrint.

The iPrint service is Internet-based, and it uses the Internet Printing Protocol (IPP) to make printing available from any computer with a web browser.

It uses Novell Distributed Print Services (NDPS) to distribute the print process to all networked users.

NDPS effectively combines older print components like the printer, print queue, and print server into one print object called the Printer Agent.

It manages the configuration of the printer through Novell Directory Services (NDS).

NDPS also handles the drivers used at the workstations.

NDPS includes the following components: Broker, Manager, Printer, Gateway and Client.

Windows Server Backup

Windows Server 2008 introduces a new technology for performing backups, called Windows Server Backup.

Similar to Shadow Copies of Shared Folders, Windows Server Backup uses the Volume Shadow Copy Service (VSS) to take snapshots of the items being protected by the backup.

Unlike NTBackup in previous versions of Windows, the Windows Server Backup tool in Windows Server 2008 does not allow you to back up individual files or directories; you must back up the entire volume that hosts the files that you want to protect. (Windows Server 2008 R2 added file and folder selection.)

This means that you must configure a backup destination that is at least as large as the volume or volumes that you wish to back up.

Windows Server 2008 supports two types of backup:

Manual backup – this backup can be initiated by using Windows Server Backup or the Wbadmin.exe command-line tool when a backup is needed. You must be a member of the Administrators group or the Backup Operators group to launch a manual backup.

Scheduled backup – members of the local Administrators group can schedule backups using the Windows Server Backup utility or the Wbadmin.exe command-line tool. Scheduled backups reformat the target drive that hosts the backup files, and thus can be performed only on a local physical drive that does not host any critical volumes. Because the target holds complete images of the volumes, including the registry and the local account database, it must be protected as carefully as the server itself.
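The following PowerShell script is an added example, not part of the original slides: a one-time backup of all critical volumes with wbadmin, followed by the checks an administrator should make before trusting it, and a guarded function for the volume recovery described in the next slides. It assumes an elevated prompt (Backup Operators or Administrators), PowerShell 2.0 or later, that E: is a dedicated disk attached for backups, and that D: is the data volume; the drive letters are made up.

```powershell
# Added example (not from the original slides): manual wbadmin backup
# with verification, and a guarded volume recovery. Assumptions:
# elevated prompt, PowerShell 2.0+, E: dedicated backup disk, D: data
# volume (both made up).

$target = 'E:'

# Whole volumes are imaged, so the target must be at least as large as
# the volumes selected. -allCritical adds every volume needed for a
# bare-metal restore; -vssFull marks the files as backed up (use it only
# if no other backup product relies on archive bits); -quiet suppresses
# the confirmation so the command can run unattended. The colon
# arguments are quoted so PowerShell passes them to wbadmin unchanged.
wbadmin start backup "-backupTarget:$target" -allCritical -vssFull -quiet
if ($LASTEXITCODE -ne 0) { throw 'backup did not complete; check the Backup log in Event Viewer' }

# The target now holds a full image of the system volume, including the
# registry and therefore the local SAM and cached secrets. Restrict the
# backup folder to administrators only.
$imageRoot = "$target\WindowsImageBackup"
icacls $imageRoot /inheritance:r
icacls $imageRoot /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# List what is on the target. Each version is identified by a timestamp
# that wbadmin start recovery takes as -version:MM/DD/YYYY-HH:MM.
$versions = wbadmin get versions "-backupTarget:$target"
$versions
if (-not ($versions -match 'Version identifier')) { throw "no backup versions found on $target" }

function Restore-VolumeFromBackup {
    # Recovers one volume in place from a chosen version. Requires the
    # identifier copied from the list above, so it cannot run by accident.
    param(
        [Parameter(Mandatory = $true)][string]$Version,
        [string]$Volume = 'D:'
    )
    wbadmin start recovery "-version:$Version" -itemType:Volume "-items:$Volume" `
        "-recoveryTarget:$Volume" "-backupTarget:$target" -quiet
    $LASTEXITCODE -eq 0
}
# Example call, once a version has been chosen:
# Restore-VolumeFromBackup -Version '03/15/2008-21:00' -Volume 'D:'
```

A backup that has never been restored is untested; run Restore-VolumeFromBackup against a non-critical volume after the first backup to confirm the image is usable, and repeat the icacls check on the target whenever the disk is moved or reattached.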

One-Time Backup Options (wizard screens): Specifying the Backup Type; Selecting Volumes to Back Up; Specifying the Destination Type; Selecting the Backup Destination; Specifying the VSS Backup Type; Confirming Backup Selections; Viewing an In-Progress Backup; Scheduling a Backup; Confirming Backup Destination.

Restoring from Backups

Whether you need to restore an individual file or folder that a user has inadvertently deleted, or all of the data stored on an entire volume after a hardware failure on a server, restores in Windows Server 2008 can be performed using the Windows Server Backup MMC snap-in as well as the wbadmin command-line utility.

You can also perform a bare-metal restore of a server that has experienced a catastrophic hardware failure by using the Windows Recovery Environment (WinRE), a special boot mode that provides a centralized platform for operating system recovery.

Unlike traditional restores in which data files are restored onto an existing operating system, a bare-metal restore allows you to restore the operating system and data files onto a server that does not have a pre-existing operating system.

Recovery wizard screens: Selecting the Recovery Type; Recovery Options.

Inspiration Credits:My Students