NT NETWORK ADMINISTRATION -- Account Administering
In the workgroup model, resource administration tasks are distributed to each computer in the network. To administer a workgroup, changes are made on each computer. For example, user accounts are created on every computer that the user will access, either locally or over the network. Each time a user changes his password, the password must be changed at every computer on which the user has an account (this is one shortcoming of the workgroup model). This can be a time-intensive endeavor.
The Domain box in the Logon Information dialog box
- If the computer is participating in a domain, the Domain box lists both the computer name and the domain name, as well as any domains trusted by the computer account's domain.
- If the computer is participating in a workgroup, the Domain box contains only the local computer name. The user name and password must reside in the local computer's directory database. This is the only place where user accounts can be authenticated.
To log on, the user must supply either a valid domain user account or a local user account, depending on whether the user is logging on to the domain or the local computer.
Note:
- Not everyone with an account in a domain can log on locally at the domain controller servers. By default, only members of the Administrators, Server Operators, Print Operators, Account Operators, and Backup Operators groups (i.e. Administrators and all four Operators groups) can do so. For other users or group members to log on locally at a DC computer, they must be assigned the Log on locally user right.
Note: the Log on locally right is specific to the computer on which it was assigned. For example, if a user is assigned this right only on the PDC, he can log on at the PDC, but cannot log on at a BDC without the right being assigned again on that BDC.
- NT Servers configured as domain controllers do not maintain a local accounts database separate from the accounts in the directory database. The user must log on to a domain account.
- An NT-based client keeps track of the last 10 successful logon attempts (cached logon info that is downloaded from a domain controller's directory database). On subsequent logons, if a domain controller is not available, the user can log on to the domain account using the cached logon info. The credentials of users who log on to the local computer are also stored in that computer's local directory database.
This means that if the user account cannot be validated by a domain controller, but has been validated from that client within the last 10 (the default number) successful logon attempts, the user can still log on to that domain account at the local computer.
Note: the above-mentioned cached logon feature is available on NT Server and NT Workstation computers ONLY, not on Win9x, DOS, etc.
- Use Ctrl+Alt+Del to prevent Trojan horse attacks -- a Trojan horse program is an MS-DOS program that tries to trick users into typing their user ID and password. Because most operating systems use Ctrl+Alt+Del to restart a computer, it is difficult for such programs to stay resident during this operation.
To ensure effective security, educate users to always press Ctrl+Alt+Del before logging on at a computer, even if the logon window already appears.
- A password can contain up to 14 characters and can include uppercase and lowercase letters. If you do not want to log on with a password, your system administrator can remove the password requirement. Passwords are case-sensitive (while user names are not case-sensitive).
If you prefer not to use a password for a user account (such as for the Guest account), clear the Password and Confirm Password boxes in the User Properties dialog box.
- Enable password protection on the computer's screen savers. This ensures that workstations will lock automatically when left unattended.
NT Workstation Administrative Tools are only used to administer the local computer. NT Server Administrative Tools are used to administer any computer in the domain.
- User Manager for Domains -- included in NT Server only; but can be installed on NT Workstation or Windows 95 by installing the NT client-based administration tools.
- User Manager -- included in NT Workstation only
NT Server Client-based Tools -- can be installed on any Windows 95 or NT Workstation computers. This gives an administrator the ability to perform domain administration from a client. The client-based tools are located on the NT Server CD in the Clients\Svrtools folder.
Use Ctrl+Alt+Del to open the NT Security dialog box after logging on. It is used to perform these tasks:
Lock Workstation -- Secures the computer without logging off. All programs remain running. Lock your workstation when leaving momentarily. If a user forgets the password to unlock, an administrator can unlock the workstation, log the user off the system, and then reassign a new password.
Note: a locked workstation can only be unlocked by the authenticated user or by an administrator of the domain that this computer's account is in. This means other users cannot use the computer while it is locked.
Change Password -- Using the Windows NT Security dialog box is the ONLY way that users can change their passwords (by themselves). Users should change their passwords regularly.
Logoff -- Logs off the current user, but leaves NT running. This means that network users can still connect to and use shared resources on the computer. Always log off when you no longer need to use the computer. (The difference from Lock Workstation: Logoff logs the current user off and closes all his programs.)
Another way to log off: ->Start >>Shut Down >>Close all programs and log on as a different user.
Task Manager -- Lists the programs that are running, a summary of overall CPU and memory usage, and a quick view of how each program, program component, or system process is using CPU and memory. It is also used to switch between or stop programs.
Shut Down --
Cancel --
Three types of user accounts: the accounts that you create, and two built-in accounts that exist as soon as NT Server or NT Workstation is installed -- Guest and Administrator:
- accounts that you create, and
- two built-in accounts:
- Guest -- built-in account used to give occasional users the ability to log on and gain access to resources on the local computer.
As a best practice, only enable the Guest account in low-security networks, and always assign it a password.
- Administrator -- built-in account used to manage the overall computer and domain configuration and resource management.
As a best practice, rename the Administrator account, especially when the server is connected to the Internet. This helps to deter hackers.
Note: the two built-in user accounts (Guest,Administrator) can be renamed, but CANNOT be deleted!
User Manager, on NT Workstation -- is used for managing the accounts of that computer ONLY. Accounts created by User Manager are local accounts. (Global accounts can only be created on DCs, using User Manager for Domains.)
- In User Manager, you create, modify, delete or disable local user accounts on the local computer in a workgroup.
User Manager for Domains, on NT Server -- is used to manage the accounts in the local domain, or on any computer, member server, or other domain to which you have access. Accounts created by User Manager for Domains can be local accounts or domain accounts.
- In User Manager for Domains, you create, modify, delete or disable domain user accounts on the PDC or local user accounts on any computer in the domain.
Note: User Manager for Domains, "built-in in NT Server", can also be installed on NT Workstation or Windows 95 using the client-based administration tools.
User name --
- maximum 20 characters; not case-sensitive. Some special characters cannot be included.
- must be unique to the domain (for a domain user account) or to the local computer (for a local user account).
- should be easy to organize and manage.
Password and account options --
- an administrator should always assign passwords.
- determine whether to prevent users from changing the password -- this gives control to the administrator -- or to require them to change it the first time they log on -- this gives control to users.
- determine whether an account needs to expire; e.g. for temporary employees, it is better to set the expiry date to when their contract ends.
- maximum 14 characters; case-sensitive. Better to include numbers and to avoid obvious associations in a password.
Logon hours --
- by default, there is no restriction on logon hours.
- should be implemented where it is a condition for security certification, such as in a government network;
- and where there are multiple shifts -- e.g. allow night shift workers to log on only during their working hours.
Logon To (workstation restrictions) --
- used to restrict which users can log on from which computers, in a high-security network where sensitive data is stored on the local computers.
- by default, any user with a valid account can log on to the network from any NT computer.
- A home folder is a user's folder for storing his (personal) files and programs. It makes it easy to locate files to back up or delete to clean up the hard disk.
- A home folder is the default folder whenever the user performs any of the following tasks: >>File >>Open; >>File >>Save As; or starts a command prompt.
- if you do not assign a home folder to a user, the default folder is Users\Default on the local computer.
Considerations for storing home folders on a server -- to simplify backing up user data and to maintain sensitive data centrally.
- Backup and restore -- much easier if files are located in a central location on a server than performing regular backups on each computer.
- Security -- easier to maintain security on data if it is in a central location.
- Remote access -- using RAS or shared computers, having a home folder on a server makes the users' data available from any location or computer.
- Space on the server, however -- NT does not provide the ability to limit the amount of hard disk space used by each user. Make sure there is enough hard disk space on the server.
Considerations for storing home folders on the local computer --
- if it is not important to have a central location for maintaining, backing up or securing data, and users have enough space on their own computers.
- Performance -- there will be less network traffic.
to create a user account --
->User Manager (for Domains) >>User >>New User ... choose the options in the New User dialog box (the Hours, Logon To, and Account buttons are available only in NT Server).
Password Never Expires
- choose this option for the user accounts that will be used by NT services, such as the Replicator services.
- this option overrides the selection of User Must Change Password at Next Logon.
to assign a home folder on a server --
- on the server, create a folder named Users.
- share the folder and assign the Full Control permission to all users so that they can connect to it (when a folder is shared, Full Control permission is automatically assigned to the Everyone group; you may need to change this default permission setting).
- click the Profile button and specify a home folder name and location for the user account in the User Environment Profile dialog box.
to assign home folders to multiple user accounts at one time automatically --
in the User Profile dialog box, use %Username% in place of the home folder name, e.g. type \\Server1\Users\%Username%; NT will substitute %Username% with the user account name.
Note: in a workgroup, you must specify the home folder for a local user account while sitting at the local computer. Enter the local path in the Local Path box, e.g. C:\folder_name.
- specify a network drive letter that will be used to connect to the user's home folder automatically when the user logs on.
An assigned home directory becomes a user's default directory for the File Open and Save As dialog boxes, for command prompt, and for all applications that do not have a defined working directory. Home directories make it easier for an administrator to back up user files and delete user accounts by collecting many or all of the files in one location.
The home directory can be a local directory on a user's computer or a shared network directory, and can be assigned to a single user or to many users.
Usually, User Manager for Domains automatically creates the home directory if you set a path for it. If not, a message appears, instructing you to manually create the directory. If you do not assign a home directory to a user account, the system uses the default local home directory (\USERS\DEFAULT) on the user's local drive where NT Workstation or NT Server is installed or upgraded.
to use %USERNAME% in the Home Directory Path (press the Profile button)
When typing the path for a home directory, %USERNAME% can be entered as the last subdirectory in the path, and the system later substitutes the user name of each user account for %USERNAME%. This is useful when multiple user accounts are selected.
For example, to administer six user accounts you might click the Connect option, select the drive letter H and, in To, type the path \\airedale\users\%username%. As the changes are saved, the system substitutes the actual user name for the %USERNAME% entry for each user account.
Notes:
- On FAT volumes, MS-DOS client computers are not able to access the home directory if the user name of at least one of the selected user accounts is longer than 8 characters (or has an extension longer than 3 characters). These computers can access the root directory of the share instead.
- On NTFS volumes, you can use %USERNAME% regardless of the user-name length.
A Note on Logon Hours -- a user who is connected to the network on the domain is NOT disconnected when the user's logon hours run out. However, the user will be unable to make any new connections.
what the Logon To button is for -- it is used to set workstation restrictions for a user account, which allows you to control which computers (maximum 8) a user can use to log on to the domain.
to assign a Logon Script Name (press the Profile button)
This is used to assign a logon script to the selected users. If the logon script is located in a subdirectory of the logon script path, that relative path precedes the filename.
If a logon script is assigned to a user account, it runs each time the user logs on. It can be a batch file (.cmd or .bat filename extension) or an executable program (.exe filename extension). One logon script can be assigned to one or more user accounts. When a user logs on, the server authenticating the logon locates the logon script by following the server's logon script path (usually \winnt\System32\Repl\Import\Scripts).
For example, you might type clerks.cmd; or, admins\ernesta.bat
Note: Computers running MS Network Client for MS-DOS (version 3.0), WfW, NT 3.1, and LAN Manager 2.x must use the .bat filename extension for logon scripts.
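The Profile-button settings above (home folder path with %USERNAME%, the FAT 8.3 caveat, and logon script names resolved under the server's logon script path with the .bat rule for older clients) as a small resolver. This is an added example, not code from the original notes; the server, user, script and client names are constructed, and only the default script path, the 8.3 rule and the .bat-only client list come from the notes.

```python
"""Resolve User Environment Profile entries the way the notes describe them.
Added example; names and sample values are constructed for illustration."""
import re
from typing import Dict, Iterable, Optional

LOGON_SCRIPT_PATH = r"C:\winnt\System32\Repl\Import\Scripts"  # usual logon script path per the notes
# Clients that can only run .bat logon scripts (from the notes)
BAT_ONLY_CLIENTS = {"MS-DOS Network Client 3.0", "WfW", "NT 3.1", "LAN Manager 2.x"}
SCRIPT_EXTENSIONS = {"bat", "cmd", "exe"}


def expand_home_folder(template: str, username: str) -> str:
    """Substitute %USERNAME% (any case) with the account name, as NT does when saving."""
    return re.sub(r"%username%", lambda _m: username, template, flags=re.IGNORECASE)


def assign_home_folders(usernames: Iterable[str], template: str) -> Dict[str, str]:
    """The 'six accounts selected at once' case: one template, one path per account."""
    return {u: expand_home_folder(template, u) for u in usernames}


def is_83_name(name: str) -> bool:
    """True if the name fits MS-DOS 8.3: at most 8 chars, one dot, extension of at most 3."""
    base, _dot, ext = name.partition(".")
    return 0 < len(base) <= 8 and "." not in ext and len(ext) <= 3


def dos_client_can_open_home(username: str, volume_fs: str) -> bool:
    """MS-DOS clients reach a %USERNAME% home folder on NTFS always, on FAT only for 8.3 names."""
    return volume_fs.upper() == "NTFS" or is_83_name(username)


def resolve_logon_script(script_name: Optional[str], client_type: str) -> Optional[str]:
    """Full path the authenticating server runs; a relative subdirectory such as admins\\x.bat is allowed."""
    if not script_name:
        return None  # no logon script assigned
    ext = script_name.rsplit(".", 1)[1].lower() if "." in script_name else ""
    if ext not in SCRIPT_EXTENSIONS:
        raise ValueError("logon script must be a .bat, .cmd or .exe file")
    if client_type in BAT_ONLY_CLIENTS and ext != "bat":
        raise ValueError(f"{client_type} clients can only run .bat logon scripts")
    return LOGON_SCRIPT_PATH + "\\" + script_name


if __name__ == "__main__":
    # Constructed accounts: 'christopher' is longer than 8 characters, so an MS-DOS client
    # on a FAT volume would fall back to the share root instead of the home folder.
    for user, path in assign_home_folders(["jeffho", "christopher"], r"\\airedale\users\%USERNAME%").items():
        print(user, path, "FAT/DOS ok:", dos_client_can_open_home(user, "FAT"))
    print(resolve_logon_script("admins\\ernesta.bat", "WfW"))
```

The checks are deliberately about the administrator's input rather than the client: a name that is not 8.3-safe is found when the accounts are selected, before a DOS user reports a missing home directory.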
to assign the User Profile Path (press the Profile button)
Used to enter a network path when enabling a roaming or mandatory user profile for a selected user. The path you enter follows the form: \\server name\profiles folder name\user name. For example, \\puma\profiles\jeffho.
When assigning a mandatory user profile, open Control Panel >>System >>User Profiles tab and copy a preconfigured user profile to the user profile path location. Then, rename the NTUser.dat file in the user profile as NTUser.man.
To make many users use the same roaming profile at one time -->>select multiple accounts >>User menu >>Properties >>Profile
Skill: to configure multiple users with the same properties at one time:
User Manager (for Domains) >>select multiple accounts >>User menu >>Properties ...
what can be done with the Account button -- for setting account info. Two options:
-- Account Expire -- Never, or specify an expire date.
-- Account Type -- use this when you need to create a local account for a user from an untrusted domain who needs access to a network resource in your domain.
Note: A local account can be used to connect to a resource over the network. But it cannot be used to log on from a computer in the domain where it is created!
Global Account -- for regular user accounts in this domain
Local Account -- for users from untrusted domains
Granting Dial-in Permission (the Dialin button) -- options:
Grant dialin permission to user; Call Back options:
No Call Back -- the user pays the telephone charges for the session
Set By Caller -- the RAS server calls the user back using the phone number specified by the user. The user saves the charge.
Preset To: -- restricts the user to dialing from only one phone number. This reduces the risk of an unauthorized person using the user's account. Use this option in high-security networks.
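The logon-time effects of the Hours, Logon To and Account settings described above (logon hours that refuse new connections but never cut existing ones, the 8-workstation Logon To limit, account expiry, and a Local Account that may connect over the network but not log on interactively), written as checks an administrator could run to see how a given account would be treated. This is an added example, not code from the original notes; the account names, workstation names and dates are constructed.

```python
"""Model of the account restrictions described in the notes. Added example;
accounts, workstations and dates below are constructed sample values."""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Iterable, Optional, Tuple

MAX_LOGON_TO = 8  # Logon To accepts at most 8 workstation names (from the notes)

# Constructed sample moments: 2024-01-08 is a Monday
MON_2300 = datetime(2024, 1, 8, 23, 0)
MON_1200 = datetime(2024, 1, 8, 12, 0)
JAN_1 = datetime(2024, 1, 1)


def shift_hours(weekdays: Iterable[int], start: int, end: int) -> FrozenSet[Tuple[int, int]]:
    """Allowed (weekday, hour) pairs for a shift; start >= end wraps past midnight (night shift)."""
    hours = list(range(start, end)) if start < end else list(range(start, 24)) + list(range(0, end))
    return frozenset((d, h) for d in weekdays for h in hours)


@dataclass(frozen=True)
class Account:
    name: str
    account_type: str = "global"                 # "global" (regular) or "local" (untrusted-domain user)
    expires: Optional[datetime] = None           # None = Never
    logon_hours: Optional[FrozenSet[Tuple[int, int]]] = None  # None = no restriction (the default)
    logon_to: Optional[FrozenSet[str]] = None    # None = may log on from any workstation (the default)

    def __post_init__(self) -> None:
        if self.logon_to is not None and len(self.logon_to) > MAX_LOGON_TO:
            raise ValueError(f"Logon To allows at most {MAX_LOGON_TO} workstations")


def within_hours(acct: Account, when: datetime) -> bool:
    return acct.logon_hours is None or (when.weekday(), when.hour) in acct.logon_hours


def check_logon(acct: Account, workstation: str, when: datetime, interactive: bool = True) -> Tuple[bool, str]:
    """Decide whether a logon attempt is accepted, with the reason when it is refused."""
    if acct.expires is not None and when >= acct.expires:
        return False, "account expired"
    if acct.account_type == "local" and interactive:
        # a Local Account (untrusted-domain user) may only connect over the network
        return False, "local account cannot log on interactively in its own domain"
    if not within_hours(acct, when):
        return False, "outside permitted logon hours"
    if acct.logon_to is not None and workstation.upper() not in {w.upper() for w in acct.logon_to}:
        return False, "workstation not in Logon To list"
    return True, "ok"


def connection_decision(acct: Account, when: datetime, already_connected: bool) -> str:
    """Logon hours never cut an existing connection; they only refuse new ones."""
    if within_hours(acct, when):
        return "allowed"
    return "kept (no new connections)" if already_connected else "refused"


if __name__ == "__main__":
    night = Account("nightclerk", logon_hours=shift_hours(range(5), 22, 6))  # Mon-Fri, 22:00-06:00
    print(check_logon(night, "WS1", MON_2300), check_logon(night, "WS1", MON_1200))
    print(connection_decision(night, MON_1200, already_connected=True))
```

The night-shift account shows the practical point of logon hours: a session opened at 23:00 is still connected at noon, so hours restrict when work can start, not when it must stop.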
Deleting and Renaming User Accounts -- Every user account is assigned a unique security identifier (SID) when the account is first created. Internal NT processes refer to an account's SID rather than the account's user or group name.
Deleting permanently removes the account and permissions and rights associated with it. If you delete an account, then create an account with the same user name, the new account will NOT have the rights or permissions previously granted to the old account because their SID numbers are different.
Renaming an account retains the permissions, rights and group memberships associated with it because the SID was not deleted.
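The SID behaviour just described, as a small model of a directory database: permissions are recorded against the SID, so a rename keeps them and a delete-plus-recreate does not, leaving the old SID in the ACL with no account behind it. This is an added example, not code from the original notes; the domain SID, account names and resource path are constructed.

```python
"""Directory-database model: names map to SIDs, ACLs hold SIDs. Added example;
the domain SID, accounts and resource below are constructed sample values."""
import itertools
from typing import Dict, List, Optional

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain identifier


class DirectoryDatabase:
    def __init__(self) -> None:
        self._rids = itertools.count(1000)          # a relative id is never handed out twice
        self._sid_by_name: Dict[str, str] = {}      # keyed by lower-cased name (names are not case-sensitive)
        self._name_by_sid: Dict[str, str] = {}
        self._acl: Dict[str, Dict[str, str]] = {}   # resource -> {sid: permission}

    def create_user(self, name: str) -> str:
        key = name.lower()
        if key in self._sid_by_name:
            raise ValueError("user name must be unique")
        sid = f"{DOMAIN_SID}-{next(self._rids)}"     # a brand-new SID, even if the name was used before
        self._sid_by_name[key] = sid
        self._name_by_sid[sid] = name
        return sid

    def sid_of(self, name: str) -> str:
        return self._sid_by_name[name.lower()]

    def rename_user(self, old: str, new: str) -> None:
        """Only the name changes; the SID, and everything keyed on it, stays."""
        sid = self._sid_by_name.pop(old.lower())
        self._sid_by_name[new.lower()] = sid
        self._name_by_sid[sid] = new

    def delete_user(self, name: str) -> None:
        """Removes the account; ACL entries keep the dead SID and no longer match anyone."""
        sid = self._sid_by_name.pop(name.lower())
        del self._name_by_sid[sid]

    def grant(self, resource: str, name: str, permission: str) -> None:
        self._acl.setdefault(resource, {})[self.sid_of(name)] = permission

    def effective_permission(self, resource: str, name: str) -> Optional[str]:
        return self._acl.get(resource, {}).get(self.sid_of(name))

    def orphaned_aces(self, resource: str) -> List[str]:
        """SIDs in the ACL that no longer resolve to an account (shown as unknown in the UI)."""
        return [sid for sid in self._acl.get(resource, {}) if sid not in self._name_by_sid]


if __name__ == "__main__":
    db = DirectoryDatabase()
    first = db.create_user("Alice")
    db.grant(r"\\Server1\Data", "alice", "Full Control")
    db.rename_user("Alice", "Alice2")
    print("after rename:", db.effective_permission(r"\\Server1\Data", "Alice2"))
    db.delete_user("Alice2")
    db.create_user("Alice")
    print("after delete+recreate:", db.effective_permission(r"\\Server1\Data", "Alice"))
    print("orphaned SIDs:", db.orphaned_aces(r"\\Server1\Data"), "was", first)
```

The orphaned entries are worth checking after any account deletion: they are the ACEs that show up as an unresolved SID rather than a name, and they are a sign that permissions were granted to individual users where a group should have been used.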
The user profile contains all user-definable settings for the work environment of an NT computer, including display, regional, mouse, and sounds settings, and network and printer connections.
A local profile is created and stored on the computer where the user logs on and is only applied to that computer for the user. A roaming profile is stored in a shared folder on a network server and is applied at whichever computer the user logs on from.
When a user logs on for the first time from an NT computer, a default user profile is created for that user and saved in the Profiles folder of that computer, typically systemroot\Profiles\logged_on_user_name
Note: User profiles cannot be set for users who log on from LAN Manager, MS-DOS, WfW, or Windows 3.x clients. For these clients, you can write a logon script to configure the user's network and printer connections.
Use roaming user profiles if users frequently log on from different computers.
Unlike default user profiles, roaming user profiles are stored centrally on a network server rather than on the user's local computer. Roaming user profiles provide users with the same working environment, no matter which NT computer a user logs on to. For a user account, you can specify one of the following two roaming profiles:
Roaming personal user profile -- named Ntuser.dat. The user can change it, and it is updated to include any changes made by the user when he logs off. If this type of profile is used, each user should be assigned his own profile.
Roaming mandatory user profile -- named with a .man extension. A preconfigured user profile that the user cannot change. One profile can serve many users who require an identical desktop configuration -- for example, bank tellers.
You can make a personal profile mandatory just by renaming it -- for example, Ntuser.man
Note: NT user profiles are not compatible with Windows 95 user profiles. Win95 client profiles (and System Policy) MUST be created on a computer running Windows 95.
Create a template user profile with the appropriate configuration. Do this by creating a user account, and then configuring the appropriate desktop settings (simply by modifying the settings).
Create and share a folder named Profiles, to allow users to access the profiles from a remote computer.
Copy the template user profile to a network server and specify the users who are permitted to use the profile:
>>Control Panel >>System >>System Properties dialog box >>User Profiles tab >>Copy To... and type \\computer_name\profiles\user_name
Also, in the Copy To dialog box, specify the users who are permitted to use this profile.
Important -- if you want to make the copied profile mandatory, rename Ntuser.dat to Ntuser.man.
If you did not specify a user name, Ntuser.dat will be located in the Profiles folder.
Specify the path to the profile for the user account in the User Environment Profile dialog box (User Manager for Domains >>New User, or double-click an account name >>User Profile dialog box >>User Profile). In the User Profile Path box, specify the server location of the user profile.
If it is a roaming personal profile, enter the name of the server, the share name of the Profiles folder, and %Username%. For example, \\Server1\Profiles\%Username% (if %Username% is used, NT substitutes it with the user account name).
Group accounts are collections of user accounts that share similar needs. Adding a user account to a group makes the user a member and gives the user all the rights and permissions granted to the group. Group membership provides an easy way to assign permissions and user rights to sets of users at one time.
permissions = for accessing resources (file, folder, printer)
Permissions are rules that regulate which users can use a resource, such as a folder, file, or printer. Because maintaining permissions for a group is easier than maintaining permissions for many user accounts, you generally want to use groups to manage access to resources.
User rights are rules that regulate which users can perform certain tasks on the system, such as creating a user account, logging on to the local computer, or shutting down a server.
A user can be a member of one or more groups. A user who is a member of more than one group possesses all the user rights and permissions of all the groups of which he is a member.
A group is a collection of user accounts. Groups simplify administration by providing an easy way to grant rights and permissions to multiple users at one time.
There are two types of groups: local and global.
Local groups are used to manage access to resources. If a local group is created on an NT member server or an NT Workstation computer, it can only be assigned to resources on the local computer. If a local group is created on a PDC, it can be assigned to resources on any domain controller in the domain.
Global groups are used to organize domain user accounts. They provide a way to give users in one domain access to resources in another domain. Global groups are always created on the PDC. They cannot contain user accounts from a different domain. To give global group members access to a resource, the global group is added to the local group where the resource is located.
More info on the features of local and global groups --
Local Groups
Local groups are used to provide users with permissions to access resources and with rights to perform system tasks.
You assign resource permissions to a local group, and then add user accounts or global groups to the local group from one or more domains. Once you assign a group permission to a resource, all user accounts added to the group automatically have permission to access the resource.
Local groups can contain user accounts and global groups from any domain (with the appropriate trust relationship). However, local groups cannot contain other local groups.
NT includes several built-in local groups with pre-assigned user rights.
- Where Local Groups are Created and Reside
- if the resource resides on an NT member server or NT Workstation computer, the local group must be created on that computer, using User Manager for Domains or User Manager.
The local group resides (is stored) in the local directory database of that computer.
- if the resource resides on any domain controller, the local group is created on the PDC from any computer running User Manager for Domains. The PDC then provides its user account and security info to all other domain controllers in the domain.
The local group resides (is stored) in the domain's directory database, which is common to all the DCs in the domain.
Global Groups
Global groups are used to organize domain user accounts, for example, by job function or geographical location. They are useful in single-domain networks with many users and in multiple-domain networks, when users from one domain need to access resources in another domain.
Best to use global groups only for grouping domain user accounts, although global groups can be assigned permissions to resources. Members of global groups obtain resource permissions when the global group is added to a local group.
To give global group members access to a resource, add the global group to the local group where the resource is located. The local group can be located in any domain with the appropriate trust relationship.
Global groups can contain only user accounts from the domain where the global group is created. A global group cannot contain user accounts from a different domain; nor can it contain local groups or other global groups.
- NT includes several built-in global groups -- for example, the Domain Users group. By default, all domain user accounts are added to this group.
Unlike built-in local groups, built-in global groups do NOT have any inherent user rights.
- Where Global Groups are Created and Reside -- global groups are always created on the PDC of the domain where the user accounts reside, from any computer running User Manager for Domains.
Global groups reside only in the domain's directory database.
-- a single-domain example
Scenario: XYA company has a single-domain network with a PDC, a BDC (which holds Database1) and a member server (which holds Database2). All users need access to both databases.
Q1. On which computer would you create a global group for organizing the user accounts? Why?
A global group can be created on the PDC from any computer running User Manager for Domains.
User Manager for Domains creates the global group on the PDC because global groups always reside in the domain's directory database.
Q2. On which computer would you create a local group to provide users with access to the Database1? Why?
Create a local group from any computer running User Manager for Domains.
User Manager for Domains creates the local group on the PDC even though Database1 is on the BDC. This is because all domain controllers share account info with each other and maintain a common directory database (the domain's).
Q3. On which computer would you create a local group to provide users with access to the Database2? Why?
In this case, a local group must be created on the member server because that is where Database2 resides. The local group is then stored in the local directory database.
Remember: to access a resource on a non-domain-controller NT computer (i.e. an NT Workstation or NT member server), the local group must be created and stored on that computer.
Q4. How do you give the members of the global group access to both databases?
Add the global group to both local groups, the one created for Database1 and the one created for Database2. Members of the global group now have access to both databases, assuming the appropriate permissions are assigned to the local groups.
multiple domain example I
Scenario: A company has two domains. A color printer is located in one domain, but the sales personnel in both domains need to use it.
Solution:
1> in each domain, create a global group and add the user accounts of that domain's sales personnel to it.
2> create a local group
- If the color printer is attached to a domain controller, create the local group on the PDC of the domain where the printer is located.
- If the printer is attached to an NT member server or NT Workstation computer, create the local group on that computer.
3> assign the appropriate permissions for the printer to the local group.
4> add the global groups from both domains to the local group (this can be done prior to step 3).
multiple domain example II
Scenario: A company has two offices, one in Paris and one in London, and each has its own domain. Both offices maintain an Inventory database on a member server. All users in each office need access to the other office's Inventory database. The appropriate trust relationship exists between the two domains.
Solution:
Create two global groups -- one in the Paris domain and the other in the London domain, from any computer (in either domain) running User Manager for Domains.
In each domain, create a local group on the member server, because each member server has its own local directory database. (You do not have to sit at the member server to do this: in User Manager for Domains, use the Select Domain command and type the member server's computer name in the Domain box, as described in the Select Domain notes further down.)
Assign appropriate permissions to both local groups.
Add the global group created for Paris users to the local group created for the London Inventory database.
Add the global group created for London users to the local group created for the Paris Inventory database.
For better control over user and resource management, first organize users into global groups, and then add the global groups to local groups. Steps to follow:
- Logically organize domain users based on their common needs ->> create a global group for each logical group of users ->> add the appropriate user accounts to the appropriate global groups.
- Create local groups based on resource access needs, and assign the appropriate permissions to the local groups.
- if the resource is on an NT member server or an NT Workstation computer, create the local group on that computer
- if the resource is on a domain controller (whether the PDC or any BDC), create the local group on the PDC
- Add the global groups to the local groups (Note: when adding global groups from one domain to local groups in another domain, the appropriate trust relationship must already have been established).
Global groups are created to logically organize domain user accounts; local groups are created to give sets of users permissions to access a resource.
In a domain, local and global groups are created using User Manager for Domains. In a workgroup, local groups are created using User Manager. Global groups cannot be created in a workgroup.
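The group rules in the two multiple-domain examples and the strategy just listed (global groups hold only their own domain's users, local groups hold users and trusted global groups but never other local groups, and a local group must be stored where the resource is), written as a model that enforces those rules and resolves a user's permission through user -> global group -> local group -> resource. This is an added example, not code from the original notes; it replays the Paris/London scenario with constructed domain, computer, user and database names.

```python
"""Model of NT 4 global/local group rules from the notes. Added example; every
domain, computer, user and resource name below is a constructed sample value."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Domain:
    name: str
    trusts: Set[str] = field(default_factory=set)            # domains whose accounts this domain trusts
    computers: Dict[str, str] = field(default_factory=dict)  # computer -> "PDC", "BDC" or "member"


@dataclass
class GlobalGroup:
    domain: str
    members: Set[str] = field(default_factory=set)           # "DOMAIN\\user" entries only


@dataclass
class LocalGroup:
    domain: str
    store: str  # "domain" (directory database, resource on a DC) or the member server/workstation name
    members: Set[str] = field(default_factory=set)           # users or global groups, as "DOMAIN\\name"
    permissions: Dict[str, str] = field(default_factory=dict)  # resource -> permission


class Network:
    def __init__(self) -> None:
        self.domains: Dict[str, Domain] = {}
        self.globals: Dict[str, GlobalGroup] = {}            # key "DOMAIN\\group"
        self.locals: Dict[str, LocalGroup] = {}              # key "DOMAIN\\group@store"
        self.resources: Dict[str, Tuple[str, str]] = {}      # resource -> (domain, computer)

    def _store_for(self, resource: str) -> Tuple[str, str]:
        """Where a local group must live to be granted permission on this resource."""
        rdom, computer = self.resources[resource]
        role = self.domains[rdom].computers[computer]
        return rdom, ("domain" if role in ("PDC", "BDC") else computer)

    def create_global(self, domain: str, name: str) -> str:
        key = f"{domain}\\{name}"
        self.globals[key] = GlobalGroup(domain)
        return key

    def add_to_global(self, group: str, user: str) -> None:
        g = self.globals[group]
        if user in self.globals or user in self.locals or user.split("\\")[0] != g.domain:
            raise ValueError("a global group holds only user accounts from its own domain")
        g.members.add(user)

    def create_local(self, name: str, resource: str) -> str:
        rdom, store = self._store_for(resource)
        key = f"{rdom}\\{name}@{store}"
        self.locals[key] = LocalGroup(rdom, store)
        return key

    def add_to_local(self, group: str, member: str) -> None:
        lg = self.locals[group]
        if member in self.locals:
            raise ValueError("a local group cannot contain other local groups")
        mdom = member.split("\\")[0]
        if mdom != lg.domain and mdom not in self.domains[lg.domain].trusts:
            raise ValueError(f"{lg.domain} does not trust {mdom}")
        lg.members.add(member)

    def grant(self, group: str, resource: str, permission: str) -> None:
        lg = self.locals[group]
        if (lg.domain, lg.store) != self._store_for(resource):
            raise ValueError("the local group must reside where the resource is")
        lg.permissions[resource] = permission

    def permission(self, user: str, resource: str) -> Optional[str]:
        """Resolve user -> global group -> local group -> permission on the resource."""
        for lg in self.locals.values():
            if resource not in lg.permissions:
                continue
            via_global = any(user in self.globals[m].members for m in lg.members if m in self.globals)
            if user in lg.members or via_global:
                return lg.permissions[resource]
        return None


def build_example() -> Network:
    """Replay the Paris/London scenario from the notes with constructed names."""
    net = Network()
    net.domains["PARIS"] = Domain("PARIS", {"LONDON"}, {"PARISPDC": "PDC", "PARISSRV": "member"})
    net.domains["LONDON"] = Domain("LONDON", {"PARIS"}, {"LONPDC": "PDC", "LONSRV": "member"})
    net.resources["Paris Inventory"] = ("PARIS", "PARISSRV")
    net.resources["London Inventory"] = ("LONDON", "LONSRV")
    paris_gg = net.create_global("PARIS", "Paris Users")
    london_gg = net.create_global("LONDON", "London Users")
    net.add_to_global(paris_gg, "PARIS\\pierre")
    net.add_to_global(london_gg, "LONDON\\lucy")
    paris_lg = net.create_local("Inventory Users", "Paris Inventory")    # stored on PARISSRV
    london_lg = net.create_local("Inventory Users", "London Inventory")  # stored on LONSRV
    net.grant(paris_lg, "Paris Inventory", "Change")
    net.grant(london_lg, "London Inventory", "Change")
    net.add_to_local(london_lg, paris_gg)  # Paris users reach the London database
    net.add_to_local(paris_lg, london_gg)  # London users reach the Paris database
    return net
```

Calling `build_example().permission("PARIS\\pierre", "London Inventory")` returns "Change", while the same user gets None for the Paris database because the scenario only grants each office the other office's data; the ValueError paths are the mistakes the notes warn about (cross-domain users in a global group, nested local groups, a local group created somewhere other than where the resource lives).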
The Select Domain menu command (only in User Manager for Domains) allows an administrator to select a different domain or computer in which to create or manage local or global groups.
Server Manager >>Computer >>Select Domain
When User Manager for Domains starts, it displays the domain in which your user account (the logged-on user) is defined. Use Select Domain to display a different domain.
Optionally, use Select Domain to display an individual computer. However, you can display only a computer that maintains its own directory database, such as an NT Workstation, an NT member server, or a Microsoft LAN Manager
To create groups, you must be a member of the built-in Administrators or built-in Account Operators group on the computer where the group is being created.
A local group can be created on any NT computer.
A global group can only be created on a PDC, but can be created from any computer running User Manager for Domains. This includes:
- a BDC
- an NT member server that is part of the domain
- an NT Workstation or Windows 95 computer with the client-based administration tools installed.
- Group names must be unique to the domain. They cannot be identical to other user names or group names in the same domain.
Note: when you need to create a local group on a computer that is not a domain controller, select the computer first. To select a computer, use the Select Domain command (type the computer name in the Domain box).
Note: when you need to add global groups from another domain, select that domain from the List Names From box. If that domain does not appear, either there is no such domain in your network, or the appropriate trust relationship is not set up.
Built-in groups are predefined groups that have a predetermined set of user rights (built-in global groups are the only exception; they have no inherent user rights). User rights determine the system tasks that a user or member of a built-in group can perform.
Built-in groups (unlike built-in user accounts) cannot be deleted or renamed; only their permissions and rights can be changed.
Three types of built-in groups on all NT computers:
- local groups (on all NT computers) -- give users rights to perform system tasks, such as backing up and restoring files, changing the system time, and administering system resources
- System groups (on all NT computers) -- automatically organize users for system use. Administrators do not assign users to them. Rather, users are either members by default or become members during network activity.
- global groups (on DCs only) -- give the administrator an easy way of controlling all users in a domain
- All NT computers have built-in Administrators, Users, Guests, and Backup Operators groups.
- NT member server and NT Workstation computers also have a Power Users group.
- Domain controllers also have 3 additional built-in local groups: Account Operators, Server Operators, and Print Operators (they are all XXX Operators: account, server and print)
- and 3 additional built-in global groups: Domain Admins, Domain Users, and Domain Guests (they are all Domain xxxs: admins, users and guests)
Note: by default, only the built-in global groups do not have any inherent rights. They get rights when they are added to local groups or when they are assigned user rights or permissions.
Built-in global groups on DCs -- the local group each is automatically added to when it is created, and its default member*:
- Domain Admins -- added to the local Administrators group**; default member: the Administrator account
- Domain Users -- added to the local Users group; default member: the Administrator account***
- Domain Guests -- added to the local Guests group; default member: the Guest account
* remember that a global group can contain only user accounts
** members of the Domain Admins group can then perform (domain-wide?) administrative tasks ?from/on the local computer. (refer to)
*** note the default member of the global group Domain Users is Administrator, NOT Users (Users is a local group account).
System groups are installed on all NT computers. Unlike other built-in groups, users become members of system groups during network activity. Membership of system groups cannot be altered.
The key system groups used for network administration:
- Everyone -- Includes all local and remote users who have connected to the computer, including those who connect as Guest. You cannot control who becomes a member of the Everyone group. However, you can assign permissions and rights to the Everyone group. The Everyone group is useful when you do not need to restrict access to a resource.
- Creator Owner -- Includes the user who created or took ownership of a resource. If a member of the Administrators group takes ownership of a resource, the new owner is the Administrators group. This group can be used to manage access to files and folders on NTFS volumes.
The system groups NOT used for network administration:
- Network -- Includes any user who is currently connected from another computer on the network to a shared resource on your computer.
- Interactive -- Includes a user who logs on to the computer locally. Interactive members access resources on the computer at which they are physically sitting. They log on and access resources by "interacting" with the computer.
Where are they? -- System groups do not appear in User Manager /for Domains. To view system groups (depends on the volume format -- NTFS or FAT), locate the Permissions tab by one of:
- on NTFS volumes, use NT Explorer >>directory_name Properties >>Security >>Permissions >>Add...
- on NTFS volumes, use File Manager (winfile.exe) >>Security >>Permissions >>Add...
Note: the Security tab is available only on NTFS volumes
- on FAT or NTFS volumes, use NT Explorer >>directory_name Properties >>Sharing >>Permissions >>Add...
Even though individual user rights can be assigned directly to a user, in most cases this is not recommended.
- For local Administration: to give a user the administrative privileges on a local computer --
add the user's account to the built-in local Administrators group.
This will give the user administrative privileges on the local computer. This is useful when you want to let a user administer his own computer.
Note! if you add a user account to the Administrators group on a PDC, the user will have administrative privileges on all domain controllers in the domain.
- For Centralized Administration: to give members of an Administrators group in one domain the ability to administer resources in another domain --
use the built-in global group Domain Admins: on the PDC of a domain, add the global Domain Admins group from another domain to the local Administrators group.
This will give members of the Domain Admins from the other domain the ability to administer domain user accounts and resource security on any domain controller.
Note:
In a domain with NT Workstation or NT member server computers, Domain Admins is automatically added to the local Administrators group of each NT Workstation and member server computer; you do not need to do it manually.
- Only when you want Domain Admins from a different domain to administer NT Workstation or NT member server computers in your domain do you need to add that Domain Admins group to each computer's Administrators group.
- the difference between Domain Users and Everyone groups ---
Domain Users is a built-in global group on domain controllers that only contains domain accounts. Everyone is a system/special group on all computers and contains all local and remote users that have connected to the computer, including guest users.
For increased security, use the global group Domain Users instead of the system/special group Everyone, because the Domain Users group contains only the accounts in the domain, and not the Guest or other accounts that have connected to the network.
In addition, membership of Everyone, as a system group, cannot be changed, while membership of global group Domain Users can be changed.
- If no built-in group could meet your needs, create a local group and assign it appropriate user rights as you wish.
For example, if you want a user to have the right to back up but not the right to restore files, create a local group named Backupers Only and assign it the Back up files and directories right.
Some of the most useful procedures for efficient account administering
The Account policy (refers to the contents in >>Policies >>Account >>Account Policy dialog box) determines how passwords must be used by ALL user account for a computer or a whole domain. (Note: most of the settings made in the Policies menu are for the system, either the computer or a whole domain, NOT only to a specific user)
Password Uniqueness -- the number of new passwords that must be used before an old password can be reused. For uniqueness to be effective, do not allow immediate changes via the Minimum Password Age parameter (i.e. clear the check box Allow Changes Immediately).
Account lockout -- choose whether to lock out accounts after multiple failed logon attempts, so as to protect against anyone who tries to log on by guessing the passwords of existing user accounts:
Reset Count After -- specify the maximum number of minutes that can occur between any two failed logon attempts for lockout to occur. The range is 1 to 99999.
Note: Failed password attempts against workstations or member servers that have been locked using either Ctrl+Alt+Delete, or password protected screen savers do not count against account lockout settings entered in User Manager for Domains.
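The lockout counting described above (a failed-attempt counter that restarts when the gap between two failures exceeds Reset Count After, a lockout once the threshold is reached, an exemption for the Administrator account, and a lockout that only an administrator clears) is easy to get wrong when reasoning about it by hand. The following model is an added example, not code from the page or from Microsoft; the threshold of 5 attempts, the 30-minute reset window and the 60-minute lockout duration are constructed sample policy values, and `None` for the duration models the "until an administrator unlocks" choice.

```python
"""Lockout-counter model for the NT 4 Account Policy settings described above.
Added example; not code from the page or from Microsoft. The numbers are
constructed sample policy values, not defaults the page states."""
from dataclasses import dataclass
from typing import Dict, Optional

LOCKOUT_AFTER = 5        # constructed: bad logon attempts that trigger lockout
RESET_COUNT_AFTER = 30   # constructed: "Reset count after" window, in minutes
LOCKOUT_DURATION = 60    # constructed: minutes locked; None = until an admin unlocks


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[int] = None       # minute of the last failed attempt
    locked_until: Optional[int] = None   # minute the lockout expires; -1 = until admin unlocks


class LockoutPolicy:
    def __init__(self, lockout_after: int = LOCKOUT_AFTER,
                 reset_after: int = RESET_COUNT_AFTER,
                 duration: Optional[int] = LOCKOUT_DURATION) -> None:
        self.lockout_after = lockout_after
        self.reset_after = reset_after
        self.duration = duration
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user.lower(), AccountState())

    def is_locked(self, user: str, now: int) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        return st.locked_until == -1 or now < st.locked_until

    def record_failure(self, user: str, now: int) -> bool:
        """Register a failed logon at minute `now`; return True if the account is locked."""
        if user.lower() == "administrator":
            return False                 # the page: lockout never applies to Administrator
        st = self._state(user)
        if self.is_locked(user, now):
            return True
        # A gap longer than "Reset count after" between two failures restarts the count.
        if st.last_bad is None or now - st.last_bad > self.reset_after:
            st.bad_count = 0
        st.bad_count += 1
        st.last_bad = now
        if st.bad_count >= self.lockout_after:
            st.locked_until = -1 if self.duration is None else now + self.duration
            st.bad_count = 0
            return True
        return False

    def record_success(self, user: str, now: int) -> bool:
        """A successful logon clears the bad-attempt count; it is refused while locked."""
        st = self._state(user)
        if self.is_locked(user, now):
            return False
        st.bad_count = 0
        st.last_bad = None
        return True

    def admin_unlock(self, user: str) -> None:
        """Only an administrator clears a lockout (the page: it can be cleared, never set by hand)."""
        st = self._state(user)
        st.locked_until = None
        st.bad_count = 0
        st.last_bad = None
```

Two details worth noticing in the model: a failure that arrives while the account is already locked does not extend the lockout, and a failure that arrives after the lockout has expired starts a fresh count because the old `last_bad` is outside the reset window.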
Forcibly disconnect remote users from server when logon hours expire
Users must log on in order to change password
A new account policy takes effect for an existing user account at:
- the next time the user logs on, or
- the next time the user makes a change covered by the new policy. For example, a new minimum password length does not apply to existing passwords, but it will apply the next time a user changes his password, even if he doesn't log off and log on again after the new policy was made.
to modify multiple user accounts in the same manner at one time:
>>select all the user accounts (with Shift, Ctrl keys) >>User >>Properties ...This method is especially useful for moving user home folders to a different server or volume.
Because the PDC maintains the master copy of the domain's directory database, when it goes offline you will no longer be able to do any account administration. However, users can still log on and be validated by the BDCs.
Make sure the PDC is always online and that all copies of the directory database on BDCs are current.
Server Manager is the NT Server tool used to maintain domain controllers.
Note: promote a BDC while the original PDC is still online. This makes sure the directory database on the new PDC is current with the original PDC.
When the original PDC is brought back online, promote it back to a PDC, which automatically forces the temporary PDC to demote itself to a BDC.
Note: when the original PDC is brought back online, there is already a PDC in the domain. The original PDC detects, at its system boot, that a PDC is already running in the domain, so its Net Logon service will fail to start -- it cannot validate logon requests before being demoted to a BDC.
Note: the directory database on the current (temporary) PDC is automatically synchronized with the directory database on the current BDC (the would-be PDC) before the latter is promoted to PDC. This ensures that any change made while the original PDC was down is not lost.
By default, NT synchronizes domain controllers automatically every few minutes (5 minutes by default). You only need to synchronize DCs manually when you want:
- to immediately apply the changes you made to the domain's directory database.
- to solve problems related to password mismatches (in a large domain, if users change their passwords, it takes time for new passwords to be distributed automatically to all the BDCs)
To check synchronization: Event Viewer >>Log menu >>System >>View menu >>Filter Events... >>Filter box, Source: NetLogon events.
Most of the functionality of NT is implemented as a service. For example,
- Workstation (redirector) service must be running before you can connect to resource on other computer
- Server service must be running before you can share resources
- Net Logon service must be running on domain controllers before user logon attempts can be validated
Also remember that some services are dependent on other services. For example, the Server service must be started before the Net Logon service can start.
To find out which services are running -- use one of:
- >>command prompt >>net start
- >>Control Panel >>Services (local computer only)
- >>Server Manager >>Computer >>Services (local or remote computer)
Common error messages and solutions to logon problems
User error message -- Solution (table not filled in here)
Put shortly, depending on the specific error message that appears when a user fails to log on, check:
- are the user name and password entered correctly?
- if it is a new user account, has it been synchronized with the BDCs? If not, synchronize the DCs manually using Server Manager.
NT represents all resources as objects, and all objects have an access control list, so you can set access permissions for any NT resource based on a user's account or group membership.
Some common object types are:
- directory
- file
- symbolic link
- printer
- process
- thread
- network share
- port
- device
- window
An object is characterized by its type, functions (services) and attributes. For instance, a document object has:
- Type: document
- Functions: open, close, read, write, change, delete
- Attributes: file name, data, access control list
Every object has an access control list (ACL), which NT uses to determine whether a certain user has the authority to access that object.
All resource-level security is controlled by ACLs.
When a user logs on, NT assigns an access token that represents the user name and the groups to which the user belongs. This access token remains valid until the user logs off; NT compares it against the entries in an object's ACL to determine whether the user is permitted the requested service (function).
Access tokens are also NT objects. They have these important attributes:
- Security ID representing the logged-on user
- Group IDs representing the logged on user's group memberships
- Permissions allowed to the user
The access token is generated by Security Accounts Manager.
- Every object has its ACL
- Every process has its access token, even those started by the system or by automatic software
All logon options are controlled by editing the WinLogon Key in the Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\Winlogon
Disable the displaying last logged-on user name: modify the value of DontDisplayLastUserName to 1
Add a logon security warning: add LegalNoticeCaption and LegalNoticeText subkeys, then assign appropriate text to each, e.g.
value of LegalNoticeCaption: Unauthorized Access Warning!
value of LegalNoticeText: Unauthorized access to this system constitutes a felony punishable by a maximum fine of $1000,000 dollars and sixty years in prison.
Change the NT shell (the application launched by NT at startup): simply change the value of Shell from EXPLORER.EXE to the name of the application (e.g. PROGMAN.EXE -- the Program Manager) you would like to launch at startup.
Enable the Shutdown button on the WinLogon dialog box: change the ShutdownWithoutLogon value to 1.
Automate logon -- i.e. supply a username and password through the Registry. NT will then bypass the WinLogon dialog box and proceed directly to the shell application:
- specify values for DefaultDomainName and DefaultUserName
- add/specify the DefaultPassword for the user
- add a new string value AutoAdminLogon, and assign value 1 to it.
To disable automatic logon, set the value of AutoAdminLogon to 0 (or delete the string value), and at the same time delete or clear the DefaultPassword value.
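A practical way to check these Winlogon settings across many machines is to export the key with regedit and review the export rather than clicking through each Registry. The code below is an added example, not from the page or from Microsoft: it parses the REGEDIT4 text format that regedit on NT 4 writes, picks out the string values under the Winlogon key, and flags the settings the page discusses when they are in their weaker state (AutoAdminLogon on, DefaultPassword left behind, last user name displayed, shutdown allowed without logon, no legal notice, non-standard Shell). The export embedded in the block is constructed sample data chosen to trip the checks.

```python
"""Audit of the Winlogon values the page lists, read from a REGEDIT4 export.
Added example; not code from the page or from Microsoft. The export below is
constructed sample data."""
import re
from typing import Dict, List

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export; the values are deliberately the risky ones.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="CORP"
"DefaultUserName"="kiosk"
"DefaultPassword"="ChangeMe1"
"AutoAdminLogon"="1"
"DontDisplayLastUserName"="0"
"ShutdownWithoutLogon"="1"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"Shell"="EXPLORER.EXE"
'''

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_values(export: str, key: str = WINLOGON_KEY) -> Dict[str, str]:
    """Return the string values under `key` from a REGEDIT4 export (other keys and
    non-string values are ignored; registry key names are case-insensitive)."""
    values: Dict[str, str] = {}
    in_key = False
    for raw in export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            name, data = m.groups()
            # REGEDIT4 escapes backslash and double quote inside string data
            values[name] = data.replace('\\"', '"').replace("\\\\", "\\")
    return values


def audit_winlogon(values: Dict[str, str]) -> List[str]:
    """Flag settings that weaken the logon screen; each finding names the value to change."""
    v = {name.lower(): data for name, data in values.items()}
    findings: List[str] = []
    if v.get("autoadminlogon") == "1":
        findings.append("AutoAdminLogon=1: the logon dialog is bypassed; set it to 0 and clear DefaultPassword")
    elif v.get("defaultpassword"):
        findings.append("DefaultPassword is set although AutoAdminLogon is off: clear it (it is stored in cleartext)")
    if v.get("dontdisplaylastusername") != "1":
        findings.append("DontDisplayLastUserName is not 1: the last logged-on user name is shown; set it to 1")
    if v.get("shutdownwithoutlogon") == "1":
        findings.append("ShutdownWithoutLogon=1: the Shutdown button works without logging on; set it to 0")
    if not v.get("legalnoticecaption") or not v.get("legalnoticetext"):
        findings.append("LegalNoticeCaption/LegalNoticeText missing or empty: no logon warning is shown")
    shell = v.get("shell", "")
    if shell and shell.upper() not in ("EXPLORER.EXE", "PROGMAN.EXE"):
        findings.append(f"Shell is {shell!r}: not one of the standard shells, verify it is intended")
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon(parse_reg_values(SAMPLE_EXPORT)):
        print(finding)
```

Run against the sample export it reports four findings (automatic logon, last user name displayed, shutdown without logon, empty legal notice); a hardened export with AutoAdminLogon 0, DontDisplayLastUserName 1, ShutdownWithoutLogon 0 and a non-empty notice produces none.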
To thwart intrusion by anyone attempting to guess passwords, set the account policy to lock out a user account after a specified number of failed logon attempts. To enable account lockout:
>>User Manager /for Domains >>Policies >>Account ...
Note:
- an account is locked out automatically by the system; you cannot choose to lock out a user account manually.
- account lockout does not apply to the Administrator account
- a member of the Administrators group can clear any locked accounts
The WinLogon process implements the security user interface, and passes on the user's logon info (user name and password) to the Security Accounts Manager.
The Access Token, which identifies the logged-on user to all subsequent processes, is created by the Security Accounts Manager.
The ACL (access control list) describes which user or group accounts have access to an object and what type of access.
Permissions changed while a user is logged on take effect when the user has logged out and back on again.
Default user accounts (Administrator and Guest) can be renamed but cannot be deleted.
The Account Locked Out option in User Properties dialog box cannot be checked manually! You can clear it to restore access to this account, but it cannot be set. It will be checked automatically if currently locked out due to failed logon attempts (if you have set the Account lockout in >>Policies >>Account Policies ...).
Account Lockout does not apply to the built-in Administrator user account.
Changing the name of an account does not change any of its other properties.
You can give rights to everyone by assigning those access rights to the built-in group Users (NT Server and Workstation) or Everyone (only in NT Server; Workstation does not have this special/system group).
A Member of the Backup Operators can bypass security to back up and restore all files.
Power Users group by default can share directories and printers, create user and group accounts and can delete the users and groups that they created.
(Security) Policies are managed from the User Manager /for Domains, and only an Administrator can manage them
When setting Account Policy, if you check the "User must log on in order to change password" option and the password has expired, then the user cannot log on and cannot change his password. He will have to ask an administrator for help.
User and group permissions are cumulative. However, NO ACCESS overrides all. Another exception is if share permission and NTFS user access permissions differ, then the most restrictive of the two are used.
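The rules in the preceding line, together with the access-token-versus-ACL check described under "Every object has access control list (ACL)" above, can be written down as one small evaluator. What follows is an added example, not code from the page or from Windows NT itself: a token carries the user's SID plus group SIDs (with the system groups Everyone and Network/Interactive added by the system, as the page describes), matching ACL entries accumulate, a NO ACCESS entry on any identity in the token wins, and access through a share is the intersection of the share permissions and the NTFS permissions. The users, groups, rights letters and ACLs are constructed sample data.

```python
"""Effective-permission model for the NT rules stated above. Added example;
not code from the page or from Windows NT. All names and ACLs are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

NO_ACCESS = "NO ACCESS"
READ, WRITE, EXECUTE, DELETE = "R", "W", "X", "D"
FULL_CONTROL = frozenset({READ, WRITE, EXECUTE, DELETE})


@dataclass(frozen=True)
class AccessToken:
    """What the page calls the access token: the user's SID plus its group SIDs."""
    user: str
    groups: FrozenSet[str]

    def identities(self) -> FrozenSet[str]:
        return frozenset({self.user, *self.groups})


@dataclass(frozen=True)
class Ace:
    """One access control entry: a trustee and the rights granted, or NO ACCESS."""
    trustee: str
    rights: FrozenSet[str]


def build_token(user: str, groups: Iterable[str], via_network: bool) -> AccessToken:
    """System groups are added by the system, never by the administrator: Everyone
    for any connected user, plus Network or Interactive depending on how the user
    connected (the page's description of the system groups)."""
    system = {"Everyone", "Network" if via_network else "Interactive"}
    return AccessToken(user, frozenset(set(groups) | system))


def effective_rights(token: AccessToken, acl: List[Ace]) -> FrozenSet[str]:
    matched = [ace for ace in acl if ace.trustee in token.identities()]
    # NO ACCESS on any identity in the token overrides every other entry.
    if any(NO_ACCESS in ace.rights for ace in matched):
        return frozenset()
    rights: set = set()
    for ace in matched:          # user and group rights accumulate
        rights |= ace.rights
    return frozenset(rights)


def effective_access(token: AccessToken, ntfs_acl: List[Ace],
                     share_acl: Optional[List[Ace]] = None) -> FrozenSet[str]:
    """Local access is governed by the NTFS ACL alone; access through a share is
    the intersection of share and NTFS rights (the more restrictive wins)."""
    rights = effective_rights(token, ntfs_acl)
    if share_acl is not None:
        rights &= effective_rights(token, share_acl)
    return rights


def is_permitted(token: AccessToken, request: str, ntfs_acl: List[Ace],
                 share_acl: Optional[List[Ace]] = None) -> bool:
    return request in effective_access(token, ntfs_acl, share_acl)


# Constructed sample data (not from the page).
NTFS_ACL = [
    Ace("Domain Users", frozenset({READ, EXECUTE})),
    Ace("alice", frozenset({WRITE})),
    Ace("Contractors", frozenset({NO_ACCESS})),
]
SHARE_ACL = [Ace("Everyone", frozenset({READ, EXECUTE}))]


def demo() -> dict:
    alice_local = build_token("alice", ["Domain Users"], via_network=False)
    alice_net = build_token("alice", ["Domain Users"], via_network=True)
    dan_net = build_token("dan", ["Domain Users", "Contractors"], via_network=True)
    return {
        "alice_local": sorted(effective_access(alice_local, NTFS_ACL)),
        "alice_share": sorted(effective_access(alice_net, NTFS_ACL, SHARE_ACL)),
        "dan_share": sorted(effective_access(dan_net, NTFS_ACL, SHARE_ACL)),
    }


if __name__ == "__main__":
    print(demo())
```

In the sample data alice gets R, W and X when sitting at the computer (her own W entry accumulates with the Domain Users R X entry), only R and X through the share (the share grants Everyone R X, and the intersection drops her W), and dan gets nothing at all through the share because his Contractors membership carries NO ACCESS on the NTFS side, however generous the share permissions are.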
Where to set up Audit Policy and where to view the audit results? -- User Manager /for Domains >>Policies >>Audit... to choose the events to be audited -- these are saved to the Security Log. Use Event Viewer to view the Security Log.
What does "Security Policy" mean? -- it includes Account Policy, User Rights Policy and Audit Policy. In detail, anything that is related to the events listed in the Audit Policy dialog box (accessed via User Manager /for Domains >>Policies >>...