NT NETWORK ADMINISTRATION -- Account Administering

 


Contents

Chapter 1. Intro to Administering Windows NT

Chapter 2. Setting Up User Accounts

Chapter 3. Setting Up Group Accounts

Chapter 4. Administering User and Group Accounts

Appendix: NT Security Structures

Exam Notes

 


Chapter 1. Intro to Administering Windows NT

Key points about Domain / Workgroup model and Directory Services
Logging On to Windows NT
NT administrative tools
The NT Security Dialog Box

Key points about Domain / Workgroup model and Directory Services


Logging On to Windows NT

The Domain box in the Logon Information dialog box

To log on, the user must supply either a valid domain user account or a local user account, depending on whether the user is logging on to the domain or the local computer.

Note:


NT administrative tools

NT Workstation Administrative Tools are only used to administer the local computer. NT Server Administrative Tools are used to administer any computer in the domain.

NT Server Client-based Tools -- can be installed on any Windows 95 or NT Workstation computers. This gives an administrator the ability to perform domain administration from a client. The client-based tools are located on the NT Server CD in the Clients\Svrtools folder.


The NT Security Dialog Box

Use Ctrl+Alt+Del to gain access to the NT Security dialog box after logging on. It is used to perform these tasks:

Lock Workstation -- Secures the computer without logging off. All programs remain running. Lock your workstation when leaving momentarily. If a user forgets the password to unlock, an administrator can unlock the workstation, log the user off the system, and then reassign a new password.

Note: a locked workstation can only be unlocked by the authenticated user or by an administrator of the domain that this computer's account is in. This means other users cannot use the computer while it is locked.

Change Password -- Using the Windows NT Security dialog box is the ONLY way that users can change their passwords (by themselves). Users should change their passwords regularly.

Logoff -- Logs off the current user, but leaves NT running. This means that network users can still connect to and use shared resources on the computer. Always log off when you no longer need to use the computer. Unlike Lock Workstation, Logoff logs the current user off and closes all his programs.

Another way to log off ->Start >>Shut Down >>Close all programs and log on as a different user.

Task Manager -- Lists the programs that are running, a summary of overall CPU and memory usage, and a quick view of how each program, program component, or system process is using CPU and memory. It is also used to switch between or stop programs.

Shut Down --

Cancel --


Chapter 2. Setting Up User Accounts

Types of User Accounts
Tools for managing Accounts
Domain User Account
Local User Account
Planning New User Accounts -- Considerations
Creating User Accounts -- important points
Procedures for creating a Home Folder on a server
Home Directory
Assigning Logon Script Name
Assigning User Profile Path (press the Profile button)
what can be done with the Account button
Granting Dial-in Permission
Deleting and Renaming User Accounts
Creating User Profiles

Types of User Accounts -- common to both NT Server and NT Workstation

Three types of user accounts: one is the type of account that you create, and two are built-in accounts created when NT Server or NT Workstation is installed -- Guest and Administrator:


Tools for managing Accounts

User Manager, on NT Workstation -- is used for managing the accounts of that computer ONLY. Accounts created by User Manager are local accounts. (Global accounts can only be created on DCs with User Manager for Domains.)

User Manager for Domains, on NT Server -- is used to manage the accounts on the local domain or on any computer, member server, or other domain to which you have access. Accounts created by User Manager for Domains can be local accounts or domain accounts.

Note: User Manager for Domains, "built-in in NT Server", can also be installed on NT Workstation or Windows 95 using the client-based administration tools.


Domain User Account

Local User Account


Planning New User Accounts -- Considerations

Considerations for storing home folders on a server -- to simplify backing up user data and to maintain sensitive data centrally.

Considerations for storing home folders on users' computer


Creating User Accounts -- important points

to create a user account

->User Manager /for Domains >>User >>New User ...choose the options in the New User dialog box. (the Hours, Logon To, Account, buttons available only in NT Server).

Password Never Expires

Procedures for creating a Home Folder on a server

  1. on a server, create a folder named Users

  2. share the folder and assign the Full Control permission to all users so that they can connect to it.
    (when a folder is shared, Full Control permission is automatically assigned to Everyone group. You may need to change this default permission setting)

  3. the Profile button, specify a home folder name and location for a user account in the User Environment Profile dialog box.

    to assign home folder to multiple user accounts at one time automatically --
    in the User Profile dialog box, use %Username% in place of the home folder name, e.g. type \\Server1\Users\%Username%, NT will substitute %username% with the user account name

    Note: in a workgroup, you must specify the home folder for a local user account while sitting at the local computer. Enter the local path in the Local Path box, e.g. C:\folder_name.

  4. specify a network drive letter that will be used to connect to the user's home folder automatically when the user logs on.

Home Directory

An assigned home directory becomes a user's default directory for the File Open and Save As dialog boxes, for command prompt, and for all applications that do not have a defined working directory. Home directories make it easier for an administrator to back up user files and delete user accounts by collecting many or all of the files in one location.

The home directory can be a local directory on a user’s computer or a shared network directory, and can be assigned to a single user or many users.

Usually, User Manager for Domains automatically creates the home directory if you set a path for it. If not, a message appears, instructing you to manually create the directory. If you do not assign a home directory to a user account, the system uses the default local home directory (\USERS\DEFAULT) on the user's local drive where NT Workstation or NT Server is installed or upgraded.

to Use %USERNAME% in the Home Directory Path (press the Profile button)

When typing the path for a home directory, %USERNAME% can be entered as the last subdirectory in the path, and the system later substitutes the user name of each user account for %USERNAME%. This is useful when multiple user accounts are selected.

For example, to administer six user accounts you might click the Connect option, select the drive letter H and, in To, type the path \\airedale\users\%username%. As the changes are saved, the system substitutes the actual user name for the %USERNAME% entry for each user account.

Notes:


A Note on Logon Hours -- a user who is connected to a network on the domain is NOT disconnected when the user's logon hours run out. However, the user will be unable to make any new connections.

what is the Logon To button for -- it is used to set workstation restrictions for a user account, which lets you control which computers (maximum 8) a user can use to log on to the domain.


to assign the Logon Script Name (press the Profile button)

is used to assign a logon script to selected users. If the logon script is located in a subdirectory of the logon script path, that relative path precedes the filename.

If a logon script is assigned to a user account, it runs each time the user logs on. It can be a batch file (.cmd or .bat filename extension) or an executable program (.exe filename extension). One logon script can be assigned to one or more user accounts. When a user logs on, the server authenticating the logon locates the logon script by following the server's logon script path (usually \winnt\System32\Repl\Import\Scripts).

For example, you might type clerks.cmd; or, admins\ernesta.bat

Note: Computers running MS Network Client for MS-DOS (version 3.0), WfW, NT 3.1, and LAN Manager 2.x must use the .bat filename extension for logon script.


to assign the User Profile Path (press the Profile button)

Used to enter a network path when enabling a roaming or mandatory user profile for a selected user. The path you enter follows the form: \\server name\profiles folder name\user name. For example, \\puma\profiles\jeffho.

When assigning a mandatory user profile, open Control Panel >>System >>User Profiles tab and copy a preconfigured user profile to the user profile path location. Then, rename the NTUser.dat file in the user profile as NTUser.man.

To specify many users to use the same roaming profiles at one time -->>select multiple accounts >>User menu >>Properties >>Profile


Skill to configure multiple users to have same properties at one time:

User Manager (for Domains) >>select multiple accounts >>User menu >>Properties ...


what can be done with the Account button -- for setting account info. Two options:

-- Account Expire -- Never, or specify an expire date.

-- Account Type -- use this when you need to create a local account for a user from an untrusted domain who needs access to a network resource in your domain.

Note: A local account can be used to connect to a resource over the network. But it cannot be used to log on from a computer in the domain where it is created !

Global Account
......for regular user accounts in this domain

Local Account
......for users from untrusted domains

Granting Dial-in Permission (the Dialin button) -- options

Grant dialin permission to user

Call Back
No Call Back --
user pays for the telephone charges for the session
Set By Caller --
RAS server calls the user back using the phone number specified by the user. User saves the charge.
Preset To: --
restricts the user to dialing from only one phone number. This reduces the risk of an unauthorized person using the user's account. Use this option in high-security networks.

Deleting and Renaming User Accounts -- Every user account is assigned a unique security identifier (SID) when the account is first created. Internal NT processes refer to an account's SID rather than the account's user or group name.

Deleting permanently removes the account and permissions and rights associated with it. If you delete an account, then create an account with the same user name, the new account will NOT have the rights or permissions previously granted to the old account because their SID numbers are different.

Renaming an account retains the permissions, rights and group memberships associated with it because the SID was not deleted.
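The following is an added illustration (not part of the original notes, and not NT's real SAM or SID format) of why renaming keeps an account's access while deleting and re-creating it does not: the ACL entries on a resource are keyed by SID, and the name is only a label attached to that SID. The Sam and Resource classes, the domain SID prefix and the user name are all constructed for the example.

```python
"""Toy model of NT account identity: ACL entries reference a SID, not a name.
Added illustration, not NT's own SAM or SID format; the domain SID prefix
'S-1-5-21-EXAMPLE' is a placeholder."""

import itertools


class Sam:
    """Minimal stand-in for the account database (hypothetical)."""

    def __init__(self, domain_sid="S-1-5-21-EXAMPLE"):
        self.domain_sid = domain_sid
        self._rid = itertools.count(1000)   # new accounts get RIDs from 1000 upward, like NT
        self.by_sid = {}                    # sid -> account name
        self.by_name = {}                   # lower-cased name -> sid (NT names are case-insensitive)

    def create_user(self, name):
        if name.lower() in self.by_name:
            raise ValueError(f"account {name!r} already exists")
        sid = f"{self.domain_sid}-{next(self._rid)}"   # a fresh SID every time
        self.by_sid[sid] = name
        self.by_name[name.lower()] = sid
        return sid

    def rename_user(self, old, new):
        sid = self.by_name.pop(old.lower())             # same SID, new label
        self.by_sid[sid] = new
        self.by_name[new.lower()] = sid
        return sid

    def delete_user(self, name):
        sid = self.by_name.pop(name.lower())
        del self.by_sid[sid]                            # the SID is gone for good
        return sid

    def sid_of(self, name):
        return self.by_name[name.lower()]


class Resource:
    """A folder whose ACL is keyed by SID, as NT stores it."""

    def __init__(self):
        self.acl = {}   # sid -> permission

    def grant(self, sid, perm):
        self.acl[sid] = perm

    def access_for(self, sid):
        return self.acl.get(sid)


def demo():
    sam, folder = Sam(), Resource()
    sid = sam.create_user("jeffho")           # constructed user name
    folder.grant(sid, "Full Control")
    results = {}
    sam.rename_user("jeffho", "jeffhoward")
    results["after_rename"] = folder.access_for(sam.sid_of("jeffhoward"))   # kept
    sam.delete_user("jeffhoward")
    sam.create_user("jeffho")                 # same name as before, but a new SID
    results["after_recreate"] = folder.access_for(sam.sid_of("jeffho"))     # None
    # The old ACL entry is still on the folder, pointing at a SID no account owns.
    results["orphaned_ace_count"] = sum(1 for s in folder.acl if s not in sam.by_sid)
    return results


if __name__ == "__main__":
    print(demo())
```

The orphaned entry at the end is the practical reason to prefer renaming: a deleted account leaves ACL entries that show up only as raw SIDs and must be cleaned up by hand.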


Creating User Profiles

The user profile contains all user-definable settings for the work environment of an NT computer, including display, regional, mouse, and sounds settings, and network and printer connections.

A local profile is created and stored on the computer where the user logs on and is only applied to that computer for the user. A roaming profile is stored in a shared folder on a network server and is applied at whichever computer the user logs on from.

When a user logs on for the first time from an NT computer, a default user profile is created for that user and saved in the Profiles folder of that computer, typically systemroot\Profiles\logged_on_user_name

Note: User profiles cannot be set for users who log on from LAN Manager, MS-DOS, WfW, or Windows 3.x clients. For these clients, you can write a logon script to configure the user's network and printer connections.

Use roaming user profiles if users frequently log on from different computers.

Unlike default user profiles, roaming user profiles are stored centrally on a network server rather than on the user's local computer. Roaming user profiles provide users with the same working environment, no matter which NT computer a user logs on to. For a user account, you can specify one of the following two roaming profiles:

Roaming personal user profile -- named Ntuser.dat. User can change it, and is updated to include any changes made by the user when he logs off. If use this type of profile, each user should be assigned his own profile.

Roaming mandatory user profile -- named with an .man extension. Preconfigured user profile that user cannot change. One for many users who require identical desktop configuration -- for example, bank tellers.

You can make a personal profile mandatory just by renaming it -- for example, Ntuser.man

Note: NT user profiles are not compatible with Windows 95 user profiles. Win95 client profiles (and System Policy) MUST be created on a computer running Windows 95.


Chapter 3. Setting Up Group Accounts

 


Introduction

Group accounts are collections of user accounts that share similar needs. Adding a user account to a group makes the user a member and gives the user all the rights and permissions granted to the group. Group membership provides an easy way to assign permissions and user rights to sets of users at one time.


Permissions are rules that regulate which users can use a resource, such as a folder, file, or printer. Because maintaining permissions for a group is easier than maintaining permissions for many user accounts, you generally want to use groups to manage access to resources.

User rights are rules that regulate which users can perform certain tasks on the system, such as creating a user account, logging on to the local computer, or shutting down a server.

A user can be a member of one or more groups. A user who is a member of more than one group possesses all the user rights and permissions of all the groups of which he is a member.


A group is a collection of user accounts. Groups simplify administration by providing an easy way to grant rights and permissions to multiple users at one time.

There are two types of groups: local and global.

Local groups are used to manage access to resources. If a local group is created on an NT member server or an NT Workstation computer, it can only be assigned to resources on the local computer. If a local group is created on a PDC, it can be assigned to resources on any domain controller in the domain.

Global groups are used to organize domain user accounts. They provide a way to give users in one domain access to resources in another domain. Global groups are always created on the PDC. They cannot contain user accounts from a different domain. To give global group members access to a resource, the global group is added to the local group where the resource is located.

More info on feature of local and global groups --

Local Groups

Global Groups


Using Groups -- Examples

-- a single-domain example

Scenario: XYA company has a single-domain network with a PDC, a BDC (which holds Database1) and a member server (which holds Database2). All users need access to both databases.

Q1. On which computer would you create a global group for organizing the user accounts? Why?

A global group can be created on the PDC from any computer running User Manager for Domains.

User Manager for Domains creates the global group on the PDC because global groups always reside in the domain's directory database.

Q2. On which computer would you create a local group to provide users with access to the Database1? Why?

Create a local group from any computer running User Manager for Domains.

User Manager for Domains creates the local group on the PDC even though Database1 is on the BDC. This is because all domain controllers share account information with each other and maintain a common directory database (the domain's).

Q3. On which computer would you create a local group to provide users with access to the Database2? Why?

In this case, a local group must be created on the member server because that is where Database2 resides. The local group is then stored in the local directory database.

Remember: to access a resource on a non-domain-controller NT computer (i.e. NT Workstation or an NT member server), the local group must be created/stored on that computer.

Q4. How do you give the members of the global group access to both databases?

Add the global group to both local groups, the one created for the Database1 and the other created for the Database2. Members of the local groups now have access to both databases, assuming the appropriate permissions are assigned to the local groups.

multiple domain example I

Scenario: A company has two domains. A color printer is located in one domain, but the sales personnel from both domains want to use it.

Solution:

1> in each domain, create a global group and add the user accounts for that domain's sales personnel.

2> create a local group (on the computer where the printer is located).

3> assign the appropriate permissions for the printer to the local group.

4> add the global groups from both domains to the local group (can be done prior to step 3).

multiple domain example II

Scenario: A company has two offices, one in Paris and one in London, and each has its own domain. Both offices maintain an Inventory database on a member server. All users in each office need access to the other office's Inventory database. The appropriate trust relationship exists between the two domains.

Solution:

  1. Create two global groups -- one in the Paris domain and the other in the London domain, from any computer (in either domain) running User Manager for Domains.

  2. In each domain, create a local group on the member server, because each member server has its own local directory database. (Can this be done from any domain controller? Is it possible to use Server Manager >>Select Domain >>select that computer in either or both domains, then create the local group for that computer, or do you have to sit physically at that member server? refer to)

  3. Assign appropriate permissions to both local groups.

  4. Add the global group created for Paris users to the local group created for the London Inventory database.

    Add the global group created for London users to the local group created for the Paris Inventory database.


Guidelines for Implementing Groups

For better control over user and resource management, first organize users into global groups, and then add global groups to local groups. Steps to follow:

  1. Logically organize domain users based on their common needs ->> create a global group for each logical group of users ->> add the appropriate user accounts to the appropriate global groups.

  2. Create local groups based on resource access needs, and assign the appropriate permissions to the local groups.
  3. Add the global groups to the local groups. (Note: if adding global groups to local groups in another domain, the appropriate trust relationship must have been established.)
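The following is an added model (not part of the original notes, and not NT's own code) of the group rules behind the single-domain and multiple-domain examples and the guidelines above: global groups hold only their own domain's user accounts and live in the domain directory, local groups created on a domain controller are shared by every DC of that domain while a member server keeps its own, and a global group from another domain can only be added to a local group across a trust. The Domain and Computer classes and all domain, server and user names are constructed for the example.

```python
"""Toy model of NT global/local group rules (added illustration; all names
are made up and the classes are not NT APIs)."""


class Domain:
    def __init__(self, name):
        self.name = name
        self.users = set()
        self.global_groups = {}     # name -> set of user names (this domain only)
        self.dc_local_groups = {}   # local groups shared by the domain controllers
        self.trusts = set()         # names of the domains this domain trusts

    def add_user(self, user):
        self.users.add(user)

    def create_global_group(self, name, members=()):
        for m in members:   # a global group cannot contain accounts from another domain
            if m not in self.users:
                raise ValueError(f"{m!r} is not a user account in {self.name}")
        self.global_groups[name] = set(members)


class Computer:
    def __init__(self, name, domain, is_domain_controller):
        self.name = name
        self.domain = domain
        self.is_domain_controller = is_domain_controller
        self._own_local_groups = {}  # member server / workstation: its own directory database
        self.resources = {}          # resource -> local group that holds the permission

    @property
    def local_groups(self):
        # Local groups made on any DC live in the domain's directory database.
        return self.domain.dc_local_groups if self.is_domain_controller else self._own_local_groups

    def create_local_group(self, name):
        self.local_groups[name] = []   # list of (domain, global group name)

    def add_global_group(self, local_group, domain, global_group):
        if domain is not self.domain and domain.name not in self.domain.trusts:
            raise PermissionError(f"{self.domain.name} does not trust {domain.name}")
        if global_group not in domain.global_groups:
            raise KeyError(global_group)
        self.local_groups[local_group].append((domain, global_group))

    def grant(self, resource, local_group):
        if local_group not in self.local_groups:
            raise KeyError(f"no local group {local_group!r} on {self.name}")
        self.resources[resource] = local_group

    def can_access(self, user_domain, user, resource):
        local_group = self.resources.get(resource)
        if local_group is None:
            return False
        return any(d is user_domain and user in d.global_groups[g]
                   for d, g in self.local_groups[local_group])


def demo():
    paris, london = Domain("PARIS"), Domain("LONDON")
    paris.trusts.add("LONDON")
    london.trusts.add("PARIS")
    paris.add_user("amelie")
    london.add_user("george")
    paris.create_global_group("Paris Users", ["amelie"])
    london.create_global_group("London Users", ["george"])

    # Multiple-domain example II: one Inventory database per member server.
    paris_srv = Computer("PARISSRV", paris, is_domain_controller=False)
    london_srv = Computer("LONDONSRV", london, is_domain_controller=False)
    for srv in (paris_srv, london_srv):
        srv.create_local_group("Inventory Users")
        srv.grant("Inventory", "Inventory Users")
        for d, g in ((paris, "Paris Users"), (london, "London Users")):
            srv.add_global_group("Inventory Users", d, g)

    # Single-domain example, Q2: a local group made on the PDC is seen on the BDC.
    pdc = Computer("PARISPDC", paris, is_domain_controller=True)
    bdc = Computer("PARISBDC", paris, is_domain_controller=True)
    pdc.create_local_group("Database1 Users")
    pdc.add_global_group("Database1 Users", paris, "Paris Users")
    bdc.grant("Database1", "Database1 Users")

    results = {
        "george_paris_inventory": paris_srv.can_access(london, "george", "Inventory"),
        "amelie_london_inventory": london_srv.can_access(paris, "amelie", "Inventory"),
        "amelie_database1_on_bdc": bdc.can_access(paris, "amelie", "Database1"),
        "george_database1_on_bdc": bdc.can_access(london, "george", "Database1"),
    }
    try:    # a global group may contain only its own domain's user accounts
        paris.create_global_group("Mixed", ["george"])
        results["cross_domain_member_rejected"] = False
    except ValueError:
        results["cross_domain_member_rejected"] = True
    berlin_srv = Computer("BERLINSRV", Domain("BERLIN"), is_domain_controller=False)
    berlin_srv.create_local_group("Inventory Users")
    try:    # no trust between BERLIN and PARIS
        berlin_srv.add_global_group("Inventory Users", paris, "Paris Users")
        results["untrusted_add_rejected"] = False
    except PermissionError:
        results["untrusted_add_rejected"] = True
    return results
```

Running demo() shows the two cross-domain grants succeeding, the PDC-created local group working on the BDC, and the two rule violations (a foreign user in a global group, a global group added without a trust) being refused.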

Creating Groups

Global groups are created to logically organize domain user accounts; Local groups are created to give sets of users permissions to access a resource.

In a domain, local and global groups are created using User Manager for Domains. In a workgroup, local groups are created using User Manager. Global groups cannot be created in a workgroup.

The Select Domain menu command (only in User Manager for Domains) allows an administrator to select a different domain or computer in which to create or manage local or global group.


Server Manager >>Computer >>Select Domain


When User Manager for Domains starts, it displays the domain in which your user (the logged_on_user) account is defined. Use Select Domain to display a different domain.

Optionally, use Select Domain to display an individual computer. However, you can display only a computer that maintains its own directory database, such as an NT Workstation or NT member server or a Microsoft LAN Manager

Note: when you need to create a local group on a computer that is not a domain controller, select the computer first. To select a computer, use the Select Domain command (type the computer name in the Domain box).

Note: when you need to add global groups from another domain, select that domain from the List Names From box. If that domain does not appear, either there is no such domain in your network, or the appropriate trust relationship is not set up.


Built-in Groups

Built-in groups are predefined groups that have a predetermined set of user rights (global groups are the only exception: they have no inherent user rights). User rights determine the system tasks that a user or a member of a built-in group can perform.

Built-in groups (unlike built-in user accounts) cannot be deleted or renamed, only their permissions and rights can be changed.

Three types of built-in groups on all NT computers:

  Type of group    On which computers   What for
  Local groups     all NT               give users rights to perform system tasks, such as backing up and restoring files, changing the system time, and administering system resources
  System groups    all NT               automatically organize users for system use. Administrators do not assign users to them; rather, users are either members by default or become members during network activity.
  Global groups    DCs only             give administrators an easy way of controlling all users in a domain

Note: by default, the built-in global groups are the only ones that do not have any inherent rights. They get rights when they are added to local groups or when they are assigned user rights or permissions.


  Global group*    When created, it is automatically added to    Its member by default
  Domain Admins    the local Administrators group**              the Administrator account
  Domain Users     the local Users group                         the Administrator account***
  Domain Guests    the local Guests group                        the Guest account

  * remember that a global group can contain only user accounts
  ** members of the Domain Admins group can then perform (domain-wide?) administrative tasks from/on the local computer. (refer to)
  *** note that the default member of the global group Domain Users is Administrator, NOT Users (Users is a local group account).


System groups are installed on all NT computers. Unlike other built-in groups, users become members of system groups during network activity. Membership of system groups cannot be altered.

  System group     Description

  The key system groups used for network administration:

  Everyone         Includes all local and remote users who have connected to the computer, including those who connect as Guest. You cannot control who becomes a member of the Everyone group. However, you can assign permissions and rights to the Everyone group. The Everyone group is useful when you do not need to restrict access to a resource.
  Creator Owner    Includes the user that created or took ownership of a resource. If a member of the Administrators group takes ownership of a resource, the new owner is the Administrators group. This group can be used to manage access to files and folders on NTFS volumes.

  The system groups NOT used for network administration:

  Network          Includes any user who is currently connected from another computer on the network to a shared resource on your computer.
  Interactive      Includes a user who logs on to the computer locally. Interactive members access resources on the computer at which they are physically sitting. They log on and access resources by interacting with the computer.

Where are they? -- System groups do not appear in User Manager /for Domains. To view system groups (depends on the volume format -- NTFS or FAT), locate the Permissions tab by one of:


Even though individual user rights can be assigned directly to a user, in most cases this is not recommended.

  1. For local Administration: to give a user the administrative privileges on a local computer --

add the user's account to the built-in local Administrators group.

This will give the user administrative privileges on the local computer. This is useful when you want to let a user administer his own computer.

Note! if you add a user account to the Administrators group on a PDC, the user will have administrative privileges on all domain controllers in the domain.


  2. For Centralized Administration: to give members of an Administrators group in one domain the ability to administer resources in another domain --

use the built-in global group Domain Admins: on the PDC of a domain, add the global Domain Admins group from another domain to the local Administrators group.

This will give members of the Domain Admins from the other domain the ability to administer domain user accounts and resource security on any domain controller.

Note:

  1. the difference between Domain Users and Everyone groups ---

    Domain Users is a built-in global group on domain controllers that only contains domain accounts. Everyone is a system/special group on all computers and contains all local and remote users that have connected to the computer, including guest users.

    For increased security, use the global group Domain Users instead of the system/special group Everyone, because Domain Users group contains only all the accounts in the domain, and not the Guest or other accounts that have connected to the network.

    In addition, membership of Everyone, as a system group, cannot be changed, while membership of global group Domain Users can be changed.

  2. If no built-in group could meet your needs, create a local group and assign it appropriate user rights as you wish.

    For example, if you want a user to have the right to back up but not the right to restore files, create a local group named Backupers Only and assign it the Back up files and directories right.


Chapter 4. Administering User and Group Accounts

Introduction to Accounts Administering
Setting Password and Account Lockout Options
Password Restrictions
Account Lockout
Modifying Multiple User Accounts
Maintaining Domain Controllers
Synchronizing Domain Controllers Manually
Troubleshooting Logon Problems

Introduction to Accounts Administering

Some of the most useful procedures for efficient account administering


Setting Password and Account Lockout Policy Options

The Account policy (refers to the contents of the >>Policies >>Account >>Account Policy dialog box) determines how passwords must be used by ALL user accounts for a computer or a whole domain. (Note: most of the settings made in the Policies menu are for the system, either the computer or a whole domain, NOT only for a specific user.)

Maximum Password Age -- ...
Minimum Password Age -- ...
Minimum Password Length -- ...

Password Uniqueness -- the number of new passwords that must be used before an old password can be reused. For uniqueness to be effective, do not allow immediate changes in the Minimum Password Age parameter (i.e. clear the check box Allow Changes Immediately).

-- choose whether to lock out accounts after multiple failed attempts, to protect against attackers who try to log on by guessing the passwords of existing user accounts:

Reset Count After -- specify the maximum number of minutes that can occur between any two failed logon attempts for lockout to occur. The range is 1 to 99999.

Note: Failed password attempts against workstations or member servers that have been locked using either Ctrl+Alt+Delete, or password protected screen savers do not count against account lockout settings entered in User Manager for Domains.

Forcibly disconnect remote users from server when logon hours expire
Users must log on in order to change password
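The following is an added simulation (not part of the original notes, and not NT's own lockout code) of how the lockout settings above interact when applied to a stream of logon events: the failure count only climbs while successive failures are within the Reset Count After window, a locked account refuses even a correct password until the lockout duration passes or an administrator clears Account Locked Out, the built-in Administrator is never locked out, and attempts at a locked workstation or screen saver are not counted. The event records, user names and policy values are constructed for the example.

```python
"""Toy model of the Account Policy lockout settings. Added illustration; the
event records are constructed, not real Security Log entries."""

from datetime import datetime, timedelta


class LockoutTracker:
    def __init__(self, threshold=5, reset_after=timedelta(minutes=30),
                 duration=timedelta(minutes=30), exempt=("administrator",)):
        self.threshold = threshold        # Lockout after N bad logon attempts
        self.reset_after = reset_after    # Reset count after M minutes
        self.duration = duration          # Lockout duration; None = Forever (until admin unlocks)
        self.exempt = set(exempt)         # built-in Administrator is never locked out
        self.failures = {}                # user -> (count, time of last failure)
        self.locked = {}                  # user -> time of lockout

    def is_locked(self, user, now):
        since = self.locked.get(user)
        if since is None:
            return False
        if self.duration is not None and now - since >= self.duration:
            self.admin_unlock(user)       # expired: same effect as clearing Account Locked Out
            return False
        return True

    def admin_unlock(self, user):
        self.locked.pop(user, None)
        self.failures.pop(user, None)

    def record(self, event):
        """event: {'time', 'user', 'kind': 'logon'|'unlock', 'success'}.
        Returns 'ok', 'failed', 'locked' or 'ignored'."""
        user, now = event["user"].lower(), event["time"]
        if event["kind"] == "unlock":
            return "ignored"              # workstation unlock / screen saver: not counted
        if self.is_locked(user, now):
            return "locked"               # even a correct password is refused
        if event["success"]:
            self.failures.pop(user, None)
            return "ok"
        count, last = self.failures.get(user, (0, None))
        if last is not None and now - last > self.reset_after:
            count = 0                     # too long since the previous failure: start over
        count += 1
        self.failures[user] = (count, now)
        if count >= self.threshold and user not in self.exempt:
            self.locked[user] = now
            return "locked"
        return "failed"


def run_sample():
    """Feeds constructed events through the tracker; returns outcomes per user."""
    t0 = datetime(2000, 1, 1, 9, 0)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    def fail(user, m, kind="logon"):
        return {"time": at(m), "user": user, "kind": kind, "success": False}

    def ok(user, m):
        return {"time": at(m), "user": user, "kind": "logon", "success": True}

    events = (
        [fail("bob", m) for m in range(5)]                 # five bad passwords in five minutes
        + [ok("bob", 6), ok("bob", 40)]                     # right password: refused, then allowed
        + [fail("carol", m * 40) for m in range(5)]        # failures too far apart to add up
        + [fail("Administrator", m) for m in range(10)]    # never locked out
        + [fail("dave", m, "unlock") for m in range(10)]   # locked-workstation attempts
    )
    tracker = LockoutTracker()
    outcomes = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        outcomes.setdefault(ev["user"].lower(), []).append(tracker.record(ev))
    return outcomes


if __name__ == "__main__":
    for user, seq in run_sample().items():
        print(user, seq)
```

The Administrator case is why that account should have a strong password and why its renaming (Exam Notes) matters: the lockout policy does not protect it.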



Modifying Multiple User Accounts

to modify multiple user accounts in the same manner at one time:
>>select all the user accounts (with Shift, Ctrl keys) >>User >>Properties ...

This method is especially useful for moving user home folders to a different server or volume.


Maintaining Domain Controllers

Because the PDC maintains the master copy of the domain's directory database, when it goes offline you will no longer be able to do any account administration. However, users can still log on and be validated by the BDCs.

Make sure the PDC is always online and all copies of the directory database on BDCs are current.

Server Manager is the NT Server tool used to maintain domain controllers.


Synchronizing Domain Controllers Manually

By default, NT synchronizes domain controllers every few minutes (5 mins, by default). You only need to manually synchronize DCs when you want to:

Event Viewer >>Log menu >>System >>View menu >>Filter Events... >>Filter box, Source: Net Logon events.

Most of the functionality of NT is implemented as a service. For example,

Also remember that some services are dependent on other services. For example, the Server service must be started before the Net Logon service can start.

to find out which services are running -- use one of

->>command prompt >>net start
->>Control Panel >>Services (local computer only)
->>Server Manager >>Computer >>Services (local or remote computer)

Troubleshooting Logon Problems

Common error messages and solutions to logon problems

User error message Solution
blah, blah, blah,blah, blah,

Put shortly, depending on the specific error message that appears when a user fails to log on, check:

are the user name and password entered correct?

if it is a new user account, has it been synchronized with the BDCs? If not, synchronize the DCs manually using Server Manager.


Appendix: NT Security Structures

NT Objects
Access Token
Customizing Logon Process
Account Lockout
More Facts

NT Objects

NT represents all resources as objects, and all objects have an access control list, so you can set access permissions for any NT resource based on a user's account or group membership.

Some common object types are:

An object is featured by its type, functions (services) and attributes. For instance, a document object has:

Every object has access control list (ACL), that NT uses to determine whether a certain user has the authority to access that object.

All resource level securities are controlled by ACLs.


Access Token

When a user logs on, NT assigns an access token that represents the username and the groups to which the user belongs. This access token remains valid until the user logs off; NT compares it against the entries in an object's ACL to determine if the user is permitted the requested service (function).

Access tokens are also NT objects. They have these important attributes:

The access token is generated by Security Accounts Manager.


Customizing Logon Process

All logon options are controlled by editing the WinLogon Key in the Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\Winlogon


Account Lockout

To thwart intrusion by anyone attempting to guess passwords, set the account policy to lock out a user account after a specified number of failed logon attempts. To enable account lockout:

>>User Manager /for Domains >>Policies >>Account ...

Note:


More Facts

The WinLogon process implements the security user interface and passes the user's logon info (username and password) on to the Security Accounts Manager.

Access Token, which identifies the logged on user to all subsequent processes, is created by the Security Accounts Manager.

The ACL (access control list) describes which user or group accounts have access to an object and what type of access.

Permissions changed while a user is logged on take effect when the user has logged out and back on again.


Exam Notes

Default user accounts (Administrator and Guest) can be renamed but cannot be deleted.

The Account Locked Out option in User Properties dialog box cannot be checked manually! You can clear it to restore access to this account, but it cannot be set. It will be checked automatically if currently locked out due to failed logon attempts (if you have set the Account lockout in >>Policies >>Account Policies ...).

Account Lockout does not apply to the built-in Administrator user account.

Changing the name of an account does not change any of its other properties.

You can give rights to everyone by assigning those access rights to the built-in group Users (NT Server and Workstation) or Everyone (only in NT Server; Workstation does not have this special/system group).

A Member of the Backup Operators can bypass security to back up and restore all files.

Power Users group by default can share directories and printers, create user and group accounts and can delete the users and groups that they created.

(Security) Policies are managed from the User Manager /for Domains, and only an Administrator can manage them

When setting Account Policy, if you check the "User must log on in order to change password" option and the password has expired, then the user cannot log on and cannot change his password. He will have to ask an administrator for help.

User and group permissions are cumulative. However, NO ACCESS overrides all. Another exception is that if share permissions and NTFS user access permissions differ, the more restrictive of the two is used.
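The following is an added worked example (not part of the original notes, and not NT's own security code) that ties the Access Token section of the appendix to the permission rules just stated: an access token holding the user's SID and group SIDs is built at logon, rights from every matching ACL entry are added up, a single No Access entry wins, network access gets the intersection of share and NTFS results, and a token built at logon does not notice a later group change until the user logs on again. S-1-1-0 (Everyone) and S-1-5-32-545 (Users) are real well-known SIDs; the other SIDs, the rights letters and the ACLs are constructed for the example.

```python
"""Toy access check: token vs ACL with cumulative rights, No Access override,
share/NTFS intersection and stale tokens. Added illustration; placeholder
SIDs and ACLs are constructed."""

# Rights granted by each standard permission level (R read, X execute,
# W write, D delete, P change permissions, O take ownership).
LEVELS = {
    "No Access": frozenset(),
    "Read": frozenset("RX"),
    "Change": frozenset("RXWD"),
    "Full Control": frozenset("RXWDPO"),
}

EVERYONE = "S-1-1-0"                 # well-known SID of the Everyone system group
USERS = "S-1-5-32-545"               # well-known SID of the built-in local Users group
SALES = "S-1-5-21-EXAMPLE-1100"      # constructed placeholder for a Sales group
JEFFHO = "S-1-5-21-EXAMPLE-1001"     # constructed placeholder for a user account


class AccessToken:
    """Snapshot of identity taken at logon; later group changes do not alter it."""

    def __init__(self, user_sid, group_sids):
        self.user_sid = user_sid
        # Every connected user is also a member of Everyone.
        self.sids = frozenset({user_sid, EVERYONE, *group_sids})


def effective_rights(acl, token):
    """acl: list of (sid, level). Rights accumulate over matching entries;
    a matching No Access entry overrides everything."""
    rights = set()
    for sid, level in acl:
        if sid not in token.sids:
            continue
        if level == "No Access":
            return frozenset()
        rights |= LEVELS[level]
    return frozenset(rights)


def network_rights(share_acl, ntfs_acl, token):
    """Over the network both the share ACL and the NTFS ACL apply; the more
    restrictive result (their intersection) is what the user actually gets."""
    return effective_rights(share_acl, token) & effective_rights(ntfs_acl, token)


def demo():
    memberships = {JEFFHO: {USERS, SALES}}             # SAM-side membership (constructed)
    token = AccessToken(JEFFHO, memberships[JEFFHO])   # built at logon

    ntfs_acl = [(USERS, "Read"), (SALES, "Change")]
    share_acl = [(EVERYONE, "Full Control")]           # default when a folder is shared

    results = {}
    results["local"] = effective_rights(ntfs_acl, token)            # Read + Change = Change
    results["network"] = network_rights(share_acl, ntfs_acl, token)  # Full Control & Change
    # Tightening the share to Read limits network access but not local access.
    results["network_share_read"] = network_rights([(EVERYONE, "Read")], ntfs_acl, token)
    # A No Access entry for one of the user's groups beats the cumulative grant.
    results["no_access"] = effective_rights(ntfs_acl + [(SALES, "No Access")], token)
    # Removing the user from Sales after logon changes nothing until re-logon.
    memberships[JEFFHO].discard(SALES)
    results["stale_token"] = effective_rights(ntfs_acl, token)
    results["after_relogon"] = effective_rights(ntfs_acl, AccessToken(JEFFHO, memberships[JEFFHO]))
    return results


if __name__ == "__main__":
    for name, rights in demo().items():
        print(f"{name:20} {''.join(sorted(rights)) or '(none)'}")
```

The "network" versus "network_share_read" lines are the practical reading of the most-restrictive rule: the default Everyone/Full Control share permission does not widen access beyond what NTFS allows, but a tighter share permission does narrow it.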

Where to set up Audit Policy and where to view the audit results? -- User Manager /for Domains >>Policies >>Audit... to choose the events to be audited; these are saved to the Security Log. Use Event Viewer to view the Security Log.

What does it mean "Security Policy" -- includes Account Policy, User Right Policy and Audit Policy. If put it in detail, anything that is related to the events listed in the Audit Policy dialog box (accessed via User Manager /for Domains >>Policies >>...