Windows XP Users, Groups, Profiles and Policies 70-270: MCSE Guide to Microsoft Windows XP Professional


Windows XP Professional User Accounts

Designed for use as a network client for: Windows NT, Windows 2000, Windows Server 2003

Member of a workgroup

Standalone operating system when more than one user is using the computer

Home or business environment

Types of Windows XP Professional User Accounts

Local user account: exists on a single computer; can provide access to resources if the user is a member in a workgroup; no domain access

Domain user account: created on a domain controller using "Active Directory" and exists throughout the domain; available on any domain member computer

User Account Details

Uniquely identified to the system by user account name and password

Provides secure access to authorized users

Preferences are environmental settings that are stored in a profile: Desktop, Favorites, My Documents, Start Menu, Internet files and Cookies, etc.

Accounts Interaction with an XP Professional System (Page 1)

Standalone system, automatic logon: all users access local resources through a "common user account" that automatically logs in when the computer starts

Standalone system: each user logs into the system with access to "their own" local resources

Accounts Interaction with an XP Professional System (Page 2)

Workgroup member: users log in to an account to access both local and shared resources

Domain network client: users log in to the system with a unique domain user account to gain access to local and domain resources

Supporting More Than One User

Multiple-user systems support more than one user on the same machine, either on a single computer or in a domain

Implemented through: Groups, Resources, Policies, Profiles

Groups

Named collections of user accounts

One user account may be a member of more than one group

Members of a group receive the access rights and restrictions for that group

Local groups are created using Windows XP Professional and provide privileges at the machine level


Resources

Useful objects including printers, shared directories, software applications, etc.

Limited to a single user, group or all users on a machine or within a network

Policies

A set of configuration options for a user, computer or group:

Define password restrictions, i.e. is the user required to change their password at prescribed intervals?

Account lockouts, i.e. what happens if a user enters an incorrect login several times in sequence?

User rights

Event auditing

Profiles

User environmental settings including Desktop, Favorites, My Documents, Start Menu, etc.

A local profile exists on the local computer

A domain profile follows a user no matter which computer he/she logs on to in the domain

Types of Logon

Two types: Windows Welcome Logon Method, Classic Logon Method

Changing between the logon types is done in the "User Accounts" applet in Control Panel

Logon authentication has two purposes: maintain security, track computer usage


Windows Welcome Logon Method (Page 1)

Completely new logon method designed for use on standalone or workgroup member systems

Not available when the Windows XP client is a member of a domain

Displayed as a list of user accounts each with its own icon which the user clicks

For accounts with password, user is prompted for it before access is granted


Windows Welcome Logon Method (Page 2)

To turn the Welcome screen on or off:

1. Open User Accounts in Control Panel

2. Click the Change the way users log on or off command

3. Do one of the following:

To specify that users log on to the computer using the Welcome screen, select the Use the Welcome screen check box

To specify that users log on to the computer using the "Windows Classic Logon" dialog, clear the Use the Welcome screen check box

Windows Welcome Logon Method (Page 3)

Fast User Switching:

Allows switching from one user to another without logging off (not in a domain and only for Welcome Screen logon)

Also updated in "User Accounts" from Change the way users log on or off

From "Start" menu, select the Log Off… command; then in the "Logoff Windows" dialog click the <Switch User> button

When switching back, environment and all programs that were active are restored


Activity

Turn on Fast User Switching in the "User Accounts" applet

Activate the Guest account and then practice switching between it and your user account

Classic Logon Method

Press the <Ctrl>+<Alt>+<Delete> key combination to access the "WinLogon" security dialog box

Required for domain member systems

Selected automatically when a Windows XP system becomes part of a domain

No user switching available

Must log off computer to make it available to the next user

Activity

In the "User Accounts" applet change between the "Windows Welcome" and "Classic" logon methods

Try logging on using each

Logging On to Windows XP

When Windows XP Professional is first installed, two accounts are automatically created: Administrator and Guest

Administrator (Page 1)

Most powerful user account possible

Unlimited access and unrestricted privileges to manage users, groups, O/S environment, printers, shares, storage devices, etc.

Must be protected from misuse: a complicated password should be used; the account should be renamed

Administrator (Page 2)

The original Administrator account:

Cannot be deleted

Cannot be locked out (occurs when user attempts to logon unsuccessfully)

Can be disabled (only performed manually by another administrator account)

Can have a blank password (not recommended)

Can be renamed (recommended)

Cannot be removed from Administrators local group

Guest (Page 1)

One of the least privileged user accounts

Limited access to resources and computer activities

Account should be renamed

Member of the "Everyone" group

Recommended to leave account disabled since by default all new objects and shares give full control for group "Everyone"

Guest (Page 2)

The original Guest account:

Cannot be deleted

Can be locked out

Can be disabled (disabled by default)

Can have a blank password (blank by default)

Can be renamed (recommended)

Can be removed from the Guests local group

Naming Conventions (Page 1)

A predetermined process should be used for creating names on either a network or a standalone system

A convention is an accepted practice within an organization or even industry-wide

Important since networks usually tend to grow very quickly

Naming Conventions (Page 2)

Should incorporate schemes for naming: user accounts, computers, directories, network shares, printers, servers

Naming Conventions (Page 3)

Two common conventions:

User name employs first and last name, and a code indicating user's department

Group name represents the organization of the firm: department, location, project name, and/or combination of the above

Naming Conventions (Page 4)

Needs to be:

Consistent

Easy to use and understand

Easy to create new names using the convention (variations are predetermined)

Clearly identify the object's type

Managing Local User Accounts

Two types of local accounts: accounts created from scratch locally; local representations of domain/network user accounts

User Accounts applet:

Used to create local representation (only for a domain client)

In a standalone system, the applet becomes a task wizard with easy-to-follow tasks

User Accounts Applet in a Domain

Users tab: lists active users; Add New User wizard to add users

Advanced tab: access to password and passport management, advanced user management, secure logon settings


Add a User in a Domain

User Accounts applet

To find the user in the domain

Properties in a Domain

User Accounts applet


User Accounts Applet for a Standalone Computer


Activity

Create a new user account named Jan Walters using the "User Accounts" applet: limited privileges, no password

Local Users and Groups Console

Found in the "Computer Management" applet of Administrative Tools

Console tree nodes (in left frame) are Users and Groups

The list frame (on the right) shows the names of the user and/or group accounts

The "Local Users and Groups" MMC snap-in can also be used to create and manage user accounts and groups

Local Users and Groups (Computer Management Console)

Local Users and Groups MMC Console

Users Node (Page 1)

Creating a new user account:

1. Select User node within the Local Users and Groups node

2. With no user selected, click Action, then New User… from the menu bar, or right-click on any white space in the list (right) frame and select New User…

3. Fill in the form and click the <Create> button

Users Node (Page 2)

Select any user account and click Action from the menu bar (or right-click any user account name) to:

Set (reset) password

Delete user account

Rename user account

View user account properties

Help

Users Node (Page 3)

The Properties window for user accounts has three tabs:

General – update Fullname and Description, modify password properties, enable/disable the account, and manage locked out accounts

Member Of – list of group memberships with <Add…> and <Remove> buttons

Users Node (Page 4)

The Properties tabs (cont.):

Profile – defines:

Alternate location for the user's profile (by default stored in "c:\Documents and Settings\username")

Name of an optional logon script that executes after successful login

Alternate home directory, either a local folder or mapped network drive (by default "c:\Documents and Settings\username\My Documents")


Activity

Create an MMC console with the "Local Users and Groups" snap-in

Save it on the Desktop as filename "Local Users and Groups.msc"

Activity 5-4

Create a local account with the "Local Users and Groups" MMC console snap-in:

Username – BobTemp

Full Name – Bob Smith

Description – A temporary account for Bob

Password – provide and confirm

User must change password at next logon – deselected

Activity 5-5

Add the BobTemp account to the Power Users group from "User Accounts"

Found on the Member Of tab of Properties

Requires clicking the <Advanced> button, then the <Find Now> button

Planning Groups and System Groups

Plan well in advance how groups are to be managed

Pair groups with resources

Some sample organizational groupings:

Organizational units or departments

Authorized users of applications

Events, projects or special assignments

Location or geography

Individual function or job description

Working with Default Groups (Page 1)

Administrators: full access; the local Administrator account is always a member

Backup Operators: has the ability to back up and restore all files and folders; no default members

Guests: can operate the computer and save files; cannot install programs or alter system settings; default member of the group: Guest

Working with Default Groups (Page 2)

Network Configuration Operators: able to configure network components; no default members

Power Users: can modify the computer and create user accounts, share resources and install programs; cannot access files that belong to others; no default members

Remote Desktop Users: can log on remotely; no default users

Working with Default Groups (Page 3)

Replicator: facilitates directory replication between systems and domains; no default users

Users: able to operate computer and save files; cannot install programs, modify user accounts, share resources, or alter system settings; all new users are default members

HelpServicesGroup: used by Microsoft's "Help and Support" center to provide remote support

Groups Node (Page 1)

Creating a new group account:

1. Select Group node within the Local Users and Groups node

2. With no group selected, click Action, then New Group… from the menu bar, or right-click on any white space in the list (right) frame and select New Group…

3. Fill in Group Name and Description

4. The <Add…> button is for adding user accounts to the group

5. Click the <Create> button when finished

Groups Node (Page 2)

Select any group account and click the Action command from the menu bar (or right-click any group account name) to:

Add (new user accounts) to group

Delete group account

Rename group account

View group account properties

Help

Groups Node (Page 3)

The Properties window for user accounts has one tab:

General – update the Description, and display list of group members with <Add…> and <Remove> buttons

Activity 5-6

Create a local group account and add user account BobTemp to the group with the "Local Users and Groups" MMC console snap-in:

Group name – SalesGroup

Description – Members of the Sales Department

Requires first clicking the <Add…> button in "Properties", then the <Advanced> button, and then the <Find Now> button

User Profiles

Collection of desktop and environmental configurations

Computer maintains a profile for each user: material such as Application data, My Documents, cookies, etc.

A new profile is created for a user at the first successful logon, even for the Guest account

Local Profiles

Set of specifications and preferences for an individual user

Stored on the local machine residing in the %username% subdirectory beneath the \Documents and Settings directory

Set up by example, as the user modifies the system

Saved on logout

Roaming Profiles (Page 1)

Roaming profiles are user profiles that are stored on the server

Each time the user logs on, their profile is requested and sent to whatever machine makes the request

Default path designation: \\computername\username

Roaming Profiles (Page 2)

To create a roaming profile:

1. Click Start, right-click My Computer, and select Properties from the shortcut menu

2. Click the Advanced tab, and then click Settings under "User Profiles"

3. In the Profiles stored on this computer list, click the profile that you want

4. To change the type of profile, click Change Type, click Roaming profile, and then click the <OK> button

Activity

On the Desktop create a shortcut for the previously created "Local Users and Groups" MMC console

Now move the console itself (not the shortcut) to your "My Documents" folder

Create a new folder named Consoles in "C:\Documents and Settings\username\Start Menu\Programs"; move the shortcut to it

Now click Start menu, Programs, etc.

Application of Local and Group Policies

Several security and access controls

Local computer group policy is managed from a Windows XP Professional system

Found in the "Local Security Settings" dialog of the Administrative Tools applet in Control Panel

Group policies (GPOs) can be defined for the domain, sites, and organizational units (OUs) from Active Directory


Local Security Settings Console

Password Policy (Page 1)

Defines the restrictions on passwords

Restrictions include:

Enforce password history – to prevent reuse of old passwords

Maximum password age – how often it must be reset

Minimum password age – how long before it can be changed

Password Policy (Page 2)

Restrictions include (cont.):

Minimum password length – minimum characters in the password

Password must meet complexity requirements – as defined by Microsoft, i.e. minimum number of alphabetic characters, plus minimum number of numeric characters

Activity 5-11 (Part 1)

Update password policies: Security Settings, Account Policies, Password Policy

Enforce password history – 5

Maximum password age – 60

Minimum password age – 2

Minimum password length – 6

Account Lockout Policy (Page 1)

Conditions that result when a user account is locked out from too many failed login attempts

Used to prevent brute force attacks against user accounts

Account Lockout Policy (Page 2)

Policy items include:

Account lockout threshold – number of failed logins before account locked out

Account lockout duration – minutes account remains locked out; if set to zero, requires administrative action to unlock

Reset account lockout counter after – length of time before lockout counter resets

Activity 5-11 (Part 2)

Update password policies: Security Settings, Account Policies, Account Lockout Policy

Account lockout threshold – 3

Account lockout duration – 30

Reset account lockout after – 15

Audit Policy

Defines events recorded in Security log of Event Viewer (covered in Chapter 6)

Used to track resource usage

Items (not full list):

Audit directory service access (access to "Active Directory")

Audit logon events

Audit account logon events

Audit system events

Activity 5-11 (Part 3)

Update password policies: Security Settings, Local Policies, Audit Policy

Audit logon events – Failure

Audit system events – Failure
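Added example (not part of the course material): one way to verify a workstation against the Activity 5-11 values is to export the local policy with `secedit /export` and compare the [System Access] and [Event Audit] entries. The export below is a constructed sample, and the function names are this example's own.

```python
import codecs

# Targets from Activity 5-11 (Parts 1-3). Key names are the ones written by
# "secedit /export"; in [Event Audit] 1 = Success, 2 = Failure, 3 = both.
BASELINE = [
    ("System Access", "PasswordHistorySize", 5, "equal", "Enforce password history"),
    ("System Access", "MaximumPasswordAge", 60, "equal", "Maximum password age"),
    ("System Access", "MinimumPasswordAge", 2, "equal", "Minimum password age"),
    ("System Access", "MinimumPasswordLength", 6, "equal", "Minimum password length"),
    ("System Access", "LockoutBadCount", 3, "equal", "Account lockout threshold"),
    ("System Access", "LockoutDuration", 30, "equal", "Account lockout duration"),
    ("System Access", "ResetLockoutCount", 15, "equal", "Reset account lockout after"),
    ("Event Audit", "AuditLogonEvents", 2, "flag", "Audit logon events (Failure)"),
    ("Event Audit", "AuditSystemEvents", 2, "flag", "Audit system events (Failure)"),
]


def decode_export(raw):
    """secedit writes UTF-16 with a byte-order mark; accept UTF-8 copies too."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_inf(text):
    """Return {section: {key: value}} for a security template (.inf) file."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def audit_export(raw):
    """Compare an exported policy (bytes) with BASELINE; return the deviations."""
    sections = parse_inf(decode_export(raw))
    findings = []
    for section, key, want, mode, label in BASELINE:
        value = sections.get(section, {}).get(key)
        if value is None:
            # The lockout duration/reset keys are absent while the threshold is 0.
            findings.append(f"{label}: {key} is not set in [{section}]")
            continue
        try:
            have = int(value)
        except ValueError:
            findings.append(f"{label}: {key} has non-numeric value {value!r}")
            continue
        if mode == "flag" and have & want != want:
            findings.append(f"{label}: {key} = {have}, Failure auditing is off")
        elif mode == "equal" and have != want:
            findings.append(f"{label}: {key} = {have}, activity sets {want}")
    return findings


# Constructed sample resembling an unconfigured workstation (not captured output).
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
[Version]
signature="$CHICAGO$"
Revision=1
""".encode("utf-16")

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(finding)
```
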

User Rights Assignment

Defines who (which groups or users) can perform the specific privileged action

Items (not full list):

Access this computer from the network

Add workstations to domain

Back up files and directories

Change the system time

Load and unload device drivers

Profile single process

Shut down the system

Activity 5-12

Update password policies: Security Settings, Local Policies, User Rights Assignment

Add workstations to domain – Power Users

Security Options

Controls a wide variety of security features, functions, and controls of environment

Items (not full list):

Accounts: including enabling and renaming Administrator and Guest accounts

Devices: access to and installation options

Domain member: requirements

Interactive logon: modifying logon process

Microsoft network server: behaviors

Customizing the Logon Process

The Administrator can alter the default logon process by modifying Winlogon, the process that produces the logon dialog, i.e.:

Deactivating Ctrl+Alt+Delete to start logon

Disabling display of the last username

Adding a security warning message

Disabling the shutdown button

Changing the shell

Automating logons

Automatic account lockout

Deactivating <Ctrl>+<Alt>+<Delete> to Start Logon

Access to the Windows Classic logon window usually is initiated by pressing together the keys <Ctrl>+<Alt>+<Delete>

Forces the XP security logon sequence

However, the requirement can be disabled

Edit with the Local Security Policy dialog in "Administrative Tools" (Security Options): Interactive logon: Do not require Ctrl+Alt+Delete set to "Enabled"

Activity

Deactivate <Ctrl>+<Alt>+<Delete> for Windows Classic logon dialog: Security Settings, Local Policies, Security Options

Interactive logon: Do not require CTRL + ALT + DELETE – Enabled

Disabling the Default Username (Page 1)

By default the Classic Logon Window displays the name of the last user to log on

May not be secure if the workstation often is left unattended

Edit with the Local Security Policy dialog in "Administrative Tools" (Security Options): Interactive logon: Do not display last username set to "Enabled"

Activity 6-3

Disabling the default username for Windows Classic logon dialog: Security Settings, Local Policies, Security Options

Interactive logon: Do not display last username – Enabled

Disabling the Default Username (Page 2)

Many security values also can be viewed and even updated directly in the Registry

To view the display of last username value in the registry, run the "regedit" command from Start menu, Run

Disabling the Default Username (Page 3)

Locate the key at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Select the DontDisplayLastUserName value and change it: display of last username enabled = "0", disabled = "1"

Adding Security Warning Message (Page 1)

Might be legally obligated to add a warning message for unauthorized usage

Edit with the Local Security Policy dialog in "Administrative Tools" (Security Options):

Interactive logon: Message text for users attempting to logon – set to any warning message

Interactive logon: Message title for users attempting to logon – title bar text

Activity 6-4

Adding a security warning caption and message before logon: Security Settings, Local Policies, Security Options

Interactive logon: Message text for users attempting to logon – Authorized CS28 users only! Unauthorized access will be punished to the full extent of the law

Interactive logon: Message title for users attempting to logon – Warning!

Adding Security Warning Message (Page 2)

To modify the warning title and text in the registry, locate their keys at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Select the following:

LegalNoticeCaption – title bar text

LegalNoticeText – the text message

Disabling the Shutdown Button (Page 1)

Windows XP logon window includes a Shutdown button

Disabling it eliminates the potential for unwanted system shutdowns

Edit with the Local Security Policy dialog in "Administrative Tools" (Security Options): Shutdown: Allow system to be shut down without having to log on set to "Disabled"

Machine still can be physically powered off


Activity

Disable the shutdown button:
  Security Settings > Local Policies > Security Options
  Shutdown: Allow system to be shut down without having to log on – Disabled


Disabling the Shutdown Button (Page 2)

To disable the shutdown button in the registry, locate the key at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Select the ShutdownWithoutLogon value and change it:
  Enabled = "1"
  Disabled = "0"


Automating Logons (Page 1)

Values for username and password can be coded into the Registry to automate logons

When enabled, the login dialog is bypassed

Execute "regedit" from Start menu > Run

Locate the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


Automating Logons (Page 2)

Registry settings:
  DefaultDomainName – only when logging into a domain
  DefaultUserName – your logon name
  DefaultPassword – delete this key if automatic logon is not turned on
  AutoAdminLogon – value set to "1" to automate login

(Keys that do not exist must be created – right-click on parent node and select the command New > String)


Activity

Turn on automatic logon:
  DefaultDomainName – not required (should be your computer name)
  DefaultUserName – your account name
  DefaultPassword – create this key if it does not already exist; leave blank if there is no password
  AutoAdminLogon – 1


Automating Logons (Page 3)

Dialog window to control automatic logons:
  Execute "control userpasswords2" from Start menu > Run
  In new window select the account you wish to make the primary logon
  Unselect "Users must enter a username and password..." checkbox
  Click <Apply> and a dialog box will appear asking you to confirm password
  Click <OK> when you are done
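
An added example, not part of the original slides: a Python check that reads the text output of `reg query` for the Winlogon key and reports the logon settings covered on these pages, including a DefaultPassword value, which the registry holds as plain text. The function names and the sample output are constructed for illustration; the expected values follow the slides (DontDisplayLastUserName = 1, ShutdownWithoutLogon = 0, a non-empty legal notice, no automatic logon).

```python
import re

# Constructed sample: `reg query` text for the Winlogon key on a lab machine.
SAMPLE = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
    "    AutoAdminLogon\tREG_SZ\t1\n"
    "    DefaultUserName\tREG_SZ\tlabuser\n"
    "    DefaultPassword\tREG_SZ\tExamplePass1\n"
    "    DontDisplayLastUserName\tREG_SZ\t0\n"
    "    LegalNoticeCaption\tREG_SZ\tWarning!\n"
    "    LegalNoticeText\tREG_SZ\t\n"
    "    ShutdownWithoutLogon    REG_DWORD    0x1\n"
)

# name, type, data; separators are tabs or runs of spaces depending on reg.exe version
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)[ \t]*(.*)$")

def parse_reg_query(text):
    """Map lower-cased value name -> data string (names with spaces are skipped)."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values

def audit_winlogon(values):
    """Return (value name, finding) pairs; never echoes DefaultPassword data."""
    def flag(name):
        try:
            return int(values.get(name.lower(), ""), 0)  # accepts "1" and "0x1"
        except ValueError:
            return None  # missing or non-numeric

    findings = []
    if flag("DontDisplayLastUserName") != 1:
        findings.append(("DontDisplayLastUserName", "last username is shown at logon"))
    for name in ("LegalNoticeCaption", "LegalNoticeText"):
        if not values.get(name.lower()):
            findings.append((name, "logon warning is missing or empty"))
    if flag("ShutdownWithoutLogon") != 0:
        findings.append(("ShutdownWithoutLogon", "shutdown allowed without logging on"))
    if flag("AutoAdminLogon") == 1:
        findings.append(("AutoAdminLogon", "logon dialog is bypassed"))
    if values.get("defaultpassword"):
        findings.append(("DefaultPassword", "password stored in plain text"))
    elif "defaultpassword" in values and flag("AutoAdminLogon") != 1:
        findings.append(("DefaultPassword", "unused value should be deleted"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_winlogon(parse_reg_query(SAMPLE)):
        print(f"{name}: {finding}")
```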


Files and Settings Transfer Wizard

Move data files and personal desktop settings from another computer to new Windows XP Professional system

Must have some sort of network connection between the two systems

Transfer files from Windows 95, 98, SE, Me, NT, 2000, or XP systems

Transfer process can take considerable time


Activity 5-13

Transfer files and settings using the "Files and Settings Transfer Wizard"

Start menu Programs Quit at the Auto detect


User State Migration Tool (USMT) (Page 1)

Alternate to "Files and Settings Transfer Wizard" which also supports migration of user data from:
  Windows 9x
  Windows NT Workstation 4.0
  Windows 2000 Professional
… to a Windows XP Professional system

Permits administrators to fully customize specific settings such as modifications to the registry


User State Migration Tool (USMT) (Page 2)

The utilities are:
  ScanState.exe – collects user data and settings based on the information that is contained in the Migapp.inf, Migsys.inf, Miguser.inf and Sysfiles.inf files
  LoadState.exe – deposits user-state data on computer running clean (not upgraded) installation of Windows XP Professional

Requires client computer be connected to a Microsoft Windows server-based domain controller


Project--not from the textbook
