Windows XP Users, Groups, Profiles and Policies 70-270: MCSE Guide to Microsoft Windows XP...
-
Upload
leonard-willis -
Category
Documents
-
view
217 -
download
3
Transcript of Windows XP Users, Groups, Profiles and Policies 70-270: MCSE Guide to Microsoft Windows XP...
Windows XP Users, Groups, Profiles and Policies
70-270: MCSE Guide to Microsoft Windows XP Professional
Windows XP Professional User Accounts
Designed for use as a network client for: Windows NT Windows 2000 Windows Server 2003
Member of a workgroup Standalone operating system when more
than one user is using the computer Home or business environment
Types of Windows XP Professional User Accounts
Local user account Exists on a single computer Can provide access to resources if the user
is a member in a workgroup No domain access
Domain user account Created on a domain controller using "Active
Directory" and exists throughout the domain Available on any domain member computer
User Account Details
Uniquely identified to the system by user account name and password Provides secure access to authorized users
Preferences are environmental settings that are stored in a profile Desktop, Favorites, My Documents, Start
Menu, Internet files and Cookies, etc.
Accounts Interaction with an XP Professional System (Page 1)
Standalone system, automatic logon— All users access local resources through a
"common user account" that automatically logins in when computer starts
Standalone system— Each user logs into system with access to
"their own" local resources
Accounts Interaction with an XP Professional System (Page 2)
Workgroup member— Users login to an account both local and
shared resources Domain network client—
Users login to system with a unique domain user account to gain access to local and domain resources
Supporting More Than One User
Multiple-user systems—support more than one user on the same machine, either on a single computer or in a domain
Implemented through: Groups Resources Policies Profiles
Groups
Named collections of user accounts One user account may be a member of
more than one group Members of group receive access rights
and restrictions for that group Local groups are created using Windows
XP professional and provide privileges at the machine level
Resources
Useful objects including printers, shared directories, software applications, etc.
Limited to a single user, group or all users on a machine or within a network
Policies
A set of configuration options for a user, computer or group: Define password restrictions, i.e.
Is the user required to change their password at prescribed intervals?
Account lockouts, i.e. What happens if a user enters an incorrect
login several times in sequence? User rights Event auditing
Profiles
User environmental settings including Desktop, Favorites, My Documents, Start Menu, etc.
A local profile exists on local computer A domain profile follows a user no matter
which computer he/she logons to in the domain
Types of Logon
Two types: Windows Welcome Logon Method Classic Logon Method
Changing between the login types is found in "User Accounts" applet in Control Panel
Logon authentication has two purposes: Maintain security Track computer usage
Windows Welcome Logon Method (Page 1)
Completely new logon method designed for use on standalone or workgroup member systems
Not available when the Windows XP client is a member of a domain
Displayed as a list of user accounts each with its own icon which the user clicks
For accounts with password, user is prompted for it before access is granted
View Windows Welcome Logon Screen
Windows Welcome Logon Method (Page 1)
Last slide viewed
Windows Welcome Logon Method (Page 2)
To turn the Welcome screen on or off:1. Open User Accounts in Control Panel
2. Click Change the way users log on or off command
3. Do one of the following: Specify that users log onto computer using the
Welcome screen, select the Use the Welcome screen check box
Specify that users log onto computer using "Windows Classic Logon" dialog, clear the Use the Welcome screen check box
View Classic Logon DialogView Windows Welcome Logon Screen
Windows Welcome Logon Method (Page 3)
Fast User Switching: Allows switching from one user to another
without logging off (not in a domain and only for Welcome Screen logon)
Also updated in "User Accounts" from Change the way users log on or off
From "Start" menu, select the Log Off… command; then in the "Logoff Windows" dialog click the <Switch User> button
When switching back, environment and all programs that were active are restored
Activity
Turn on Fast User Switching in the "User Accounts" applet
Activate the Guest account and then practice switching between it and your user account
Classic Logon Method
Press the <Ctrl>+<Alt>+<Delete> key combination to access the "WinLogon" security dialog box
Required for domain member systems Selected automatically when a Windows
XP system becomes part of a domain No user switching available
Must log off computer to make it available to the next user
View Classic Logon Dialog
Classic Logon Method
Last slide viewed
Activity
In the "User Accounts" applet change between the "Windows Welcome" and "Classic" logon methods
Try logging on using each
Logging On to Windows XP
When Windows XP Professional first is installed, two accounts are automatically created Administrator Guest
Administrator (Page 1)
Most powerful user account possible Unlimited access and unrestricted
privileges to manage users, groups, O/S environment, printers, shares, storage devices, etc.
Must be protected from misuse Complicated password should be used Account should be renamed
Administrator (Page 2)
The original Administrator account: Cannot be deleted Cannot be locked out (occurs when user
attempts to logon unsuccessfully) Can be disabled (only performed manually by
another administrator account) Can have a blank password (not recommended) Can be renamed (recommended) Cannot be removed from Administrators local
group
Guest (Page 1)
One of the least privileged user accounts Limited access to resources and computer
activities Account should be renamed Member of the "Everyone" group Recommended to leave account disabled
since by default all new objects and shares give full control for group "Everyone"
Guest (Page 2)
The original Guest account: Cannot be deleted Can be locked out Can be disabled (disabled by default) Can have a blank password (blank by default) Can be renamed (recommended) Can be removed from the Guests local group
Naming Conventions (Page 1)
A predetermined process should be used for creating names on either a network or a standalone system A convention is an accepted practice
within an organization or even industry-wide
Important since networks usually tend to grow very quickly
Naming Conventions (Page 2)
Should incorporate a schemes for naming: User accounts Computers Directories Network shares Printers Servers
Naming Conventions (Page 3)
Two common conventions: User name employs first and last name,
and a code indicating user's department Group name represents the organization of
the firm: department, location, project name, and/or combination of the above
Naming Conventions (Page 4)
Needs to be: Consistent Easy to use and understand Easy to create new names using the
convention (variations are predetermined) Clearly identify the object's type
Managing Local User Accounts
Two types of local accounts: Accounts created from scratch locally Local representations of domain/network
user accounts User Accounts applet
Used to create local representation (only for a domain client)
In a standalone system, applet becomes a task wizard with easy-to-follow tasks
User Accounts Applet in a Domain
Users tab Lists active users Add New User wizard to add users
Advanced tab Access to
Password and passport management Advanced user management Secure logon settings
User Accounts Applet in a Domain
Last slide viewed
User Accounts Applet in a Domain
Add a User in a Domain
User Accounts applet
To find the userin the domain
To find the userin the domain
Add a User in a Domain
User Accounts applet
Properties in a Domain
User Accounts applet
User Accounts Applet for a Standalone Computer
User Accounts Applet for a Standalone Computer
Activity
Create a new user account named Jan Walters using the "User Accounts" applet Limited privileges No password
Local Users and Groups Console
Found in "Computer Management" applet of Administrative Tools Console tree nodes (in left frame) are Users and Groups The list frame (on the right) shows the names of the user and/or
group accounts "Local Users and Groups" MMC snap-in also can be used to create
and manage user accounts and groups
Local Users and Groups (Computer Management Console)
Local Users and Groups MMC Console
Local Users and Groups MMC Console
Users Node (Page 1)
Creating a new user account:1. Select User node within the Local Users and Groups node
2. With no user selected, click Action New User… from the menu bar Or right-click on any white space in list (right) frame and select New
User…
3. Fill-in form and click the <Create> button
Users Node (Page 2)
Select any user account and click Action from menu bar (or right-click any user account name) to: Set (reset) password Delete user account Rename user account View user account properties Help
Users Node (Page 3)
The Properties window for user accounts has three tabs: General – update Fullname and Description, modify
password properties, enable/disable the account, and manage locked out accounts
Member Of – list of group memberships with <Add…> and <Remove> buttons
Users Node (Page 4)
The Properties (con.): Profile – defines:
Alternate location for the user's profile By default stored in "c:\Documents and Settings\username"
Name of an optional logon script that executes after successful login Alternate home directory, either a local folder or mapped network drive
By default "c:\Documents and Settings\username\My Documents"
Activity
Create an MMC console with the "Local Users and Groups" snap-in
Save it on the Desktop as filename "Local Users and Groups.msc"
Activity 5-4
Create a local account with the "Local Users and Groups" MMC console snap-in Username – BobTemp Full Name – Bob Smith Description – A temporary account for Bob Password – provide and confirm User must change password at next logon –
deselected
Activity 5-5
Add BobTemp account to the PowerUsers group from "User Accounts" Found on the Members Of tab of Properties Requires clicking the <Advanced> button,
then the <Find Now> button
Planning Groups and System Groups
Plan well in advance how to groups are to be managed
Pair groups with resources Some sample organizational groupings:
Organizational units or departments Authorized users of applications Events, projects or special assignments Location or geography Individual function or job description
Working with Default Groups (Page 1)
Administrators Full access; the local Administrator account is
always a member Backup Operators
Has the ability to backup and restore all files and folders; no default members
Guests Can operate the computer and save files;
cannot install programs or alter system settings; default member of group Guest
Working with Default Groups (Page 2)
Network Configuration Operators Able to configure network components; no
default members Power Users
Can modify the computer and create user accounts, share resources and install programs; cannot access files that belong to others; no default members
Remote Desktop Users Can logon remotely; no default users
Working with Default Groups (Page 3)
Replicator Facilitates directory replication between systems
and domains; no default users Users
Able to operate computer and save files; cannot install programs; modify user accounts, share resources, or alter system settings; all new users are default members
HelpServicesGroup Used by Microsoft's "Help and Support" center to
provide remote support
Groups Node (Page 1)
Creating a new group account:1. Select Group node within the Local Users and Groups node
2. With no group selected, click Action New Group… from the menu bar Or right-click on any white space in list (right) frame and select New Group…
3. Fill-in Group Name and Description
4. The <Add…> button is for adding user accounts to the group
5. Click <Create> button when finished
Groups Node (Page 2)
Select any group account and click the Action command from menu bar (or right-click any group account name) to: Add (new user accounts) to group Delete group account Rename group account View group account properties Help
Groups Node (Page 3)
The Properties window for user accounts has one tab: General – update the Description, and display
list of group members with <Add…> and <Remove> buttons
Activity 5-6
Create a local group account and add user account BobTemp to group with the "Local Users and Groups" MMC console snap-in Group name – SalesGroup Description – Members of the Sales
Department Requires first clicking the <Add…> button in
"Properties", then the <Advanced> button, and then the <Find Now> button
User Profiles
Collection of desktop and environmental configurations
Computer maintains profile for each user Material such as Application data, My
Documents, cookies, etc. A new profile is created for a user at the
first successful logon Even for the Guest account
Local Profiles
Set of specifications and preferences for an individual user
Stored on the local machine residing in the %username% subdirectory beneath the \Documents and Settings directory
Set up by example As the user modifies the system
Saved on logout
Roaming Profiles (Page 1)
Roaming profiles are user profiles that are stored in the server
Each time the user logs on, their profile is requested and sent to whatever machine makes the request
Default path designation: \\computername\username
Roaming Profiles (Page 2)
To create a roaming profile:1. Click Start, right-click My Computer, and
select Properties from shortcut menu
2. Click the Advanced tab, and then click Settings under "User Profiles"
3. In the Profiles stored on this computer list, click the profile that you want
4. To change the type of profile, click Change Type, click Roaming profile, and then click <OK> button
Activity
On the Desktop create a shortcut for the previously created "Local Users and Groups" MMC console
Now move the console itself (not the shortcut) to your "My Documents" folder
Create a new folder named Consoles in "C:\Documents and Settings\username\Start Menu\Programs"; move the shortcut to it
Now click Start menu Programs etc.
Application of Local and Group Policies
Several security and access controls Local computer group policy is managed
from a Windows XP Professional system Found in "Local Security Settings" dialog of
Administrative Tools applet in Control Panel Group policies (GPOs) can be defined for
the domain, sites, and organizational units (OUs) from Active Directory
Local Security Settings Console
Password Policy (Page 1)
Defines the restrictions on passwords Restrictions include:
Enforce password history – to prevent reuse of old passwords Maximum password age – how often it must be reset Minimum password age – how long before it can be changed
Password Policy screen
Password Policy (Page 2)
Restrictions include (con.): Minimum password length – minimum characters in the
password Password must meet complexity requirements – as
defined by Microsoft, i.e. minimum number of alphabetic characters, plus minimum number of numeric characters
Password Policy screen
Password Policy
Last slide viewed
Activity 5-11 (Part 1)
Update password policies: Security Settings
Account PoliciesPassword Policy
Enforce password history – 5 Maximum password age – 60 Minimum password age – 2 Minimum password length – 6
Account Lockout Policy (Page 1)
Conditions that result when a user account is locked out from too may failed login attempts
Used to prevent brute force attacks against user accounts
Account Lockout Policy
Account Lockout Policy (Page 2)
Policy items include: Account lockout threshold – number of
failed logins before account locked out Account lockout duration – minutes
account remains locked out; if set to zero, requires administrative action to unlock
Reset account lockout counter after – length of time before lockout counter resets
Account Lockout Policy
Account Lockout Policy
Last slide viewed
Activity 5-11 (Part 2)
Update password policies: Security Settings
Account PoliciesAccount Lockout Policy
Account lockout threshold – 3 Account lockout duration – 30 Reset account lockout after – 15
Audit Policy
Defines events recorded in Security log of Event Viewer (covered in Chapter 6)
Used to track resource usage Items (not full list):
Audit directory service access (access to "Active Directory")
Audit logon events Audit account logon events Audit system events
Audit Policy
Audit Policy
Last slide viewed
Activity 5-11 (Part 3)
Update password policies: Security Settings
Local PoliciesAudit Policy
Audit logon events – Failure Audit system events – Failure
User Rights Assignment
Defines who (which groups or users) can perform the specific privileged action
Items (not full list): Access this computer from the network Add workstations to domain Back up files and directories Change the system time Load and unload device drivers Profile single process Shut down the system
User Rights Assignment
User Rights Assignment
Last slide viewed
Activity 5-12
Update password policies: Security Settings
Local PoliciesUser Rights Assignment
Add workstations to domain – Power Users
Security Options
Controls a wide variety of security features, functions, and controls of environment
Items (not full list): Accounts—including enabling and
renaming Administrator and Guest accounts Devices—access to and installation options Domain member—requirements Interactive logon—modifying logon process Microsoft network server—behaviors
Security Options
Security Options
Last slide viewed
Customizing the Logon Process
The Administrator can alter the default logon process by modifying Winlogon, the process that produces the logon dialog, i.e. Deactivating Ctrl+Alt+Delete to start logon Disabling display of the last username Adding a security warning message Disabling the shutdown button Changing the shell Automating logons Automatic account lockout
Deactivating <Ctrl>+<Alt>+<Delete> to Start Logon
Access to Windows Classic logon window usually is initiated by pressing together the keys <Ctrl>+<Alt>+<Delete>
Forces the XP security logon sequence However requirement can be disabled Edit with Local Security Policy dialog in
"Administrative Tools" (Security Options): Interactive logon: Do not require
Ctrl+Alt+Delete set to "Enabled"
Activity
Deactivate <Ctrl>+<Alt>+<Delete> for Windows Classic logon dialog: Security Settings
Local PoliciesSecurity Options
Interactive logon: Do not require CTRL + ALT + DELETE – Enabled
Disabling the Default Username (Page 1)
By default the Classic Logon Window displays name of the last user to logon
May not be secure if the workstation often is left unattended
Edit with Local Security Policy dialog in "Administrative Tools" (Security Options): Interactive logon: Do not display last
username set to "Enabled"
Activity 6-3
Disabling the default username for Windows Classic logon dialog: Security Settings
Local PoliciesSecurity Options
Interactive logon: Do not display last username – Enabled
Disabling the Default Username (Page 2)
Many security values also can be viewed and even updated directly in the Registry
To view display of last username value in the registry, run the "regedit" command from Start menu Run
Disabling the Default Username (Page 3)
Locate the key at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogin
Select the DontDisplayLastUserName value and change it: Enabled = "0" Disabled = "1"
Adding Security Warning Message (Page 1)
Might be legally obligated to add a warning message for unauthorized usage
Edit with Local Security Policy dialog in "Administrative Tools" (Security Options): Interactive logon: Message text for
users attempting to logon–set to any warning message
Interactive logon: Message title for users attempting to logon–title bar text
Activity 6-4
Adding a security warning caption and message before logon: Security Settings
Local PoliciesSecurity Options
Interactive logon: Message text for users attempting to logon – Authorized CS28 users only! Unauthorized access will be punished to the full extent of the law
Interactive logon: Message title for users attempting to logon – Warning!
Adding Security Warning Message (Page 2)
To modify the warning title and text in the registry, locate their keys at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogin
Select the following: LegalNoticeCaption – title bar text LegalNoticeText – the text message
Disabling the Shutdown Button (Page 1)
Windows XP logon window includes Shutdown button Eliminates the potential for unwanted
system shutdowns Edit with Local Security Policy dialog in
"Administrative Tools" (Security Options): Shutdown: Allow system to be shut down
without having to log on set to "Disabled" Machine still can be physically powered-off
Activity
Disable the shutdown button: Security Settings
Local PoliciesSecurity Options
Shutdown: Allow system to be shut down without having to log on – Disabled
Disabling the Shutdown Button (Page 2)
To disable the shutdown button in the registry, locate the key at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogin
Select the ShutdownWithoutLogon value and change it: Enabled = "1" Disabled = "0"
Automating Logons (Page 1)
Values for username and password can be coded into Registry to automate logons
When enabled, the login dialog is bypassed Execute "regedit" from Start menu Run Locate the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogin
Automating Logons (Page 2)
Registry settings: DefaultDomainName – only when logging into a
domain DefaultUserName – your logon name DefaultPassword – delete this key if automatic
logon is not turned on AutoAdminLogon – value set to "1" to automate
login (Keys that do not exist must be created – right-click
on parent node and select the command New String)
Activity
Turn on automatic logon: DefaultDomainName – not required
(should be your computer name) DefaultUserName – your account name DefaultPassword – create this key if it
already does not exist; leave blank if there is no password
AutoAdminLogon – 1
Automating Logons (Page 3)
Dialog window to control automatic logons: Execute "control userpasswords2 " from Start
menu Run In new window select the account you wish to
make the primary logon Unselect "Users must enter a username and
password..." checkbox Click <Apply> and a dialog box will appear
asking you to confirm password Click <OK> when you are done
Files and Settings Transfer Wizard
Move data files and personal desktop settings from another computer to new Windows XP Professional system
Must have some sort of network connection between the two systems
Transfer files from Windows 95, 98, SE, Me, NT, 2000, or XP systems
Transfer process can take considerable time
Activity 5-13
Transfer files and settings using the "Files and Settings Transfer Wizard"
Start menu Programs Quit at the Auto detect
User State Migration Tool (USMT) (Page 1)
Alternate to "Files and Settings Transfer Wizard" which also supports migration of user data from: Windows 9x Windows NT Workstation 4.0 Windows 2000 Professional
… to a Windows XP Professional system Permits administrators to fully customize
specific settings such as modifications to the registry
User State Migration Tool (USMT) (Page 2)
The utilities are: ScanState.exe – collects user data and settings
based on the information that is contained in the Migapp.inf, Migsys.inf, Miguser.inf and Sysfiles.inf files
LoadState.exe – deposits user-state data on computer running clean (not upgraded) installation of Windows XP Professional
Requires client computer be connected to a Microsoft Windows server-based domain controller
Project--not from the textbook