Working with Users Working with Users and Groupsand Groups

Lesson 5

Skills MatrixSkills Matrix

Technology Skill Objective Domain Objective #

Introducing User Account Control

Configure and troubleshoot User Account Control

3.1

Understanding User Account Control

Configure and troubleshoot User Account Control

3.1

Understanding Recommended UAC Practices

Configure user accounts to run as standard users

3.1

Skills MatrixSkills Matrix

Technology Skill Objective Domain Objective #

Performing Administrative Tasks with a Standard User Account

Elevate user privileges 3.1

Configuring User Account Control

• Use local security policies to configure User Account Control• Disable Secure Desktop

3.1

Chapter 5Chapter 5

Understanding Local and Domain Users

Workgroups

Domains

Chapter 5Chapter 5

Local User Accounts

5

Chapter 5Chapter 5

Domain User Accounts

6

Chapter 5Chapter 5

Introducing Built-In Local Users

Administrator

New User Account

Guest

Chapter 5Chapter 5

Understanding Groups

8

Chapter 5Chapter 5

A collection of user accounts on a local computer

Assign permissions to resources on that computer

Created in the local security database

Understanding Local Groups

9

Chapter 5Chapter 5

Using Built-In Local Groups

Administrators

Backup Operators

Power Users

Guests

Remote Desktop Users

Users

Chapter 5Chapter 5

Introducing Special Identities

Everyone

Interactive

Network

Anonymous Logon

Authenticated Users

Creator Owner

Dialup

Chapter 5Chapter 5

Creating and Managing Users and Groups

User Accounts control panel

Local Users And Groups MMC snap-in

Chapter 5Chapter 5

Creating a New User Account -User Accounts Control Panel

Intended for users with less experience

Simplified interface

Limited access

Cannot create or manage groups

Chapter 5Chapter 5

Creating a New User Account –Local Users and Groups Snap-in

Gives more access to user account properties

Allows you to create and manage groups

Chapter 5Chapter 5

Creating a Local Group

Chapter 5Chapter 5

User Profile Types

Local user profile

Roaming user profile

Mandatory user profile

Chapter 5Chapter 5

User Account Control (UAC)

Because many users logon to the system using Administrative Accounts (leaving the system vulnerable to malware attacks) Microsoft implemented UAC

Administrative accounts are required to confirm when they want to perform tasks that require administrative access

Chapter 5Chapter 5

Configuring UAC Local Security Policies

You can configure the UAC Local Security Policy in Administrative Tools > Local Security Policy > Scroll down to the User Account Control policies

Chapter 5Chapter 5

Configuring Password Policies

Chapter 5Chapter 5

You Learned

The user account is the fundamental unit of identity in the Windows operating systems.

A group is an identifying token that Windows uses to represent a collection of users.

Chapter 5Chapter 5

You Learned (cont.)

A workgroup is a collection of computers that are all peers. A peer network is one in which every computer can function as both a server, by sharing its resources with other computers, and a client, by accessing the shared resources on other computers.

A domain is a collection of computers that all utilize a central directory service for authentication and authorization.

Chapter 5Chapter 5

You Learned (cont.)

Windows Vista includes a number of built-in local groups that are already equipped with the permissions and rights needed to perform certain tasks.

A special identity is essentially a placeholder for a collection of users with a similar characteristic.

Chapter 5Chapter 5

You Learned (cont.)

Windows Vista provides two separate interfaces for creating and managing local user accounts: the User Accounts control panel and the Local Users And Group snap-in for the Microsoft Management Console (MMC).

A roaming user profile is simply a copy of a local user profile that is stored on a network share so that the user can access it from any computer on the network.

Chapter 5Chapter 5

You Learned (cont.)

A mandatory user profile is simply a read-only roaming user profile.

On a Windows Vista computer running User Account Control (UAC), a standard user still receives a standard user token, but an administrative user receives two tokens: one for standard user access and one for administrative user access.

Chapter 5Chapter 5

You Learned (cont.)

When a standard user attempts to perform a task that requires administrative privileges, the system displays a credential prompt, requesting that the user supply the name and password for an account with administrative privileges.

Chapter 5Chapter 5

You Learned (cont.)

When an administrator attempts to perform a task that requires administrative access, the system switches the account from the standard user token to the administrative token. This is known as Admin Approval Mode.

Chapter 5Chapter 5

You Learned (cont.)

Before the system permits the user to employ the administrative token, it requires the human user to confirm that he or she is actually trying to perform an administrative task. To do this, the system generates an elevation prompt.

Chapter 5Chapter 5

You Learned (cont.)

The secure desktop is an alternative to the interactive user desktop that Windows normally displays. When Vista generates an elevation or credential prompt, it switches to the secure desktop, suppressing the operation of all other desktop controls and permitting only Windows processes to interact with the prompt.

Chapter 5Chapter 5

You Learned (cont.)

User Account Control is enabled by default in all Windows Vista installations, but it is possible to configure several of its properties, or even disable it completely, using Local Security Policy.