
Chapter Five

Date post: 10-Jan-2016
Upload: lluvia
Transcript
Page 1: Chapter Five

Chapter Five

Users, Groups, Profiles, and Policies

Page 2: Chapter Five

Objectives

- Understand local users and groups
- Understand user policies
- Understand the local security policies
- Create and manage user accounts
- Create user profiles

Page 3: Chapter Five

Windows XP Professional User Accounts

- Local user accounts
  - Exist on a single computer and cannot be used in any manner with domain resources or to gain domain access of any kind
- Domain user accounts
  - Exist in a domain by virtue of being created on a domain controller

Page 4: Chapter Five

Windows XP Professional User Accounts

- Local groups
  - Group that exists only on the computer where it was created
  - Can have users and global groups as members
- On a Windows XP Professional system, user accounts are used to govern or control access

Page 5: Chapter Five

Windows XP Professional User Accounts

- A Windows XP Professional system can exist as a:
  - Standalone system
  - Workgroup member
  - Domain network client

Page 6: Chapter Five

Windows XP Professional User Accounts

- A Windows XP Professional local user account stores details about:
  - Security
  - Access permissions
  - Preferences
    - A user’s environmental settings and configuration preferences can be stored as a profile

Page 7: Chapter Five

Windows XP Professional User Accounts

- Password policy
  - Defines the restrictions on passwords
- Account lockout policy
  - Defines the conditions that result in a user account being locked out

Page 8: Chapter Five

Windows XP Professional User Accounts

- Audit policy
  - Defines the events that are recorded in the Security log of the Event Viewer
- Security options
  - Defines and controls various security features, functions, and controls of the Windows XP environment

Page 9: Chapter Five

Windows XP Professional User Accounts

- Windows XP implements its multiple-user system through the following:
  - Groups
  - Resources
  - Policies
  - Profiles

Page 10: Chapter Five

Logging Onto Windows XP

- Windows XP uses logon authentication for two purposes:
  - To maintain security and privacy within a network
  - To track computer usage by user account

Page 11: Chapter Five

Logging Onto Windows XP

- Windows XP supports two types of logons:
  - Windows Welcome
    - Completely new logon method to the Windows product line
  - Classic
    - This method is Ctrl+Alt+Delete

Page 12: Chapter Five

Administrator

- Administrator account
  - Most powerful user account possible within the Windows XP environment
- Administrator account has the following characteristics:
  - It cannot be deleted
  - It cannot be locked out

Page 13: Chapter Five

Administrator

- Administrator account has the following characteristics (cont.):
  - It can be disabled
  - It can have a blank password
  - It can be renamed
  - It cannot be removed from the Administrator local group

Page 14: Chapter Five

Guest

- Guest account
  - One of the least privileged user accounts in Windows XP
- Guest account has the following characteristics:
  - It cannot be deleted
  - It can be locked out

Page 15: Chapter Five

Guest

- Guest account has the following characteristics (cont.):
  - It can be disabled
  - It can have a blank password
  - It can be renamed
  - It can be removed from the Guest local group

Page 16: Chapter Five

Naming Conventions

- Predetermined process for creating names on a network or standalone system
- Should incorporate a scheme for user accounts, computers, directories, network shares, printers, and servers
- Should be descriptive enough so that anyone can figure out to which type of object the name corresponds

Page 17: Chapter Five

Naming Conventions

- Naming convention needs to address the following four elements:
  - Must be consistent across all objects
  - Must be easy to use and understand
  - New names should be easily constructed by mimicking the composition of existing names
  - An object’s name should clearly identify that object’s type

Page 18: Chapter Five

User Account Applets

Figure 5-1: User Accounts applet, User tab

Page 19: Chapter Five

User Account Applets

Figure 5-2: Add New User Wizard, user name and domain page

Page 20: Chapter Five

User Account Applets

Figure 5-3: Add New User Wizard, level of access page

Page 21: Chapter Five

User Account Applets

- Imported user account
  - A local account created by duplicating the name and password of an existing domain account
  - An imported account can be used only when the Windows XP Professional system is able to communicate with the domain of the original account

Page 22: Chapter Five

Local Users and Groups

Figure 5-4: Local Users and Groups, Users node

Page 23: Chapter Five

Users

Figure 5-5: A user account’s Properties dialog box, General tab

Page 24: Chapter Five

Users

Figure 5-6: A user account’s Properties dialog box, Member Of tab

Page 25: Chapter Five

Users

Figure 5-7: A user account’s Properties dialog box, Profile tab

Page 26: Chapter Five

Groups

- To provide the highest degree of control over resources, Windows XP uses two types of groups:
  - Local groups
    - Exist only on the computer where they are created
  - Global groups
    - Exist throughout a domain

Page 27: Chapter Five

Groups

Figure 5-8: Local Users and Groups, Groups node

Page 28: Chapter Five

System Groups and Other Important Groups

- Windows XP has several built-in system-controlled groups
- System-controlled groups are pre-existing groups that you cannot manage but that appear in dialog boxes when assigning group membership or access permissions
- These groups can be used by the system to control or place restrictions on specific groups of users based on their activities

Page 29: Chapter Five

User Profiles

- Collection of desktop and environmental configurations on a Windows XP system for a specific user or group of users
- By default, each Windows XP computer maintains a profile for each user who has logged on to the computer, except for Guest accounts
- Optionally, an administrator can force users to load a so-called mandatory profile

Page 30: Chapter Five

User Profiles

Figure 5-9: User Profiles dialog box

Page 31: Chapter Five

Local Profiles

- Set of specifications and preferences for an individual user, stored on a local machine
- Windows XP provides each user with a folder containing their profile settings
- Local profiles are established by default for each user who logs onto a particular machine

Page 32: Chapter Five

Roaming Profiles

- A roaming profile resides on a network server to make it broadly accessible
- When a user whose profile is designated as roaming logs onto any Windows XP system on the network, that profile is automatically downloaded when the user logs on
  - This process avoids having to store a local profile on each workstation that a user uses

Page 33: Chapter Five

Local Security Policy

- Windows XP has combined several security and access controls into a centralized policy:
  - This centralized policy is called the group policy
  - There are group policies for local computers, groups, domains, and organizational units

Page 34: Chapter Five

Password Policy

Figure 5-10: Local Security Settings, Password Policy selected

Page 35: Chapter Five

Account Lockout Policy

- The items in this policy are:
  - Account lockout threshold: 0 Invalid logon attempts
  - Account lockout duration: Not Defined
  - Reset account counter after: Not Defined
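
One way to check the lockout values on this slide outside the GUI, as an added example that is not part of the original slides: it parses the `[System Access]` section of a security template exported with `secedit /export /cfg`. The key names (`LockoutBadCount`, `LockoutDuration`, `ResetLockoutCount`) come from that template format rather than from the slides, the sample text is constructed, and the example assumes the duration and reset keys are absent when the threshold is 0.

```python
# Added example: audit account lockout settings in a `secedit /export` template.
# SAMPLE_INF is constructed for illustration, not captured from a real host.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
"""

def parse_system_access(inf_text):
    """Return the [System Access] section as a dict (ints where numeric)."""
    settings, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "system access"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            try:
                settings[key] = int(value)
            except ValueError:
                settings[key] = value.strip('"')
    return settings

def lockout_findings(settings):
    """Flag lockout settings that leave password guessing unthrottled."""
    threshold = settings.get("LockoutBadCount")
    if threshold is None:
        return ["lockout threshold is not defined in this template"]
    if threshold == 0:
        # Matches the slide: with a threshold of 0 the duration and reset
        # counter are "Not Defined", so their absence is not a separate finding.
        return ["LockoutBadCount = 0: accounts are never locked out"]
    findings = []
    for key in ("LockoutDuration", "ResetLockoutCount"):
        if not isinstance(settings.get(key), int):
            findings.append(f"{key} is not defined although a threshold is set")
    duration = settings.get("LockoutDuration")
    reset = settings.get("ResetLockoutCount")
    # The reset window must not be longer than a positive lockout duration.
    if isinstance(duration, int) and isinstance(reset, int) and 0 < duration < reset:
        findings.append("ResetLockoutCount exceeds LockoutDuration")
    return findings

if __name__ == "__main__":
    for finding in lockout_findings(parse_system_access(SAMPLE_INF)):
        print(finding)
```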

Page 36: Chapter Five

Audit Policy

- Defines the events that are recorded in the Security log of the Event Viewer
- Auditing is used to track resource usage
- Each item in this list can be set to audit the Success and/or Failure of the event

Page 37: Chapter Five

User Rights Policy

- Defines which groups or users can perform the specific privileged action
- Troubleshooting user rights is a process of test, re-configure, and retest
- For more details on user rights, consult the Microsoft Windows XP Professional Resource Kit

Page 38: Chapter Five

Security Options

- Defines and controls various security features, functions, and controls of the Windows XP environment
- For more details on security options, consult the Microsoft Windows XP Professional Resource Kit

Page 39: Chapter Five

Troubleshooting Cached Credentials

- Windows XP Professional automatically caches a user’s credentials in the Registry when a domain logon or .NET Passport logon is performed
- Caching of credentials is used to enable single sign-on requirements
- Caching of credentials can be disabled through two means from the Windows XP Professional client
- Cached logons are stored within a utility named “Stored User Names and Passwords”

Page 40: Chapter Five

Troubleshooting Cached Credentials

- Problems can occur with stored credentials
  - If you discover that you are being authenticated as the wrong user account or with the wrong access level, you should remove the stored account information for that server or domain
  - Another problem is being unable to access resources to which you previously had access
  - Yet another problem might occur when you obtain access to a resource to which you should not have access

Page 41: Chapter Five

File and Settings Transfer Wizard

- Used to move your data files and personal desktop settings from another computer to your new Windows XP Professional system
  - Must have some sort of network connection between the two systems
- Using this Wizard, you can transfer files from Windows 95, 98, SE, Me, NT, 2000, or XP systems

Page 42: Chapter Five

Chapter Summary

- Windows XP Professional can employ three types of users
- Users are collected into groups to simplify management and grant access or privileges
- Users and groups are managed through the User Accounts applet and the Local Users and Groups utility

Page 43: Chapter Five

Chapter Summary

- User profiles can be local profiles when working with local users or imported users, or they can be roaming when using a domain-user account
- User profiles store a wide variety of personalized or custom data about a user’s environment
- The Local Security Policy is used to manage password, account lockout, audit, user rights, security options, and more

