Managing User, Computer and Group Accounts
Lecture 5
Computer Accounts
To access a Windows 2008 domain, a computer needs an account
Joining a domain creates a computer account object in the AD
Each computer account has a SID (other security principals, such as users and groups, have SIDs as well)
User Accounts
To access a Windows 2008 network, a user needs an account
The account determines 3 factors:
- when a user may log on
- where within the domain/workgroup
- what privilege level a user is assigned
User Accounts
Each account has a SID that serves as its security credentials
Any object trying to access a resource must do it through a user account
Windows 2008 has 2 types of accounts: local and domain
Interactive Logon Process
Interactive logon – the process of verifying a user's credentials for logon to a Win2008 computer
If it is a local account, the credentials are checked against the local user account database.
If it is a domain account, the user's credentials are verified at a DC using an encryption process, and after successful authentication a logon key/logon token is granted for the session
Network Authentication Process
The process of verifying a user's credentials to allow access to network resources
When a user attempts to access a resource, the user's credentials and session key/token are compared against the resource's ACL to decide whether access is granted
Local Accounts
Supported on all Windows 2000, 2003 and 2008 systems except DCs (on member servers participating in domains and on standalone systems participating in workgroups)
Maintained on the local system, not distributed to other systems
A local user account authenticates the user for local machine access only; access to resources on other computers is not supported
Built-in local accounts: Guest; Administrator
Domain User Accounts
Permit access throughout a domain and provide centralized user administration through AD
Created within a domain container in the AD database and propagated to all other DCs
Once authenticated against the AD database using the GC, a user obtains an access token for the logon session, which determines permissions to all resources in the domain
Creating User Accounts
• Domain account names must be unique within the domain, although the same logon name can be used on several systems with local logon.
• Logon names are not case sensitive, must not contain more than 20 chars, and must not contain: + * ? < > / \ [ ] : ;
• Passwords are case sensitive and must be secure – not easy to guess
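As an added example (not part of the lecture), a small Python checker that applies the naming rules on this slide: the forbidden character list and 20-character limit as given above, case-insensitive uniqueness within a domain, and the same logon name permitted on several stand-alone systems. The authority and account names are constructed, and the down-level AUTHORITY\user output form is an assumption.

```python
# Constructed example applying the lecture's logon-name rules; not a Windows API.
FORBIDDEN_CHARS = set('+*?<>/\\[]:;')   # characters the slide lists as not allowed
MAX_LOGON_LEN = 20


class LogonNameError(ValueError):
    """Raised when a logon name breaks one of the naming rules."""


def validate_logon_name(name: str) -> str:
    """Return the name in its case-insensitive (lower-cased) form, or raise LogonNameError."""
    if not name:
        raise LogonNameError("logon name must not be empty")
    if len(name) > MAX_LOGON_LEN:
        raise LogonNameError(f"logon name exceeds {MAX_LOGON_LEN} characters")
    bad = sorted(FORBIDDEN_CHARS.intersection(name))
    if bad:
        raise LogonNameError("logon name contains forbidden characters: " + "".join(bad))
    return name.lower()          # logon names are not case sensitive


def is_valid_logon_name(name: str) -> bool:
    try:
        validate_logon_name(name)
        return True
    except LogonNameError:
        return False


class AccountStore:
    """One name table per authority (a domain or a stand-alone computer).

    Domain names must be unique within their domain (compared case-insensitively);
    the same logon name may exist on several stand-alone systems.
    """

    def __init__(self):
        self._names = {}     # authority -> set of lower-cased logon names

    def exists(self, authority: str, name: str) -> bool:
        return name.lower() in self._names.get(authority, set())

    def create(self, authority: str, name: str) -> str:
        key = validate_logon_name(name)
        if self.exists(authority, key):
            raise LogonNameError(f"{name!r} already exists in {authority}")
        self._names.setdefault(authority, set()).add(key)
        return f"{authority}\\{name}"   # down-level logon name form AUTHORITY\user
```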
Copying, Moving, Disabling and Renaming User Accounts
• Renaming an account doesn't affect any of the user account properties, except the name.
• Accounts can be moved from one container to another
• Disabled accounts can't be accessed
• When an account is copied, most properties are copied, except the username, full name, password, logon hours, address/phone info, organization info, the Account is disabled option, and user rights and permissions.
Deleting User and Computer Accounts
• Deleting an account permanently removes it, and all of its group memberships, permissions and user rights. A new account with the same name has a different SID and GUID
• Disabling an account may be a better option!
• Administrator and Guest can be renamed, but not deleted
Understanding User Account Properties
As with all AD objects, user accounts have a number of associated properties or attributes
Once the account is created, those properties may be modified using the Computer Management tool (local accounts) or AD Users and Computers (domain accounts)
Group Accounts
Group – an AD object that contains users, computers and other entities (groups have SIDs)
Groups are used for easier management of users/computers/resources
The access token identifies the groups to which a user belongs and the rights assigned
2 types of groups:
1. Distribution groups, for e-mail
2. Security groups, to assign limited permissions to groups that need access to resources or to deny access
Example of Access Token
Group Accounts
Rights and privileges are assigned at the group level
Groups can be nested (membership by inheritance)
A user's rights and privileges through group memberships are cumulative
Group/User relationship (diagram): Group 1, Group 2 and Group 3; Group 3 is a member of Group 1
Group Scope
Scope of influence (or scope): the reach of a group for gaining access to resources in Active Directory
Types of groups and associated scopes: Local, Domain local, Global, Universal
Local Groups
Local security group
Used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain (non-DCs)
Created using the Local Users and Groups MMC snap-in
Domain Local Groups
Domain local security group
Used when Active Directory is deployed to manage resources in a domain
Give global groups from the same and other domains access to those resources
Scope of a domain local group: the domain in which the group exists
Can convert a domain local group to a universal group
Domain Local Group Example (diagram, spanning Domain A, Domain B and Domain C): User 1 and User 2 are members of Engineering (Global Group); Engineering is a member of Printer Group (Domain Local); the Printer ACL grants Printer Group - Print
Global Groups
Contain user accounts from a single domain
Can also be set up as a member of a domain local group in the same or another domain
Broader scope than domain local groups
Can be nested
Typical use:
- Add accounts that need access to resources in the same or in another domain
- Make the global group in one domain a member of a domain local group in the same or another domain
Nested Global Groups / Global Group Example (diagram, spanning Domain A, Domain B and Domain C): User 1 is a member of Group 1, which is nested in Accountants (Global Group); the Printer ACL references Accountants; Group 2 is also shown
Universal Groups
Universal security groups
Span domains and trees
Can include:
- User accounts from any domain
- Global groups from any domain
- Other universal groups from any domain
Guidelines to help simplify how you plan to use groups:
Group Strategy
Put users into a global domain group. A global group can be thought of as an Accounts group.
Put resources into domain local (or machine local) groups. A local group can be thought of as a Resource group.
Put a global group into any domain local (or machine local) group in the forest
Assign permissions for accessing resources to the domain local (or machine local) groups that contain them
Use universal groups to grant access to resources in multi-domain environments where access is needed across domain trees.
Group Strategy Example (diagram): Domain A Engineers, Domain B Engineers and Domain C Engineers (Global Groups) are members of Database Access (Domain Local Group); the Database ACL grants Database Access Allow Write/Read
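As an added example (not from the lecture), the following Python model walks the group strategy above together with the earlier points on nested groups and cumulative rights: per-domain Engineers global groups nested into a Database Access domain local group, an access token built as the transitive closure of group membership, and an ACL check in which rights accumulate and a deny entry wins. The scope rules in scope_violation are the ones the slides state plus the standard AD rule that a domain local group may only be nested in domain local groups of its own domain; SIDs, group and domain names are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed model of the lecture's group strategy (AGDLP); not real AD code.

@dataclass
class Principal:
    sid: str      # constructed SID-like identifier, not a real Windows SID
    domain: str

@dataclass
class Group(Principal):
    scope: str    # "global", "domain_local" or "universal"
    members: list = field(default_factory=list)

    def add(self, member):
        reason = scope_violation(self, member)
        if reason:
            raise ValueError(reason)
        self.members.append(member)

def scope_violation(group, member):
    """Return why `member` may not be nested in `group`, or None if it is allowed."""
    member_is_dl = isinstance(member, Group) and member.scope == "domain_local"
    if group.scope == "global" and member.domain != group.domain:
        return f"global group {group.sid} may only contain members of its own domain"
    if member_is_dl and (group.scope != "domain_local" or member.domain != group.domain):
        return f"domain local group {member.sid} may only be nested in domain local groups of its own domain"
    return None

def build_token(user, all_groups):
    """Access token: the user's SID plus every group reached through nested membership."""
    token = {user.sid}
    changed = True
    while changed:                      # fixed point over the membership graph
        changed = False
        for g in all_groups:
            if g.sid not in token and any(m.sid in token for m in g.members):
                token.add(g.sid)
                changed = True
    return token

def check_access(token, acl, requested):
    """ACL entries: (sid, 'allow'|'deny', set of rights). Rights accumulate; a deny wins."""
    allowed, denied = set(), set()
    for sid, kind, rights in acl:
        if sid in token:
            (denied if kind == "deny" else allowed).update(rights)
    return requested <= (allowed - denied)
```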
Default User Account Membership
Built-in groups are automatically created in Windows Server 2003 to reflect the most common attributes and tasks
Domain Users / Users
Domain Admins / Administrators
Special Groups
EVERYONE, Network, Interactive, Service, System, Authenticated Users, SELF, CREATOR OWNER
User Profiles
Profiles customize the user environment; profiles can be stored on a server (roaming profiles), and changes can be restricted through mandatory profiles
Local profiles are stored on a computer when each user logs in.