1. Chapter 8 Chapter 8: Managing the Server Through Accounts and Groups

2. Chapter 8 Learning Objectives n Work with users on setting up their accounts n Set up account-naming guidelines n Develop guidelines for user account policies and set up account policies n Explain how to manage Windows NT domains continued

3. Chapter 8 Learning Objectives n Explain how groups are used in Windows NT Server, and create and configure group policies n Create, copy, disable, delete, and rename user accounts n Set up account auditing

4. Chapter 8 Obtaining Input from Users n Advantages u Secure user interest in making installation work u Ensure set up of server meets user needs n Key issues u Naming conventions for user accounts u User account policies u Use of server for home directories u Use and composition of groups u Group policies u Hours for server to be available

5. Chapter 8 Setting Up Account-naming Conventions n Based on account user’s actual name u ex. “rknauerh” or “robk” u use enough of name to be unique F ex. include middle initials u works well for E-mail as well n Based on function within organization u ex. “shift1mgr” or “retail-clerk7” F good if people often change jobs F possible security hole

6. Chapter 8 User Account Policies n Network administrator establishes general password and logon security stipulations for user accounts

7. Chapter 8 Password Security n Only effective if used properly n Account policy options u Password expiration u Password length u Password history u Account lockout

8. Chapter 8 User Home Directories n Home directory: A dedicated location on a file server or a workstation for a specific account holder to store files User home directories in a small office

9. Chapter 8 User Home Directories User home directories in a large organization

10. Chapter 8 Domain Services Management n Preserves idea of work groupings without managing them individually u Allows network administrator to manage resources and users as one unit n Saves time as administrator sets up users, privileges, and groups n Provides a powerful management tool u One domain can be home to 26,000 users and 250 groups

11. Chapter 8 Ethernet An Example of Two Domains Primary domain controller (domain A) Backup domain controller (B) Primary domain controller (B) Backup domain controller (A) Ethernet

12. Chapter 8 Domain Trust Relationships n Trusted domain: The domain that is granted security access to resources n Trusting domain: The domain that grants the access to its resources n One-way trust: One domain is trusted, the other trusting; not reciprocal n Two-way trust: Both domains are trusted and trusting u Universal trust: Two-way trusts among more than two domains

13. Chapter 8 n Trusting domain u Access to business server prohibited n Trusted domain u Access to manufacturing servers allowed One-way Trust Manufacturing domain Business domain

14. Chapter 8 Two-way Trust Business office domain Production branch domain n Trusted and trusting domain

15. Chapter 8 Domain Management n Single-master domain model u Management control of several domains centralized in only one domain u Works well for small organizations n Multiple-master domain model u Management of many domains located in two or more domains u Works well for larger organizations

16. Chapter 8 Advantages of the Single-master Domain n Accounts and resources are centrally managed n Resources are available to all users n One consistent security policy applies across organization n Groups can be tailored across organizational unit boundaries n SAM data is easy to maintain and keep synchronized within the master domain

17. Chapter 8 Advantages of the Multiple-master Domain n Administration can be centralized or decentralized n Thousands of users can share resources throughout the world n Groups can be formed to span domains n Security policies can be standardized for thousands of users and resources

18. Chapter 8 Multiple-master Domain Model

19. Chapter 8 Using Groups n Management of domain resources u By individual user: Most labor-intensive method u By resource: Still labor-intensive u By group: Saves time by eliminating repetitive steps in managing user and resource access

20. Chapter 8 Group Management Concept n Users belong to one or more groups having same access needs n Types of groups in Windows NT Server u Local groups: Used to manage accounts and resources within a single domain or on a single server u Global groups: Used to enable resource sharing across domains

21. Chapter 8 Local Groups n Used to help manage rights and permissions on a server within a domain n User accounts can be members of local groups n Domain resources can be assigned to local groups n Global groups can belong to local groups n Local groups can be used to make domain resources available to trusted domains

22. Chapter 8 Windows NT Predefined Local Groups

23. Chapter 8 Global Groups n Provide rights access across domains by linking rights from trusting domains to groups in trusted domains n Global groups can have domain user accounts as members but not local groups, to avoid circular group relationships n Global groups can be members of local groups n Global groups cannot have resources as members

24. Chapter 8 Windows NT Predefined Global Groups

25. Chapter 8 Adding Groups n New local and global groups can be added at any time Business group composition

26. Chapter 8 Managing Accounts n Creating accounts n Copying an account n Deleting an account n Disabling an account n Renaming an account

27. Chapter 8 Creating Accounts n Two accounts are created when Windows NT Server was installed u Administrator account: Provides complete access and control over the server u Guest account: Can be set up with controlled access for guest users

28. Chapter 8 Completing New Account Information

29. Chapter 8 Assigning Users to a Group n Accounts that have same security and access requirements can be assigned as members of a group

30. Chapter 8 Customizing User Access n User account environment can be customized through user profiles, logon scripts, and home directories u ex. make everyone run a virus checker u ex. user “fred” wants to always set up certain programs whenever/wherever he logs in

31. Chapter 8 Windows NT Logon Script Commands

32. Chapter 8 Configuring the Server Hours n Server administrator can set up user accounts so they cannot access server at designated times (e.g, during backups and other system work) Logon Hours dialog box

33. Chapter 8 Securing Account Access from Designated Workstations n Server administrator can limit where a user can log on to the domain n Ensures that certain accounts can only be accessed from designated workstations

34. Chapter 8 Account Expiration and Type n Expiration date is useful for an account that is needed for a specific time period (e.g., guests or temporary employees) n Can be designated global or local

35. Chapter 8 Copying an Account n Accounts can be modeled after a master account n Saves time when there are many accounts to create

36. Chapter 8 Deleting an Account n Completely erases account from security database n Before deleting an account, consider disabling it for a period of time in case there is a need to reactivate it for access at a later date

37. Chapter 8 Disabling an Account n Good security practice n A disabled account cannot be used to log on to the system but all other settings and configuration options remain intact

38. Chapter 8 Renaming an Account n To prevent intruders familiar with the default account names from gaining access to the system n To change an account name if an account is associated with a specific job is assigned to another individual n To comply with changes in organization’s naming convention n To reflect a user’s name change

39. Chapter 8 Account Auditing n Auditing: Tracking success or failure of events by recording selected types of events in an event log or a server or a workstation u use carefully; can overload system F disk space F CPU time available to programs

40. Chapter 8 Events that Can Be Audited n Logon and logoff activity n Access to files and objects n How often user rights are exercised n User and group management functions n Security policy changes n Restarting, shutting down, other activities n Starting processes or software applications

41. Chapter 8 Creating Groups n Organizational units, workgroups, or departments n Authorized users of network resources or applications n Events, projects, or special assignments n Geographical or location-based groups n Individual job descriptions or functions

42. Chapter 8 Setting Group Policies n Rights grant privileges to perform functions u Accessing server u Adding workstations to the domain u Changing system time u Backing up files

43. Chapter 8 Setting Group Policies n Standard rights: Apply to everyday users and groups (see next slide) n Advanced rights: For programmers and system developers who have technical access needs u Debugging programs u Gaining access to operating system internals u Controlling memory swapping

44. Chapter 8 Default NT Server User Rights continued

45. Chapter 8 Default NT Server User Rights continued

46. Chapter 8 Default NT Server User Rights

47. Chapter 8 Chapter Summary n Do some preliminary research before setting up accounts and groups. u User feedback helps to ensure accounts match user needs u Develop guidelines for account names u Develop account policies for setting up passwords and account lockout features continued

48. Chapter 8 Chapter Summary n Windows NT domains are a tool to help manage a server. u Local and global groups u Reduce time spent managing individual accounts continued

49. Chapter 8 Chapter Summary n Creating an account is multiple step process. u User and password information u Group assignments u Home directory assignments u Hours to access account u Security options