Presentation on theme: "Introduction to NT Administration Objectives: How to use DOMAINS Create Users & Set Properties to user accounts Manage User Accounts & Assign Security."— Presentation transcript:
Introduction to NT Administration Objectives: How to use DOMAINS Create Users & Set Properties to user accounts Manage User Accounts & Assign Security Policies Use Shared Folder Permissions User Server Manager & Win NT Diagnostics Administer Local & Remote Printing Devices Use Event Viewer & Archive Logs
Compare Win NT Server 4.0 with Win NT Workstation 4.0 Server Allows a nearly unlimited number of users to connect to a shared resource at one time Tuned for file- and print-sharing performance Symmetric multiprocessing suport on up to four processors Can be a Domain Controller Workstation Allows up to 10 users to connect to a shared resource at one time Tuned for application responsiveness Symmetric multiprocessing support on up to two processors Cannot be a Domain Controller
Why Do We NETWORK? Share Resources More Computing Power Collaborate & Communicate More File Space Faster Access than a Sneaker Net
DOMAINS The concept behind NT Networks
Workgroups A workgroup is a collection of computers that form a peer-to-peer network. In a workgroup, each computer can act as both a server & a client for sharing resources. Each station in a Workgroup is Managed Separately. Advantages? Disadvantages?
A workgroup List of users NamePassword MaryFido BillPentium SueLogical List of users List of users List of users
PERMISSIONS The Rules that limit which users can use specified network resources
Permissions and permission sets Task nameTask Read (R) Display the folders data, attributes, owner, and permissions Write (W)Create new files or change the folders attributes Execute (X)Run files in the folder or open the folder Delete (D)Delete files in the folder Change Permissions (P)Change the folders permissions Take Ownership (O)Become the owner of the folder PermissionAllows No AccessDenies all access to the folder ListRX ReadRX AddXW Add & ReadRXW ChangeRXWD Full ControlRXWDPO Special Directory AccessAny custom combination of tasks Special File AccessSet independently
Layers of security NTFS security Share security User workstation Network request Shared folder
Unified logon for Microsoft networks OK Cancel Enter Network Password User name: Password: Enter your network password for Microsoft Networking OK Cancel Enter Network Password User name: Password: Enter your network password for Microsoft Networking Domain: Peer-to-peer network Windows NT domain
DOMAINS A DOMAIN is a collection of computers that can be used and managed as a single entity. Users can log on once to a domain & then have access to any computer or resource for which they have permissions. Usually, Domains are organized by a common use or purpose
A DOMAIN Requires the presence of at least one computer running Windows NT Server. This computer, called the Primary Domain Controler (PDC), maintiains a central accounts database called the directory database of its members. A Domain may have multiple servers, clients or domain controllers (maintains directory database & participates in validating logon requests)
A domain has a centralized directory database Rashads computerFreds computerSues computer List of users NamePassword SueLogical RashadPentium FredPassword Domain controller List of users
The role of Windows NT Server domain controllers client Windows NT Server PDC Windows NT Server BDC Processes user logons
The role of Windows NT Server domain controllers (cont.) client Windows NT Server PDC Windows NT Server PDC Update accounts database and perform directory replication
DOMAINS WHAT IF: –The PDC goes down? Can users logon to the network? Yes, BUT only if there is a Backup Domain Controller (server) with the current directory database.
DOMAINS Give two advantages of using a domain model for your network. Computers can be centrally administered The common directory database simplifies security administration Give one Disadvantage of using DOMAINS A DOMAIN requires a dedicated Network Administrator!
DOMAIN CONTROLLERS Primary Domain Controller (PDC) –The PDC database is the only copy that can be edited (User Manager). If the PDC is offline, you cannot change the directory database. –The first WinNT Server created in a Domain will automatically become the PDC. You can override this at a later time –AFTER adding a BDC (Backup Domain Controller). –You can ONLY have ONE PDC in a Domain.
Backup Domain Controller (BDC) A BDC assist the PDC by authenticating domain users. The BDC maintains a read-only version of the directory database (it cannot be edited) which it periodically updates with the PDC. You MUST specify during installation that a computer will act as a BDC. If you promote a BDC to a PDC, then the existing PDC will automatically be demoted to a BDC.
MEMBER SERVER A member server is not a domain controller. It merely makes resources available within the Domain. Because a member server does not maintain a copy of the directory database & does not participate in the logon validation process…it can better serve its resources to the domain. Member servers are created when you install the server software. Member servers cannot be promoted to a PDC or BDC unless you reinstall WinNT Server You can have multiple member servers in a Domain.
The role of application servers client application server Runs application in RAM
The role of application servers (cont.) client application server Responds to client requests Runs application in RAM
PLANNING A DOMAIN You cannot change the domain to which a domain controller belongs without reinstalling WinNT Server. Each Domain in a Network must have a unique name. SIDs (Security Identification Numbers) validate a resource to the Domain– NOT the computer or resource name. A Single Domain can span a routed connection (All campuses of a school district) or a Wide Area Network (WAN). Network Traffic Patterns NOT physical Design should determine how your Domains are setup. (I.E. BUSINESS APs versus PEIMS) WHAT ABOUT STUDENT FOLDERS? WHAT ABOUT AR DATABASE? WHAT ABOUT WEB Productivity Access?
LOGGING IN Ctrl & Alt & Del –Takes you to the Login Screen –Identify User Name, Password, & DOMAIN Ctrl & Alt & Del –Change Password –Lock Workstation –Task Manager
Types of traffic DHCP – Dynamic Addressing WINS registration – Resources on the Network Browser announcements – Master Browser HTTP – Web Access FTP – Files Transferred over Internet (Downloads) Media Streaming – Video broadcasts Logon – Logging Files Client Server Browse lists, DNS, File transfer, HTTP Trust, WINS replication, Domain synchronization, Directory replication Server
MANAGING USERS A USER ACCOUNT contains the information that allows a user access to the WINNT operating system and its resources. USER NAME – must be unique LOGON PASSWORD & Group Membership List are contained in the account BUILT-IN ACCOUNTS – Administrator Account Guest Account – May wish to disable or change the name & password to Training etc.
TOOLS for MANAGING USER ACCCOUNTS USER MANAGER Allows Administrator to Create a User Account Options: User Must Change Password At Next Logon User Cannot Change Password Password Never Expires Account Disabled – AUP Violations, Moves from District, Retires
Lets Practice Open USER MANAGER For the Domain (usrmgr) What are invalid characters in User Names in NT? Cannot Include Special Characters: / \ ? |, ; : [ ] + * User Name should be descriptive 05roussj (preferably no more than 8 characters) Password is case-sensitive – it may be up to 14 characters Initial Password like: Assign User to Groups
Lets Practice User Properties: Characteristics of a User Account User Name Full Name (may include spaces) Description Password Password Control Options Groups User Belongs to Profile Settings Hours During Which the User can log on to Computer Computers from which a user may log on Special Account Properties Dial-in Permissions -- RAS
Lets Practice Create a Home Folder Home Folders – network folder location that is used to store all the personal programs & data files for the user \\senior01\users\%username% When a Home folder is set in the users account, it becomes the users default folder for the Open & Save As dialog boxes in most applications. NTFS will create these folders & share them with the user FAT you must create & share home folders
Lets Practice Create a Home Folder Select User, Properties, Profile Enter the Universal Naming Convention (UNC) path next to Local Path textbox for the Home Directory \\senior01\users\%username% Two back slashes server name slash shared folder slash %username% The server & shared folder must first exist on the network. NT will create a subfolder using the User ID name for the folder name. Click OK.
Lets Practice Look through the HOURS options Observe the Grid Drag from Monday at 8:00 am to Friday at 5:00 pm Click Disallow Click OK What does this action accomplish? When would you use it?
Lets Practice Explore – Answer the following: How can you Restrict a users logon access to a single computer? How can you set an expiration date to an account?
Lets Check for Understanding Troubleshooting User Account Properties Create a User Account for your machine with the following properties Username: Student Password: Logical No account options enabled Home folder: D:\Users\Student\%username% Logon Hours: Monday to Friday, 9 to 5 Disabled Domain Users have the right to logon locally.
Lets Check for Understanding Troubleshooting User Account Properties Create a User Account for your machine with the following properties Username: Student Password: Logical No account options enabled Home folder: C:\Users\Student Domain Users have the right to logon locally. Logoff as administrator & log on as student Create a Notepad document & attempt to save it using Save As. Where does Notepad attempt to save the file by default?
User Profiles User PROFILES are files that store user configuration information, such as the desktop appearance. Profiles are created and maintained by the system. Each user is assigned a profile with information stored in a set of files and folders within the Windows (Winnt) Profiles folder. Profiles can reside on the client computer (or each client computer a user logs onto OR ROAMING Profiles may reside on the logon server. ROAMING Profiles follow a user from client to client. Roaming Profiles can be Personal OR Mandatory – on WINNT machines. Roaming Personal Profiles – User can change Roaming Mandatory Profiles – User cannot change
User Profiles When you assign a server location for user profiles, a copy of the users local profile is saved both locally & remotely on the server. Comparison of both profiles is made at the next logon the user is asked which profile to load. Create a roaming Profile Create a normal user profile by logging on as a user & changing your desktop Log off & logon as the Administrator. In Control Panel, open the System application & activate the USER PROFILE TAB. Select the users profile & click on Copy TO Enter the name of the destination network folder (\\senior01\users\%username% will work)\\senior01\users\%username% In the Permitted To Use box click on Change. Add appropriate User. Click OK
User Profiles In the USER MANAGER For DOMAINS, view properties for the user to whom you will be assigning this roaming profile. Click on Profiles to display the User Environment Profile dialog box Enter the Path to users roaming user profile using the UNC name Click OK.
User Profiles Roaming Mandatory User Profiles May NOT be modified. I.E. User CANNOT change the desktop color. To create a mandatory user profile, create a roaming personal user profile and rename the Ntuser.dat file to Ntuser.man This file is found WHERE?
User Profiles In a DOMAIN, where should you create your User Accounts? What tool do you use to create the accounts? Where does one get this tool? Where can this tool be placed? What are the three types of User Profiles? Where are they stored? User Profiles \windows\profiles, Roaming Personal Profiles & Roaming Mandatory Profiles – stored on the server.
Local & Global Groups Local Groups belong to the Domain & can be assigned permissions & rights Local Groups can contain Global Groups Global Groups do not have permissions or rights assigned to them, but they can become members of local groups that do have permissions & rights Global Groups can only contain Users from the Domain The Primary Reason for creating Global Groups is that they are to be assigned to a Local Group
Remember Local vs. global groups Users from a local database Users from other computers databases Users from outside of the domain Global groups Users from the domain database Local groupGlobal group Can contain:
A strategy for implementing network security (cont.) 1. Create user accounts. 2. Organize user accounts into global groups. (Domain Group) Domain Teachers Domain Students Domain Secretaries 3. Put global groups into local groups. Domain Teachers Domain Students WebMasters Local Groups Give Access To Resources
A strategy for implementing network security (cont.) 1. Create user accounts. 2. Organize user accounts into global groups. (Domain Group) Domain Teachers Domain Students Domain Secretaries 3. Put global groups into local groups. Domain Teachers Domain Students WebMasters 4. Grant permissions to the local group. OK to access
Groups in a trust relationship Users Global groups Local groups
Lets Practice Decide what Global Groups & Local Groups are needed for your campus. Decide this by looking at all the resources. File Servers Folders Plan a Folder Scheme Name of Folder Needed Subfolders Level of Sharing Application Servers CD ROM Towers Internet Access RAS Access Printers Client Hardware (Drives & Printers & Folders (Shared CD ROM Drives & Folders)
Lets Practice Decide what Global Groups & Local Groups are needed for your campus. Create Global & Local Groups to Manage Identified Resources Diagram Resource & those Local Groups & Global Groups
Lets Practice Assign Permissions to resources using your Local Groups Describe what Permissions you will need to assign for each resource per Local Group
In your own words, describe the difference between local & global groups A Local Group can contain Global Groups Global Groups cannot contain Local Groups Global Groups can contain ONLY users from within your Domain Local Groups can be used ONLY on the computer on which they were created (unless the computer is a Domain Controller)
Managing GROUPS Would you assign permissions to a specific user accounts or To a Group? You always assign permissions to groups rather than directly to user accounts. When new users need access to those resources, you simply add them to the appropriate group.
Managing GROUPS The Built-in Groups….page 3-4 Administrators Replicators Power Users Users Guests Backup Operators Account Operators Server Operators Print Operators
Managing GROUPS The Built-in Groups….page 3-4 Each Group has certain capabilities that are allowed by their default user rights.
Access this computer from the network XX Back up & Restore files & folders XXX Change the system time XX Force Shutdown from a remote system XX Load & Unload device drivers X Log on Locally XXXXX Manage auditing & security log X Shut down the system XXXXX Take ownership of files & other objects X X
Managing GROUPS TEST YOUR UNDERSTANDING 1.Can Account Operators modify a User Account that is a member of the Administrative Group? 2.Can Users create Local Groups on a server if they have access to the User Manager for Domains Application? 3.Which Built-in Groups can be modified by an Account Operator? The Users, Guests, and Replicator
Managing GROUPS TEST YOUR UNDERSTANDING 1.Which Built-in group is not available on WINNT Server Computers, but is available on Workstations? Power Users Group 2. Which built-in Groups are available only on Domain Controllers? Account Operators, Server Operators, & Print Operators 3. Which built-in Groups Can Backup & Restore Files? Administrators, Server Operators, & Backup Operators
BUILT-IN GLOBAL GROUPS Global Group Purpose Contain s by default Who can Modify Member of Which Local Group Domain Admins To enable members to perform administrative task on the local computer Administrator (user account) Administrators Administrators (local group) Domain Users To enable members to perform tasks granted to the Users group on every local computer in the Domain Administrator (user account) Administrators, Account Operators Users Domain Guests To enable members to perform tasks granted to the Guests group on every local computer in the Domain Guest (user account) Administrators, Account Operators Guests
Global Groups Global groups do not have inherent capabilities to perform system administration or other network functions as local groups do. Instead, global groups acquire their capabilities by being members of the appropriate local group.
Determining Memberships Practice: Log on as Administrator Open user Manager For Domains Notice that Global Groups begin with the globe icon and the word Domain (ie Domain Admins) Double-click on Administrators (Administrators is a user account & Domain Admins is a global group account) Who are the members of the Domain Users Global Account? Administrators, & any users
Built-in system groups Group Members & Purpose Example of a Use Interactive Users who log on to the system locally. To restrict local access to a resource, you could assign the NO ACCESS permission to the Interactive group Network Users that connect to a network available resource (a share) – permissions available to all To restrict network access to a resource while allowing local access, you could assign the NO ACCESS permission to the Network group Everyone All users that connect to the system, locally or across the network You can make a resource, such as a printer available to everybody by giving the EVERYONE group Full Control Rights. CreatorOwner A user that creates a resource (such as a file) is a member of this group. If the Administrator creates the resource, the Administrators group is made a member of this group. You can use this group to grant special privileges to the creators of objects, such as files or print jobs.
When might you Use each of these Groups? Anytime you wish to use default levels of user rights
Creating & Managing Groups – Must be created on PDC database Use Manager For Domains to create groups (must be Administrator or Account Operator) To create a global group –Choose User, New Global Group –Enter name of group (20 character limit) –Use Add button –Click OK If you need to add several users to a group, hold down the Ctrl key, select each user to add then choose User, New Global Group.
Creating Local Groups Use User Manager for Domains Choose User, New Local Group Enter name of your group (256 characters– however only the first 22 will be displayed) Use Add button Click OK
Lets Practice Create a Local Group & Add the Global Group to it. Perform this task at the PDC or BDC In the Groups list box select NetUsers (to ensure that no user accounts are automatically placed in the new local group) Choose User, New Local Group In the Group Name text box, enter LocalUsers Click Add In the Names list box, select NetUsers Click Add, Click OK After name is displayed in the Add Names List Box. (P 3-13)
4-1 Account Administration Copying User Accounts You can create a New User account by copying an existing user account (using existing user account as a template) Creating Templates for Users is helpful when you must add large numbers of new users Template that expires on graduation date for students. Templates usually begin with an underscore character _ to display it at the top of the User Name List
Lets Practice Log on as Administrator Open User Manager for Domains In the list of User Names double-click on Guest Observe the properties Click on Cancel Choose User, Copy Observe the information that is automatically entered in the Copy of Guest dialog box In the Username text box, type _copy In the Description text box type copy of Guest account Enter a password Click Add Click Close In the Username list box, double-click on your new use account to view properties Click Cancel
Modifying Multiple User Accounts If you need to modify two or more User Accounts in the same way, you can make the changes simultaneously. Use the Ctrl key to highlight those accounts – the accounts selected, choose User, Properties The User Properties dialog box for multiple user accounts is slightly different – you can modify descriptions, enable & disable the 4 user account options, and modify group memberships and profile information.
Lets Practice Page 4-4 Select your _copy Press Ctrl and select several users Choose User, Properties In the Description Box enter User Account Uncheck Users Cannot Change Password & password Never Expires Click OK Double-click on a User Account to check properites Click Cancel
RENAMING USER ACCOUNTS All user Accounts can be renamed. When might you want to RENAME a User Account? Select a User Choose User, Rename Type in New name Click OK
Deleting User Accounts All Users except the Administrator & Guest accounts can be deleted by using the User, Delete command. Once User Accounts have been deleted, they cannot be re-created. At creation each user account is given an SID which is unique. Creating the exact user account again DOES NOT assign the same SID to that account …therefore the system sees the exact user name & password as a NEW account When should you Delete a User Account?
Adding a User to the Account Group In the Username list box, double-click on a User Click on the Groups button Click on Account Operators Click Add Click OK Choose Policies, User Rights Which Rights are automatically assigned to the Account Operator? Click Cancel
Account Policies The Account Policy is used to control how passwords are used & maintained by users. Account Policy dialog box is divided into two sections –Password Restrictions –Account Lockout Explore these options When would you use each option?
5-1 Securing Network Resources Use Shared Folder Permissions to Secure Network Resources Use NTFS permissions to secure network resources Determine effective permissions on a file or folder, given set of group, user, and share permissions. OBJECTIVES:
Using Shared Folder Permissions Requirements for Sharing a Folder –Organize files & folders so that folders with the same security requirements are located within the same branch in the folder hierarchy. For example, if users require Read permissions to several folders, store those folders within the same folder –Member of Administrator Group –Server Services Must be Started –NTFS (New Technology File System) partition…Additional Considerations
Sharing a Folder By Using Windows NT Explorer Run Explorer Select and observe the Temp folder Choose File, Properties, Sharing, Share AS Accept the Defaults Observe the User Limit Box Click OK
Permissions versus Rights A Permission is a specific level of access a user or group is granted to a particular resource. Unlike rights, which apply to the system as a whole, permissions are associated with specific objects. Therefore a user right can override any object permissions that are also assigned to a user. For example, if you grant the user the right to back up files and folders, it automatically includes the ability to read all files, even if the file permissions have been set specifically denying the user access rights to the files.
Shared Folder Permissions Once you create a share for a folder, you must set remote access permissions to allow other users to access the folder. –Default is EVERYONE – FULL CONTROL –Use Permissions Button to set the Folder Properties to NO ACCESS, READ, CHANGE, FULL CONTROL NOW, Create a NOTEPAD.txt document in your own TEMP Folder and save it. SHARE your Temp Folder with only Mickey Type of ACCESS = READ Click OK
Accessing Shared Folders with Network Neighborhood Logoff as Administrator & Logon As Mickey Double-click on Network Neighborhood Double-click on Partners computer name Double-click on your Partners TEMP folder Access the NOTEPAD.txt document –Are you able to edit the text? –Can you save a copy of the edited text file to a different remote location where you have rights? To a local location? –Can you Delete the file? –Can you Move the file?
Accessing Local Resources Swap Computers with your Partner Logon As Mickey Access Document in TEMP Folder –Can you Edit? –Create A New Text File? –Delete a text file? Shared Folder Permissions apply ONLY to REMOTE connections AND DO NOT have any effect on what you can do if you are seated at the computer containing the shares.
Using the Run Command to Connect to Shared Folders In the Run Command box type the UNC path to the shared folder \\computer_name\shared_folder Hit Enter Hit Enter
Default Administrative Shares In a Network Environment (WINNT, 2000, XP) there are two automatic shares for remote access Admin$ & Drive_letter$ for each hard drive partition. Admin$ takes you to the \winnt_root folder drive_letter$ remotely takes you to each hard drive partition PRACTICE: Use the RUN Command Line & Type \\partners_computer\C$ \\partners_computer\C$ Can you Access your partners D: Drive?
Hidden Shares $ at the end of the administrator sharenames indicates that these are HIDDEN SHARES. The $ hides the shared folders from users who browse the computer Hidden Shares must be accessed remotely by their UNC path Practice Hide your TEMP Share & see if your partner can ACCESS IT Rename the folder without the $
Hidden Shares Open the Control Panel Open Server Click on Shares Observe the Hidden Shares Click Close. Cancel
Stopping the Sharing of a Folder You can stop the sharing of all folders by Right Clicking, Choose Sharing, Select NOT SHARED, Click OK YOU CANNOT stop the sharing of the Admin$ or Drive$
Using NTFS Permissions to Secure Network Resources Unlike FAT file system, which provides only shared folder permissions, NTFS file system provides security for files & folders NTFS also provides ownership priviledges that are important On NTFS volume, you can implement security on a per-file, per-folder, or per-drive basis by assigning various levels of permissions. THIS DOES EFFECT the ability of users to access the shared file LOCALLY AS WELL AS REMOTELY
Set FILE Permissions In WINNT EXPLORER use the Security tab in the Properties dialog box to set or view the permissions Permissions can be set on a per-group, or per-user basis Select the Temp folder Notepad.txt file Choose File, Properties, Security tab, Click Permissions – what are the defaults?
FILE PERMISSIONS READ (R) WRITE (W) EXECUTE (X) DELETE (D) CHANGE Permission (P) TAKE OWNERSHIP (O) (Special Access) To be able to change permissions on a file, you must take ownership of it (creator already has ownership) – then YOU can set the permissions
Inheriting Permissions File & Folder Permissions are separate. However, unless the permissions are explicitly set otherwise, files & folders will inherit the permissions of their parent folder. When you view permissions on a folder, you will see two sets of permissions in parenthese, for example (RXW) (RX). The first refers to the permissions on the folder itself & its subfolders; the second set applies to permissions on files in that folder. THERE ARE SOME folder permissions that files do not inherit. The FULL CONTROL folder permission overrides the file permission of not deleting.
PermissionAllows Files Inherit No Access Denies all access ListRX Not Specified ReadRXRX AddXW Add & Read RXWRX ChangeRXWDRXWD Full Control RXWDPORXWDPO Special Directory Access Any combo Set independently Special File Access Set independently Any combo
Changing Folder Permissions By default when you change permissions on a folder, you DO change permissions of any existing files in the folder, but NOT on the subfolders. New subfolders & files will inherit the new permission set. Take CARE in CHANGING Folder Permissions
Setting Folder Permissions Practice Open Windows NT Explorer Open the Temp folder & select the Notepad.txt file Choose File, Properties Click Security tab, Permissions (observe current permissions) Click Cancel Now Select the TEMP folder From the Type of Access drop-down list box, select LIST Click Add, Select Administrator, Click Add, From the Type of Access drop-down box Select Full Control, Click OK twice Now Select Notepad.txt, click File, Properties, Security Tab, Click Permissions – The original file permissions have been replaced by inherited permissions from the folder
Copying/Moving Shared Folders Observing permissions on copied and moved files Give Everyone FULL Control of your Temp folder, remove any other permissions Select \TEMP\Notepad.txt on your partners computer. Observe the permissions on the file Make sure your partners Share folder has given the Administrator Full Control, remove all other permissions Move the Notepad.txt file to the Share folder, Observe the new File Permissions Now Move the Notepad.txt file BACK to your partners TEMP folder, Observe the File Permissions
Mapping a Shared Folder Lets Practice Use Explorer to Find your Partners Shared Folder – TEMP Choose Tools, Map Network Drive Observe the Drive Drop-down Box, choose a letter for your Drive In the Path box, type your partners shared folder UNC \\computer\temp Click OK Right-click on the folder in the left pane Choose MAP NETWORK DRIVE Select the folder, create a NOTEPAD.text document & Save in the shared TEMP folder, Choose FILE SAVE AS & Browse for the Mapped folder
DISCONNECTING FROM A REMOTE RESOURCE In the WINNT Explorer choose Tools, Disconnect Network Drive Select the Network Drive to Disconnect From Click OK Choose the Folder, Right-Click Choose Disconnect, YES
Taking Ownership of Files If you create it – you own it…also, if you copy a file, you own the copy. The owner cannot assign ownership to anyone else. However, they grant the Take Ownership permission to others. You can take ownership of a file if you have Full Control permission OR you have been given Take Ownership permission
Taking Ownership of Files To take ownership of a file, display the files Properties dialog box, click on the Security tab, click on the Ownership, and Click on Take Ownership. You can also take Ownership of a Folder & all Subfolders.
Security System Interactions User & Group Permissions are cumulative. Permissions you can ultimately exercise are a combination of the permissions granted to you as a user & the permissions granted to any group to which you are a member EXAMPLE: The user is assigned READ permission to a particular folder. A group the user belongs to is assigned WRITE permissions to the same folder….the user has RW Permissions to that folder. There is ONE exception: The NO ACCESS permission overrides all others. HOWEVER, having NO ACCESS permission applied to a folder which contains a file for which the user has permissions does NOT prevent the user from opening the file from its respective application! The user can open the file, providing you use the local or UNC path to the file in the File Open dialog box of the application.
Consider this Scenario Chris Permissions Teacher Group Permissions Grade-level Group Permissions Chris Effective Permissions READADD Not specified Add & Read Not Specified Full Control No Access ReadChange Take Ownership ListAdd Not Specified Special Access: Read & Delete Not Specified Add & Read
REMEMBER The Individual Read, Execute, & Write permissions are slightly different from the Add & Read permissions because files do NOT inherit the List or Add permissions NTFS permissions affect file & folder access for a local user & remote user...this adds a second layer of security to the network.
REMEMBER A good rule of thumb to remember between the interaction share permissions & NTSF is that the most restrictive permission applies. This is because share & NTFS permissions are NOT cumulative, but provide two layers of access. If the share permission for a particular user is READ, and the NTFS permission is FULL CONTROL, the user will have READ access. Or the user could exercise the FULL CONTROL permission by accessing the file locally instead across the network.
Scenario Share Permissions NTFS Permissions Effective Permissions Read Add & Read Read Full Control Change No Access Add & Read ChangeRead Full Control
6-1Managing Network Resources
Features of the Client for Microsoft Networks Automatic setup of networking capabilities in Windows 98 Windows 98 GUI integrates the networking capabilities Client-side caching Plug and Play support (USB) Peer resource sharing services – Must be selected Automatic reconnection for lost server connections Long filenames for network resources --AVOID!
Monitoring and optimizing performance Four areas to monitor: ProcessorRAM Hard Drive Network
Troubleshooting tools Resource Kits Books Online TechNet Microsofts World Wide Web site Microsofts ftp site MSN Microsoft technical support Administrative tools (Event Viewer, Server Manager, etc.)
Creating partitions by using the FDISK & Disk Administrator utility unpartitioned disk (all free space) D: FDISK Extended partition Primary partition F: E: Logical drives C:
Installation sources Local drive sources: CD-ROM or floppy disk Network drive sources: Shared CD-ROM or hard disk
Virtual directories Actual structureClient sees C:\ InetPub\wwwroot Alias: D:\Data\Documents Alias:/Publishing \\Corpserver\Sales_Mkt\Files Alias: /Marketing D:\Data\Corp\Promos Alias: /Marketing/Promos /Publishing /Marketing /Promos
The role of file and print servers client file and print server printer Requests files and sends print jobs
The role of file and print servers (cont.) client file and print server printer Sends files Sends and monitors print jobs
Overview of the Windows NT printing process print request other clients printer driver spoolerprinting device Occurs on client Occurs on server print request Windows 95 or Windows NT client printer driver printing device Occurs on client Occurs on print server spooler
Setting priorities between printers printer1: priority 99 printer2: priority 1 user36s computer Presidents computer user36President printing device print server
Point and Print support Print Server Driver Names Location of Drivers Printer Info/Config Windows 98 X X X Windows NT X NetWare X X
The Windows NT print process 2. Print driver loaded (locally or from server). 3. Job partially rendered. 4. Client spooler receives job. 5. Client spooler calls server spooler. 1. Application generates print request. Print clientPrint server 6. Server spooler receives job. 7. Router determines destination print device. 8. Print processor formats for printer device. 9. Separator page processed. 10. Print monitor sends to device. 11. Print device produces output. can be same computer
Print troubleshooting guidelines Power on? On-line? Paper jam? Paper/toner? Correct printer driver? Default printer? Printer port? Print from other application? Print to port or to file? Disk space for spooler? Spooler service running? Printer Print server/ print client computer Network Physical network problems? Printer shared? Correct user logged on? Correct permissions assigned?
The Intel boot sequence Preboot sequence Boot sequence NTLDR If Windows NT is not chosen 1. Conduct Power On Self Test (POST) 2. Load Master Boot Record (MBR) 3. Load active partitions boot sector 4. Load NTLDR 1. Change processor to flat memory model 2. Start minifile system (FAT or NTFS) 3. Read BOOT.INI to build Boot Loader Menu 4. Load operating system 5. Load BOOTSECT.DOS 5. Call NTDETECT.COM to examine hardware 6. Begin Windows NT load phases If Windows NT is chosen
The RISC boot sequence Preboot sequence 1. Select boot device 2. Determine presence of bootable partition 3. Verify supported file system 4. Load OSLOADER.EXE Boot sequence 1. Initial boot sequence 2. Begin Windows NT load phases
The Windows NT load phases Kernel load(screen shows progress dots) Kernel initialization(screen turns blue) Service load(blue screen shows progress dots) Subsystem start(Begin Logon dialog box appears)
ARC naming MultiIDEESDISCSIwithBIOS enabl ed SCSISCSI witho ut BIOS disk(0) SCSI bus number for SCSI adapters or 0 for all non-SCSI adapters SCSI rdisk(0) First disk numbered 0 Second disk numbered 1 Used only in systems with non- SCSI disks (set to 0 with SCSI disks) partition(1) Partition on disk that stores NT files 0 = special partition and generally not used 1 = First partition 2 = Second partition. \WINNT = Folder that stores the Windows NT boot files NT Server Name of the operating system Appears in the boot menu (0) First adapter in system numbered 0 Second adapter in system numbered 1. multi(0)disk(0)rdisk(0)partition(1)\\WINNT= NT Server
Comparing file system characteristics Filename length File size Restricted filename characters Case in filenames File attributes Directory structure Supported operating systems Security Compression Formatting Maximum partition size Optimal partition size File system overhead NTFSFAT under NT
Filename length File size Restricted filename characters Case in filenames File attributes Directory structure Supported operating systems Security Compression Formatting Maximum partition size Optimal partition size File system overhead NTFSFAT under NT Comparing file system characteristics (completed) 255 characters 16 EB4 GB ? / \ * | : Case preserving; supports case sensitivity for POSIX Case preserving Elemental and extendedElemental (R,A,S,H) B-treeLinked list Windows NT Windows NT; Windows 95; OS/2; DOS Per-file and per-directoryNone Can format hard disks Can format floppy and hard disks 16 EB4 GB >400 MB<400 MB 1-5 MB; recommended minimum 50 MB partition <1 MB ? / \ * | : Per-file, per-folder, per-drive 3rd party utilities