Chapter Five Users, Groups, Profiles, and Policies.

Objectives
- Understand local users and groups
- Understand user policies
- Understand the local security policies
- Create and manage user accounts
- Create user profiles

Windows XP Professional User Accounts
- Local user accounts
  - Exist on a single computer and cannot be used in any manner with domain resources or to gain domain access of any kind
- Domain user accounts
  - Exist in a domain by virtue of being created on a domain controller

Windows XP Professional User Accounts
- Local groups
  - Group that exists only on the computer where it was created
  - Can have users and global groups as members
- On a Windows XP Professional system, user accounts are used to govern or control access

Windows XP Professional User Accounts
- A Windows XP Professional system can exist as a:
  - Standalone system
  - Workgroup member
  - Domain network client

Windows XP Professional User Accounts
- A Windows XP Professional local user account stores details about:
  - Security
  - Access permissions
  - Preferences
- A user's environmental settings and configuration preferences can be stored as a profile

Windows XP Professional User Accounts
- Password policy
  - Defines the restrictions on passwords
- Account lockout policy
  - Defines the conditions that result in a user account being locked out

Windows XP Professional User Accounts
- Audit policy
  - Defines the events that are recorded in the Security log of the Event Viewer
- Security options
  - Defines and controls various security features, functions, and controls of the Windows XP environment

Windows XP Professional User Accounts
- Windows XP implements its multiple-user system through the following:
  - Groups
  - Resources
  - Policies
  - Profiles

Logging Onto Windows XP
- Windows XP uses logon authentication for two purposes:
  - To maintain security and privacy within a network
  - To track computer usage by user account

Logging Onto Windows XP
- Windows XP supports two types of logons:
  - Windows Welcome
    - Completely new logon method to the Windows product line
  - Classic
    - This method is Ctrl+Alt+Delete

Administrator
- Administrator account
  - Most powerful user account possible within the Windows XP environment
- Administrator account has the following characteristics:
  - It cannot be deleted
  - It cannot be locked out

Administrator
- Administrator account has the following characteristics (cont.):
  - It can be disabled
  - It can have a blank password
  - It can be renamed
  - It cannot be removed from the Administrator local group

Guest
- Guest account
  - One of the least privileged user accounts in Windows XP
- Guest account has the following characteristics:
  - It cannot be deleted
  - It can be locked out

Guest
- Guest account has the following characteristics (cont.):
  - It can be disabled
  - It can have a blank password
  - It can be renamed
  - It can be removed from the Guest local group

Naming Conventions
- Predetermined process for creating names on a network or standalone system
- Should incorporate a scheme for user accounts, computers, directories, network shares, printers, and servers
- Should be descriptive enough so that anyone can figure out to which type of object the name corresponds

Naming Conventions
- Naming convention needs to address the following four elements:
  - Must be consistent across all objects
  - Must be easy to use and understand
  - New names should be easily constructed by mimicking the composition of existing names
  - An object's name should clearly identify that object's type

User Account Applets Figure 5-1: User Accounts applet, User tab

User Account Applets Figure 5-2: Add New User Wizard, user name and domain page

User Account Applets Figure 5-3: Add New User Wizard, level of access page

User Account Applets
- Imported user account
  - A local account created by duplicating the name and password of an existing domain account
  - An imported account can be used only when the Windows XP Professional system is able to communicate with the domain of the original account

Local Users and Groups Figure 5-4: Local Users and Groups, Users node

Users Figure 5-5: A user account’s Properties dialog box, General tab

Users Figure 5-6: A user account’s Properties dialog box, Member Of tab

Users Figure 5-7: A user account’s Properties dialog box, Profile tab

Groups
- To provide the highest degree of control over resources, Windows XP uses two types of groups:
  - Local groups
    - Exist only on the computer where they are created
  - Global groups
    - Exist throughout a domain

Groups Figure 5-8: Local Users and Groups, Groups node

System Groups and Other Important Groups
- Windows XP has several built-in system-controlled groups
- System-controlled groups are pre-existing groups that you cannot manage but that appear in dialog boxes when assigning group membership or access permissions
- These groups can be used by the system to control or place restrictions on specific groups of users based on their activities

User Profiles
- Collection of desktop and environmental configurations on a Windows XP system for a specific user or group of users
- By default, each Windows XP computer maintains a profile for each user who has logged on to the computer, except for Guest accounts
- Optionally, an administrator can force users to load a so-called mandatory profile

User Profiles Figure 5-9: User Profiles dialog box

Local Profiles
- Set of specifications and preferences for an individual user, stored on a local machine
- Windows XP provides each user with a folder containing their profile settings
- Local profiles are established by default for each user who logs onto a particular machine

Roaming Profiles
- A roaming profile resides on a network server to make it broadly accessible
- When a user whose profile is designated as roaming logs onto any Windows XP system on the network, that profile is automatically downloaded
- This process avoids having to store a local profile on each workstation that a user uses

Local Security Policy
- Windows XP has combined several security and access controls into a centralized policy:
  - This centralized policy is called the group policy
  - There are group policies for local computers, groups, domains, and organizational units

Password Policy Figure 5-10: Local Security Settings, Password Policy selected

Account Lockout Policy
- The items in this policy are:
  - Account lockout threshold: 0 invalid logon attempts
  - Account lockout duration: Not Defined
  - Reset account counter after: Not Defined

Audit Policy
- Defines the events that are recorded in the Security log of the Event Viewer
- Auditing is used to track resource usage
- Each item in this list can be set to audit the Success and/or Failure of the event
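
The lockout and audit settings on the two slides above can also be read from a policy export instead of the Local Security Settings console. The following is an added example, not part of the original slides: it parses the INF text that `secedit /export /cfg` writes and reports the lockout items and the Success/Failure audit flags. The sample template is constructed, and treating a missing key as "Not Defined" is an assumption.

```python
import configparser

# Constructed sample in the layout of a `secedit /export /cfg` template.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 2
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Audit values are a bit mask: 1 = Success, 2 = Failure.
AUDIT_FLAGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}


def parse_template(text):
    """Parse exported template text; key case is preserved."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False
    )
    parser.optionxform = str
    parser.read_string(text)
    return parser


def section(parser, name):
    return dict(parser[name]) if parser.has_section(name) else {}


def lockout_policy(parser):
    """Return the three Account Lockout Policy items as shown in the console."""
    sa = section(parser, "System Access")

    def show(key, unit):
        # Assumption: a key absent from the export means "Not Defined".
        return f"{sa[key]} {unit}" if key in sa else "Not Defined"

    return {
        "Account lockout threshold": show("LockoutBadCount", "invalid logon attempts"),
        "Account lockout duration": show("LockoutDuration", "minutes"),
        "Reset account counter after": show("ResetLockoutCount", "minutes"),
    }


def audit_settings(parser):
    """Decode each [Event Audit] entry into its Success/Failure setting."""
    return {
        key: AUDIT_FLAGS.get(int(value), "Unknown")
        for key, value in section(parser, "Event Audit").items()
    }


def findings(parser):
    """List settings a reviewer would question on a shared or networked system."""
    out = []
    sa = section(parser, "System Access")
    if int(sa.get("LockoutBadCount", "0")) == 0:
        out.append("LockoutBadCount = 0: accounts are never locked out")
    for key, label in audit_settings(parser).items():
        if label == "No auditing":
            out.append(f"{key}: nothing is written to the Security log")
    return out


if __name__ == "__main__":
    policy = parse_template(SAMPLE_INF)
    for name, value in lockout_policy(policy).items():
        print(f"{name}: {value}")
    for line in findings(policy):
        print("FINDING:", line)
```

On a real system the exported file is usually UTF-16, so open it with `encoding="utf-16"` before passing the text to `parse_template`.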

User Rights Policy
- Defines which groups or users can perform the specific privileged action
- Troubleshooting user rights is a process of test, re-configure, and retest
- For more details on user rights, consult the Microsoft Windows XP Professional Resource Kit

Security Options
- Defines and controls various security features, functions, and controls of the Windows XP environment
- For more details on security options, consult the Microsoft Windows XP Professional Resource Kit

Troubleshooting Cached Credentials
- Windows XP Professional automatically caches a user's credentials in the Registry when a domain logon or .NET Passport logon is performed
- Caching of credentials is used to support single sign-on requirements
- Caching of credentials can be disabled through two means from the Windows XP Professional client
- Cached logons are stored within a utility named "Stored User Names and Passwords"

Troubleshooting Cached Credentials
- Problems can occur with stored credentials
- If you discover that you are being authenticated as the wrong user account or with the wrong access level, you should remove the stored account information for that server or domain
- Another problem is being unable to access resources to which you previously had access
- Yet another problem might occur when you obtain access to a resource to which you should not have access

File and Settings Transfer Wizard
- Used to move your data files and personal desktop settings from another computer to your new Windows XP Professional system
- Must have some sort of network connection between the two systems
- Using this Wizard, you can transfer files from Windows 95, 98, SE, Me, NT, 2000, or XP systems

Chapter Summary
- Windows XP Professional can employ three types of users
- Users are collected into groups to simplify management and grant access or privileges
- Users and groups are managed through the User Accounts applet and the Local Users and Groups utility

Chapter Summary
- User profiles can be local profiles when working with local users or imported users, or they can be roaming when using a domain-user account
- User profiles store a wide variety of personalized or custom data about a user's environment
- The Local Security Policy is used to manage password, account lockout, audit, user rights, security options, and more