حسابات المستخدمين و المجموعات نظم تشغيل 1

المحتوى 1 حسابات المستخدمين 1 إدارة حسابات المستخدمين 2 أنواع حسابات المستخدمين 3 المجموعات 4 التشكيلات الجانبية للمستخدمين 5

حسابات المستخدمين

حسابات المستخدمين حسابات المستخدمين المحلية Local user accounts (stored on local computer) حسابات المستخدمين للمجال Domain user accounts (stored in Active Directory) Windows Server 2008 Domain

حسابات المستخدمين

حسابات المستخدمين Local user account Domain user account Logon screen

Logon Screen Welcome Screen Classic Screen شاشة الترحيب الشاشة الكلاسيكية

Logon Screen

Logon Screen

إدارة حسابات المستخدمين يمكن إدارة حسابات المستخدمين عن طريق: Control Panel Peer to Peer Network Computer Management Local Users and Groups Client/ Server Network Active Directory Active Directory Users and Computers

إدارة حسابات المستخدمين

إدارة حسابات المستخدمين

إدارة حسابات المستخدمين

إدارة حسابات المستخدمين

المستخدم أنواع حساب نوع الحساب يحدد الإجراءات التي يمكن للمستخدم تنفيذها على جهاز الكمبيوتر. Control Panel Administrator An account type determines the actions that a user can perform on the computer. Limited User Guest

المستخدم أنواع حساب

حسابات المستخدمين المضمنين Built-in accounts

حسابات المستخدمين المضمنين

المجموعات Group مجموعة من حسابات المستخدمين. المجموعات تبسط الإدارة من خلال تمكين تعيين الأذونات والحقوق لمجموعة من المستخدمين بدلا من تعيينها لكل حساب مستخدم لحاله. Groups simplify administration by enabling you to assign permissions and rights to a group of users rather than having to assign them for every user account. Group

Windows XP built-in Groups Administrators Users Guests Power Users Backup Operators

المجموعات

المجموعات

Windows server 2008 Default Groups

Windows server 2008 Default Groups Course 6425C Module 4: Managing Groups Windows server 2008 Default Groups Default local groups in the BUILTIN and Users containers Enterprise Admins, Schema Admins, Administrators, Domain Admins, Server Operators, Account Operators, Backup Operators, Print Operators Issues with these groups Highly overdelegated Account Operators, for example, can log on to a domain controller Protected Users who are members of these groups become protected and are not unprotected when removed Best practice: Keep these groups empty and create custom groups with the rights and privileges you require Objective: Describe the purpose of default groups. Keep the default (Builtin) groups empty, except for Administrators and Domain Admins, which should be tightly controlled. Discuss protection and AdminSDHolder. Many built-in groups are assigned a set of user rights automatically. These rights determine what each group and their members can do within a domain’s or forest’s scope. User rights authorize members of a group to perform specific actions, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all of the domain’s controllers. The best practice is to create custom groups with the specific rights and permissions you require, and not to use the overdelegated built-in groups. This also helps you avoid AdminSDHolder problems. Discuss AdminSDHolder to an extent that is appropriate for your audience. References For more information about protected accounts, see: Knowledge Base article 817433 at http://go.microsoft.com/fwlink/?LinkId=168759 Knowledge Base article 840001 at http://go.microsoft.com/fwlink/?LinkId=168760. If you want to search the Internet for resources, use the keyword, adminSDHolder. Microsoft TechNet provides an exhaustive reference to the default groups in a domain and to the default local groups. For reference information about local and domain groups, go to http://go.microsoft.com/fwlink/?LinkId=217993 For reference information about default local groups, go to http://go.microsoft.com/fwlink/?LinkId=217992 Default groups http://go.microsoft.com/fwlink/?LinkId=99433 Windows Server 2008 Future Resources http://go.microsoft.com/fwlink/?LinkId=99434

User Profile User Profile: Is a group of settings and files that defines the environment that the system loads when a user logs on. User Profile: هي مجموعة من الإعدادات والملفات التي يحملها النظام عندما يقوم المستخدم بتسجيل الدخول.

In each User Profile there is:

Default User & All Users

Types of User Profiles Windows security requires a user profile for each user account on a computer. The system automatically creates a local user profile for each user when the user logs on to the computer for the first time. The system automatically maintains the settings for each user's work environment in a user profile on the local computer. If a computer is running Windows 2000 Server or later on a network, users can store their profiles on the server. These profiles are called roaming user profiles. Roaming user profiles have the following advantages: Automatic resource availability. A user's unique profile is automatically available when he or she logs on to any computer on the network. Users do not need to create a profile on each computer they use on a network. Simplified computer replacement and backup. When a user's computer must be replaced, it can be replaced easily because all of the user's profile information is maintained separately on the network, independent of an individual computer. When the user logs on to the new computer for the first time, the server copy of the user's profile is copied to the new computer. A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded. There are two types of mandatory profiles: normal mandatory profiles and super-mandatory profiles. User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) on the server to NTuser.man. The .man extension causes the user profile to be a read-only profile. User profiles become super-mandatory when the folder name of the profile path ends in .man; for example, \\server\share\mandatoryprofile.man\. Super-mandatory user profiles are similar to normal mandatory profiles, with the exception that users who have super-mandatory profiles cannot log on when the server that stores the mandatory profile is unavailable. Users with normal mandatory profiles can log on with the locally cached copy of the mandatory profile. Only system administrators can make changes to mandatory user profiles.

Types of User Profiles Local user profile Roaming user profile Stored on a computer's local hard disk Roaming user profile Follows user Stored on a server Mandatory user profile Cannot be modified

Temporary User Profile يتم إصدار التشكيل الجانبي المؤقت للمستخدم في كل مرة يحدث خطأ يمنع تحميل التشكيل الجانبي للمستخدم . يتم حذف ملفات التشكيل الجانبي المؤقت في نهاية كل جلسة، ويتم فقدان التغييرات التي قام بإجرائها المستخدم على إعدادات سطح المكتب والملفات عندما يقوم المستخدم بتسجيل الخروج. التشكيلات الجانبية المؤقتة متاحة فقط على أجهزة الكمبيوتر التي تشغل Windows 2000 والإصدارات الأحدث. A temporary user profile is issued each time an error condition prevents the user's profile from loading. Temporary profiles are deleted at the end of each session, and changes made by the user to their desktop settings and files are lost when the user logs off. Temporary profiles are only available on computers running Windows 2000 and later.

Best Practices أفضل الممارسات لإنشاء حسابات المستخدمين تعطيل حساب Guest تعطيل حساب لن يتم استخدامه على الفور الطلب من المستخدمين تغيير كلمات المرور الخاصة بهم في المرة الأولى التي يقومون فيها بتسجيل الدخول

Best Practices

Maintain at least two accounts A standard user account Course 6425C Module 2: Administering Active Directory® Securely and Efficiently Secure Administration with Least Privilege, Run As Administrator, and User Account Control Maintain at least two accounts A standard user account An account with administrative privileges Log on to your computer as a standard user Do not log on to your computer with administrative credentials Start administrative consoles with Run As Administrator Right-click the console and click Run As Administrator Click Use another account Enter the user name and password for your administrative account Objective: Understand the importance of User Account Control and secondary logon. Discuss the reasons behind non-administrative logon. Report the fact that many organizations do not allow administrators to log on directly with their administrative credentials. Ask students: Why it is risky to log on with administrative credentials? The privileges of the credentials could be used, accidentally or intentionally, to harm the environment. Ask students: What is the disadvantage of logging on with standard-user, non-administrative credentials? It is difficult to perform administrative tasks if you have to repeatedly enter administrative credentials. Describe the concept of using Run As Administrator to run processes that require elevation. The processes you start, run with an elevated credential, but the Explorer shell, and all processes that it spawns, run with standard user privileges. You will be demonstrating Run As Administrator next, so you do not have to detail the steps shown on this slide—it can be a reference for students as you perform the demonstration. Reference Using Run as: http://go.microsoft.com/fwlink/?LinkId=168725

Best Practices

Best Practices

المدربة نجلاء العرفاوي www.themegallery.com Thank You ! المدربة نجلاء العرفاوي