CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
Agenda Chapter 3: Understanding Workgroups and Active Directory Quiz Exercise
Workgroup A group of computer form into a peer-to-peer network. ▫User accounts are decentralized and stored on each individual computer
Authentication and Logins Authentication ▫The process of identifying an individual ▫Username and password Authorization ▫The process of giving individuals access to system objects based on their identity Auditing ▫The process of keeping track of a user’s activity while accessing the network resources
Authentication Methods A user can authenticate using one or more of the following methods: ▫What they know A password or Personal Identity Number (PIN). ▫What they own or possess Such as a passport, smart card, or ID card ▫What a user is Biometric factors based on fingerprints, retinal scans, voice input, or other forms
Password The most common method of authentication A secret series of characters that enables a user to access a file, computer, or program A complex or strong password ▫6 or more characters long ▫Cannot contain the user’s account name or parts of the user’s full name ▫A mix of characters, upper and lower case, number, and non-alphanumeric characters
User Account Enables a user to log on to a computer and domain Can be used for auditing There are two types of user accounts: ▫The local user account ▫The domain user account
Local User Account A local user account allows a user to log on and gain access to the computer where the account was created. Security Account Manager (SAM) database ▫Located on the local computer ▫Stores the local user account
User Accounts (Cont.) Three groups of local user accounts: ▫Administrator ▫Standard ▫Guest Creating and managing local user accounts: ▫User Accounts in the Control Panel See Figure 3-1 on Page 57 ▫Local Users and Groups MMC snap-in See Figure 3-2 on Page 59
User Profile A collection of folders and data that store the user’s current desktop environment and application settings, is associated with each user account ▫C:\Users folder ▫See Figure 3-3 on Page 60
Credential Manager Store credentials, such as usernames and passwords that you use to log on to websites or other computers, on a network Credentials are saved in special folders on your computer called vaults.
Active Directory A directory service stores, organizes, and provides access to information in a directory It is used for locating, managing, administering, and organizing common items and network resources, such as volumes, folders, files, printers, users, groups, devices, telephone numbers, and other objects
Active Directory A technology created by Microsoft that provides a variety of network services, including: ▫Lightweight Directory Access Protocol (LDAP) ▫Kerberos-based and single sign-on (SSO) authentication ▫DNS-based naming and other network information ▫Central location for network administration and delegation of authority
Domain A logical unit of computers and network resources that defines a security boundary
Domain Controller A Windows server that stores a replica of the account and security information of the domain and defines the domain boundaries A server that is not running as a domain controller is known as a member server
Active Directory Consoles Several MMC snap-in consoles to manage Active Directory: ▫Active Directory Users and Computers ▫Active Directory Domains and Trusts ▫Active Directory Sites and Services ▫Active Directory Administrative Center ▫Group Policy Management Console (GPMC)
Organizational Units To help organize objects within a domain and minimize the number of domains, you can use organizational units, commonly seen as OU OUs can be used to hold users, groups, computers, and other organizational units An organizational unit can only contain objects that are located in a domain
Delegating Administration You can assign a range of administrative tasks to the appropriate users and groups
Active Directory Objects A distinct, named set of attributes or characteristics that represents a network resource ▫Computers, users, groups, and printers A 128-bit unique number called a globally unique identifier (GUID) or security identifier (SID) ▫If a user changes his or her name, GUID remains the same
Domain User A domain user account is stored on the domain controller and allows you to gain access to resources within the domain See Figure 3-4 and 3-5 on Page 65 ▫Domain user properties sheet See Figure 3-6 on Page 66 ▫Specify logon hours
Computer Account For authenticating and auditing the computer’s access to a Windows network and its access to domain resources
Groups A collection or list of user accounts or computer accounts Group Types ▫Security group ▫Distribution group Group scopes ▫Domain Local group ▫Global group ▫Universal group
Group Policies Controls the working environment for user accounts and computer accounts ▫Provides the centralized management and configuration of operating systems, applications, and users’ settings in an Active Directory environment Group policies can be set ▫Locally on the workstation ▫Domain Level Group policies are applied in the following order: ▫Local -> Site -> Domain -> OU
Rights and Permissions A user right authorizes a user to perform certain actions on a computer such as logging on to a system interactively or backing up files and directories on a system ▫See Figure 3-8 on Page 71 for list of user’s rights Permission defines the type of access that is granted to an object ▫Assigned permissions are NTFS files and folders, printers and Active Directory objects. ▫Access control list (ACL) which lists all users and groups that have access to the object.
Account Lockout Policy Specifies the number of unsuccessful logon attempts ▫To lock the account ▫Specifies the duration that the account remains locked ▫See Figure 3-9 on Page 72
Password Control Group policies can be used to control ▫How often a user changes a password ▫How long the password is ▫A complex password ▫See Figure 3-10 on Page 74 To help manage passwords ▫Computer Configuration\Windows Settings\ Security Settings\ Account Policies\Password Policy
Auditing Auditing is not enabled by default To enable auditing, you specify what types of system events to audit using group policies or the local security policy ▫Security Settings\Local Policies\Audit Policy ▫See Figure 3-11 on Page 75 To audit NTFS files, NTFS folders, and printers is a two-step process ▫Enable Object Access using group policies ▫Specify which objects you want to audit
Troubleshooting Authentication Issues The users forgot their password Caps lock or num lock key on Language defined and that the keyboard is operating fine If the time is off, authentication can fail If computer is not part of the domain or is not trusted, you will not be able to log in to the domain
Assignment Submit these before class over on Thursday ▫Fill in the blank ▫Multiple Choice ▫True / False Submit these before class start on Monday ▫Lab 3