Introduction to Microsoft Management Console (MMC) MMC is a common console framework for management applications. MMC provides a common environment for snap-ins, the tools that support management functionality. MMC allows you to perform a number of tasks.

The MMC Window

MMC Consoles

Introduction to Snap-Ins

Stand-Alone Snap-Ins Stand-alone snap-ins are usually referred to simply as snap-ins. Each snap-in provides one function or a related set of functions.

Extension Snap-Ins Extension snap-ins are usually referred to as extensions. An extension provides additional administrative functionality to another snap-in. Extensions are designed to work with one or more stand-alone snap-ins. Some snap-ins can act as stand-alone snap-ins or as extensions.

Console Options Author mode User mode

Windows 2000 User Accounts Domain user accounts Local user accounts Built-in user accounts

Domain User Accounts Allow users to log on to the domain and gain access to resources anywhere on the network Created in an OU in the Active Directory store Replicated to all domain controllers

Local User Accounts Allow users to log on to and gain access to resources on the computer where they log in Created in the computer’s security database Not replicated to domain controllers

Built-In User Accounts Administrator Guest

Naming Conventions The naming convention establishes how users are identified in the domain. Several considerations should be taken into account when determining naming conventions.

Password Requirements Always assign a password for the Administrator account. Determine whether the administrator or the users will control passwords. Use passwords that are hard to guess. Passwords can be up to 128 characters; a minimum length of eight characters is recommended. Use both uppercase and lowercase letters, numerals, and valid nonalphanumeric characters.

Account Options Logon hours Computer from which users can log on Account expiration

Creating Domain User Accounts

Creating Local User Accounts

Overview of Modifying Properties A set of default properties is associated with each user account. Properties defined for a domain user account can be used to search for users in the Active Directory store. Several properties should be configured for each domain user account. You can use the Active Directory Users And Computers snap-in to modify a domain user account. You can use the Local Users And Groups snap-in to modify a local user account.

The Properties Dialog Box Personal properties tabs Account tab Profile tab Published Certificates tab Member Of tab Dial-In tab Object tab Security tab Terminal Services tabs

Administering User Accounts Managing user profiles Modifying user accounts Creating home folders

Managing User Profiles A user profile is a collection of folders and data that stores your current desktop environment and application settings as well as personal data. Microsoft Windows 2000 creates a local user profile the first time you log on at a computer. User profiles operate in a specific manner.

Assigning a Customized Roaming User Profile

Creating Home Folders

Introduction to Groups A group is a collection of user accounts. Groups simplify administration of user permissions. Users can be members of more than one group. When you assign permissions, you give users the capability to gain access to specific resources. You can add user accounts, contacts, computers, and other groups to groups.

Types of Groups Security groups Distribution groups

Group Scopes

Introduction to Group Membership The group scope determines the membership of the group. Membership rules define which members a group can contain. Domain local groups and global groups can be converted to universal groups.

Group Nesting You can add groups to other groups to reduce the number of times permissions need to be assigned. You should create a hierarchy of groups based on business needs. Try to minimize the levels of nesting. Nesting reduces the number of times you assign permissions; however, tracking permissions becomes more complex. Document group membership to keep track of permission assignments. Effective nesting in a multiple domain environment will reduce network traffic between domains and simplify administration. Consider the domain operation mode when nesting groups.

Group Strategies

Introduction to Groups Determine the required group scope based on how you want to use the group. Avoid adding users to universal groups. Determine whether you have the necessary permissions to create a group in the appropriate domain. Determine the name of the group.

Administering Groups

Overview of Group Implementation A local group can contain user accounts on a computer and can be assigned to resources on that computer. There are two types of local groups: domain and non-domain. Try to follow specific guidelines when using local groups. Non-domain local groups can contain local user accounts from the computer on which you create the local groups.

Creating Local Groups

Built-In Global Groups Windows 2000 creates built-in global groups to group common types of user accounts. The groups are created in the Active Directory store. The Users OU contains the built-in global groups. Windows 2000 includes a number of commonly used built-in global groups.

Built-In Domain Local Groups Built-in domain local groups provide users with user rights and permissions to perform tasks on domain controllers and in the Active Directory store. Built-in domain local groups give predefined rights to user accounts when you add user accounts or global groups as members. Windows 2000 includes a number of commonly used built-in domain local groups.

Built-In Local Groups Built-in local groups give rights to perform system tasks on a single computer. Built-in local groups are located in the Groups folder of the Computer Management snap-in. Windows 2000 includes a number of commonly used built-in local groups.

Built-In System Groups Built-in system groups exist on all computers running Windows You do not see system groups when you administer groups, but they are available for use when you assign rights to resources. Windows 2000 includes a number of commonly used built-in system groups.

Overview of Group Policies Group policies are a set of configuration settings that an administrator applies to one or more objects in the Active Directory store. A group policy consists of settings that govern how an object and its child objects behave. Group policies provide users with a fully populated desktop environment. Conflicts can exist between group policies and local needs.

Benefits of Group Policies Lowering your network’s total cost of ownership (TCO) Securing a user’s environment Enhancing a user’s environment

Types of Group Policies Software Settings Scripts Security Settings Administrative Templates Remote Installation Services (RIS) Folder Redirection

Group Policy Structure Group policy objects (GPOs) Group policy containers (GPCs) Group policy templates (GPTs)

Group Policy Objects (GPOs) A GPO contains group policy settings for sites, domains, and OUs. One or more GPOs can be applied to a site, a domain, or an OU. Group policy data that is small in size and changes infrequently is stored in GPCs. Group policy data that is large and can change frequently is stored in the GPT. A local GPO exists on every Windows 2000 computer, and by default, only security settings are configured.

Group Policy Containers (GPCs) A GPC is an Active Directory object that stores GPO properties and includes subcontainers for computer and user group policy information. The GPC stores the Windows 2000 class store information for application deployment.

Group Policy Templates (GPTs) When a GPO is created, the corresponding GPT folder structure is created. Certain subfolders are often contained in the GPT structure.

Creating a GPO

Using the Group Policy Snap-In

GPO Permissions

Support for Windows 95, Windows 98, and Windows NT 4.0 The Group Policy snap-in does not provide client support for Microsoft Windows 95, Windows 98, or Windows NT computers. Windows NT is supported through.adm files and Poledit.exe. Windows 95 and Windows 98 clients are supported through the Windows 9x System Policy Editor.

Managing Software Settings Use the Group Policy snap-in to centrally manage software distribution. To assign or publish an application, create a shared folder and copy the application files and package files (.msi files) to the share folders.

Managing Scripts Windows 2000 group policy allows considerable flexibility in assigning scripts. Multiple scripts can be assigned to a user or a computer. You can use the Show Files button to open a window that displays the contents of the scripts folder.

Managing Security Settings Computer security policy covers areas of policy, administrative rights, and user permissions. Two types of security policies are defined in Windows The security infrastructure can be separated into a number of configurable categories. Security configurations are stored as.inf files in a text format.

Managing Administrative Templates

Managing Folder Redirection The Folder Redirection extension allows you to redirect special folders in a user profile. By redirecting the My Documents folder, you can provide a number of advantages. By default, the Folder Redirection extension is not included with the Group Policy snap-in.