Networks: Access Management Windows NT Server Class Notes # 10 Administration October 24, 2003

In Windows NT Server, the User Manager for Domains is the primary administrative tool for managing user accounts, groups, and security policies for domains and computers on the network. User Manager for Domains runs only on NT Server machines. If you run the user manager on an NT workstation, or on an NT server that is not a domain controller, you get the cut-down version, called simply User Manager rather than User Manager for Domains.

The NT workstation creates and manages user accounts with User Manager. The job of User Manager on machine XYZ is to create user accounts that are relevant and useful only on machine XYZ. If a user on machine ABC wants access to data on machine XYZ, the owner of machine XYZ has to create an account for that user on XYZ, using User Manager on XYZ.

On NT servers, the primary domain controller (PDC) holds a shared database of all users known to the machines that have agreed to constitute a domain. That way, if a user needs access to servers in a domain, all you've got to do is build a single domain-wide account for that user with User Manager for Domains.

User accounts contain information like the user name, the password, and a description. All of that data sits in a file called SAM in the primary domain controller's \winnt\system32\config directory. SAM (Security Access Manager) lives in the PDC's registry, in an area that's grayed out if you try to peek into it. Whenever you run User Manager for Domains, you're directly manipulating that part of the registry on the PDC. No matter what machine you run User Manager for Domains from, your changes get stored in the PDC's registry.

User Manager for Domains provides the network administrator with the means to:

- Create, modify, and delete user accounts in the domain
- Define a user's desktop environment and network connections
- Assign logon scripts to user accounts
- Manage groups and group membership within the accounts in a domain
- Manage trust relationships between different domains in the network
- Manage a domain's security policies

If you are logged on as an administrator and you start User Manager for Domains, all of its features are available to you. If you log on as a member of the account operators group, you won't be able to use some of its capabilities; you can manage most user accounts, but you cannot implement any of the security policies. If you log on as a mere mortal user, you can only look at user names with User Manager for Domains; it won't let you make any changes to those accounts.

In NT Server, a user account contains information such as the user's name, password, group membership, and the rights and privileges the user has for accessing resources on the network. These details are shown in Table 1.

Table 1: Information in a user account (part of user account: description)

- Account type: The particular type of user account, i.e. a local or global account.
- Expiration date: A future date when the user account automatically becomes disabled.
- Full name: The user's full name.
- Home directory: A directory on the server that is private to the user; the user controls access to this directory.
- Logon hours: The hours during which the user is allowed to log on to and access network services.
- Logon script: A batch or executable file that runs automatically when the user logs on.
- Logon workstations: The computer names of the NT workstations that the user is allowed to work from (by default, the user can work from any workstation).
- Password: The user's secret password for logging on to his or her account.
- Profile: A file containing a record of the user's desktop environment (program group, network connections, screen color, and settings that determine what aspects of the environment the user can change) on NT workstations.
- Username: A unique name the user types when logging on.

Pre-built Accounts

If you're creating a new domain, you'll notice that two accounts, called administrator and guest, are built already. The administrator account is an account with complete power over a domain. You can't delete it, but you can rename it. You assigned the password for the domain's administrator account when you installed NT Server on the machine that became the primary domain controller for the domain.

The other account is the guest account. Guest means anyone that the domain doesn't recognize. By default, this account is disabled, and it should stay that way. The guest account is pretty restricted in the things it can do. If the guest account is enabled on the server, then a user logged on to an NT workstation can have access to a domain resource even though that user does not have a domain account. The mere fact that there is an enabled guest account pretty much says to NT, "leave the back door open, okay?" So be careful when enabling the guest account.

Predefined Groups

A number of predefined groups, both local and global, are built into NT Server to aid network administration and management. The local groups are:

- Administrator
- Server operator
- Account operator
- Print operator
- Backup operator
- Everyone
- Users
- Guests
- Replicator

Administrator

Members of the administrators local group have more control over the domain than any other users, and they are granted all of the rights necessary to manage the overall configuration of the domain and the domain's servers. Within the administrator group is a built-in administrator user account that cannot be deleted. By default, the domain administrators global group is also a member of the administrator group, but it can be removed.

Server operator

The server operators local group has all of the rights needed to manage the domain's servers. Members of the server operators group can create, manage, and delete printer shares at servers; create, manage, and delete network shares at servers; back up and restore files on servers; format a server's fixed disk; lock and unlock servers; and change the system time. In addition, server operators can log on to the network from the domain's servers as well as shut down the servers.

Account operator

Members of the account operators local group are allowed to use User Manager for Domains to create user accounts and groups for the domain, and to modify or delete most of the domain's user accounts and groups. An account operator cannot modify or delete the following groups:

- Administrators
- Domain admins
- Account operators
- Backup operators
- Print operators
- Server operators

Likewise, members of this group cannot modify or delete the user accounts of administrators. They cannot administer the security policies, but they can use the Server Manager to add computers to a domain, log on at servers, and shut down servers.

Print operator

Members of this group can create, manage, and delete printer shares for an NT Server server. Additionally, they can log on at and shut down servers.

Backup operator

The backup operator local group provides its members the rights necessary to back up directories and files from a server and to restore directories and files to a server. Like the print operators, they can log on at and shut down servers.

Everyone

Everyone is not actually a group, and it doesn't appear in the user management list, but you can assign rights and permissions to it. Anyone who has a user account in the domain, including all local and remote users, is automatically a member of the everyone local group. Not only are members of this group allowed to connect over the network to a domain's servers, but they are also granted the advanced right to change directories and travel through a directory tree that they may not have permission on. Members of the everyone group also have the right to lock the server, but won't be able to unless they've been granted the right to log on locally at the server.

Users

Members of the group simply called users have minimal rights at servers running NT Server. They are granted the right to create and manage local groups, but unless they have access to the User Manager for Domains tool (such as by being allowed to log on locally at the server), they can't perform this task. Members of the users group do possess certain rights at their local NT workstations.

Guests

This is NT Server's built-in local group for occasional or one-time users to log on. Members of this group are granted very limited abilities. Guests have no rights at the NT Server servers, but they do possess certain rights at their own individual workstations. The built-in guest user account is automatically a member of the guest group.

Replicator

This local group, different from the others, supports directory replication functions. The only member of a domain's replicator local group should be a single domain user account, which is used to log on to the replicator services of the domain controller and to the other servers in the domain. User accounts of actual users should not be added to this group at all.

Tables 2 through 9 summarize the user rights and special abilities granted to NT Server's predefined local groups.

Table 2: Rights/Special abilities granted to the administrators group

- None
- none

Table 3: Rights/Special abilities granted to the administrators group

- Create and manage user accounts
- Access this computer from the network
- Create and manage global groups
- Take ownership of files
- Assign user rights
- Manage auditing and security log
- Lock the server & override the server's lock
- Change the system time
- Create common groups
- Format the server's hard disk
- Force shutdown from a remote system
- Keep a local profile
- Backup files and directories
- Share and stop sharing directories and printers

Table 4: Rights/Special abilities granted to the server operators

- Lock the server & override the server's lock
- Change the system time
- Create common groups
- Format the server's hard disk
- Force shutdown from a remote system
- Keep a local profile
- Backup files and directories
- Share and stop sharing directories and printers
- Restore files and directories

Table 5: Rights/Special abilities granted to the account operator

- Create and manage user accounts, global groups, and local groups
- Keep a local profile

Table 6: Rights/Special abilities granted to the print operators

- Keep a local profile
- Share and stop sharing printers

Table 7: Rights/Special abilities granted to the backup operators

- Keep a local profile
- Backup files and directories
- Restore files and directories

Table 8: Rights/Special abilities granted to the everyone group

- Access this computer from the network
- Lock the server

Table 9: Rights/Special abilities granted to the Users group

- None
- Create and manage local groups
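Two hygiene points from these notes, that the guest account should stay disabled and that the replicator group should hold a single account, can be checked from the output of net user Guest and net localgroup Replicator. The following is an added example, not part of the class notes; it assumes English-locale command output, and the sample text and account names are constructed.

```python
import re

# Constructed sample of `net user Guest` output (English locale assumed).
SAMPLE_NET_USER_GUEST = """\
User name                    Guest
Full Name
Comment                      Built-in account for guest access
Account active               Yes
Account expires              Never

Local Group Memberships      *Guests
Global Group memberships     *Domain Guests
The command completed successfully.
"""

# Constructed sample of `net localgroup Replicator` output; both names are made up.
SAMPLE_NET_LOCALGROUP_REPLICATOR = """\
Alias name     Replicator
Comment        Supports file replication in a domain

Members

-------------------------------------------------------------------------------
repl-svc
jsmith
The command completed successfully.
"""


def parse_fields(text):
    """Map 'Label   value' lines to {label: value}; labels are lower-cased."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}(\S.*)$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def parse_group_members(text):
    """Return the member names listed below the dashed rule."""
    members, in_list = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line and set(line) == {"-"}:
            in_list = True
        elif in_list and line and not line.lower().startswith("the command completed"):
            members.append(line)
    return members


def audit(net_user_guest, net_localgroup_replicator):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    active = parse_fields(net_user_guest).get("account active", "").lower()
    if active != "no":  # fail closed: an unreadable state is reported too
        findings.append("Guest account is not confirmed disabled")
    members = parse_group_members(net_localgroup_replicator)
    if len(members) > 1:
        findings.append("Replicator has %d members, expected a single account: %s"
                        % (len(members), ", ".join(members)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NET_USER_GUEST, SAMPLE_NET_LOCALGROUP_REPLICATOR):
        print("FINDING:", finding)
```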

Global groups

NT Server has only three built-in global groups:

- Domain Administrator
- Domain Users
- Domain Guests

Domain Administrator

By placing a user account into this global group, you provide administrative-level abilities to that user. Members of domain administrator can administer the home domain, the workstations of the domain, and any other trusted domains that have added the domain administrator global group to their own administrator local group. By default, the built-in domain administrator group is a member of both the domain's administrators local group and the administrators local group for every NT workstation in the domain. The built-in administrator user account for the domain is automatically a member of the domain administrator global group.

Domain Users

Members of the domain users global group have normal user access to, and abilities for, both the domain itself and any NT workstation in the domain. This group contains all domain user accounts, and is by default a member of the users local groups for both the domain and every Windows NT workstation on the domain.

Domain Guests

This group allows guest accounts to access resources across domain boundaries, if they've been allowed that by the domain administrators.

In addition to the built-in local and global groups, a few special groups appear now and again when viewing certain lists of groups:

- Interactive: Anyone using the computer locally
- Network: All users connected over the network to a computer
- System: The operating system
- Creator owner: The creator and/or owner of subdirectories, files, and print jobs

The interactive and network groups combined form the everyone local group.
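Because a global group such as Domain Admins is itself a member of a local group, reviewing who holds an ability on a server means expanding that nesting. The following added example (not part of the class notes) answers "who can do X, and through which group" for a sample domain; abilities are abridged from Tables 3 to 7, while the accounts and the Helpdesk global group are constructed.

```python
# Abilities of built-in local groups, abridged from Tables 3-7 of the notes.
LOCAL_ABILITIES = {
    "Administrators": {"Assign user rights", "Take ownership of files",
                       "Format the server's hard disk", "Backup files and directories"},
    "Server Operators": {"Format the server's hard disk", "Backup files and directories",
                         "Restore files and directories", "Change the system time"},
    "Account Operators": {"Create and manage user accounts, global groups, and local groups"},
    "Backup Operators": {"Backup files and directories", "Restore files and directories"},
    "Print Operators": {"Share and stop sharing printers"},
}

# Local group -> direct members (user accounts or global groups).
# Domain Admins inside Administrators is the default nesting described in the notes;
# every other member is constructed sample data.
LOCAL_MEMBERS = {
    "Administrators": {"Administrator", "Domain Admins"},
    "Server Operators": {"carol"},
    "Backup Operators": {"backup-svc", "Helpdesk"},
}

# Global group -> user accounts. NT global groups hold only user accounts,
# so expanding one level of nesting is complete.
GLOBAL_MEMBERS = {
    "Domain Admins": {"Administrator", "alice"},
    "Helpdesk": {"bob", "dave"},  # constructed global group
}


def holders(ability):
    """Return {account: [membership path, ...]} for every account holding `ability`."""
    result = {}
    for local, abilities in LOCAL_ABILITIES.items():
        if ability not in abilities:
            continue
        for member in LOCAL_MEMBERS.get(local, ()):
            if member in GLOBAL_MEMBERS:  # nested global group: expand to its users
                for user in GLOBAL_MEMBERS[member]:
                    result.setdefault(user, []).append(f"{user} -> {member} -> {local}")
            else:
                result.setdefault(member, []).append(f"{member} -> {local}")
    return {user: sorted(paths) for user, paths in sorted(result.items())}


if __name__ == "__main__":
    # Backup rights reach far more accounts than the Backup Operators list suggests.
    for account, paths in holders("Backup files and directories").items():
        for path in paths:
            print(path)
```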

Adding computers to a Domain

Members of the Administrators, Domain Admins, and Account Operators groups can grant computers membership in a domain. It is the computers that are acknowledged as members of the domain, not the users. Adding a computer to a domain is a two-step process. First, the machine account for the computer must be created in the domain. Then, the computer must actually join the domain, a separate step performed at the computer itself, either during installation of NT or afterwards in its Control Panel.

To create a machine account for an NT machine:

1. Launch Server Manager at the Windows NT Server.
2. From the Computer menu, choose Add to Domain. You will see the Add Computer to Domain dialog box.
3. Under Computer type, choose the option Windows NT Workstation or Server.
4. Type the computer name, and choose Add.
5. You can continue adding other computers, and close when you are finished.

Joining a Workgroup or Domain with Windows NT workstation 4.0

You can join a workgroup or a Windows NT Server domain from the Network dialog box. To join a workgroup, you must log on as a member of the administrator group or the Domain Admins global group. Make sure you specify a workgroup name that is not the same as the computer name. When joining a domain, check with the system administrator to make sure you're using the correct domain name and that you have a user account on that domain.

To join a workgroup or domain, follow these steps:

1. In the Network dialog box, choose the Identification tab and choose Change. The Identification Changes dialog box appears.
2. In the Member of area, choose either Workgroup or Domain. In the text box, enter the exact name of the workgroup or domain.
3. If you choose Domain and you're the domain administrator, enter the user name and password of your account. This is not required if you have created an account for the computer in the Server Manager of the domain controller.
4. Choose OK to close the dialog box. If you joined a domain, a welcome dialog box appears; choose OK to close the box.

Joining a Workgroup or Domain with Windows 9X

To configure Windows 9X to join a domain, perform the following steps:

1. Click Start, Control Panel, and Networking. You will see the Network dialog box.
2. Select the Configuration tab and double-click the Client for Microsoft Networks.
3. In the Logon Validation section, check the box labeled Log on to Windows NT domain and fill in the domain's name. Click OK to return to the Network applet and OK again to tell the Control Panel that you're finished. It will load some files and reboot.
4. Once the computer reboots, you'll see a new login dialog box; one of its fields is the domain field.