Networks: Access Management
Windows NT Server Class Notes #10: Administration
October 24, 2003

In Windows NT Server, User Manager for Domains is the primary administrative tool for managing user accounts, groups, and security policies for domains and computers on the network. User Manager for Domains runs only on NT Server machines. If you run the user manager on an NT Workstation, or on an NT Server that is not a domain controller, you get the cut-down version, called simply User Manager, rather than User Manager for Domains.

NT Workstation creates and manages user accounts with the program called simply User Manager. The job of User Manager on machine XYZ is to create user accounts that are relevant and useful only on machine XYZ. If a user on machine ABC wants access to data on machine XYZ, the owner of machine XYZ has to create an account for that user on XYZ, using the User Manager on machine XYZ.

On NT Server, the primary domain controller holds a shared database of all users known to the machines that have agreed to constitute a domain. That way, if a user needs access to servers in a domain, all you've got to do is build a single domain-wide account for that user with User Manager for Domains.

User accounts contain information like the user name, the password, and a description. All of that data sits in a file called SAM in the primary domain controller's \winnt\system32\config directory. SAM (Security Access Manager) lives in the PDC's registry, in an area that's grayed out if you try to peek into it. Whenever you run User Manager for Domains, you're directly manipulating that part of the registry on the PDC. No matter what machine you run User Manager for Domains from, your changes get stored in the PDC's registry.
User Manager for Domains provides the network administrator with the means to:

- Create, modify, and delete user accounts in the domain
- Define a user's desktop environment and network connections
- Assign logon scripts to user accounts
- Manage groups and group membership within the accounts in a domain
- Manage trust relationships between different domains in the network
- Manage a domain's security policies

If you are logged on as an administrator and you start up User Manager for Domains, all of its features are available to you. If you log on as a member of the Account Operators group, you won't be able to use some of User Manager for Domains' capabilities: you can manage most user accounts, but you cannot implement any of the security policies. If you log on as a mere mortal user, you can only look at user names with User Manager for Domains; it won't let you make any changes to those accounts.

In NT Server, a user account contains information such as the user's name, password, group membership, and the rights and privileges the user has for accessing resources on the network. These details are shown in Table 1.

Table 1: Information in a user account

Part of user account | Description
Account type | The particular type of user account, i.e. a local or global account.
Expiration date | A future date when the user account automatically becomes disabled.
Full name | The user's full name.
Home directory | A directory on the server that is private to the user; the user controls access to this directory.
Logon hours | The hours during which the user is allowed to log on to and access network services.
Logon script | A batch or executable file that runs automatically when the user logs on.
Logon workstations | The computer names of the NT workstations that the user is allowed to work from (by default, the user can work from any workstation).
Password | The user's secret password for logging on to his or her account.
Profile | A file containing a record of the user's desktop environment (program groups, network connections, screen color, and settings that determine what aspects of the environment the user can change) on NT workstations.
Username | A unique name the user types when logging on.

Pre-built accounts

If you're creating a new domain, you'll notice that two accounts, called Administrator and Guest, are built already. The Administrator account is an account with complete power over a domain. You can't delete it, but you can rename it. You assigned the password for the domain's Administrator account when you installed NT Server on the machine that became the primary domain controller for the domain. The other account is the Guest account. "Guest" means anyone that the domain doesn't recognize. By default, this account is disabled, and it should stay that way.
The Guest account is pretty restricted in the things it can do. If the Guest account is enabled on the server, then a user logged on to an NT Workstation can have access to a domain resource even though that user does not have a domain account. The mere fact that there is an enabled Guest account pretty much says to NT, "leave the back door open, okay?" So be careful when enabling the Guest account.
Predefined groups

A number of predefined groups, both local and global, are built into NT Server to aid network administration and management. The local groups are:

- Administrators
- Server Operators
- Account Operators
- Print Operators
- Backup Operators
- Everyone
- Users
- Guests
- Replicator

Administrators
Members of the Administrators local group have more control over the domain than any other users, and they are granted all of the rights necessary to manage the overall configuration of the domain and the domain's servers. Within the Administrators group is a built-in Administrator user account that cannot be deleted. By default, the Domain Admins global group is also a member of the Administrators group, but it can be removed.

Server Operators
The Server Operators local group has all of the rights needed to manage the domain's servers. Members of the Server Operators group can create, manage, and delete printer shares at servers; create, manage, and delete network shares at servers; back up and restore files on servers; format a server's fixed disk; lock and unlock servers; and change the system time. In addition, server operators can log on to the network from the domain's servers as well as shut down the servers.

Account Operators
Members of the Account Operators local group are allowed to use User Manager for Domains to create user accounts and groups for the domain, and to modify or delete most of the domain's user accounts and groups. An account operator cannot modify or delete the following groups:

- Administrators
- Domain Admins
- Account Operators
- Backup Operators
- Print Operators
- Server Operators

Likewise, members of this group cannot modify or delete the user accounts of administrators. They cannot administer the security policies, but they can use Server Manager to add computers to a domain, log on at servers, and shut down servers.
Print Operators
Members of this group can create, manage, and delete printer shares on an NT Server. Additionally, they can log on at and shut down servers.

Backup Operators
The Backup Operators local group provides its members the rights necessary to back up directories and files from a server and to restore directories and files to a server. Like the print operators, they can log on at and shut down servers.

Everyone
Everyone is not actually a group, and it doesn't appear in the user management list, but you can assign rights and permissions to it. Anyone who has a user account in the domain, including all local and remote users, is automatically a member of the Everyone local group. Not only are members of this group allowed to connect over the network to a domain's servers, but they are also granted the advanced right to change directories and travel through a directory tree on which they may not have permission. Members of the Everyone group also have the right to lock the server, but won't be able to unless they've been granted the right to log on locally at the server.

Users
Members of the group simply called Users have minimal rights at servers running NT Server. They are granted the right to create and manage local groups, but unless they have access to the User Manager for Domains tool (such as by being allowed to log on locally at the server), they can't perform this task. Members of the Users group do possess certain rights at their local NT workstations.

Guests
This is NT Server's built-in local group for occasional or one-time users to log on. Members of this group are granted very limited abilities. Guests have no rights at NT servers, but they do possess certain rights at their own individual workstations. The built-in Guest user account is automatically a member of the Guests group.

Replicator
This local group, different from the others, supports directory replication functions.
The only member of a domain's Replicator local group should be a single domain user account, which is used to log on to the replicator services of the domain controller and of the other servers in the domain. User accounts of actual users should not be added to this group at all.

Tables 2 through 9 summarize the user rights and special abilities granted to NT Server's predefined local groups.

Table 2: Rights/special abilities granted to the administrators group
- Rights: none
- Special abilities: none

Table 3: Rights/special abilities granted to the administrators group
- Create and manage user accounts
- Access this computer from the network
- Create and manage global groups
- Take ownership of files
- Assign user rights
- Manage auditing and security log
- Lock the server & override the server's lock
- Change the system time
- Create common groups
- Format the server's hard disk
- Force shutdown from a remote system
- Keep a local profile
- Backup files and directories
- Share and stop sharing directories and printers

Table 4: Rights/special abilities granted to the server operators
- Lock the server & override the server's lock
- Change the system time
- Create common groups
- Format the server's hard disk
- Force shutdown from a remote system
- Keep a local profile
- Backup files and directories
- Share and stop sharing directories and printers
- Restore files and directories

Table 5: Rights/special abilities granted to the account operators
- Create and manage user accounts, global groups, and local groups
- Keep a local profile

Table 6: Rights/special abilities granted to the print operators
- Keep a local profile
- Share and stop sharing printers

Table 7: Rights/special abilities granted to the backup operators
- Keep a local profile
- Backup files and directories
- Restore files and directories

Table 8: Rights/special abilities granted to the everyone group
- Access this computer from the network
- Lock the server

Table 9: Rights/special abilities granted to the Users group
- Rights: none
- Special abilities: Create and manage local groups
Global groups

NT Server has only three built-in global groups:

- Domain Admins
- Domain Users
- Domain Guests

Domain Admins
By placing a user account into this global group, you provide administrative-level abilities to that user. Members of Domain Admins can administer the home domain, the workstations of the domain, and any other trusted domains that have added the Domain Admins global group to their own Administrators local group. By default, the built-in Domain Admins group is a member of both the domain's Administrators local group and the Administrators local group of every NT Workstation in the domain. The built-in Administrator user account for the domain is automatically a member of the Domain Admins global group.

Domain Users
Members of the Domain Users global group have normal user access to, and abilities for, both the domain itself and any NT Workstation in the domain. This group contains all domain user accounts, and is by default a member of the Users local group for both the domain and every Windows NT Workstation in the domain.

Domain Guests
This group allows guest accounts to access resources across domain boundaries, if the domain administrators have allowed that.

In addition to the built-in local and global groups, a few special groups appear now and again when viewing certain lists of groups:

- Interactive: anyone using the computer locally
- Network: all users connected over the network to a computer
- System: the operating system
- Creator Owner: the creator and/or owner of subdirectories, files, and print jobs

The Interactive and Network groups combined form the Everyone local group.
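The rights tables above, the list of groups an account operator may not touch, and the default nesting of Domain Admins and Domain Users into the Administrators and Users local groups together describe an additive model: an account's effective rights are the union of the rights of every group it ends up in, and the account-operator restriction is a check on the target's group membership. The following Python script is an added example, not part of the notes, that encodes those rules and resolves effective rights and modify permissions for constructed sample accounts. The group names, rights and protected groups are transcribed from the notes; the function names, the resolution logic and the sample accounts are assumptions made for this example.

```python
"""Model of the additive rights scheme the notes describe for NT Server.

Group names, the rights in tables 3-9, the groups an account operator may not
touch, and the default nesting of Domain Admins/Domain Users into the
Administrators/Users local groups are transcribed from the notes. The function
names, the resolution logic and the sample accounts are assumptions made for
this example.
"""

# Rights/special abilities per predefined local group (tables 3-9 of the notes).
LOCAL_GROUP_RIGHTS = {
    "Administrators": {
        "Create and manage user accounts", "Access this computer from the network",
        "Create and manage global groups", "Take ownership of files",
        "Assign user rights", "Manage auditing and security log",
        "Lock the server & override the server's lock", "Change the system time",
        "Create common groups", "Format the server's hard disk",
        "Force shutdown from a remote system", "Keep a local profile",
        "Backup files and directories",
        "Share and stop sharing directories and printers",
    },
    "Server Operators": {
        "Lock the server & override the server's lock", "Change the system time",
        "Create common groups", "Format the server's hard disk",
        "Force shutdown from a remote system", "Keep a local profile",
        "Backup files and directories",
        "Share and stop sharing directories and printers",
        "Restore files and directories",
    },
    "Account Operators": {
        "Create and manage user accounts, global groups, and local groups",
        "Keep a local profile",
    },
    "Print Operators": {"Keep a local profile", "Share and stop sharing printers"},
    "Backup Operators": {
        "Keep a local profile", "Backup files and directories",
        "Restore files and directories",
    },
    "Everyone": {"Access this computer from the network", "Lock the server"},
    "Users": {"Create and manage local groups"},
    "Guests": set(),
}

# Groups whose members may create and manage user accounts (tables 3 and 5).
ACCOUNT_MANAGERS = {"Administrators", "Account Operators"}

# Groups an account operator may not modify or delete ("Account Operators" section).
PROTECTED_GROUPS = {"Administrators", "Domain Admins", "Account Operators",
                    "Backup Operators", "Print Operators", "Server Operators"}

# Default nesting of built-in global groups into local groups ("Global groups").
GLOBAL_TO_LOCAL = {"Domain Admins": "Administrators", "Domain Users": "Users"}


def local_groups(memberships):
    """Expand an account's memberships: global groups pull in the local group
    they nest into, and every domain account is implicitly in Everyone."""
    groups = set(memberships) | {"Everyone"}
    groups |= {GLOBAL_TO_LOCAL[g] for g in memberships if g in GLOBAL_TO_LOCAL}
    return groups


def effective_rights(memberships):
    """Rights are additive: the union of the rights of every group the
    account ends up in. Nothing here ever removes a right."""
    rights = set()
    for group in local_groups(memberships):
        rights |= LOCAL_GROUP_RIGHTS.get(group, set())
    return rights


def can_modify_account(actor_memberships, target_memberships):
    """Apply the notes' rules for who may modify or delete an account:
    administrators may modify anyone; account operators may modify most
    accounts but not members of the protected groups (which covers every
    administrator account); everyone else may only look."""
    actor = local_groups(actor_memberships)
    if not actor & ACCOUNT_MANAGERS:
        return False
    if "Administrators" in actor:
        return True
    return not (local_groups(target_memberships) & PROTECTED_GROUPS)


if __name__ == "__main__":
    # Constructed sample accounts (not from the notes).
    accounts = {
        "alice": ["Domain Admins"],
        "bob": ["Account Operators"],
        "carol": ["Print Operators", "Domain Users"],
    }
    for name, groups in accounts.items():
        print(f"{name}: {sorted(effective_rights(groups))}")
    print("bob may modify carol:", can_modify_account(accounts["bob"], accounts["carol"]))
    print("bob may modify alice:", can_modify_account(accounts["bob"], accounts["alice"]))
```

Running the script shows why the notes stress membership rather than individual rights: a print operator who is also in Domain Users picks up the Users and Everyone rights on top of the print-operator ones, and an account operator is refused on any target that is in a protected group, no matter how the target got there.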
Adding computers to a domain

Members of the Administrators, Domain Admins, and Account Operators groups can grant computers membership in a domain. It is the computers that are acknowledged as members of the domain, not the users. Adding a computer to a domain is a two-step process. First, the machine account for the computer must be created in the domain. Then the computer must actually join the domain, a separate step performed at the computer itself, either during installation of NT or afterwards in its Control Panel.

You can create a machine account for an NT machine as follows:

1. Launch Server Manager at the Windows NT Server.
2. From the Computer menu, choose Add to Domain. You will see the Add Computer to Domain dialog box.
3. Under Computer Type, choose the option Windows NT Workstation or Server.
4. Type the computer name, and choose Add.
5. You can continue adding other computers, and close the dialog box when you are finished.

Joining a workgroup or domain with Windows NT Workstation 4.0

You can join a workgroup or a Windows NT Server domain from the Network dialog box. To join a workgroup, you must log on as a member of the Administrators group or the Domain Admins global group. Make sure you specify a workgroup name that is not the same as the computer name. When joining a domain, check with the system administrator to make sure you're using the correct domain name and that you have a user account on that domain.

To join a workgroup or domain, follow these steps:

1. In the Network dialog box, choose the Identification tab and choose Change. The Identification Changes dialog box appears.
2. In the Member of area, choose either Workgroup or Domain. In the text box, enter the exact name of the workgroup or domain.
3. If you choose Domain and you're the domain administrator, enter the user name and password of your account. This is not required if you have already created an account for the computer in Server Manager on the domain controller.
4. Choose OK to close the dialog box.
If you joined a domain, a welcome dialog box appears; choose OK to close it.

Joining a workgroup or domain with Windows 9x

To configure Windows 9x to join a domain, perform the following steps:

1. Click Start, Control Panel, and Networking. You will see the Network dialog box.
2. Select the Configuration tab and double-click Client for Microsoft Networks.
3. In the Logon Validation section, check the box labeled "Log on to Windows NT domain" and fill in the domain's name. Click OK to return to the Network applet and OK again to tell the Control Panel that you're finished. It will load some files and reboot.
4. Once the computer reboots, you'll see a new login dialog box; one of its fields is the domain field.