Users
User is an object or security principle which has authority to perform activities on a Windows
based machine. Every user has an right to perform activities and has a user login name and
password. There are two types of users in Windows network environment i.e. Local User and
Global User.
Local Users
• Used in workgroup environment
• Created only on Non-Domain Controller
• Can log on to the same machine where his account is created
• Created using computer management
• Cannot be created on domain controller
• Local user are created on member server, windows 2000/XP professional.
Domain Global User (Active directory user)
• Used in domain environment
• Created only on domain controllers
• Can log on to any machine in a domain
• Created using Active directory users and computers snap-in or using command-line tool
Creating active directory global user from command line
Dsadd user “USERDN” –samid <samid> -upn <name@domainname> -pwd <password>
Example :
dsadd user “cn=ajay raul, cn=Users, dc=vision,dc=com” –samid ajayraul –upn
ajayraul@vision.com –pwd 123_abc
Built-in Users
There are two built-in users account i.e. Administrator and Guest. Administrator is a user who
has full access to every resources of a windows based machine. The administrator can perform a
variety of task. We cannot delete this account but we can rename it. Where as the guest account
is designed to permit limited access to network resources. For example, a client visiting your
office might want to access some network resources for limited period of time. Guest account is
disable by default. Once guest account is enabled client can logon to network using this account.
So it is recommended to disable guest account. The guest account does not require a password.
You cannot delete guest account, but can rename it.
Steps for creating domain based global user
1. Select Start – Programs - Administrative Tools - Active Directory Users and Computers
snap-in.
2. In the left pane of the Active Directory Users and Computers dialog box, click the + next
to the name of the domain in which you want to create a domain user account. Highlight
the Users folder or the OU in which you want to create a domain user account, and right
click Action New User.
3. The New Object - User dialog box appears on the screen.
Enter the first name, middle initial, and last name of the new user in the appropriate text
boxes. Windows 2000 automatically displays the full name based on the information you
entered. Enter a user logon name — this is the user name. Click Next.
4. The next New Object - User dialog box appears on your screen.
Enter the password for the new user account, and confirm the password by retyping it. There are
four check boxes that can be selected in this dialog box, none of which are selected by default:
User must change password at next logon: Select this check box if you want the user to choose
and enter a new password the first time the user logs on.
User cannot change password: Select this check box if you — the network administrator —
want to manage and assign user passwords.
Password never expires: Select this check box if you are configuring a user account for a
Windows 2000 service to use when it logs on.
Account is disabled: Select this check box if you are creating a user template.
5. In the next New Object - User dialog box, click Finish.
6. Windows 2008 creates the new user account, and displays it in the right pane of the
Active Directory Users and Computers dialog box.
Groups
Group types
Security Group : A group that can be listed in discretionary access control lists (DACLs) used
to define permissions on resources and objects. In simple security groups are group to which
rights and permission can be assigned.
Distribution Group : A group that is used solely for e-mail distribution and that is not securityenabled.
Distribution groups cannot be listed in discretionary access control lists (DACLs) used
to define permissions on resources and objects. Distribution groups can be used only with e-mail
applications (such as Microsoft Exchange) to send e-mail to collections of users. If you do not
need a group for security purposes, create a distribution group instead of a security group.
There are three group scopes: universal, global, and domain local
• Members of universal groups can include other groups and accounts from any domain in
the domain tree or forest and can be assigned permissions in any domain in the domain
tree or forest.
• Members of global groups can include other groups and accounts only from the domain
in which the group is defined and can be assigned permissions in any domain in the
forest.
• Members of domain local groups can include other groups and accounts from Windows
Server 2003, Windows 2000, or Windows NT domains and can be assigned permissions
only within a domain.
Universal scope
• When the domain functional level is set to Windows 2000 native or Windows Server
2003, members of universal groups can include accounts, global groups, and universal
groups from any domain.
• When the domain functional level is set to Windows 2000 mixed, security groups with
universal scope cannot be created
• When the domain functional level is set to Windows 2000 native or Windows Server
2003, groups can be added to other groups and assigned permissions in any domain
• Groups can be converted to domain local scope. Groups can be converted to global scope,
as long as no other universal groups exists as members.
Global scope
• When the domain functional level is set to Windows 2000 native or Windows Server
2003, members of global groups can include accounts and global groups from the same
domain.
• When the domain functional level is set to Windows 2000 mixed, members of global
groups can include accounts from the same domain.
• Groups can be added to other groups and assigned permissions in any domain.
• Groups can be converted to universal scope, as long as the group is not a member of any
other group with global scope.
Domain local scope
• When the domain functional level is set to Windows 2000 native or Windows Server
2003, members of domain local scope can include accounts, global groups, and universal
groups from any domain, as well as domain local groups from the same domain
• When the domain functional level is set to Windows 2000 native or Windows Server
2003, members of domain local groups can include accounts and global groups from any
domain.
• Groups can be added to other domain local groups and assigned permissions only in the
same domain.
• Groups can be converted to universal scope, as long as the group does not have as its
member another group with domain local scope.
Changing group scope
• Global to universal : This is only allowed if the group you want to change is not a
member of another global scope group.
• Domain local to universal : This is only allowed if the group you want to change does
not have another domain local group as a member.
• Universal to global : This is only allowed if the group you want to change does not have
another universal group as a member.
• Universal to domain local : No restrictions for this operation
Built-in Default Groups
• Administrators : Members of this group have full control of the server and can assign
user rights and access control permissions to users as necessary.
• Backup Operators : Members of this group can back up and restore files on the server,
regardless of any permissions that protect those files.
• DHCP Administrators : Members of this group have administrative access to the
Dynamic Host Configuration Protocol (DHCP) Server service.
• Guests : Members of this group will have a temporary profile created at log on, and
when the member logs off, the profile will be deleted.
• HelpServicesGroup : This group allows administrators to set rights common to all
support applications. By default, the only group member is the account associated with
Microsoft support applications, such as Remote Assistance. Do not add users to this
group.
• Network Configuration Operators : Members of this group can make changes to
TCP/IP settings and renew and release TCP/IP addresses
• Performance Monitor Users : Members of this group can monitor performance counters
on the server locally and from remote clients without being a member of the
Administrators or Performance Log Users groups.
• Power Users : Members of this group can create user accounts and then modify and
delete the accounts they have created. They can create local groups and then add or
remove users from the local groups they have created
• Print Operators : Members of this group can manage printers and print queues.
• Remote Desktop Users : Members of this group can remotely log on to a server
• Terminal Server Users :This group contains any users who are currently logged on to
the system using Terminal Server
And many more
Steps to Create Groups
To create Groups you must have administrative privileges or rights. Domain based Groups are
only created on Domain Controllers. Active Directory users and computer snap-in is a tool used
for creating Groups. Below are the steps used to create groups
1) Click on Start – Program – Administrative Tools – Active Directory Users and Computer
2) When you click on Active Directory Users and Computer snap-in a MMC Console
appears on you screen.
3) Right click on the user Icon and then select New – Groups. When you do so the group
creation window appears on screen as show below.
Here you have specified a unique group name, group type and group scope.
4) After specifying the details shown above click on OK to create a new Group.
5) Next you can add users or other groups to the new groups or you can make this group a
member of existing group.
6) To add user to this group right click on the group and then go to properties as show below
7) Then go to member tab and select the user who wants to be member of this group.
8) To make this group the member of existing group you can go to Members Of tab.
9) After doing so click on OK to finish.
Note : You can also add a user to a group by going to User properties and then to Member tab
and then add the group you want.
Managing user Policies
Windows 2008 policies are rules or setting applied to users in a domain or workgroup. These
setting are not applied to an individual user, but rather applied to all or multiple users. The
various policies setting are like
• Password policy
• Account Lockout policy
• Kerberos policy
Password Policy
This policy setting contains user password setting like passsword age, password length, password
history, etc.
Enforce Password History : This setting specifies how many password a user must use before
an old password can be reused. If you set this value to 5 passwords, it means you cannot use
same password after 5 different password. This value ranges from 0 to 24.
Maximum password age : This setting specifies for how many days the same password can be
used. The value ranges from 0 to 999 and default is 42 days.
Minimum password age : This setting specifies for how many minimum days a user must use
the same password before changing it. This value ranges from 0 to 998.
Minimum password length : This setting specifies the length of the password. The value ranges
from 0 to 14.
Passowrd must meet complexity requirement : This setting specifies that the password should
be complex combining of charaters, numbers, special charaters, etc. eg : V103_IN03
Store password using reversible encryption : This setting specifies whether password should
be stored using one-way encryption or reversible encryption. One-way encryption is more secure
the reverse encryption. This setting should only be used when you have domain with apple
computers or any application that only supports reverse encryptions.
Account Lockout Policy
This policy are use as a security parameters to secure users password and accounts. There are 3
setting available to secure user accounts. This policy tracks user account locking feature if any
invalid attempts are made.
Account Lockout Threshold : This setting specifies that when to lock a user account if how
many unsuccessful attempt is made. This value ranges from 0 to 999.
Account lockout duration : This setting specifies for how long duration the user account must
be locked. The value ranges from 0 to 99999 minutes. Administration has a right to manually
unlock a locked user account.
Reset account lockout counter : This setting specifies the number of minutes the counter must
be reset so that the user gets new attempts. This value ranges from 0 to 99999 minutes. This
value should be equal to account lockout duration.
Kerberos Policy
This policy setting applies to Kerberos V5 authentication protocol use by Windows
2000/2003/2008 operating system. This feature is used in domain environment only and
operating system that supports its like Windows 2000/XP/2003/2008/Vista/7. This feature is not
supported by Windows NT/9x,etc.
Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization
Account Policy Setting for a Domain
1. Select Start.- Programs - Administrative Tools – Group Policy Management.
2. In the Group Policy Management Window Select the domain and under the domain select
group policy.
3. Next select the domain security policy and right click and select edit.
4. The GPO window now appears on the screen
5. Next select windows settings under computer configuration.
6. Under Windows seetings , click the Security Settings. Then click the Account Policies.
7. In the dialog box, highlight the type of account policies you want to set, either Password
Policy, Account Lockout Policy, or Kerberos Policy. Notice the six configurable settings
displayed in the right pane.
8. To set account policies, in the right pane, double-click the setting you want to configure.
For example, suppose you want to configure the minimum password length.
9. In this case, the Security Policy Setting dialog box would be displayed, specify the
minimum number of required characters in user passwords. Make the appropriate
configurations in the Security Policy Setting dialog box and click OK.
10. Repeat Steps 3 through 5 to set additional account policies as necessary. When you’ve
finished setting account policies, close the Domain Security Policy dialog box.
User rights
User rights are rights assigned to user to perform specific type of task on a Windows XP/Vista/7
based computer. User rights enable a user to perform various activities like load and unload
device drivers, log on locally, backup files and folders, etc. The procedure for assigning user
rights is same as assigning account setting to the user.
The various rights are as under
• Access this computer from the network
• Deny access to this computer from the network
• Deny logon as a batch job
• Deny logon as a service
• Deny logon locally
• Log on as a batch job
• Log on as a service
• Log on locally
• Act as part of the operating system
• Add workstations to domain
• Back up files and directories
• Bypass traverse checking
• Change the system time
• Create a pagefile
• Create a token object
• Create permanent shared objects
• Debug programs
• Enable computer and user accounts to be trusted for delegation
• Force shutdown from a remote system
• Generate security audits
• Increase quotas
• Increase scheduling priority
• Load and unload device drivers
• Lock pages in memory
• Manage auditing and security log
• Modify firmware environment values
• Profile single process
• Profile system performance
• Remove computer from docking station
• Replace a process level token
• Restore files and directories
• Shut down the system
• Synchronize directory service data
• Take ownership of files or other objects
User is an object or security principle which has authority to perform activities on a Windows
based machine. Every user has an right to perform activities and has a user login name and
password. There are two types of users in Windows network environment i.e. Local User and
Global User.
Local Users
• Used in workgroup environment
• Created only on Non-Domain Controller
• Can log on to the same machine where his account is created
• Created using computer management
• Cannot be created on domain controller
• Local user are created on member server, windows 2000/XP professional.
Domain Global User (Active directory user)
• Used in domain environment
• Created only on domain controllers
• Can log on to any machine in a domain
• Created using Active directory users and computers snap-in or using command-line tool
Creating active directory global user from command line
Dsadd user “USERDN” –samid <samid> -upn <name@domainname> -pwd <password>
Example :
dsadd user “cn=ajay raul, cn=Users, dc=vision,dc=com” –samid ajayraul –upn
ajayraul@vision.com –pwd 123_abc
Built-in Users
There are two built-in users account i.e. Administrator and Guest. Administrator is a user who
has full access to every resources of a windows based machine. The administrator can perform a
variety of task. We cannot delete this account but we can rename it. Where as the guest account
is designed to permit limited access to network resources. For example, a client visiting your
office might want to access some network resources for limited period of time. Guest account is
disable by default. Once guest account is enabled client can logon to network using this account.
So it is recommended to disable guest account. The guest account does not require a password.
You cannot delete guest account, but can rename it.
Steps for creating domain based global user
1. Select Start – Programs - Administrative Tools - Active Directory Users and Computers
snap-in.
2. In the left pane of the Active Directory Users and Computers dialog box, click the + next
to the name of the domain in which you want to create a domain user account. Highlight
the Users folder or the OU in which you want to create a domain user account, and right
click Action New User.
3. The New Object - User dialog box appears on the screen.
Enter the first name, middle initial, and last name of the new user in the appropriate text
boxes. Windows 2000 automatically displays the full name based on the information you
entered. Enter a user logon name — this is the user name. Click Next.
4. The next New Object - User dialog box appears on your screen.
Enter the password for the new user account, and confirm the password by retyping it. There are
four check boxes that can be selected in this dialog box, none of which are selected by default:
User must change password at next logon: Select this check box if you want the user to choose
and enter a new password the first time the user logs on.
User cannot change password: Select this check box if you — the network administrator —
want to manage and assign user passwords.
Password never expires: Select this check box if you are configuring a user account for a
Windows 2000 service to use when it logs on.
Account is disabled: Select this check box if you are creating a user template.
5. In the next New Object - User dialog box, click Finish.
6. Windows 2008 creates the new user account, and displays it in the right pane of the
Active Directory Users and Computers dialog box.
Groups
Group types
Security Group : A group that can be listed in discretionary access control lists (DACLs) used
to define permissions on resources and objects. In simple security groups are group to which
rights and permission can be assigned.
Distribution Group : A group that is used solely for e-mail distribution and that is not securityenabled.
Distribution groups cannot be listed in discretionary access control lists (DACLs) used
to define permissions on resources and objects. Distribution groups can be used only with e-mail
applications (such as Microsoft Exchange) to send e-mail to collections of users. If you do not
need a group for security purposes, create a distribution group instead of a security group.
There are three group scopes: universal, global, and domain local
• Members of universal groups can include other groups and accounts from any domain in
the domain tree or forest and can be assigned permissions in any domain in the domain
tree or forest.
• Members of global groups can include other groups and accounts only from the domain
in which the group is defined and can be assigned permissions in any domain in the
forest.
• Members of domain local groups can include other groups and accounts from Windows
Server 2003, Windows 2000, or Windows NT domains and can be assigned permissions
only within a domain.
Universal scope
• When the domain functional level is set to Windows 2000 native or Windows Server
2003, members of universal groups can include accounts, global groups, and universal
groups from any domain.
• When the domain functional level is set to Windows 2000 mixed, security groups with
universal scope cannot be created
• When the domain functional level is set to Windows 2000 native or Windows Server
2003, groups can be added to other groups and assigned permissions in any domain
• Groups can be converted to domain local scope. Groups can be converted to global scope,
as long as no other universal groups exists as members.
Global scope
• When the domain functional level is set to Windows 2000 native or Windows Server
2003, members of global groups can include accounts and global groups from the same
domain.
• When the domain functional level is set to Windows 2000 mixed, members of global
groups can include accounts from the same domain.
• Groups can be added to other groups and assigned permissions in any domain.
• Groups can be converted to universal scope, as long as the group is not a member of any
other group with global scope.
Domain local scope
• When the domain functional level is set to Windows 2000 native or Windows Server
2003, members of domain local scope can include accounts, global groups, and universal
groups from any domain, as well as domain local groups from the same domain
• When the domain functional level is set to Windows 2000 native or Windows Server
2003, members of domain local groups can include accounts and global groups from any
domain.
• Groups can be added to other domain local groups and assigned permissions only in the
same domain.
• Groups can be converted to universal scope, as long as the group does not have as its
member another group with domain local scope.
Changing group scope
• Global to universal : This is only allowed if the group you want to change is not a
member of another global scope group.
• Domain local to universal : This is only allowed if the group you want to change does
not have another domain local group as a member.
• Universal to global : This is only allowed if the group you want to change does not have
another universal group as a member.
• Universal to domain local : No restrictions for this operation
Built-in Default Groups
• Administrators : Members of this group have full control of the server and can assign
user rights and access control permissions to users as necessary.
• Backup Operators : Members of this group can back up and restore files on the server,
regardless of any permissions that protect those files.
• DHCP Administrators : Members of this group have administrative access to the
Dynamic Host Configuration Protocol (DHCP) Server service.
• Guests : Members of this group will have a temporary profile created at log on, and
when the member logs off, the profile will be deleted.
• HelpServicesGroup : This group allows administrators to set rights common to all
support applications. By default, the only group member is the account associated with
Microsoft support applications, such as Remote Assistance. Do not add users to this
group.
• Network Configuration Operators : Members of this group can make changes to
TCP/IP settings and renew and release TCP/IP addresses
• Performance Monitor Users : Members of this group can monitor performance counters
on the server locally and from remote clients without being a member of the
Administrators or Performance Log Users groups.
• Power Users : Members of this group can create user accounts and then modify and
delete the accounts they have created. They can create local groups and then add or
remove users from the local groups they have created
• Print Operators : Members of this group can manage printers and print queues.
• Remote Desktop Users : Members of this group can remotely log on to a server
• Terminal Server Users :This group contains any users who are currently logged on to
the system using Terminal Server
And many more
Steps to Create Groups
To create Groups you must have administrative privileges or rights. Domain based Groups are
only created on Domain Controllers. Active Directory users and computer snap-in is a tool used
for creating Groups. Below are the steps used to create groups
1) Click on Start – Program – Administrative Tools – Active Directory Users and Computer
2) When you click on Active Directory Users and Computer snap-in a MMC Console
appears on you screen.
3) Right click on the user Icon and then select New – Groups. When you do so the group
creation window appears on screen as show below.
Here you have specified a unique group name, group type and group scope.
4) After specifying the details shown above click on OK to create a new Group.
5) Next you can add users or other groups to the new groups or you can make this group a
member of existing group.
6) To add user to this group right click on the group and then go to properties as show below
7) Then go to member tab and select the user who wants to be member of this group.
8) To make this group the member of existing group you can go to Members Of tab.
9) After doing so click on OK to finish.
Note : You can also add a user to a group by going to User properties and then to Member tab
and then add the group you want.
Managing user Policies
Windows 2008 policies are rules or setting applied to users in a domain or workgroup. These
setting are not applied to an individual user, but rather applied to all or multiple users. The
various policies setting are like
• Password policy
• Account Lockout policy
• Kerberos policy
Password Policy
This policy setting contains user password setting like passsword age, password length, password
history, etc.
Enforce Password History : This setting specifies how many password a user must use before
an old password can be reused. If you set this value to 5 passwords, it means you cannot use
same password after 5 different password. This value ranges from 0 to 24.
Maximum password age : This setting specifies for how many days the same password can be
used. The value ranges from 0 to 999 and default is 42 days.
Minimum password age : This setting specifies for how many minimum days a user must use
the same password before changing it. This value ranges from 0 to 998.
Minimum password length : This setting specifies the length of the password. The value ranges
from 0 to 14.
Passowrd must meet complexity requirement : This setting specifies that the password should
be complex combining of charaters, numbers, special charaters, etc. eg : V103_IN03
Store password using reversible encryption : This setting specifies whether password should
be stored using one-way encryption or reversible encryption. One-way encryption is more secure
the reverse encryption. This setting should only be used when you have domain with apple
computers or any application that only supports reverse encryptions.
Account Lockout Policy
This policy are use as a security parameters to secure users password and accounts. There are 3
setting available to secure user accounts. This policy tracks user account locking feature if any
invalid attempts are made.
Account Lockout Threshold : This setting specifies that when to lock a user account if how
many unsuccessful attempt is made. This value ranges from 0 to 999.
Account lockout duration : This setting specifies for how long duration the user account must
be locked. The value ranges from 0 to 99999 minutes. Administration has a right to manually
unlock a locked user account.
Reset account lockout counter : This setting specifies the number of minutes the counter must
be reset so that the user gets new attempts. This value ranges from 0 to 99999 minutes. This
value should be equal to account lockout duration.
Kerberos Policy
This policy setting applies to Kerberos V5 authentication protocol use by Windows
2000/2003/2008 operating system. This feature is used in domain environment only and
operating system that supports its like Windows 2000/XP/2003/2008/Vista/7. This feature is not
supported by Windows NT/9x,etc.
Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization
Account Policy Setting for a Domain
1. Select Start.- Programs - Administrative Tools – Group Policy Management.
2. In the Group Policy Management Window Select the domain and under the domain select
group policy.
3. Next select the domain security policy and right click and select edit.
4. The GPO window now appears on the screen
5. Next select windows settings under computer configuration.
6. Under Windows seetings , click the Security Settings. Then click the Account Policies.
7. In the dialog box, highlight the type of account policies you want to set, either Password
Policy, Account Lockout Policy, or Kerberos Policy. Notice the six configurable settings
displayed in the right pane.
8. To set account policies, in the right pane, double-click the setting you want to configure.
For example, suppose you want to configure the minimum password length.
9. In this case, the Security Policy Setting dialog box would be displayed, specify the
minimum number of required characters in user passwords. Make the appropriate
configurations in the Security Policy Setting dialog box and click OK.
10. Repeat Steps 3 through 5 to set additional account policies as necessary. When you’ve
finished setting account policies, close the Domain Security Policy dialog box.
User rights
User rights are rights assigned to user to perform specific type of task on a Windows XP/Vista/7
based computer. User rights enable a user to perform various activities like load and unload
device drivers, log on locally, backup files and folders, etc. The procedure for assigning user
rights is same as assigning account setting to the user.
The various rights are as under
• Access this computer from the network
• Deny access to this computer from the network
• Deny logon as a batch job
• Deny logon as a service
• Deny logon locally
• Log on as a batch job
• Log on as a service
• Log on locally
• Act as part of the operating system
• Add workstations to domain
• Back up files and directories
• Bypass traverse checking
• Change the system time
• Create a pagefile
• Create a token object
• Create permanent shared objects
• Debug programs
• Enable computer and user accounts to be trusted for delegation
• Force shutdown from a remote system
• Generate security audits
• Increase quotas
• Increase scheduling priority
• Load and unload device drivers
• Lock pages in memory
• Manage auditing and security log
• Modify firmware environment values
• Profile single process
• Profile system performance
• Remove computer from docking station
• Replace a process level token
• Restore files and directories
• Shut down the system
• Synchronize directory service data
• Take ownership of files or other objects
No comments:
Post a Comment