• Configure local user accounts
• Create and configure domain user accounts
• Implement user profiles
• Create and configure computer accounts
• Automate the creation of users, computers, and groups
• Secure user accounts
• Troubleshoot logon problems
• Implement local groups
• Implement domain groups
• Use domain local, global, and universal groups to grant access to resources
• Grant access to resources in other domains
• Use group nesting
With the release of Windows 2000, Microsoft introduced Active Directory, a scalable, robust directory service. However, the fundamental building block of Microsoft’s directory service continues to be the domain. A domain is a logical grouping for network resources, including servers, shares, printers, groups, and, of course, user accounts. Every individual who requires access to network or computer resources must have a user account. The user account represents the individual to the domain, and allows for different types of access and different types of tasks. Every user account is unique! It is the uniqueness of the user account that allows administrators to control access for every member of the domain.
There are two types of user accounts that you must be familiar with: local accounts and domain accounts. Local accounts are maintained in the local database of a computer and cannot be used to grant access to network resources. Local accounts are primarily used to administer a computer or to allow several people to share a single computer that is not a member of a domain. Domain user accounts are much more widely used in organizations than local user accounts because they allow for central administration and users can log on to any computer in the domain. Domain user accounts are stored in Active Directory, and a user with a domain account is able to log on to any computer in the domain, except if they have been specifically restricted from the computer. (Users can’t log on to domain controllers, for example. A user must be a member of the Domain Admins group, or have been specifically granted rights to log on to a domain controller.) Using local user accounts in a large organization would be extremely cumbersome and impractical, as they would require that each user maintain a different user account for every computer they logged into. The administration of such an environment would be nightmarish.
Although a user account is required to access network resources, granting access to individual users would be a monumental task in larger networks. To make the administration of resources easier, user accounts are collected into groups, and access is granted to a group instead of an individual account. By collecting user accounts into groups, network access can be granted to all members of a group at the same time. When access to a specific network resource, such as a printer, is required, it is simpler to assign access to a group than to assign access to each user account.
Just as there are local accounts and domain accounts, there are also local groups and domain groups. Again, local groups are used to administer the computer or to grant access to local user accounts. Domain groups are much more powerful, and can be used not only to grant access for users in the network, but also to grant access for users in other networks and other domains. Although setting up a group strategy can be complicated, once the groups are implemented, administering access to resources is much simpler than administering access by only using the user account.
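The group-based pattern described above, done from PowerShell on a stand-alone computer, as an added example that is not part of the chapter: a local group is created, accounts are made members, and a single access control entry for the group is placed on a folder, so access is later changed by editing membership rather than the folder’s ACL. The group name, member names and folder path are constructed placeholders, and the script assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later) and an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not the chapter's own code. Names and path are placeholders.
$GroupName  = 'ProjectReaders'        # assumed local group
$Members    = @('alice', 'bob')       # assumed existing local user accounts
$FolderPath = 'C:\Shares\Project'     # assumed folder to protect

# 1. Create the group once; re-running the script must not fail.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Read access to the project folder' | Out-Null
}

# 2. Membership, not the ACL, is what carries access from here on.
foreach ($m in $Members) {
    $already = Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -like "*\$m" }
    if (-not $already) { Add-LocalGroupMember -Group $GroupName -Member $m }
}

# 3. One ACE for the group: Read & Execute, inherited by files and subfolders.
if (-not (Test-Path -Path $FolderPath)) {
    New-Item -ItemType Directory -Path $FolderPath | Out-Null
}
$acl  = Get-Acl -Path $FolderPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:COMPUTERNAME\$GroupName",
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 4. Verify: the folder's ACL names the group exactly once, and the individual
#    users appear only as group members, never as separate ACEs.
(Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
Get-LocalGroupMember -Group $GroupName |
    Format-Table Name, ObjectClass, SID -AutoSize
```

Removing a user’s access is then `Remove-LocalGroupMember -Group $GroupName -Member <name>`; the folder’s ACL is never touched again, which is the administrative saving the chapter describes. The same pattern applies to domain groups on a domain member, with the ACE identity written as `DOMAIN\GroupName`.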
Security and troubleshooting will also be covered in this chapter. It is not enough to create accounts for users and then place the accounts into groups to allow access to network resources; you must also concern yourself with ensuring that unauthorized users are not able to gain access to the network. There are many types of network attacks, but some of the most devastating are when an attacker gains access by using a user account and impersonates an authorized user. You will learn some strategies to prevent this type of attack. Also, although logging on to a Windows domain is relatively simple (press
A user account is used to identify an individual to a computer or a network. A user account consists of an account name and password, and a unique identifier. This unique identifier is a binary bit number of variable length that is generated by the computer or the domain where the account is created. This security identifier (SID) identifies the user to the computer or domain, and is used when a user attempts to gain access to a resource. A user account also may have other attributes, such as group membership, remote access permissions, e-mail addresses, and others. Every user who logs on to a Windows computer must have a valid user account, either for that computer or for the domain the computer belongs to. At logon, the user has to select whether they are logging on to a domain or to the local computer. The user’s credentials are then either checked against the local database or against Active Directory as appropriate.
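To make the SID concrete, here is an added PowerShell example (not code from the chapter) that resolves account names to their SIDs and breaks each SID into the parts the paragraph describes: the issuing computer or domain, and the relative identifier (RID) that is unique within that issuer. It runs on any Windows host; the domain lookup is attempted only when the current logon is a domain logon, and the account names are assumed placeholders.

```powershell
# Added example, not the chapter's own code.
function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)   # 'alice', 'Everyone' or 'DOMAIN\alice'
    # Translation goes through LSA: the local SAM for local names, the
    # domain controller for DOMAIN\name. Unknown names throw IdentityNotMappedException.
    ([System.Security.Principal.NTAccount]::new($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Split-Sid {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    $parts = $Sid.Value.Split('-')      # 'S', '1', <authority>, <sub-authorities...>
    [pscustomobject]@{
        Sid            = $Sid.Value
        Length         = $Sid.BinaryLength   # variable: 8 bytes + 4 per sub-authority
        SubAuthorities = $parts.Count - 3
        IssuerSid      = $Sid.AccountDomainSid  # machine/domain SID; $null for well-known SIDs
        Rid            = [int]$parts[-1]        # the issuer-relative part
    }
}

# The interactive user's token carries the SID that logon produced.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Logged on as $($me.Name) with SID $($me.User)"

# Constructed sample set: a well-known SID, the local built-in Administrator,
# and (only on a domain logon) the domain's built-in Administrator.
$samples = @('Everyone', "$env:COMPUTERNAME\Administrator")
if ($env:USERDOMAIN -ne $env:COMPUTERNAME) { $samples += "$env:USERDOMAIN\Administrator" }

$rows = foreach ($name in $samples) {
    try {
        $info = Split-Sid -Sid (Get-AccountSid -Account $name)
        $info | Add-Member -NotePropertyName Account -NotePropertyValue $name -PassThru
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "Could not resolve '$name': $($_.Exception.Message)"
    }
}
$rows | Format-Table Account, Sid, Length, SubAuthorities, IssuerSid, Rid -AutoSize
```

The output shows why the SID, not the name, is the real identity: `Everyone` is the short, fixed `S-1-1-0`, while the two Administrator accounts share the RID 500 but sit under different issuer SIDs (the workstation’s and the domain’s), so they are different principals even though they share a name. Because the SID never changes when an account is renamed, comparing the RID rather than the name is the reliable way to recognise a built-in account.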
There are two types of user accounts: local user accounts and domain user accounts. The two types of accounts share common characteristics, but they vary in scope. A local user account can only be used on a single computer, and a domain user account can be used throughout the entire network.
Local user accounts are stored in the local database of a computer and are only used for accessing resources on the computer. All computers except domain controllers have a local database for storing local user accounts. When a user attempts to access a computer with a local user account, they must enter the correct user name and password and be validated against the local database.
Directory is running on a domain controller, the domain controller validates all local logon attempts against Active Directory. In order to log on to a domain controller, a user must be a member of the Domain Admins group, the Enterprise Admins group, or have been explicitly granted the logon locally user right.
The problem with using local user accounts is that they are not portable. If a user needs to use more than one computer, that user needs to have two user accounts, one for each computer they use. Also, if a user attempts to access a resource on another computer, such as a shared folder, they will have to present logon credentials for the remote computer to authenticate and use resources. If a user requires access to resources on several computers, they will require several user accounts, one for each computer. Even if a user only works from a single computer, they may need to have several user accounts for several computers in order to access resources. Also, since each account is unique to the local computer, any account maintenance, such as changing passwords, will have to be done multiple times. As you can see, trying to maintain an environment with local user accounts only would be cumbersome.
Local user accounts are created and administered using the Local Users and Groups snap-in in the Computer Management console (see Figure 2-1). The Local Users and Groups snap-in can also be added to any custom Microsoft Management Console (MMC). The snap-in not only allows you to create and manage user accounts and groups for the local machine, but it also supports connecting to a remote computer and managing the user accounts and groups on that computer.
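The two snap-in actions just described, creating a local user and doing the same on a remote computer, as an added PowerShell example that is not part of the chapter. It also illustrates the non-portability point from the paragraph before: the same account name created on three computers yields three separate accounts, each with its own SID and its own password to maintain. The computer names and account name are constructed placeholders; the script assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later), an elevated session, and PowerShell Remoting enabled on the remote computers.

```powershell
#Requires -RunAsAdministrator
# Added example, not the chapter's own code. Names are placeholders.
$Computers = @('WS01', 'WS02')     # assumed remote workstations
$UserName  = 'jsmith'              # assumed account name

# Prompt once; the SecureString is passed into each session, never echoed.
$Password = Read-Host -AsSecureString -Prompt "Initial password for $UserName"

$NewLocalUser = {
    param([string]$Name, [securestring]$Pw)
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        return "$env:COMPUTERNAME`: $Name already exists"
    }
    $params = @{
        Name        = $Name
        Password    = $Pw
        FullName    = 'J. Smith'
        Description = 'Local account created by script'
    }
    $u = New-LocalUser @params
    # New-LocalUser places the account in no group; membership in Users is
    # what lets it log on interactively, which is what the snap-in sets up.
    Add-LocalGroupMember -Group 'Users' -Member $Name
    "$env:COMPUTERNAME`: created $Name with SID $($u.SID)"
}

# The local computer first (the snap-in's default target) ...
& $NewLocalUser -Name $UserName -Pw $Password

# ... then each remote computer (the snap-in's "connect to another computer").
# Same name on every machine, but each result line shows a different SID:
# these are independent accounts, and a later password change must be
# repeated on every one of them.
Invoke-Command -ComputerName $Computers -ScriptBlock $NewLocalUser `
               -ArgumentList $UserName, $Password

# Audit afterwards: which computers now hold this local account, and
# whether its password is set to expire.
Invoke-Command -ComputerName (@($env:COMPUTERNAME) + $Computers) -ScriptBlock {
    Get-LocalUser -Name $using:UserName -ErrorAction SilentlyContinue |
        Select-Object @{n='Computer';e={$env:COMPUTERNAME}}, Name, SID, Enabled, PasswordExpires
} | Format-Table Computer, Name, SID, Enabled, PasswordExpires -AutoSize
```

The final audit is the part worth keeping around: local accounts scattered across many machines are exactly the ones that get forgotten, and listing them by computer with their expiry state is a quick way to find accounts that were never disabled or whose password never rotates.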