• Understand the default user accounts
• Create and manage local user accounts
• Work with the Local Users and Groups tool
• Use groups
• Understand user rights

Local User Accounts
• User account: Represents all information defining user’s access to local computer or network
  ▫ Stored on local computer or in Active Directory
• Local user accounts: Stored in Security Accounts Manager (SAM) database
  ▫ Managed using Local Users and Groups snap-in
• Domain user account: Exists in a domain by virtue of being created on a domain controller
  ▫ Used to gain access to domain resources
• Provide users with personalized desktop environments via profiles and policies

Default Local User and Group Accounts
• When Windows XP Professional installed, two default user accounts created
  ▫ Administrator and Guest
  ▫ Also several local group accounts
• Local User Accounts:
  ▫ Administrator account: Unlimited access and unrestricted privileges to every aspect of Windows
    ▫ Must be protected from misuse
    ▫ Cannot be deleted
    ▫ Cannot be locked out
    ▫ Can be disabled
    ▫ Can have blank password
    ▫ Can be renamed
    ▫ Cannot be removed from Administrators local group
  ▫ Guest account: Limited access to resources and computer activities
    ▫ Member of Everyone group
    ▫ Cannot be deleted
    ▫ Can be locked out
    ▫ Can be disabled (disabled by default)
    ▫ Can have a blank password (blank by default)
    ▫ Can be renamed (recommended)
    ▫ Can be removed from Guests local group
• Local Group Accounts: Used to grant rights to local OS
  ▫ Everyone
  ▫ Administrators
  ▫ Backup Operators
  ▫ Guests
  ▫ Network Configuration Operators
  ▫ Power Users
  ▫ Remote Desktop Users
  ▫ Replicator
  ▫ Users
  ▫ HelpServicesGroup

Creating and Managing Local User Accounts
• Local user accounts can be created and managed:
  ▫ With User Accounts applet
  ▫ Through Local Users and Groups MMC snap-in
• User Accounts Applet: Function differs depending on whether system part of workgroup or domain

Figure: The User Accounts applet

• Local Users and Groups Snap-in: Used to create and manage local users and groups
  ▫ Console tree has two nodes:
    ▫ Users node: Contains all local user accounts
    ▫ Groups node: Contains all local group accounts
  ▫ Use Profile tab to define user profile path, logon script, and home folder

Figure: Displaying local user accounts

Figure: A user account’s Properties dialog box

Activity
• Activity: Creating a Local Account
  ▫ Objective: Create a new local user account with Local Users and Groups
• Activity: Creating a Local Group
  ▫ Objective: Create a local group by using Local Users and Groups
• Activity: Changing Built-in Group Membership for a Local Account
  ▫ Objective: Change the group membership of a local account using Local Users and Groups

Figure: The Profile tab

Managing Local User Profiles
• User profile: Collection of desktop and environmental configurations for specific user or group of users
  ▫ By default, each Windows computer maintains profile for each user who has logged on
    ▫ Except for Guest accounts
  ▫ User Profile Info:
    ▫ Application Data
    ▫ Cookies
    ▫ Desktop
    ▫ Favorites
    ▫ Local Settings
    ▫ My Documents
    ▫ My Recent Documents
• Local Profile: Set of specifications and preferences for individual user
  ▫ Stored on local machine
  ▫ Two ways to create:
    ▫ User logs on, arranges information as needed, logs off
    ▫ Assign mandatory profile from existing profile folder
• Roaming Profile: Used in domains to allow users to have a common desktop on any Windows XP member of domain

Managing Local Security Policies
• Security policies allow administrators to change system security configuration settings in local Windows Registry
  ▫ Registry provides hierarchical database of info about system’s software, hardware, and user configuration
• Local Security Policy tool: Used to edit local policy settings on systems that are not domain controllers
  ▫ Applied to Registry during computer startup or when user logs on

Account Policies
• Improve local user account security
• Password Policy: Defines password restrictions
  ▫ Enforce strong passwords
  ▫ Default settings in Password Policy node:
    ▫ Enforce password history: 0 passwords
    ▫ Maximum password age: 42 days
    ▫ Minimum password age: 0 days
    ▫ Minimum password length: 0 characters
    ▫ Password must meet complexity requirements: Disabled
    ▫ Store password using reversible encryption for all users in the domain: Disabled
• Account Lockout Policy: Defines the conditions under which a user account is locked out
  ▫ Default settings for Account Lockout Policy items:
    ▫ Account lockout threshold: 0 invalid logon attempts
    ▫ Account lockout duration: (defaults to 30 minutes after Account lockout threshold defined)
    ▫ Reset account lockout counter after: (defaults to 30 minutes after Account lockout threshold defined)
• Activity: Setting Account Policies
  ▫ Objective: Set account policies by using the Local Security Policy tool

Local Policies
• Audit Policy: Defines events recorded in Security log of Event Viewer
  ▫ Default settings for Audit Policy items:
    ▫ Audit account logon events: No auditing
    ▫ Audit account management: No auditing
    ▫ Audit directory service access: No auditing
    ▫ Audit object access: No auditing
    ▫ Audit policy change: No auditing
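
The default Password Policy, Account Lockout Policy and Audit Policy values listed above can be reviewed on a machine by exporting the local policy with `secedit /export /cfg` and checking the `[System Access]` and `[Event Audit]` sections. The following Python is an added example, not part of the original slides: the sample export is constructed from the defaults above, and the baseline thresholds and the `review_policy` name are assumptions made for illustration.

```python
import configparser

# Constructed sample: sections of the kind `secedit /export /cfg policy.inf`
# writes, filled in with the default values listed in the slides above.
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditAccountLogon = 0
AuditAccountManage = 0
AuditDSAccess = 0
AuditObjectAccess = 0
AuditPolicyChange = 0
"""

# Assumed baseline for illustration (the thresholds are not from the slides).
ACCOUNT_CHECKS = {
    "MinimumPasswordLength": (lambda v: v >= 8, "blank or short passwords allowed"),
    "PasswordComplexity": (lambda v: v == 1, "complexity requirements disabled"),
    "PasswordHistorySize": (lambda v: v >= 1, "old passwords can be reused"),
    "LockoutBadCount": (lambda v: v > 0, "accounts never lock out"),
    "ClearTextPassword": (lambda v: v == 0, "reversible encryption enabled"),
}

def review_policy(inf_text):
    """Return (setting, finding) pairs for weak account and audit settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the key case used in the export
    cp.read_string(inf_text)
    findings = []
    for key, (is_ok, message) in ACCOUNT_CHECKS.items():
        raw = cp.get("System Access", key, fallback=None)
        if raw is None:
            findings.append((key, "setting missing from export"))
        elif not is_ok(int(raw)):
            findings.append((key, message))
    if cp.has_section("Event Audit"):
        for key, raw in cp.items("Event Audit"):
            if int(raw) == 0:  # 0 = no auditing, 1 = success, 2 = failure, 3 = both
                findings.append((key, "no auditing"))
    return findings

if __name__ == "__main__":
    # A real export is usually UTF-16: open(path, encoding="utf-16").read()
    for setting, finding in review_policy(SAMPLE_INF):
        print(f"{setting}: {finding}")
```

Run against the constructed defaults, every checked setting except reversible encryption is reported, which matches the slides' point that the out-of-the-box account and audit policies enforce nothing.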