Chapter 13
Users, Groups, Profiles and Policies
Learning Objectives
Understand Windows XP Professional user accounts
Understand the different types of logins
Understand how to log on to Windows XP
Understand naming conventions
Create and manage local user accounts
Learning Objectives
Planning groups and system groups
Creating User Profiles
Working with group policies
Many computers have more than one person using them
User accounts can be established containing detailed information about the user
Windows XP uses named user accounts protected with passwords.
Local User Accounts and Groups
Windows XP Professional can be a stand-alone OS or a client on a server OS such as Windows Server 2003
Windows XP Professional can create, configure and manage only local user accounts.
Local User Accounts and Groups
Local user accounts exist only on a single computer
They cannot be used in any manner with domain resources or to gain domain access.
Windows XP Professional also supports local user groups.
Local User Accounts and Groups
A Windows XP Professional local user account provides details about
Security
Preferences stored as a profile
Domain User Accounts
Must be created in a domain
Can be used by any computer connected to the domain
Used to gain access to domain resources
Grant access to local resources
Domain User Accounts
Windows XP Professional can grant access to local resources to domain users and groups
Account Interaction with Windows XP Professional
Windows XP Professional’s setup determines how each user interacts with the system
The interaction can be set up in the following ways
Account Interaction with Windows XP Professional
Standalone system, automatic login – all users access resources through a common automatic login
Standalone system – each user logs into the system with a unique user account and password
Workgroup member – each user logs in with a local user account
Domain network client – each user logs into the system with a unique domain user account
Multiple User Systems
Windows XP Professional is one of the Windows products that supports multiple users
There are four parts to the implementation of the multiple user system in Windows XP Professional
Multiple User Systems
Groups - a named collection of users
Groups can be local or global
Local – exist on the computer they were created on
Global – exist throughout a domain
Multiple User Systems
Resources – any useful service or object examples include
Printers
Shared directories
Software applications.
Windows XP Professional has extensive control over resources
Multiple User Systems
Policies – a set of configurations that defines Windows XP security
Policies are used to define
Password restrictions
Account lockouts
User rights
Event auditing
Multiple User Systems
Profiles – a stored snapshot of a user's desktop settings
Types of Logins
Login authentication – the requirement of a user to provide a name and password to gain access to a computer
Used to
Maintain security
Track computer usage by user account
Types of Logins
Windows supports two types of logon methods
Windows Welcome Login
Classic Login
Types of Logons (Windows Welcome Logon)
The user accounts are listed with icons
Clicking on the icon either allows access or requests a password
Allows for fast switching between users
Do not have to log out to log in as a new user
Accomplished by clicking on the Log Off icon on the Start menu
If programs are running you will be warned before you are allowed to switch
Types of Logons (Classic)
Uses Ctrl+Alt+Delete to access the Windows security dialog box
You enter your username and password
If you are part of a domain the classic mode is used
Default User Accounts
When Windows XP Professional is installed two default user accounts are created
Administrator
Guest
Default User Accounts (administrator)
This is the most powerful account available.
This account has unlimited access and unrestricted privileges
It cannot be removed from the system
It cannot be locked out
It cannot be disabled
Default User Accounts (administrator)
Can have a blank password
Can be renamed
Cannot be removed from the Administrators local group
Default User Accounts (guest)
An account with the least privileges
It cannot be deleted
It can be locked out
It can be disabled
It can have a blank password (not recommended)
Can be renamed (recommended)
Can be removed from the Guests local group
Naming Conventions
Predetermined process for creating names on network or standalone system
Determined by the organization
Must provide an intuitive and useful way to name parts of the system
Accounts
Directories
printers
Naming Conventions
Naming conventions need to address the following four elements
Must be consistent across all objects
Must be easy to use and understand
New names can be easily constructed from existing names
Object names should identify the object type
Planning Groups
Group design should be done before any groups are created.
Windows XP provides a set of default groups.
Planning Groups
Administrators – members have full access to the computer
Backup Operators – members of this group can override security restrictions for the purpose of backing up and restoring files and folders on a system.
Planning Groups
Guests – members of the group can save files but cannot save programs or alter the system
Network Configuration Operators – have some administrative privileges to manage configuration of network features.
Planning Groups
Power Users – members can modify the computer, create user accounts, share resources and install programs.
Remote Desktop Users – members can log on remotely
Replicator – members can replicate directories between local and domain systems.
Planning Groups
Users – members can only save files.
Help Services Group – a special group used by Help and Support Center; the default account is set to allow remote support by Microsoft.
User Profiles
A collection of desktop and environmental configurations for a specific user or group of users.
The computer maintains a profile for each user who has logged on, except for guests
User Profiles Include
Application Data – a folder containing user-specific data for applications, such as
Custom dictionaries for word processing
Junk sender lists for email clients
Cookies – a folder of cookies accepted by the user through the browser.
Desktop – a folder containing all of the items displayed on the desktop.
User Profiles Include
Favorites – a folder that contains the URLs saved from Internet Explorer
Local Settings – a folder containing settings that do not roam. There are four sub-folders
Application Data – contains machine-specific application data.
History – contains the user's Internet Explorer browser history
Temp – folder that contains temporary files created by applications
Temporary Internet Files – folder that contains the offline cache for Internet Explorer.
User Profiles Include
My Documents – the default target folder for the My Documents shortcut.
NetHood – a folder that contains the shortcuts appearing in My Network Places.
PrintHood – a folder that contains the shortcuts found in the Printers and Faxes folder
My Recent Documents – a folder containing links to recently used documents.
User Profiles Include
SendTo – a folder of user-specific shortcuts used in the Send To command found on the menu when right-clicking files or folders.
Start Menu – a folder containing the user-specific Start menu layout
Templates – a folder containing user-specific templates
User Profiles Include
Ntuser.dat – a file containing registry information specific to the user.
Ntuser.dat.log – a transaction log from which the user profile can be recreated in the event of a system failure.
Ntuser.ini – a file containing user-related settings.
Local Profiles
Set of specifications and preferences for an individual user
Created the first time the user logs on to the computer.
When a user makes changes to the profile, only the local profile is affected.
Roaming Profiles
Resides on the network server.
Made available to any computer that the user logs on to.
Windows makes a local copy of the profile the first time the user logs on to the computer.
If the user makes changes to the local copy, those changes are merged into the server copy.
Group Policies
A centralized policy combining several security and access controls.
Group policies can be defined for
Local groups
Domain groups
Organizational units
The local group policies are edited in the Local Security Policy tool.
Password Policies
Defines restrictions on passwords
Used to create stronger passwords.
Password Policies (specific)
Enforce Password History – prevents the reuse of a password and determines how many password changes a person must wait before a password can be reused.
Maximum Password Age – defines when a password will expire.
Minimum Password Age – defines the minimum time between password changes.
Password Policies (specific)
Minimum password length – sets the number of characters a password must be.
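The four password settings above interact at the moment a user changes a password. The following simulation is an added example, not part of the original chapter or of Windows itself: it models the settings with integer days, keeps a SHA-256 digest as a stand-in for the stored hash (the real SAM uses its own hash formats), and reports which setting rejected a change.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    history_count: int   # Enforce Password History: previous passwords remembered (0 = off)
    max_age_days: int    # Maximum Password Age in days (0 = never expires)
    min_age_days: int    # Minimum Password Age in days (0 = may change at once)
    min_length: int      # Minimum password length in characters (0 = blank allowed)


def _digest(password: str) -> str:
    # Stand-in for the stored password hash (simulation only, not the Windows format);
    # plaintext is never kept, only digests are compared.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class PasswordRecord:
    history: list     # remembered digests, newest (current) first
    set_on_day: int   # day the current password was set

    @classmethod
    def create(cls, password: str, day: int) -> "PasswordRecord":
        return cls(history=[_digest(password)], set_on_day=day)


def is_expired(policy: PasswordPolicy, record: PasswordRecord, today: int) -> bool:
    """Maximum Password Age: the password expires once held for that many days."""
    return policy.max_age_days > 0 and today - record.set_on_day >= policy.max_age_days


def change_password(policy: PasswordPolicy, record: PasswordRecord,
                    new_password: str, today: int):
    """Apply a user-initiated change. Returns None on success (record updated)
    or the name of the policy setting that rejected the change."""
    if policy.min_age_days and today - record.set_on_day < policy.min_age_days:
        return "Minimum Password Age"
    if len(new_password) < policy.min_length:
        return "Minimum password length"
    remembered = record.history[:policy.history_count]   # the current one counts
    if policy.history_count and _digest(new_password) in remembered:
        return "Enforce Password History"
    record.history.insert(0, _digest(new_password))
    # Keep only as many digests as the policy remembers (always at least the current)
    record.history = record.history[:max(policy.history_count, 1)]
    record.set_on_day = today
    return None
```

With a history of 3, a password becomes reusable again only after three newer passwords have pushed it out of the remembered list.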
Account Lockout Policies
Defines the conditions under which a user is locked out of the account
Account Lockout Policies (specific)
Account lockout threshold – defines the number of failed attempts that can be made before lockout
Account lockout duration – how long the lockout will remain in effect (a setting of 0 requires an administrative reset)
Reset account lockout counter after – defines the amount of time that must expire before the failed-attempt counter is reset.
Audit Policy
Defines what is recorded in the Security log.
Is used to track resource usage.
The following audit policies can be set to record success or failure.
Audit Policy (specific)
Audit account logon events – audits authentication of a user account on the system.
Audit account management – audits account changes to a user account or group
Audit directory service access – audits access to directory objects.
Audit Policy (specific)
Audit logon events – audits user account logons, logoffs, and establishment of network connections
Audit object access – audits resource access
Audit policy change – audits changes to security policies
Audit privilege use – audits the use of specific rights and privileges.
Audit Policy (specific)
Audit process tracking – audits the activity of processes
Audit system events – audits system-level activities.
User Rights Assignments
Defines which groups or users can perform a specific privileged action.
Security Options
Defines and controls various security features, functions and controls