WINDOWS 2000 PROFESSIONAL RESOURCE KIT [Electronic resources] - text version


Chris Aschauer

Managing Users and Groups


Windows 2000 allows you to manage user accounts and passwords. It also provides you with tools such as the Local Users and Groups management tool, security for users, and user and computer profiles.

Setting Up User Accounts


A local user account gives a user access to resources that are located only on the computer where you create the account. Local user accounts are stored in the security database of the computer where you create them.

Overview of Users and Passwords


Users and Passwords in Control Panel simplifies adding and removing local user accounts, adding and removing users from groups, and working with passwords. It also provides access to certificate management and secure boot settings.

When the Windows 2000 Professional–based computer is connected to a Windows NT or Windows 2000 Server domain, you can use Users and Passwords to add domain user accounts to local groups and remove them from those groups.

When the Windows 2000 Professional–based computer is not connected to a domain, you can use Users and Passwords to add and remove local user accounts and assign users to a local group.

In addition, you can specify whether users can log on automatically each time the computer starts. You enable this feature on the Users tab by clearing the Users must enter a user name and password to use this computer check box. Users and Passwords is not available on Windows 2000 Server or when Windows 2000 Professional is running in Terminal Services mode.

NOTE

You must log on as an administrator or be a member of the Administrators group to add and delete user accounts, assign users to a local group, and change user passwords.

To add users to more than one group or create groups, use the Local Users and Groups MMC snap-in that is available by going to Users and Passwords in Control Panel and clicking Advanced on the Advanced tab.

Users and Passwords allows you to create or change the password for local user accounts, which is necessary when you create a new local user account or when a local user forgets his or her password.

To improve the security of user passwords, the password should contain at least two of the following elements: uppercase letters, lowercase letters, numbers, and punctuation. The longer the password and the more of these elements it contains, the more secure it is.

You can use Group Policy settings to enforce password requirements such as minimum length and expiration time. However, domain controller Group Policy settings override local computer configuration and local user configuration Group Policy settings.
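The rule above (at least two of the four character classes, longer is better, with a minimum length enforced through Group Policy) can be checked mechanically. The following Python function is an added example for this page, not code from the Resource Kit; the default minimum length of 8 and the class names are assumptions chosen for the example.

```python
import string

# The four element classes named in the text: uppercase letters, lowercase
# letters, numbers, and punctuation. Any other character (a space, a non-ASCII
# letter) counts toward length but toward no class.
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "punctuation": set(string.punctuation),
}


def element_classes(password: str) -> set:
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def check_password(password: str, min_length: int = 8, min_classes: int = 2) -> dict:
    """Evaluate a candidate password against the text's rule (at least two of
    the four classes) plus a minimum length of the kind Group Policy enforces.
    The default of 8 is an assumption for this example, not a value from the page."""
    present = element_classes(password)
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(present) < min_classes:
        problems.append(f"uses only {len(present)} of {min_classes} required character classes")
    return {
        "ok": not problems,
        "length": len(password),
        "classes": sorted(present),
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("password", "Password1", "Passw0rd!", "Ab1"):
        print(candidate, check_password(candidate))
```

Note that a value such as "Password1" satisfies the two-class rule, which is why the text stresses length and the number of classes together rather than the minimum.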

For more information about using Group Policy, see "Group Policy" later in this chapter. For more information about using Local Users and Groups to manage certificates and secure boot settings, see Windows 2000 Professional Help.

Local Users and Groups


The Local Users and Groups MMC snap-in gives you more control over setting up and maintaining local user accounts. It is similar to User Manager in Windows NT 4.0 Workstation.

With Local Users and Groups you can assign profiles, add and edit users and groups, assign users to more than one group, and set or modify password restrictions. You can also add a domain user to any local group. This is helpful for assigning domain user accounts to the local Administrators group. This allows domain user account members to have administrator rights on the local computer without giving them administrator rights on the domain.

To gain access to Local Users and Groups, start MMC and then add the Local Users and Groups snap-in; or open Users and Passwords in Control Panel, click the Advanced tab, and then click Advanced.

You should review the information about security settings for Windows 2000 before you create or modify user accounts and groups. For more information about security settings, see "Security" in this book.

Security for Users and Groups


To effectively manage users of Windows 2000 Professional, it is important to understand how user rights are defined and set, how privileges and logon rights are granted, and how to change these settings.

User rights are assigned by using the Group Policy MMC snap-in. After you have started MMC and opened the Group Policy snap-in, in the console tree pane under Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies, locate the User Rights Assignment folder.

For more detailed information about planning security, see "Security" in this book. For more information about using MMC and Group Policy, see "Group Policy" later in this chapter. For information about configuring security options, see Windows 2000 Professional Help.

User Rights


You can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories. User rights are different from permissions; user rights apply to user accounts, permissions are attached to objects.

Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. A user who is a member of one or more groups inherits the rights associated with those groups. You can simplify user account administration by assigning user rights to groups rather than to individual users. When all users in a group require the same user rights, you can assign the set of user rights once to the group, rather than repeatedly assigning the same set of user rights to each user account.

User rights that are assigned to a group apply to all members of the group. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights. Occasionally, some logon rights assigned to one group might conflict with rights assigned to another group. However, this is generally not the case. To remove rights from a user, remove the user from the group that has those rights.

There are two types of user rights:

Privileges. A right that is assigned to a user and specifies allowable actions on the network. An example of a privilege is the right to back up files and directories.

Logon rights. A right that is assigned to a user and specifies the ways in which a user can log on to a system. An example of a logon right is the right to log on to a system locally.
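The paragraphs above describe rights as cumulative across group memberships, note that logon rights from different groups can conflict, and state that a right is removed by removing the user from the group that carries it. The Python model below is an added example for this page, not Resource Kit code; the group names and the assignments in POLICY are constructed for illustration and do not describe any real computer's policy.

```python
from dataclasses import dataclass, field


@dataclass
class RightsPolicy:
    """User Rights Assignment modelled as right name -> set of groups it is
    assigned to. Privileges and logon rights are kept apart because the text
    treats them as the two kinds of user right."""
    privileges: dict = field(default_factory=dict)
    logon_rights: dict = field(default_factory=dict)


# Constructed sample policy for this example (illustrative assignments only).
POLICY = RightsPolicy(
    privileges={
        "Back up files and directories": {"Backup Operators", "Administrators"},
        "Restore files and directories": {"Backup Operators", "Administrators"},
        "Change the system time": {"Administrators"},
        "Shut down the system": {"Users", "Administrators"},
    },
    logon_rights={
        "Log on locally": {"Users", "Administrators"},
        "Log on as a service": {"ServiceAccounts"},
        "Deny local logon": {"ServiceAccounts"},
    },
)

# Allow/deny logon pairs that contradict each other when both reach one user.
CONTRADICTIONS = (
    ("Log on locally", "Deny local logon"),
    ("Log on as a service", "Deny logon as a service"),
    ("Log on as a batch job", "Deny logon as a batch job"),
)


def effective_rights(user_groups, policy=POLICY):
    """Rights are cumulative: the user holds every right assigned to any group
    the user belongs to. Returns (privileges, logon_rights) as two sets."""
    groups = set(user_groups)
    privileges = {r for r, assigned in policy.privileges.items() if assigned & groups}
    logons = {r for r, assigned in policy.logon_rights.items() if assigned & groups}
    return privileges, logons


def logon_conflicts(logon_rights):
    """Return the contradicting allow/deny pairs present in a user's cumulative
    logon rights, so an administrator can see which group membership causes them."""
    return [(allow, deny) for allow, deny in CONTRADICTIONS
            if allow in logon_rights and deny in logon_rights]


def groups_to_leave(user_groups, right, policy=POLICY):
    """Removing a right from a user means removing the user from every group
    that carries it; this returns those groups among the user's memberships."""
    assigned = policy.privileges.get(right, set()) | policy.logon_rights.get(right, set())
    return assigned & set(user_groups)


if __name__ == "__main__":
    privs, logons = effective_rights({"Users", "ServiceAccounts"})
    print("privileges:", sorted(privs))
    print("logon rights:", sorted(logons))
    print("conflicts:", logon_conflicts(logons))
    print("leave to drop 'Shut down the system':",
          groups_to_leave({"Users", "ServiceAccounts"}, "Shut down the system"))
```

Windows resolves a conflicting pair in favour of the deny right, so a user who lands in the sample ServiceAccounts group loses interactive logon even though Users grants it; the model only reports the pair and leaves the resolution to the reader.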

Privileges


To ease the task of user account administration, you should assign privileges primarily to group accounts, rather than to individual user accounts. When you assign privileges to a group account, users are assigned those privileges when they become a member of that group. This method of administering privileges is easier than assigning individual privileges to each user account when the account is created.

Some of these privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the ability to read all files on those servers, even files for which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right, in this case, the right to perform a backup, takes precedence over all file and directory permissions.

The following list shows the privileges that you can assign to a user by setting user rights. You can manage these privileges by using settings in the MMC Group Policy console in the console tree pane under Local Computer\Windows Settings\Security Settings\Local Policies\User Rights Assignment.


    Act as part of the operating system

    Add workstations to a domain

    Back up files and directories

    Bypass traverse checking

    Change the system time

    Create a token object

    Create permanent shared objects

    Create a pagefile

    Debug programs

    Enable trusted for delegation on user and computer accounts

    Force shutdown from a remote system

    Generate security audits

    Increase quotas

    Increase scheduling priority

    Load and unload device drivers

    Lock pages in memory

    Manage auditing and security log

    Modify firmware environment values

    Profile a single process

    Profile system performance

    Replace a process-level token

    Restore files and directories

    Shut down the system

    Take ownership of files or other objects

    Unlock a laptop


For detailed descriptions of these privileges and for information about using Group Policy to manage security settings, see "Security" in this book.

Logon Rights


The special user account called "LocalSystem" has almost all available privileges and logon rights assigned to it because all processes that are running as part of the operating system are associated with this account, and these processes require a complete set of user rights. The logon rights of the local system user account are as follows:

    Log on locally

    Log on as a batch job

    Log on as a service

    Deny access to this computer from the network

    Deny logon as a batch job

    Deny logon as a service

    Deny local logon


For more information about logon rights, see "Security" in this book.

User Profile Types


In Windows 2000 Professional, user profiles automatically create and maintain the desktop settings for each user's work environment on the local computer. A user profile is created for each user when the user logs on to a computer for the first time.

User profiles include all user-specific settings of a user's Windows 2000 Professional environment, including program items, screen colors, network connections, printer connections, mouse settings, window size and position, and desktop preferences.

User profiles provide several advantages to users. For example, when users log on to their workstations, they receive the desktop settings as they existed when they logged off. Also, when several users log on to the same computer, each receives a customized desktop.

There are three types of user profiles, which are as follows:

Local User Profile This profile is automatically created the first time a user logs on to the computer, and it is stored on the computer's local hard drive. Any changes made to the local user profile are specific to the computer where the change was made.

Roaming User Profile You, as the administrator, create this profile, and store it on a network server. This profile is available when a user logs on to any computer on the network. Any changes made to roaming user profiles are automatically updated on the server when the user logs off.

Mandatory User Profile Mandatory user profiles are stored on a network server and are downloaded each time the user logs on. This profile does not update when the user logs off. It is useful for situations where consistent or job-specific settings are needed. Only administrators can make changes to mandatory user profiles. If the mandatory user profile is unavailable, the user cannot log on.

IMPORTANT

Group Policy settings take precedence over user settings.

For more information about roaming user profiles and mandatory user profiles, see "Defining Client Administration and Configuration Standards" in the Deployment Planning Guide.

Creating User Profiles


When you install Windows 2000 Professional, a user profile is created on the %SystemDrive%\Documents and Settings partition.

When a user logs on to a Windows 2000 Professional–based computer, the name of the folder that is created is derived from the user account name, and, if necessary, the user account name is appended with the name of the local computer or domain that is applicable to the user who is logging on.

The user account name in Windows NT 4.0 Server is in NetBIOS format, such as <domain>\jeffsmith. In Windows 2000 Server, you can specify user accounts in the NetBIOS format, or you can use the user principal name (UPN) format. An example of a UPN format is jeffsmith@<domain>.com.

If the NetBIOS name is <domain>\jeffsmith, the user ID is jeffsmith. If the UPN is jeffsmith@<domain>.com, the user ID also is jeffsmith. The user ID portion of the UPN and the user ID portion of the NetBIOS name usually are the same. However, they might not be the same, as shown in the following example:

NetBIOS name: <domain>\jeffsmith
User principal name: jeffreysmith@<domain>.com


Whether the user logs on to a local account or to an account from a domain, if the %UserProfile% folder does not contain a folder with the name of the user who is logging on (in this case jeffsmith), a folder with that name is created and the path is recorded in the registry of the user who is associated with the profile. The folder that is created as a result is the following:



%SystemDrive%\Documents and Settings\jeffsmith


If another user with the NetBIOS name jeffsmith logs on, another folder is created, but it is created with the name of the local computer or domain in which the user's account originates. The folder that is created as a result is the following:



%SystemDrive%\Documents and Settings\jeffsmith.NEWDOMAIN


Or, if the user account is established on the local computer, the folder that is created as a result is the following:



%SystemDrive%\Documents and Settings\jeffsmith.LOCALBOX


If another user with an account name jeffsmith logs on to the same Windows 2000 Professional–based computer from an identically named source (either a domain or local computer) and the SIDs of the two accounts are not the same, a new folder is created with an extension indicating how many times the user account name was used. This occurs when the user accounts are re-created and the user logs on to the same computer, as shown in the following example:

    For the first user: %SystemDrive%\Documents and Settings\jeffsmith [NEWDOMAIN].000

    For the second user: %SystemDrive%\Documents and Settings\jeffsmith [NEWDOMAIN].001
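The folder-naming rules above (the plain user ID first, then the ID suffixed with the domain or computer name, then a numbered extension when the same name and source recur with a different SID) and the earlier user-ID extraction from NetBIOS and UPN names are a small algorithm, reproduced here in Python as an added example that is not part of the Resource Kit. The `existing` dictionary stands in for the registry bookkeeping Windows keeps, the SIDs are constructed sample values, and the bracketed ".000" form follows the page's own example text.

```python
import ntpath

# Profiles root named in the text; ntpath keeps Windows separators on any host.
PROFILES_ROOT = r"%SystemDrive%\Documents and Settings"


def user_id(account: str) -> str:
    """Extract the user ID from a NetBIOS-format name (DOMAIN\\user) or a UPN
    (user@domain). A bare name is returned unchanged."""
    if "\\" in account:
        return account.rsplit("\\", 1)[1]
    if "@" in account:
        return account.split("@", 1)[0]
    return account


def profile_folder(uid: str, source: str, sid: str, existing: dict) -> str:
    """Pick the profile folder name for a logon of account `uid` from `source`
    (the domain or local computer name) with security identifier `sid`.

    `existing` maps folder name -> SID of the account that owns it (constructed
    bookkeeping for this example); it is updated when a new folder is claimed."""
    # Step 1: the plain user ID. Step 2: the user ID suffixed with its source.
    for name in (uid, f"{uid}.{source}"):
        owner = existing.get(name)
        if owner is None:
            existing[name] = sid
            return name
        if owner == sid:
            return name  # the same account logging on again reuses its folder
    # Step 3: same name and same source but a different SID (for example the
    # account was re-created): append a counter of how often the name was used.
    n = 0
    while True:
        name = f"{uid} [{source}].{n:03d}"
        owner = existing.get(name)
        if owner is None:
            existing[name] = sid
            return name
        if owner == sid:
            return name
        n += 1


def profile_path(folder: str) -> str:
    """Full path of a profile folder under the Windows 2000 profiles root."""
    return ntpath.join(PROFILES_ROOT, folder)


if __name__ == "__main__":
    folders = {}
    # Constructed sequence of logons: same user name from two sources, then the
    # domain account re-created twice (new SIDs each time).
    logons = [
        ("NEWDOMAIN\\jeffsmith", "NEWDOMAIN", "S-1-5-21-1"),
        ("jeffsmith@newdomain.example", "NEWDOMAIN", "S-1-5-21-1"),
        ("LOCALBOX\\jeffsmith", "LOCALBOX", "S-1-5-21-2"),
        ("NEWDOMAIN\\jeffsmith", "NEWDOMAIN", "S-1-5-21-3"),
        ("NEWDOMAIN\\jeffsmith", "NEWDOMAIN", "S-1-5-21-4"),
        ("NEWDOMAIN\\jeffsmith", "NEWDOMAIN", "S-1-5-21-5"),
    ]
    for account, source, sid in logons:
        print(sid, "->", profile_path(profile_folder(user_id(account), source, sid, folders)))
```

The check on the owning SID is what matters from a security standpoint: a re-created account with the same name is a different principal and must not inherit the old account's profile folder, which is why the model keys folders on SID rather than on name.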


For more information about setting and changing local profiles, see Windows 2000 Professional Help.


Upgrading User Profiles from Previous Versions of Windows

The naming convention for user profile folders in Windows 2000 is different from the naming convention that is used in Microsoft Windows NT 4.0 and earlier versions of Windows. There is a new location for user profile folders in Windows 2000 and also a new way to create subfolders for individual user profiles.

If you upgrade from Windows NT, the user profile folders are stored in the same location as in Windows NT. This location is as follows:



%SystemRoot%\Profiles


When you upgrade to Windows 2000 from Windows 95 or Windows 98, a new folder for user profiles is created on the same partition as the Windows 2000 installation:



%SystemDrive%\Documents and Settings


NOTE



The appropriate path to the user profiles folder is represented as %UserProfile%.
