Exam Prep 2 [Electronic resources] : Windows XP Professional نسخه متنی

Configuring, Managing, and Troubleshooting Users and Groups

• When you grant rights to domain users, the best practice is to use the AGDLP method. This means that you place Accounts in Global groups. Then you place the Global groups into Domain Local groups, to which you grant (or deny) Permissions.

• When a permission is explicitly denied to a user or group, even if the user is a member of another group where the same permission is explicitly granted, the Deny permission overrides all others and the user is not allowed access.

• Whenever a user requests authorization to use a prohibited object or resource, the user sees an Access Is Denied message.

• Table 26 lists Windows XP local groups, and includes their default access, default local members, and default domain members.

• Table 27 lists Windows XP built-in special groups, and includes their default access, default local members, and default domain members.

  Table 27. Built-in Special Groups in Windows XP Professional

  Built-in Group	Default Access	Default Members Locally	Default Domain Members When Joined to a Domain
  Anonymous Logon	Not provided any default access rights	User accounts that Windows XP cannot authenticate locally	N/A
  Authenticated Users	Not given any default access rights	All users with valid local user accounts on this computer	All Active Directory users in the computer's domain or any trusted domain
  Creator Owner	Designated full control over resources created or taken over by a member of the Administrators group	Administrators group	N/A
  Dialup	No specific rights; this group is not shown on systems without configured modems and dial-up connections	All users who have connected to the computer with a dial-up connection	N/A
  Everyone	Full Control is the default permission granted for all files and folders on NTFS volumes; you must remove this permission to implicitly deny access	All users who access the computer	N/A
  Interactive	No specific rights	All users who have logged on locally to the computer	N/A
  Network	No specific rights	All users who have established a connection to this computer's shared resource from a remote network computer	N/A

• Watch out for Audit policy questions that embed the FAT32-formatted disk into the question. FAT file systems do not support auditing. You can audit only an NTFS-formatted volume.

• You cannot select Fast User Switching when your computer is a member of a domain or if you have enabled Offline Files.

• You can add a .NET Passport only in the Control Panel User Accounts applet.

• To configure the Local Group Policy, open the MMC console, click the File menu, click Add/Remove Snap-Ins, click Add, and select the Group Policy Editor snap-in. When asked to select the location of the GPO, select Local Computer.

• You can display a user's actual rights to use a file by looking at the Effective Permissions tab of the Advanced Security options.

• Cached credentials enable faster logons and single signons.

• You can disable cached credentials in Group Policy by setting the Interactive Logon: Number of Previous Logons to Cache (in Case Domain Controller Is Not Available) policy to 0 logons.