Page 1: Managing User, Computer and Group Accounts, Lecture 5.
Page 2: Managing User, Computer and Group Accounts Lecture 5.

Computer Accounts To access Windows 2008 domain a

computer needs an account

Joining a domain creates a computer account object in the AD

Each computer account has SID (other security principals, such as users and groups have SIDs as well)

Page 3: User Accounts

• To access a Windows Server 2008 network, a user needs an account.

• The account determines three things: when a user may log on, where within the domain/workgroup the user may log on, and what privilege level the user is assigned.

Page 4: User Accounts

• Each account has a SID that identifies it as a security principal; it is the SID, not the name, that is compared in access checks.

• Any process that tries to access a resource does so in the security context of a user account.

• Windows Server 2008 has two types of accounts: local and domain.

Page 5: Interactive Logon Process

• Interactive logon is the process of verifying a user's credentials for logon at a Windows Server 2008 computer.

• Local account: the credentials are checked against the local account database (SAM) of that computer.

• Domain account: the credentials are verified at a domain controller using an authentication protocol (Kerberos by default, NTLM as fallback); after successful authentication the user receives an access token for the logon session.

Page 6: Network Authentication Process

• The process of verifying a user's credentials to allow access to network resources (for example a share on another server).

• When a user attempts to access a resource, the user's identity, carried by the session's security context (a Kerberos service ticket or NTLM exchange, not the password itself), is compared against the resource's ACL to grant or deny access.

Page 7: Local Accounts

• Supported on all Windows 2000, 2003 and 2008 systems except domain controllers (that is, on member servers participating in domains and on standalone systems participating in workgroups).

• Maintained in the local system's account database; not replicated to other systems. A local user account authenticates the user for access to that machine only and does not by itself grant access to resources on other computers.

• Built-in local accounts: Guest and Administrator.

Page 8: Domain User Accounts

• Permit access throughout a domain and provide centralized user administration through Active Directory.

• Created in a container (or OU) of the AD database and replicated to all other DCs of the domain.

• Once authenticated against the AD database (the global catalog is consulted to resolve universal group membership), the user obtains an access token for the logon session; the SIDs in that token determine the user's permissions to resources in the domain.

Page 9: Creating User Accounts

• Domain account logon names must be unique within the domain, although the same logon name can be used as a local account on several systems.

• Logon names (the pre-Windows 2000 logon name, sAMAccountName) are not case sensitive, must not exceed 20 characters, and must not contain any of: " / \ [ ] : ; | = , + * ? < >

• Passwords are case sensitive, must be hard to guess and must satisfy the domain's password policy.
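The name rules above can be checked before an account is created. The following is an added example using the ActiveDirectory PowerShell module, not code from the lecture; the domain corp.example, the OU path, the function names and the user names are assumptions made for the illustration.

```powershell
# Added example (not from the lecture slides). Assumes the ActiveDirectory
# module (RSAT) and a domain named corp.example with OU=Staff (hypothetical).
Import-Module ActiveDirectory

function Test-SamAccountName {
    param([Parameter(Mandatory)][string]$Name)
    # sAMAccountName (pre-Windows 2000 logon name) limits:
    # at most 20 characters and none of  " / \ [ ] : ; | = , + * ? < >
    if ($Name.Length -eq 0 -or $Name.Length -gt 20) { return $false }
    if ($Name -match '[\"/\\\[\]:;|=,+*?<>]') { return $false }
    return $true
}

function New-CorpUser {
    param(
        [Parameter(Mandatory)][string]$Sam,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [string]$OU = 'OU=Staff,DC=corp,DC=example'   # hypothetical OU
    )
    if (-not (Test-SamAccountName $Sam)) {
        throw "'$Sam' is not a valid pre-Windows 2000 logon name"
    }
    # Logon names must be unique within the domain.
    if (Get-ADUser -Filter "SamAccountName -eq '$Sam'") {
        throw "'$Sam' already exists in this domain"
    }
    # Random initial password; the user must change it at first logon.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name "$GivenName $Surname" `
        -SamAccountName $Sam `
        -UserPrincipalName "$Sam@corp.example" `
        -GivenName $GivenName -Surname $Surname `
        -Path $OU `
        -AccountPassword $initial `
        -ChangePasswordAtLogon $true `
        -Enabled $false      # enable only when the owner is ready to use it
}

Test-SamAccountName 'jsmith'
Test-SamAccountName 'j*smith'                     # contains an illegal character
Test-SamAccountName 'averyveryverylongusername'   # longer than 20 characters
New-CorpUser -Sam 'jsmith' -GivenName 'Jane' -Surname 'Smith'
```

The account is created disabled with a random password that must be changed at first logon, so there is no window in which a known initial password can be used by anyone other than the intended user.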

Page 10: Copying, Moving, Disabling and Renaming User Accounts

• Renaming an account changes only the name; every other property, including the SID, is unchanged.

• Accounts can be moved from one container (or OU) to another.

• A disabled account cannot be used to log on, but it keeps its SID, group memberships and permissions.

• When an account is copied, most properties are copied, except the username, full name, password, logon hours, address/phone information, organization information, the "Account is disabled" option, and user rights and permissions.

Page 11: Deleting User and Computer Accounts

• Deleting an account permanently removes it together with all of its group memberships, permissions and user rights. A new account created with the same name gets a different SID and GUID, so it regains none of the old account's access; ACL entries that referenced the old SID remain as orphaned entries.

• Disabling an account is usually the better option.

• The built-in Administrator and Guest accounts can be renamed, but not deleted.
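The difference between rename, move, disable and delete comes down to what happens to the SID. The following added example (not from the lecture) walks through all four with the ActiveDirectory PowerShell module; the domain corp.example, the OUs, the share path \\fs01\projects and the account jsmith are assumptions.

```powershell
# Added example (not from the lecture slides). Assumes the ActiveDirectory
# module, a domain corp.example, a test account 'jsmith' in
# OU=Staff,DC=corp,DC=example and a share \\fs01\projects (all hypothetical).
Import-Module ActiveDirectory

$before = Get-ADUser -Identity 'jsmith' -Properties MemberOf

# 1. Rename: the object name, logon name and UPN change; SID and GUID do not.
Rename-ADObject -Identity $before.DistinguishedName -NewName 'Jane Smith-Jones'
Set-ADUser -Identity $before.ObjectGUID -SamAccountName 'jsmithjones' `
           -UserPrincipalName 'jsmithjones@corp.example'
$after = Get-ADUser -Identity $before.ObjectGUID -Properties MemberOf
"Same SID after rename:    $($before.SID -eq $after.SID)"
"Same group memberships:   $(($before.MemberOf -join ';') -eq ($after.MemberOf -join ';'))"

# 2. Move to another OU: the distinguished name changes, the SID does not.
Move-ADObject -Identity $after.DistinguishedName -TargetPath 'OU=Leavers,DC=corp,DC=example'

# 3. Disable instead of delete: SID, memberships and ACL entries all survive,
#    so the account can be re-enabled with its access intact.
Disable-ADAccount -Identity $after.ObjectGUID

# 4. Delete and recreate with the same name: a brand-new SID and no memberships.
$oldSid = $after.SID
Remove-ADUser -Identity $after.ObjectGUID -Confirm:$false
New-ADUser -Name 'Jane Smith-Jones' -SamAccountName 'jsmithjones' `
           -Path 'OU=Staff,DC=corp,DC=example' -Enabled $false
$new = Get-ADUser -Identity 'jsmithjones'
"Same SID after delete/recreate: $($oldSid -eq $new.SID)"

# ACL entries that still reference the deleted SID can no longer be resolved
# to a name and show up as raw domain SIDs (orphaned ACEs).
(Get-Acl -Path '\\fs01\projects').Access |
    Where-Object { $_.IdentityReference.Value -like 'S-1-5-21-*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Steps 1 to 3 leave the SID in place, which is why the comparisons in those steps hold; step 4 is the only one that produces a new principal, and the final query is how the orphaned entries left behind by a deletion can be found on a file server.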

Page 12: Understanding User Account Properties

• As with all AD objects, user accounts have a number of associated properties (attributes).

• Once the account is created, those properties may be modified with the Computer Management tool (local accounts) or Active Directory Users and Computers (domain accounts).

Page 13: Group Accounts

• A group is an AD object that contains users, computers and other groups. Security groups are security principals and have SIDs.

• Groups are used for easier management of users, computers and resources.

• The access token lists the groups a user belongs to, and with them the rights and permissions assigned to those groups.

• Two types of groups:
1. Distribution groups, for e-mail only; they cannot be used in ACLs.
2. Security groups, used to assign permissions to (or deny permissions from) the groups that need access to resources.

Page 14: Example of Access Token (figure, not reproduced in the transcript)

Page 15: Group Accounts

• Rights and privileges are assigned at the group level.

• Groups can be nested: a member of a nested group inherits the memberships of the groups that contain it.

• A user's rights and permissions obtained through group memberships are cumulative, with the caveat that an explicit Deny entry in an ACL overrides an Allow obtained through any other group.

Page 16: Group/User relationship (figure)

Figure: Group 1, Group 2 and Group 3, where Group 3 is a member of Group 1, so the members of Group 3 are also treated as members of Group 1.
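To see what "nested" and "cumulative" mean in practice, the following added example (not part of the lecture) resolves a user's effective group membership with the ActiveDirectory PowerShell module and compares it with the direct membership; the user name jsmith, the domain corp.example and the function name are assumptions.

```powershell
# Added example (not from the lecture slides). Assumes the ActiveDirectory
# module and a domain user 'jsmith' in corp.example (hypothetical).
Import-Module ActiveDirectory

function Get-EffectiveGroups {
    param([Parameter(Mandatory)][string]$Sam)
    $user = Get-ADUser -Identity $Sam
    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC
    # walk the member attribute transitively, so nested groups are resolved
    # server-side in one query.
    # Caveat: the user's primary group (Domain Users by default) is held in
    # primaryGroupID, not in member/memberOf, so it is not returned here.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        Select-Object Name, GroupScope, GroupCategory, SID
}

# Direct memberships only (what the memberOf attribute shows)
Get-ADPrincipalGroupMembership -Identity 'jsmith' |
    Select-Object Name, GroupScope | Format-Table -AutoSize

# Everything the user will carry in the access token through nesting
Get-EffectiveGroups -Sam 'jsmith' | Sort-Object Name | Format-Table -AutoSize

# From the user's own session the token itself can be inspected; the SID
# column is what an access check compares against the resource's ACL.
whoami /groups /fo list
```

If a group appears in the second listing but not the first, the user holds it only through nesting, and the rights of that group are still part of the token: that is the cumulative effect the slide describes.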

Page 17: Group Scope

• Scope of influence (or scope): the reach of a group for gaining access to resources in Active Directory, that is, where the group can be granted permissions and what it can contain.

• Group scopes: Local (machine local), Domain local, Global, Universal.

Page 18: Local Groups

• Local security group: used to manage resources on a stand-alone computer that is not part of a domain, and on member servers in a domain (non-DCs).

• Created with the Local Users and Groups MMC snap-in (lusrmgr.msc).

Page 19: Domain Local Groups

• Domain local security group: used when Active Directory is deployed, to manage resources in a domain.

• Gives global groups from the same domain and from other (trusted) domains access to those resources.

• Scope of a domain local group: the domain in which the group exists; it can be granted permissions only on resources in that domain.

• A domain local group can be converted to a universal group (as long as it does not contain other domain local groups).

Page 20: Domain Local Groups (figure, not reproduced in the transcript)

Page 21: Domain Local Group Example (figure)

Figure: User 1 and User 2, spread across Domain A, Domain B and Domain C, are members of the Engineering global group; Engineering is a member of the Printer Group domain local group, and the printer's ACL grants Print to Printer Group.

Page 22: Global Groups

• Contain user accounts (and other global groups) from a single domain only.

• Can be made a member of a domain local group in the same or another domain.

• Broader scope than domain local groups; can be nested.

• Typical use: add the accounts that need access to resources in the same or another domain to a global group, then make that global group a member of a domain local group in the domain where the resource lives.

Page 23: Nested Global Groups (figure, not reproduced in the transcript)

Page 24: Global Group Example (figure)

Figure: User 1 and Group 1 are members of the Accountants global group (Group 2 is also shown); Accountants appears in the printer ACL, with the objects spread across Domain A, Domain B and Domain C.

Page 25: Universal Groups

• Universal security groups span domains and trees within a forest.

• Can include user accounts from any domain, global groups from any domain, and other universal groups from any domain.

• Their membership is stored in the global catalog, so membership changes replicate forest-wide; nest global groups in them rather than individual users to keep that replication small.

• Guidelines to simplify how you plan to use groups are given under Group Strategy (Page 27).

Page 26: Universal Groups (figure, not reproduced in the transcript)

Page 27: Group Strategy

• Put users into a global group. A global group can be thought of as an Accounts group.

• Put resources into domain local (or machine local) groups. A domain local group can be thought of as a Resource group.

• Put the global group into any domain local (or machine local) group in the forest.

• Assign permissions for accessing resources to the domain local (or machine local) groups that contain them, never to individual users.

• Use universal groups to grant access to resources in multi-domain environments where access is needed across domain trees.

Page 28: Group Strategy Example (figure)

Figure: Domain A, Domain B and Domain C each have their own Engineers global group; all three Engineers groups are members of the Database Access domain local group, and the database ACL allows Database Access Read/Write.
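The strategy of Pages 27 and 28 (accounts into a global group, the global group into a domain local resource group, permissions on the resource group) looks like this when done from PowerShell. This is an added example, not code from the lecture; the domain corp.example, the OU, the group and user names, the folder D:\Data\EngDB and the remote DC name are all assumptions.

```powershell
# Added example (not from the lecture slides). Assumes the ActiveDirectory
# module, a domain corp.example with OU=Groups, users 'jsmith' and 'bjones',
# and a folder D:\Data\EngDB on the file server where this runs (hypothetical).
Import-Module ActiveDirectory
$groupOU = 'OU=Groups,DC=corp,DC=example'

# A -> G: accounts go into a Global group (the "accounts" group)
New-ADGroup -Name 'Engineers' -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'Engineers' -Members 'jsmith', 'bjones'

# DL: the resource gets a Domain Local group (the "resource" group), named
#     for the resource and the level of access it represents
New-ADGroup -Name 'EngDB-ReadWrite' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU

# G -> DL: nest the global group in the resource group. A global group from
#          another (trusted) domain is added the same way, fetched from that
#          domain's DC, e.g.:
#   Add-ADGroupMember -Identity 'EngDB-ReadWrite' `
#       -Members (Get-ADGroup -Identity 'Engineers' -Server 'dc1.eu.example')
Add-ADGroupMember -Identity 'EngDB-ReadWrite' -Members 'Engineers'

# DL -> P: permissions are granted to the Domain Local group only
$path = 'D:\Data\EngDB'
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\EngDB-ReadWrite',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    'ContainerInherit, ObjectInherit',   # apply to subfolders and files
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check: the ACL should name resource groups, not individual accounts.
# Any entry whose identity is a user rather than a group is a strategy violation.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

For access across domain trees, as Page 27's last point describes, insert a universal group between the two: the Engineers global groups of each domain become members of a universal group, and the universal group is the member of EngDB-ReadWrite. The permission on the folder never changes; only group membership does.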

Page 29: Default User Account Membership

• Built-in groups are created automatically in Windows Server 2003 and 2008 to reflect the most common attributes and tasks.

• Examples, domain group / corresponding local group: Domain Users / Users; Domain Admins / Administrators.

Page 30: Special Groups

• Special identities whose membership is not managed by an administrator but assigned by the system according to how a session was established: Everyone, Network, Interactive, Service, System, Authenticated Users, SELF, CREATOR OWNER.
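The special identities have fixed, well-known SIDs that never change between installations, which is what makes them usable in ACLs everywhere. The following added example (not from the lecture) lists them from the .NET WellKnownSidType enumeration and checks which of them are present in the current session's token; it needs only Windows PowerShell and no domain membership. The function name is an assumption.

```powershell
# Added example (not from the lecture slides). Runs on any Windows host with
# Windows PowerShell 5.1 or later; needs no domain and no extra module.

function Get-SpecialIdentity {
    # The slide's special identities, mapped to their well-known SID types.
    $known = [ordered]@{
        'Everyone'            = [System.Security.Principal.WellKnownSidType]::WorldSid
        'NETWORK'             = [System.Security.Principal.WellKnownSidType]::NetworkSid
        'INTERACTIVE'         = [System.Security.Principal.WellKnownSidType]::InteractiveSid
        'SERVICE'             = [System.Security.Principal.WellKnownSidType]::ServiceSid
        'SYSTEM'              = [System.Security.Principal.WellKnownSidType]::LocalSystemSid
        'Authenticated Users' = [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid
        'SELF'                = [System.Security.Principal.WellKnownSidType]::SelfSid
        'CREATOR OWNER'       = [System.Security.Principal.WellKnownSidType]::CreatorOwnerSid
    }
    $current = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($name in $known.Keys) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($known[$name], $null)
        [pscustomobject]@{
            Name      = $name
            SID       = $sid.Value
            Resolves  = $sid.Translate([System.Security.Principal.NTAccount]).Value
            # Is the SID in this session's token? INTERACTIVE vs NETWORK depends
            # on how you logged on; SELF and CREATOR OWNER are ACL placeholders
            # that the system substitutes at check time, so they are never
            # in a token.
            InMyToken = [bool]($current.Groups | Where-Object { $_.Value -eq $sid.Value })
        }
    }
}

Get-SpecialIdentity | Format-Table -AutoSize
```

Run it once from a console logon and once over a remote session (for example WinRM) to see INTERACTIVE and NETWORK swap places in the InMyToken column: that is the sense in which these groups are assigned by the system rather than by an administrator.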

Page 31: User Profiles

• Profiles customize the user environment (desktop, settings, per-user registry hive).

• Profiles can be stored on a server (roaming profiles), and changes can be prevented from being saved by using mandatory profiles.

• A local profile is created on a computer the first time each user logs on there and is stored on that computer only.