Chapter 13

Users, Groups Profiles and Policies

Learning Objectives

Understand Windows XP Professional user accountsUnderstand the different types of loginsUnderstand how to long on to Windows XPUnderstand naming conventionsCreate and manage local user accounts

Learning Objectives

Planning groups and system groups

Creating User Profiles

Working with group policies

Many computers have more them one person using them

User accounts can be established containing detailed information about the user

Windows XP uses named user accounts protected with passwords.

Local User Accounts and Groups

Windows XP Professional can be stand alone OS or a client on a server OS such as Windows Server 2003

Windows XP Professional can create configure and manage only local user accounts.

Local User Accounts and Groups

Local user accounts exist only on a single computer

They cannot be used in any manor with domains resources or to gain domain access.

Windows XP Professional also supports local user groups.

Local User Accounts and Groups

A Windows XP Professional local user account provides details about

Security

Preferences stored as a profile

Domain User Accounts

Must be created in a domain

Can be used by any computer connected to the domain

Used to gain access to domain resources

Grand access to local resources

Domain User Accounts

Windows XP Professional can grant access to local resources to domain users and groups

Account Interaction with Windows XP Professional

Windows XP Professional’s setup determines how each user interacts with the system

The interaction can be setup in the following ways

Account Interaction with Windows XP Professional

Standalone system automatic login – all users access resources through a common automatic loginStandalone system – Each user logs into the system with a unique user account and passwordWorkgroup member – each user logs in with a local user accountDomain network client – each user logs into the system with a unique domain user account

Multiple User Systems

Windows XP Professional is one of the Windows products that supports multiple users

There are four parts to the implementation of the multiple user system in Windows XP Professional

Multiple User Systems

Groups - a named collection of users

Groups can be local or globalLocal –exist on the computer they were created on

Global – exist through a domain

Multiple User Systems

Resources – any useful service or object examples include

Printers

Shared directories

Software applications.

Windows XP Professional has extensive control over resources

Multiple User Systems

Policies – a set of configurations that defines Windows XP security

Policies are used to definePassword restrictions

Account lockouts

User rights

Event auditing

Multiple User Systems

Profiles – a stored snapshot of a users desktop settings

Types of Logins

Login authentication – the requirement of a user to provide a name and password to gain access to a computer

Used toMaintain security

Track computer usage by user account

Types of Logins

Windows supports two types of logon is methods

Windows Welcome Login

Classic Login

Types of Logons (Windows Welcome

Logon)The user accounts are listed with iconsClicking on the icon either allows access or requests a passwordAllows for fast switching by users.

Do not have to logout to login as a new user.Accomplished by clicking on Log Off icon on the start menuIf programs are running you will be warned before you are allowed to switch

Types of Logons (Classic)

Uses Crtl+Alt+Delete to access the Windows security dialog box

You enter your username and password

If you are part of a domain the classic mode is used

Default User Accounts

When Windows XP Professional is installed two default user accounts are created

Administrator

Guest

Default User Accounts (administrator)

This is the most powerful account available.This account has unlimited access and unrestrictive privilegesIt cannot be removed from the systemIt cannot be locked outIt cannot be disabled

Default User Accounts (administrator)

Can have a blank password

Can be renamed

Cannot be removed from the administrative local group

Default User Accounts (guest)

An account with the least privilegesIt cannot be deletedIt can be locked out It can be disabledIt can have a blank password (not recommended)Can be renamed (recommended)Can be removed from the Guest local group

Naming Conventions

Predetermined process for creating names on network or standalone system

Determined by the organization

Must provide an intuitive and useful way to name parts of the system

Accounts

Directories

printers

Naming Conventions

Naming conventions need to address the following four elements

Must be consistent across all objects

Must be easy to use and understand

New names cam be easily constructed from existing names

Object names should identify the object type

Planning Groups

Group design should be done before and groups are created.

Windows XP provides a set of default groups.

Planning Groups

Planning Groups Administrators - members have full

access to the computer Backup Operators – members of this

group can override security restrictions for the purpose of backing up and restoring files and folders on a system.

Planning Groups Guest – members of the group can save

files but cannot save programs or alter the system

Network Configuration Operations – have some administrative privileges to manage configuration of network features.

Planning Groups Power Users – members can modify the

computer, create user accounts, share resources and install programs.

Remote Desktop Users – Members can logon remotely

Replicator – members can replicate directories between local and domain systems.

Planning Groups Users – members can only save files. Help Service Groups - a special group

used by Help and Support Centers, default account is set to allow remote support by Microsoft.

User Profiles A collection of desktop and environmental

configurations for a specific user or group of users.

Computer maintains profile for each user who has logged on except for guests

User Profiles Include Application data – a folder containing user

specific data for applications suchCustom dictionaries for word processingJunk sender lists for email clients

Cookies – a folder of cookies accepted by the user thought the browser.

Desktop – a folder containing all of the items displayed on the desktop.

User Profiles Include Favorites – a folder that contains the URL’s from

Internet Explorer Local Settings – a folder containing setting that

do not roam. There are four sub-folders Application data – contains machine specific

application data. History – contains user’s Internet Explorer browser

history Temp – folder that contains temporary files created by

applications Temporary Internet Files – folder contains the offline

cache for Internet Explorer.

User Profiles Include My Documents – the default target folder for the

My Documents short cut. NetHood – a folder that contains the shortcuts

appearing in My Network Places. PrintHood - a folder that contains the shortcuts

found in the printers and fax folder My Recent Documents – a folder containing

links to recently used documents.

User Profiles Include Sent To – a folder of user-specific used in

the send to command found on the menu when right clicking of files or folders.

Start Menu – a folder containing the user specific start menu layout

Temples – a folder containing user specific temples

User Profiles Include Ntuser.dat – a file containing registry

information specific to the user. Ntuser.dat.log – a transaction log that the

user profile can be recreated from in the event of a system failure.

Ntuers.ini – a file containing user related setting.

Local Profiles Set of specifications and preferences for

an individual user Created the first time the user logs on to

the computer. When a user makes changes to the profile

only the local profile is affected.

Roaming Profiles Resides on the network server. Made available to the any computer that

the user logs on to. Windows makes a local copy of the profile

the first time the user logs on the computer.

If the user makes changes to the local copy, those changes are merged into the server copy.

Group Policies A centralize police combining several

security and access controls. Group policies can be defined for

Local groupsDomain groupsOrganizational units

The local group policies are edited in the Local Security Policy tool.

Password Policies Defines restriction on passwords Used to create stronger passwords.

Password Policies (specific) Enforce Password History – prevents the

reuse of a password and determines how many time a person must wait before a password can be reused.

Maximum Password Age – defines when a password will expire.

Minimum Password Age – defines the minimum time between password changes.

Password Policies (specific) Minimum password length – sets the

number of characters a password must be.

Account Lockout Policies Defines the conditions in which a user is

locked out from the account

Account Lockout Policies (specific) Account lockout threshold – defines the

number of attempts that can be made before lockout

Account lockout duration – how long the lockout will remain in effect ( a setting of 0 requires administrative reset)

Reset account lockout – defines the amount of time that must expire before lockout is rest.

Audit Policy Defines what is recorded in the Security

log. Is use to track resource usage. The following audit policies can be set to

record success or failure.

Audit Policy (specific) Audit account logon events – audits

authentication of a user account on the system.

Audit account management – audits account changes to a user account or group

Audit directory service access – audits access to directory objects.

Audit Policy (specific) Audit logon events – audits user account

logons, logoffs, and establishment of network connections

Audit object access – audits resource access

Audit police changes – audits changes to security policies

Audit privileges – audits the use of specific rights and privileges.

Audit Policy (specific) Audit process tracking – audits the activity

of processes Audit system events – audits system level

activities.

User Rights Assignments Defines which groups or users can

perform the specific privileged action.

Security Options Defines and controls various security

features, functions and controls