User Accounts
Lecture 3
Hassan Shuja
09/21/2004
• User Accounts
– A user account is needed to access a Windows 2000 computer
– An object trying to access a resource must do it through a user account
– User accounts determine 3 things
  – When a user may log on
  – Where within a domain or workgroup a user can log on
  – What privileges a user has
– Each user account has a SID
• Types of Accounts
– Windows 2000 has two types of accounts
  – Local Account
    – This logon account is checked against the user account database on the local PC
  – Domain Account
    – This logon account is checked against the Active Directory database on the DC
– Local Accounts
  – Supported on all Windows 2000 machines except Domain Controllers
  – Authentication is done only for local machine access
  – Guest and Administrator are built-in local accounts
– Domain Accounts
  – User accounts are verified on the DC using encryption, permitting access throughout a Domain
  – Makes administration easier
  – Once authenticated, the user is given a session key which is used to access resources
    – Session key is checked against the resource's ACL when accessing the resource
  – Created in Active Directory within a DC and then propagated to all other DCs
• Resource Access Ticket Exchange
1. Request to logon to Domain
2. User is authenticated by AD. User is sent back 2 keys by the KDC (logon key and Ticket Granting Ticket key)
• Resource Access Ticket Exchange Between Domains
[Diagram: ticket exchange between domains; includes the domain CHILD.ENTCERT2.COM]
• User Account Attributes
– User account names should be unique within a Domain
– A Workgroup can have similar user accounts but user accounts must be unique on each local machine
– Logon name attributes
  – Less than 20 characters
  – Not case sensitive
  – Must not contain: +,*,?,<,>,/,\,[,],:,;
  – Passwords are case sensitive
• Manipulating User Accounts
– Renaming a user account does not affect any properties except the name
– Accounts can be moved from one container to another
– Accounts can be disabled
  – Cannot be accessed while disabled
– Accounts can be copied
  – Most properties are copied except username, full name, password, logon hours, address/phone info, organization info, and user rights and permissions
– Deleting a User Account
  – The account is permanently removed, along with all of its group memberships
  – If a new account is created with the same name, it has a different SID and GUID
  – Disabling the account may be a better option
  – Administrator and Guest can be renamed but not deleted
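Added example (not part of the original slides): a toy Python model of the rename, disable and delete behaviour listed above, assuming resource ACLs store SIDs rather than account names. The `Directory` class, the `can_access` helper, the account names and the domain SID are all constructed for illustration.

```python
import itertools

class Directory:
    """Toy account database: logon names are case-insensitive, SIDs are never reused."""
    def __init__(self, domain_sid="S-1-5-21-1111-2222-3333"):  # constructed value
        self._domain_sid = domain_sid
        self._rids = itertools.count(1000)   # each new account gets the next RID
        self._accounts = {}                  # lowercased logon name -> account

    def create(self, name):
        if name.lower() in self._accounts:
            raise ValueError(f"logon name already in use: {name}")
        sid = f"{self._domain_sid}-{next(self._rids)}"
        self._accounts[name.lower()] = {"sid": sid, "enabled": True}
        return sid

    def rename(self, old, new):
        if new.lower() in self._accounts:
            raise ValueError(f"logon name already in use: {new}")
        self._accounts[new.lower()] = self._accounts.pop(old.lower())  # SID unchanged

    def set_enabled(self, name, enabled):
        self._accounts[name.lower()]["enabled"] = enabled

    def delete(self, name):
        del self._accounts[name.lower()]

    def logon(self, name):
        """Return the account's SID, or None if the account is missing or disabled."""
        acct = self._accounts.get(name.lower())
        return acct["sid"] if acct and acct["enabled"] else None

def can_access(directory, name, acl_sids):
    """The resource ACL holds SIDs, never names, so only the SID decides access."""
    sid = directory.logon(name)
    return sid is not None and sid in acl_sids

def demo():
    d = Directory()
    acl = {d.create("jsmith")}                       # grant the original SID
    out = {"initial": can_access(d, "JSMITH", acl)}  # names are not case sensitive
    d.rename("jsmith", "jdoe")
    out["renamed"] = can_access(d, "jdoe", acl)
    d.set_enabled("jdoe", False)
    out["disabled"] = can_access(d, "jdoe", acl)
    d.set_enabled("jdoe", True)
    out["re_enabled"] = can_access(d, "jdoe", acl)
    d.delete("jdoe")
    d.create("jdoe")                                 # same name, new SID
    out["recreated"] = can_access(d, "jdoe", acl)
    return out
```

After the delete, the ACL still holds the old SID, so the recreated account with the same name gets no access, while the disabled account regains its access as soon as it is re-enabled.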
• User Account Properties
– User accounts have various properties
– Properties can be changed using the Computer Management tool for local accounts or Active Directory Users and Computers for Domain Accounts
• User Profiles
– User Profile determines the desktop environment of the user
– Helps manage and control what users do
– Every user has a profile that defines how, when and where a login is possible
– Three types of profiles: Local, Roaming, and Mandatory
• Profiles
– Local Profile
  – Profiles are maintained on each system that a user logs onto
  – Default User is a template if a user has never logged on to that system
– Roaming Profile
  – Allows Domain users to move from system to system and maintain one profile
– Mandatory Profile
  – Profile is Read-Only and cannot be changed
  – User can make changes to the desktop environment per logon session only