page 1 user accounts lecture 3 hassan shuja 09/21/2004

Upload: rosaline-berry

Post on 14-Dec-2015


Page 1

User Accounts

Lecture 3
Hassan Shuja

09/21/2004

Page 2

User Accounts

• User Accounts
  – A user account is needed to access a Windows 2000 computer
  – An object trying to access a resource must do so through a user account
  – User accounts determine 3 things
    – When a user may log on
    – Where within a domain or workgroup a user can log in
    – What privileges a user has
  – Each user account has a SID

Page 3

User Account

• Types of Accounts
  – Windows 2000 has two types of accounts
  – Local Account
    – This logon account is checked against the user account database on the local PC
  – Domain Account
    – This logon account is checked against the Active Directory database on the DC
  – Local Accounts
    – Supported on all Windows 2000 machines except Domain Controllers
    – Authentication is done only for local machine access
    – Guest and Administrator are built-in local accounts
  – Domain Accounts
    – User accounts are verified on the DC using encryption, which permits access throughout a Domain
    – Makes administration easier
    – Once authenticated, the user is given a session key which is used to access resources
    – The session key is checked against the resource's ACL when accessing the resource
    – Created in Active Directory within a DC and then propagated to all other DCs

Page 4

User Account

• Resource Access Ticket Exchange
  1. Request to log on to the Domain
  2. User is authenticated by AD. User is sent back 2 keys by the KDC (logon key and Ticket Granting Ticket key).

Page 5

User Account

• Resource Access Ticket Exchange Between Domains

[Diagram: domain labelled CHILD.ENTCERT2.COM]

Page 6

User Accounts

• User Account Attributes
  – User account names should be unique within a Domain
  – A Workgroup can have similar user accounts, but user accounts must be unique on each local machine
  – Logon name attributes
    – Less than 20 characters
    – Not case sensitive
    – Must not contain: + * ? < > / \ [ ] : ;
    – Passwords are case sensitive

Page 7

User Accounts

• Manipulating User Accounts
  – Renaming a user account does not affect any properties except the name
  – Accounts can be moved from one container to another
  – Accounts can be disabled
    – Cannot be accessed while disabled
  – Accounts can be copied
    – Most properties are copied except username, full name, password, logon hours, address/phone info, organization info, and user rights and permissions
  – Deleting User Account
    – The account is permanently removed, along with all of its group memberships
    – If a new account is created with the same name, it has a different SID and GUID
    – Disabling the account may be a better option
    – Administrator and Guest can be renamed but not deleted
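
Why a deleted and recreated account loses access while a disabled or renamed one keeps it, as an added example that is not part of the lecture: a toy Python model in which resource ACLs store SIDs rather than names. The `Directory` class, the `jsmith`/`jdoe` names and the domain SID value are constructed for illustration.

```python
import itertools

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample value

class Directory:
    """Toy account store: the name is only a label, the SID is the identity."""
    def __init__(self):
        self._rid = itertools.count(1000)   # model: every new account gets a fresh RID
        self.accounts = {}                  # lowercased logon name -> account record

    def create(self, name):
        key = name.lower()                  # logon names are not case sensitive
        if key in self.accounts:
            raise ValueError(f"{name!r} already exists")
        acct = {"sid": f"{DOMAIN_SID}-{next(self._rid)}", "enabled": True}
        self.accounts[key] = acct
        return acct["sid"]

    def delete(self, name):
        del self.accounts[name.lower()]     # the SID is gone for good

    def set_enabled(self, name, enabled):
        self.accounts[name.lower()]["enabled"] = enabled

    def rename(self, old, new):
        # Only the label changes; the record (and its SID) is carried over.
        self.accounts[new.lower()] = self.accounts.pop(old.lower())

def can_access(directory, name, acl):
    """Grant access only if the account is enabled and its SID is on the ACL."""
    acct = directory.accounts.get(name.lower())
    return bool(acct and acct["enabled"] and acct["sid"] in acl)

def demo():
    d = Directory()
    acl = {d.create("jsmith")}              # the resource ACL stores the SID
    results = {"initial": can_access(d, "jsmith", acl)}
    d.set_enabled("jsmith", False)
    results["disabled"] = can_access(d, "jsmith", acl)
    d.set_enabled("jsmith", True)
    results["re_enabled"] = can_access(d, "jsmith", acl)
    d.rename("jsmith", "jdoe")
    results["renamed"] = can_access(d, "jdoe", acl)
    d.delete("jdoe")
    d.create("jsmith")                      # same name, different SID
    results["recreated"] = can_access(d, "jsmith", acl)
    return results

if __name__ == "__main__":
    print(demo())
```

The stale SID left on the ACL after the delete matches no account, so the recreated `jsmith` has to be granted access again from scratch.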

Page 8

User Accounts

• User Account Properties
  – User accounts have various properties
  – Properties can be changed using the Computer Management tool for local accounts or Active Directory Users and Computers for Domain accounts

Page 9

User Accounts

• User Profiles
  – User Profile determines the desktop environment of the user
  – Helps manage and control what users do
  – Every user has a profile that defines how, when and where a login is possible
  – Three types of profiles: Local, Roaming, and Mandatory

Page 10

User Accounts

• Profiles
  – Local Profile
    – Profiles are maintained on each system that a user logs onto
    – Default User is a template if a user has never logged on to that system
  – Roaming Profile
    – Allows Domain users to move from system to system and maintain one profile
  – Mandatory Profile
    – Profile is read-only and cannot be changed
    – User can make changes to the desktop environment per logon session only