1
|
- Users, Groups, Profiles, and Policies
|
2
|
- Understand local users and groups
- Understand user policies
- Understand the local security policies
- Create and manage user accounts
- Create user profiles
|
3
|
- Local user accounts
- Exist on a single computer and cannot be used in any manner with
domain resources or to gain domain access of any kind
- Domain user accounts
- Exist in a domain by virtue of being created on a domain controller
|
4
|
- Local groups
- Group that exists only on the computer where it was created
- Can have users and global groups as members
- On a Windows XP Professional system, user accounts are used to govern or
control access
|
5
|
- A Windows XP Professional system can exist as a:
- Standalone system
- Workgroup member
- Domain network client
|
6
|
- A Windows XP Professional local user account stores details about:
- Security
- Access permissions
- Preferences
- A user’s environmental settings and configuration preferences can be
stored as a profile
|
7
|
- Password policy
- Defines the restrictions on passwords
- Account lockout policy
- Defines the conditions that result in a user account being locked out
|
8
|
- Audit policy
- Defines the events that are recorded in the Security log of the Event
Viewer
- Security options
- Defines and controls various security features, functions, and controls
of the Windows XP environment
|
9
|
- Windows XP implements its multiple-user system through the following:
- Groups
- Resources
- Policies
- Profiles
|
10
|
- Windows XP uses logon authentication for two purposes:
- To maintain security and privacy within a network
- To track computer usage by user account
|
11
|
- Windows XP supports two types of logons:
- Windows Welcome
- Completely new logon method to the Windows product line
- Classic
- This method is Ctrl+Alt+Delete
|
12
|
- Administrator account
- Most powerful user account possible within the Windows XP environment
- Administrator account has the following characteristics:
- It cannot be deleted
- It cannot be locked out
|
13
|
- Administrator account has the following characteristics (cont.):
- It can be disabled
- It can have a blank password
- It can be renamed
- It cannot be removed from the Administrator local group
|
14
|
- Guest account
- One of the least privileged user accounts in Windows XP
- Guest account has the following characteristics:
- It cannot be deleted
- It can be locked out
|
15
|
- Guest account has the following characteristics (cont.):
- It can be disabled
- It can have a blank password
- It can be renamed
- It can be removed from the Guest local group
|
16
|
- Predetermined process for creating names on a network or standalone system
- Should incorporate a scheme for user accounts, computers, directories,
network shares, printers, and servers
- Should be descriptive enough so that anyone can figure out to which type
of object the name corresponds
|
17
|
- Naming convention needs to address the following four elements:
- Must be consistent across all objects
- Must be easy to use and understand
- New names should be easily constructed by mimicking the composition of
existing names
- An object’s name should clearly identify that object’s type
|
21
|
- Imported user account
- A local account created by duplicating the name and password of an
existing domain account
- An imported account can be used only when the Windows XP Professional
system is able to communicate with the domain of the original account
|
26
|
- To provide the highest degree of control over resources, Windows XP uses
two types of groups:
- Local groups
- Exist only on the computer where they are created
- Global groups
- Exist throughout a domain
|
28
|
- Windows XP has several built-in system controlled groups
- System-controlled groups are pre-existing groups that you cannot manage
but that appear in dialog boxes when assigning group membership or access
permissions
- These groups can be used by the system to control or place restrictions
on specific groups of users based on their activities
|
29
|
- Collection of desktop and environmental configurations on a Windows XP
system for a specific user or group of users
- By default, each Windows XP computer maintains a profile for each user
who has logged on to the computer, except for Guest accounts
- Optionally, an administrator can force users to load a so-called mandatory
profile
|
31
|
- Set of specifications and preferences for an individual user, stored on
a local machine
- Windows XP provides each user with a folder containing their profile
settings
- Local profiles are established by default for each user who logs onto a
particular machine
|
32
|
- A roaming profile resides on a network server to make it broadly
accessible
- When a user whose profile is designated as roaming logs on to any Windows
XP system on the network, that profile is automatically downloaded
- This process avoids having to store a local profile on each workstation
that a user uses
|
33
|
- Windows XP has combined several security and access controls into a
centralized policy:
- This centralized policy is called the group policy
- There are group policies for local computers, groups, domains, and
organizational units
|
35
|
- The items in this policy are:
- Account lockout threshold: 0 Invalid logon attempts
- Account lockout duration: Not Defined
- Reset account counter after: Not Defined
|
36
|
- Defines the events that are recorded in the Security log of the Event
Viewer
- Auditing is used to track resource usage
- Each item in this list can be set to audit the Success and/or Failure of
the event
|
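The default lockout values and the Success/Failure audit settings listed above can be checked from a security policy export. This is an added example, not part of the original slides: it parses a constructed `secedit /export` file, and the function names and sample contents are assumptions made for illustration.

```python
import configparser

# Constructed sample of a `secedit /export /cfg policy.inf` file (not from the page).
# LockoutBadCount = 0 is the default the slide lists: lockout is disabled, so the
# duration and reset-counter keys are absent, which the UI shows as "Not Defined".
SAMPLE_INF = """\
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 2
AuditPolicyChange = 3
"""

# Audit values are a bit mask: 1 = Success, 2 = Failure, 3 = both.
AUDIT_FLAGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

def parse_policy(inf_text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as exported
    cp.read_string(inf_text)
    return cp

def lockout_policy(cp):
    sa = cp["System Access"] if cp.has_section("System Access") else {}
    threshold = int(sa.get("LockoutBadCount", 0))
    def minutes(key):
        # Only meaningful once a non-zero threshold enables lockout.
        return int(sa[key]) if threshold and key in sa else "Not Defined"
    return {"threshold": threshold,
            "duration_min": minutes("LockoutDuration"),
            "reset_after_min": minutes("ResetLockoutCount"),
            "lockout_enabled": threshold > 0}

def audit_policy(cp):
    if not cp.has_section("Event Audit"):
        return {}
    return {k: AUDIT_FLAGS[int(v)] for k, v in cp["Event Audit"].items()}

def findings(cp):
    out = []
    if not lockout_policy(cp)["lockout_enabled"]:
        out.append("Account lockout threshold is 0: accounts never lock out")
    out += [f"{k}: no auditing configured"
            for k, v in audit_policy(cp).items() if v == "No auditing"]
    return out
```

On a real system the export is normally UTF-16 encoded, so decode it before passing the text to `parse_policy`.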
37
|
- Defines which groups or users can perform the specific privileged action
- Troubleshooting user rights is a process of test, re-configure, and
retest
- For more details on user rights, consult the Microsoft Windows XP
Professional Resource Kit
|
38
|
- Defines and controls various security features, functions, and controls
of the Windows XP environment
- For more details on security options, consult the Microsoft Windows XP
Professional Resource Kit
|
39
|
- Windows XP Professional automatically caches a user’s credentials in the
Registry when a domain logon or .NET Passport logon is performed
- Caching of credentials is used to support single sign-on requirements
- Caching of credentials can be disabled through two means from the
Windows XP Professional client
- Cached logons are stored within a utility named “Stored User Names and
Passwords”
|
40
|
- Problems can occur with stored credentials
- If you discover that you are being authenticated as the wrong user
account or with the wrong access level, you should remove the stored
account information for that server or domain
- Another problem is being unable to access resources to which you
previously had access
- Yet another problem might occur when you obtain access to a resource to
which you should not have access
|
41
|
- Used to move your data files and personal desktop settings from another
computer to your new Windows XP Professional system
- Must have some sort of network connection between the two systems
- Using this Wizard, you can transfer files from Windows 95, 98, SE, Me,
NT, 2000, or XP systems
|
42
|
- Windows XP Professional can employ three types of users
- Users are collected into groups to simplify management and grant access
or privileges
- Users and groups are managed through the User Accounts applet and the
Local Users and Groups utility
|
43
|
- User profiles can be local profiles when working with local users or
imported users, or they can be roaming when using a domain-user account
- User profiles store a wide variety of personalized or custom data about
a user’s environment
- The Local Security Policy is used to manage password, account lockout,
audit, user rights, security options, and more
|