STUDY GUIDE For MCSE Exam 70-210
Installing, Configuring, and Administering
Microsoft Windows 2000 Professional
Installing Windows 2000 Professional
Requirements:
Windows 2000 Professional
- 133 MHz or higher Pentium-compatible CPU.
- 64 MB RAM minimum; 4 GB RAM maximum.
- 2 GB hard disk with a minimum of 650 MB of free space. (Additional free hard disk space is required if you are installing over a network.)
- Network adapter card.
- Video display adapter and monitor with VGA or higher resolution.
- Support for up to 2 processors.
Windows 2000 Server
- 133 MHz or higher Pentium-compatible CPU.
- 128 MB RAM minimum (4 GB maximum); 256 MB recommended minimum.
- 2 GB hard disk with a minimum of 1 GB of free space. (Additional free hard disk space is required if you are installing over a network.)
- Network adapter card.
- Video display adapter and monitor with VGA or higher resolution.
- Support for up to 4 processors.
Windows 2000 Advanced Server
- 133 MHz or higher Pentium-compatible CPU.
- 128 MB RAM minimum (8 GB maximum); 256 MB recommended minimum.
- 2 GB hard disk with a minimum of 1 GB of free space. (Additional free hard disk space is required if you are installing over a network.)
- Network adapter card.
- Video display adapter and monitor with VGA or higher resolution.
- Support for up to 8 processors.
Pre-Installation Activities:
Prior to installing Win2000, the following
tasks must be performed:
‧ Ensure all hardware requirements are
met.
‧ Determine if hardware is on the
Hardware Compatibility List (HCL).
‧ Determine how you want to partition
the hard disk where Win2000 will be installed.
‧ Choose a file system for the
installation partition.
‧ Choose a licensing mode for a server
that will be running Win2000.
‧ Identify whether the computer will
join a domain or a workgroup.
‧ Run the Win2000 Upgrade Compatibility
Verification tool.
Attended Installation:
Four stages of Setup: Setup Program, Setup
Wizard, Installing Networking, Complete Setup.
1. Setup Program: Loads Setup program into
memory. Starts text-based Setup program.
Creates Win2000 partition. Formats partition.
Copies setup files to hard disk. Reboots computer.
2. Setup Wizard: Graphical user interface for
installation information (e.g. product key, names, passwords).
3. Install Windows Networking: Detection of
adapter cards, installation of default networking components; Client
for MS Networks, File and Printer Sharing for MS Networks and TCP/IP
protocol. Join a workgroup or domain. Installation of components.
4. Complete Setup: Copy files. Configure the
computer. Save the configuration. Removal of temporary files.
Installing from CD-ROM:
‧ Does not require floppies.
‧ To make boot floppies, type MAKEBOOT
A: in the directory of the installation CD.
‧ If installing using an MS-DOS or
Win95/98 boot floppy, run WINNT.EXE from the i386 folder to begin Windows
2000 setup.
Installing over a Network:
‧ 685 MB minimum plus 100+ MB free hard
drive space for temporary files created during installation.
‧ Create a Distribution Server with a
file share containing the contents of the /i386 directory from the
Windows 2000 CD-ROM.
‧ Boot the network client. Connect to
the distribution server. Run WINNT.EXE. Boot from the Setup boot
disks. Install Windows 2000. Run WINNT32.EXE if upgrading a previous
version of Windows.
WINNT.EXE command line switches
| Switch | Function |
| --- | --- |
| /a | Enables accessibility options. |
| /e:command | Specifies the command to be executed at the end of GUI setup. |
| /i:inffile | Specifies the file name (no path) of the setup information file. |
| /r[:folder] | Specifies optional folder to be installed. |
| /rx[:folder] | Specifies optional folder to be copied. |
| /s[:sourcepath] | Specifies source location of Windows 2000 files. Full path or network share. |
| /t[:tempdrive] | Specifies drive to hold temporary setup files. |
| /u[:answer file] | Specifies unattended setup using answer file (requires /s). |
| /udf:id[,UDF_file] | Establishes the ID that Setup uses to specify how a UDF file modifies an answer file. |
Unattended installations:
‧ Unattended installations use an answer
file to provide information during the setup process.
‧ Answer files are created using the
Setup Manager Wizard or a text editor.
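How the /udf:id switch combines a Uniqueness Database File with an answer file is easiest to see in code. The following Python model is an added example, not part of this study guide or of Windows Setup: it parses the INI-style text both files use and applies the UDF layout as I understand it (a [UniqueIds] section listing, per ID, which sections that ID overrides, and [ID:Section] blocks holding the replacement keys). The answer file and UDF contents below are constructed for illustration.

```python
"""Model of how a UDF overrides an answer file for one computer ID.

Added example (not from the study guide). The UDF layout used here, a
[UniqueIds] section mapping each ID to the sections it overrides plus
[ID:Section] blocks with the replacement keys, reflects the documented
UDF format; the file contents are constructed samples.
"""
import configparser

# Constructed sample answer file (unattend.txt style).
ANSWER_FILE = """
[Unattended]
UnattendMode=FullUnattended
TargetPath=WINNT

[UserData]
FullName="Lab User"
OrgName="Example Lab"
ComputerName=WORKSTATION

[GuiUnattended]
TimeZone=035
"""

# Constructed sample UDF: PC01 overrides one section, PC02 overrides two.
UDF_FILE = """
[UniqueIds]
PC01=UserData
PC02=UserData,GuiUnattended

[PC01:UserData]
ComputerName=PC01

[PC02:UserData]
ComputerName=PC02
FullName="Night Shift"

[PC02:GuiUnattended]
TimeZone=020
"""


def parse_ini(text):
    """Parse answer-file style text into {section: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    parser.optionxform = str  # Setup keys are written in mixed case; keep them as-is
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def apply_udf(answer, udf, unique_id):
    """Return a copy of `answer` with the overrides the UDF defines for `unique_id`.

    Keys in an [ID:Section] block replace the answer file's keys; a section the
    answer file lacks is added. IDs not listed in [UniqueIds] are an error.
    """
    merged = {section: dict(keys) for section, keys in answer.items()}
    ids = udf.get("UniqueIds", {})
    if unique_id not in ids:
        raise KeyError(f"{unique_id} is not listed in [UniqueIds]")
    for section in (name.strip() for name in ids[unique_id].split(",")):
        overrides = udf.get(f"{unique_id}:{section}", {})
        merged.setdefault(section, {}).update(overrides)
    return merged


def resolve(unique_id, answer_text=ANSWER_FILE, udf_text=UDF_FILE):
    """Convenience wrapper: the settings Setup would use for one computer ID."""
    return apply_udf(parse_ini(answer_text), parse_ini(udf_text), unique_id)


if __name__ == "__main__":
    for pc in ("PC01", "PC02"):
        cfg = resolve(pc)
        print(pc, cfg["UserData"]["ComputerName"], cfg["GuiUnattended"]["TimeZone"])
```

Everything not named in the UDF for a given ID (here OrgName, UnattendMode and, for PC01, the time zone) comes through from the shared answer file unchanged, which is why one answer file plus one UDF can drive many per-machine installs.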
Domains, Trusts and AD
Active Directory
Active Directory is a hierarchical database of
all objects in the entire enterprise. It includes users, groups,
domain controllers, printers, computers, contacts, shared folders,
and organizational units. AD uses TCP/IP as its network protocol.
All Win2000 computers can use AD by default. Non-Win2000 computers
can still log onto the domain, but cannot use AD features. They must
use a Directory Services add-on client (DSCLIENT.EXE).
Domains
Domains are now a hierarchical model with a
parent domain and child domains under it. A single domain tree
consists of a parent domain and all of its child domains. Multiple
trees in the same AD are called a forest. Domains are named in
accordance with the Internet’s Domain Name System standard. If the
parent (root) domain is called “acme.com”, a child may be called
“support.acme.com”.
Global Catalog
To facilitate finding objects in the AD, the
Global Catalog is used. It is an index of all objects
published in the AD. A Global Catalog can only
exist on a domain controller.
Forest
A Forest defines the outside perimeter of the
Windows 2000 Active Directory. It is also
called an enterprise. Within the forest are
trees, and within the trees are domains.
Organizational Units
OUs are subdivisions of a domain that contain AD objects.
They are grouped by similar function or geographic location. They exist to delegate
administrative authority and to scope Group Policy application.
Deploying Windows 2000 Using Remote
Installation Services (RIS):
Allows administrators to install Win2000
Professional on client computers from a central location. RIS server can be a domain
controller or a member server.
RIS Server requirements:
‧ DNS Server Service
‧ DHCP Server Service
‧ Active Directory
‧ Minimum of 2 GB of disk space. Two
hard disk partitions, one for the operating system and
one for the images. The image partition must be
formatted with NTFS. RIS cannot be installed on the system or boot partition, or on an EFS
volume or DFS shared folder.
Setting up RIS Server:
‧ Install Remote Installation Services
by using Windows Control Panel, Add/Remove Programs, Windows Components.
‧ Start the RIS Setup Wizard by running
RISETUP. Specify the Remote Installation Folder Location. To build the initial CD-based
image, specify the location of the Win2000 Professional source files. Inside the RIS folder, indicate
where the CD image will be stored. Provide a friendly text name for the CD-based
image.
‧ Setup Wizard will then create the
folder structure, copy source files to the server, create
the CD-based Win2000 Professional image and
the default answer file, RISTANDARD.SIF, and start
the RIS services on the server.
‧ To authorize the server, open
Administrative Tools, DHCP. Right-click DHCP, choose Manage Authorized Servers. Click Authorize and
enter the name or IP of the RIS server.
‧ Configure your RIS Server to respond
to client requests.
‧ Assign users/groups that will be
performing RIS Installations permissions to Create Computer Objects in Active Directory.
‧ Client Computer Naming Format is
defined through Active Directory Users and Computers. Right-click RIS Server and click Properties,
Remote Install, Advanced Settings, New Clients. Either choose a pre-defined format or
create a custom one.
‧ Associate an answer file (.SIF) with
your image.
RIS Client requirements:
‧ Must have a network adapter, or a 3
1/2" floppy drive and PCI network adapter supported by the RIS Startup Disk utility's list of
supported adapters.
‧ Client machine must meet minimum
hardware requirements for Windows 2000 Professional and must use the same Hardware Abstraction
Layer (HAL).
Troubleshooting Remote Installations:
Client cannot connect to RIS Server using the Startup disk: Verify correct network adapter driver in
RBFG.EXE.
Computer displays a BootP message but does not display the DHCP message:
Verify if it can obtain an IP address. Ensure
the DHCP server is online, is authorized, has a
valid IP address scope. Ensure DHCP packets are being routed.
Computer displays the DHCP message but does not display the Boot
Information Negotiations Layer (BINL) message: Verify the RIS server is online and
authorized. Verify DHCP packets are being routed.
Installation options you expected are not available:
Verify another Group Policy Object did not
take precedence over your GPO.
System is unable to connect to RIS server, but BINL message is displayed:
Restart the NetPC Boot Service Manager (BINLSVC) on the RIS Server.
Miscellaneous:
‧ The answer file (.SIF) supports the
new [RemoteInstall] section. By setting the repartition parameter to yes, the install will delete all
partitions on the client computer and reformat the drive with one NTFS partition.
‧ The Remote Boot Floppy Generator
utility (RBFG.EXE) only works on Windows 2000 systems. To create boot floppies, click Start,
Run. Enter \RISServerName.EXE.
‧ RIPrep images cannot be created on a
server unless it already has an existing CD-based image.
Upgrading from Previous Versions:
‧ Run WINNT32.EXE for upgrading from a
previous version of Windows.
‧ Windows 2000 supports upgrades from:
Windows 95 and 98, Windows NT Workstation 3.51 and 4.0, and Windows NT 3.1 or 3.5 (must
be upgraded to NT 3.51 or 4.0 first, then to Professional).
‧ Run WINNT32 /CHECKUPGRADEONLY to check
for compatible hardware and software. A report will be generated indicating which
system components are Windows 2000 compatible.
‧ All operating system files associated
with Windows 95/98 will be deleted after an upgrade.
Troubleshooting Failed Installations:
Common errors:
Cannot contact domain controller: Ensure network cable is connected. Verify that
servers running DNS and a domain controller are both
on-line. Make sure all network settings are correct.
Dependency service will not start: Verify
correct protocol and network adapter in the Network Settings.
Error loading operating system: Disk geometry is reported incorrectly on an
NTFS partition. Use a partition smaller than 4 GB or use a FAT32
partition.
Insufficient disk space: Create a new partition
or reformat an existing partition to free up space.
Implementing and Conducting Administration of
Resources:
Choosing a file system:
‧ NTFS provides optimum security and
reliability by securing individual files and folders on a user-by-user basis. Features include disk
compression, disk quotas and encryption.
‧ FAT and FAT32 are used for dual
booting between Windows 2000 and other operating systems. If the partition size is less than 2
GB, setup will format the partition as FAT. If greater than 2 GB, it will be formatted as
FAT32.
‧ Existing NT 4.0 NTFS system partition
will be upgraded to Windows 2000 NTFS automatically. If you are dual booting between NT 4.0 and
2000, you must install Service Pack 4 on the NT 4.0 machine first.
Disk Quotas
By default, only members of the Administrators
group can view and change quota settings. Users can be allowed to view quota settings.
Volume usage can be monitored on a per-user basis. Disk usage is charged according to file
and folder ownership. Quotas do not take compression into account. Free space reported to applications is
based on the quota limit. Quotas can be applied only to volumes formatted with NTFS under
Windows 2000. A quota warning should be set to log an event indicating that
the user is nearing their limit. An event should be logged when a user exceeds a specified disk
space threshold.
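The quota rules above (ownership-based accounting, a warning threshold that logs an event, a limit that refuses further writes) are modelled in the following Python class. This is an added example, not code from the study guide or from Windows; the reading of "quotas do not use compression" as "the uncompressed size is what counts" is an assumption about the guide's wording, and every file, size and threshold is constructed.

```python
"""Per-owner NTFS disk quota accounting as described in this section.

Added example (not from the study guide). Usage is charged to the owner of
each file at its logical, uncompressed size (assumed reading of "quotas do
not use compression"). Crossing the warning level logs a warning event; a
write that would exceed the limit is refused and logs a limit event.
All files, sizes and thresholds are constructed.
"""

MB = 1024 * 1024

# Constructed sample: (path, owner, logical size, size on disk after compression)
FILES = [
    ("D:\\data\\alice\\report.doc", "alice", 30 * MB, 12 * MB),
    ("D:\\data\\alice\\photos.zip", "alice", 45 * MB, 45 * MB),
    ("D:\\data\\bob\\notes.txt", "bob", 2 * MB, 1 * MB),
]


class QuotaVolume:
    """An NTFS volume with one warning level and one hard limit for every owner."""

    def __init__(self, files, warn_level, limit):
        self.files = list(files)
        self.warn_level = warn_level
        self.limit = limit
        self.events = []  # (kind, owner, usage) tuples standing in for event log entries

    def usage(self, owner):
        """Ownership-based: only files owned by `owner`, counted at logical size."""
        return sum(size for _, o, size, _ in self.files if o == owner)

    def free_for(self, owner):
        """Free space as reported to the owner's applications: limit minus usage."""
        return max(self.limit - self.usage(owner), 0)

    def write(self, path, owner, size, on_disk=None):
        """Add a file for `owner`. Returns True if accepted, False if the limit refuses it."""
        before = self.usage(owner)
        after = before + size
        if after > self.limit:
            self.events.append(("limit", owner, after))
            return False
        if before <= self.warn_level < after:  # log once, when the threshold is crossed
            self.events.append(("warning", owner, after))
        self.files.append((path, owner, size, size if on_disk is None else on_disk))
        return True


if __name__ == "__main__":
    vol = QuotaVolume(FILES, warn_level=80 * MB, limit=100 * MB)
    print("alice uses", vol.usage("alice") // MB, "MB, free", vol.free_for("alice") // MB, "MB")
    print("10 MB write accepted:", vol.write("D:\\data\\alice\\a.bin", "alice", 10 * MB))
    print("20 MB write accepted:", vol.write("D:\\data\\alice\\b.bin", "alice", 20 * MB))
    print(vol.events)
```

Note that alice's 45 MB archive is charged at 45 MB and her 30 MB document at 30 MB even though the latter compresses to 12 MB on disk, and that bob's files never count against alice: the accounting follows the owner of each file, not the folder it sits in.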
Moving and Copying Files on NTFS Partitions:
‧ Copying within a partition: the file inherits the target
folder's permissions.
‧ Moving within a partition: the file keeps its
original permissions.
‧ Moving across partitions: the file inherits the target
folder's permissions.
NTFS Details:
‧ The CACLS.EXE utility is used to
modify NTFS volume permissions.
‧ File permissions override the
permissions of its parent folder.
‧ Files moved from an NTFS partition to
a FAT partition do not retain their attributes, but retain their long filenames.
‧ Permissions are cumulative, except for
No Access, which overrides everything.
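The permission rules in the two lists above (cumulative allows, an overriding deny, file ACL beating folder ACL, and keep-versus-inherit on move or copy) are modelled in the following Python functions. This is an added example, not from the study guide or from Windows: "No Access" is treated as an explicit deny entry, the copy-across-partitions case that the guide does not list is filled in with the general NTFS rule (copies always inherit) as a stated assumption, and all ACL entries and paths are constructed.

```python
"""Model of the NTFS permission rules in this section.

Added example (not from the study guide). Rights granted to a user and to
the user's groups are cumulative; an explicit deny entry (the guide's
"No Access") overrides any allow; an ACL set directly on a file takes
precedence over the parent folder's; move within a partition keeps the ACL
while copies and cross-partition moves inherit the target folder's.
ACL entries and paths below are constructed.
"""

ALLOW, DENY = "allow", "deny"


def effective_rights(acl, user, groups):
    """Union every allowed right for the user and groups, then remove explicit denies."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (allowed if kind == ALLOW else denied).update(rights)
    return allowed - denied


def acl_for(path, acls):
    """The ACL on the file itself wins; otherwise walk up to the nearest folder ACL."""
    node = path
    while node:
        if node in acls:
            return acls[node]
        node = node.rpartition("\\")[0]
    return []


def acl_after_transfer(op, same_partition, file_acl, target_folder_acl):
    """Move within a partition keeps the file ACL; copy (either way) and move
    across partitions inherit the target folder's ACL. Copy across partitions is
    not listed in the guide; inheriting is the general NTFS rule (assumption)."""
    if op not in ("copy", "move"):
        raise ValueError(f"unknown operation {op!r}")
    if op == "move" and same_partition:
        return file_acl
    return target_folder_acl


# Constructed sample: a folder ACL and one file carrying its own ACL.
ACLS = {
    "D:\\Projects": [
        ("Engineering", ALLOW, {"read", "write"}),
        ("Everyone", ALLOW, {"read"}),
        ("Contractors", DENY, {"write"}),
    ],
    "D:\\Projects\\secret.txt": [
        ("Administrators", ALLOW, {"read", "write", "full"}),
    ],
}


def rights_on(path, user, groups, acls=ACLS):
    """Effective rights of `user` (member of `groups`) on `path` under `acls`."""
    return effective_rights(acl_for(path, acls), user, groups)


if __name__ == "__main__":
    print(rights_on("D:\\Projects\\plan.doc", "bob", {"Engineering", "Everyone"}))
    print(rights_on("D:\\Projects\\plan.doc", "alice", {"Engineering", "Contractors", "Everyone"}))
    print(rights_on("D:\\Projects\\secret.txt", "bob", {"Engineering", "Everyone"}))
```

Bob, in Engineering, gets read and write on plan.doc; Alice, who is also in Contractors, is stripped down to read by the deny entry even though Engineering would grant her write; and neither of them gets anything on secret.txt, because the file's own ACL names only Administrators and the folder ACL is not consulted.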
Local and Network Print Devices:
‧ Windows 2000 Professional supports:
Line Printer (LPT), COM, USB, IEEE 1394, and network attached devices.
‧ Print services can only be provided
for Windows and UNIX clients on Windows 2000 Professional.
‧ Windows 2000 Professional
automatically downloads the printer drivers for clients running Win2000, WinNT 4, WinNT 3.51 and Windows
95/98.
‧ Windows 2000 Server is required to
support Apple and Novell clients.
‧ Print Pooling allows two or more
identical printers to be installed as one logical printer.
‧ Internet Printing allows you to enter
the URL where the printer is located. The print server must be a Windows 2000 Server running
Internet Information Server or a Windows 2000 Professional system running Personal Web
Server. Shared printers can be viewed at: http://servername/printers.
‧ Print Priority is set by creating
multiple logical printers for one physical printer and assigning different priorities to each. Priority ranges
from 1, the lowest (default) to 99, the highest.
‧ To fix a stalled spooler, stop and
restart the spooler services in the Services applet in Administrative Tools in the Control Panel.
‧ Availability option allows
Administrator to specify the hours the printer is available.
Managing File Systems:
Windows 2000 supports Basic and Dynamic
storage. Basic storage divides a hard disk into partitions. It can contain primary
partitions, extended partitions and logical drives.
Basic volumes cannot be created on dynamic
disks. Basic volumes should be used when dual-booting between Windows 2000 and DOS,
Windows 3.x, Windows 95/98 and all versions of Windows NT.
Dynamic storage allows you to create a single
partition that includes the entire hard disk. Dynamic disks are divided into volumes which
can include portions of one, or many, disks. You do not need to restart the
operating system after resizing.
Volume Types:
Simple volume - Contains space from a single
disk
Spanned volume - Contains space from multiple
disks (maximum of 32). Fills one volume before going to the next. If a volume in a
spanned set fails, all data in the spanned volume set is lost. Performance is
degraded as disks in spanned volume set are read sequentially.
Striped set - Contains free space from multiple
disks (maximum of 32) in one logical drive. Increases performance by
reading/writing data from all disks at the same rate. If a disk in a stripe set
fails, all data is lost.
Dynamic Volume Limitations:
‧ A boot disk that has been converted
from basic to dynamic cannot be converted back to basic.
‧ Not supported on portable computers or
removable media.
‧ Cannot be directly accessed by DOS,
Win95/98 or any versions of Windows NT if you are dual-booting.
‧ Dynamic volumes which were upgraded
from basic disk partitions cannot be extended. Volumes created after the disk was upgraded to
dynamic can be extended.
‧ When installing Windows 2000, if a
dynamic volume is created from unallocated space on a dynamic disk, Windows 2000 cannot be
installed on that volume.
Disk Management on a Remote Computer:
You must create a custom console focused on
another computer. Choose Start, Run and type MMC. Choose Add/Remove Snap-in. Click
Add. Click Disk Management then click Add. When Choose Computer dialog box appears
choose the remote system.
Windows 2000 supports disk-based quotas.
Quotas can be set on NTFS volumes, but not on FAT or FAT32 volumes. Quotas cannot be set
on individual folders within a NTFS partition.
Using the Disk Management Snap-in Tool:
‧ The default is Basic storage when
adding a new disk.
‧ You must choose Rescan Disks when you
remove or add a new disk.
‧ Use Import Foreign Disk for disks that
have been removed from another computer.
‧ Upgrading from Basic to Dynamic
storage requires at least 1 MB of unallocated space.
Implementing, Managing, and Troubleshooting
Hardware Devices and Drivers:
Display devices:
‧ Monitors are installed, removed, and
drivers are updated through Monitors under the Device Manager. Windows 2000 Professional supports
multiple monitors running concurrently.
‧ Use Display Adapters under the Device
Manager to install, remove and update drivers.
‧ Desktop display properties are managed
through the Display applet in Control Panel.
Disk devices:
‧ Use Disk Management to create, delete,
and format partitions as FAT, FAT32 and NTFS. Used to change volume labels, reassign drive
letters, check drives for errors and backup drives.
‧ To Manage disk devices, use Control
Panel, Administrative Tools, Computer Management or by creating a custom console and adding the
Disk Management snap-in. The Computer Management snap-in for your custom
console enables Disk Management, Disk
Defragmenter, Logical Drives and Removable
Storage. There is a separate snap-in for each of these tools except for Logical Drives.
Mobile computer hardware:
‧ PCMCIA (PC Card) adapters, USB ports,
IEEE 1394 (FireWire), and Infrared devices are supported through Device Manager.
‧ SmartCards and Encrypting File System
decrease the likelihood of confidential data being
compromised if the computer is stolen or lost.
‧ Support is provided for Advanced Power
Management (APM) and Advanced Configuration and Power Interface (ACPI).
‧ Hibernation (complete power down while
maintaining state of open programs and connected hardware) and Suspend (sleep with some power)
modes are supported for extending battery life.
‧ Use hardware profiles for mobile
computers. Accessed through Control Panel, System applet, Hardware tab, Hardware Profiles.
Multiple profiles can be created and designated as a docked or undocked portable computer.
Managing/configuring multiple CPUs:
‧ Windows 2000 Professional supports a
maximum of two CPUs.
‧ Windows 2000 supports Symmetric
Multiprocessing (SMP). Processor affinity is also
supported. Asymmetric Multiprocessing (ASMP)
is not supported.
‧ Upgrading to multiple CPUs might
increase the load on other system resources.
‧ Update your Windows driver to convert
your system from a single to multiple CPUs. This is done through Device Manager, Computer,
Update Driver.
Updating drivers:
‧ Driver Verifier is used to
troubleshoot and isolate driver problems. It must be enabled through changing a Registry setting. The
Driver Verifier Manager, VERIFIER.EXE, provides a command-line interface for working with
Driver Verifier.
Installing and Managing Network Adapters:
‧ Adapters are installed using the
Add/Remove Hardware applet in Control Panel.
‧ Change the binding order of protocols
and the Provider order using Advanced Settings under the Advanced menu of the Network and
Dial-up Connections window. Access by right-clicking on My Network Places icon.
Startup and Recovery Settings:
‧ Use DUMPCHK.EXE to examine contents of
MEMORY.DMP.
‧ Accessed through Control Panel, System
applet, Advanced tab, Startup and Recovery.
‧ Memory dumps are always saved with the
filename MEMORY.DMP.
‧ A paging file must be on the system
partition and the pagefile itself at least 1 MB larger than the amount of RAM installed for Write
debugging information option to work.
Running the Recovery Console:
To install the Recovery Console, run WINNT32 /CMDCONS
from the Windows 2000 CD i386 folder.
‧ Can be used to disable services that
prevent Windows from booting properly.
‧ When starting Recovery Console, you
must log on as Administrator.
‧ Allows you to boot to a command-line prompt
when your file system is formatted with NTFS.
Emergency Repair Disk:
Use the Backup utility to create an emergency
repair disk. To create an ERD, from the Start menu, select Programs, Accessories,
System Tools, Backup. Click Emergency Repair Disk. Insert a blank formatted floppy into the
A: drive. Select the Also Backup The Registry To The Repair Directory (%systemroot%)
check box. Click OK.
ERD contains AUTOEXEC.NT, CONFIG.NT and
SETUP.LOG.
Monitoring and Optimizing System Performance
and Reliability:
Windows Signature Verification:
‧ Run SIGVERIF to launch File Signature
Verification.
‧ Saves search results to SIGVERIF.TXT.
Using offline files:
By default, offline files are stored under the %systemroot% directory.
Share a folder and set its caching to make it available
offline.
Using Synchronization Manager, you can specify
which items are synchronized, using which network connection and when
synchronization occurs (at logon, logoff, and when computer is idle).
The Encrypting File System (EFS) provides 56-bit
(standard) encryption for data in NTFS files. It is public key based and runs as an integrated
system service. If a user holds the private key for an encrypted NTFS file, the user can edit the
file as a normal document. Encrypted files cannot be shared. EFS files are NOT encrypted
in the offline cache. You must be a member of the Administrators group to view the
offline cache (on an NTFS volume). File and folder permissions still apply in the offline
cache, even when it is located on a FAT or FAT32 volume.
Hardware profiles:
‧ Created to store different sets of
configuration settings, usually used with portables.
‧ Profiles are created through Control
Panel, System applet, Hardware tab, Hardware Profiles
Data recovery:
‧ Windows 2000 Backup is launched
through Control Panel, System applet, Backup or by running NTBackup from the Start menu.
‧ Users can back up their own files and
files they have read, execute, modify, or have full control permission for.
‧ Users can restore files they have
write, modify or full control permission for.
‧ Administrators and Backup Operators
can backup and restore all files regardless of permissions.
Backup Types:
Copy - All selected files and folders are backed
up. Archive attribute is not cleared (fast for restoring)
Daily - All selected files and folders that have
changed throughout the day are backed up. Archive attributes are ignored
during the backup and are not cleared afterwards
Differential - Only selected files and folders
that have their archive attribute set are backed up but archive attributes are not
cleared
Incremental - Only selected files and folders
that have their archive attribute set are backed up and then archive markers are cleared
Normal - All selected files and folders are
backed up. Archive attribute is cleared if it exists (fast for restoring)
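The five backup types differ only in which files they select and whether they clear the archive attribute afterwards, and that second detail is what decides how many tapes a restore needs. The following Python simulation is an added example, not code from the study guide or from NTBackup; the file set and dates are constructed.

```python
"""Simulation of the five Windows 2000 Backup types and the archive attribute.

Added example (not from the study guide). A file's archive bit is set whenever
the file is written; each backup type decides which files it copies and
whether it clears the bit afterwards, which is what makes an incremental chain
differ from a differential one at restore time. File set and dates are
constructed.
"""
from datetime import date


def modify(files, name, day):
    """Writing a file sets its archive bit and records the modification date."""
    files[name] = {"archive": True, "modified": day}


def run_backup(files, kind, today=None):
    """Return the sorted names this backup type selects; clear archive bits where the type does."""
    if kind in ("normal", "copy"):
        selected = sorted(files)
    elif kind in ("incremental", "differential"):
        selected = sorted(n for n, f in files.items() if f["archive"])
    elif kind == "daily":
        selected = sorted(n for n, f in files.items() if f["modified"] == today)
    else:
        raise ValueError(f"unknown backup type {kind!r}")
    if kind in ("normal", "incremental"):  # the only two types that clear the bit
        for n in selected:
            files[n]["archive"] = False
    return selected


def simulate(strategy):
    """Normal backup on day 1, then `strategy` on each of the next two days.
    Returns the contents of each run in order."""
    d1, d2, d3 = date(2000, 2, 14), date(2000, 2, 15), date(2000, 2, 16)
    files = {}
    for name in ("a.doc", "b.doc", "c.doc"):
        modify(files, name, d1)
    runs = [run_backup(files, "normal")]
    modify(files, "a.doc", d2)  # day 2: one file changes
    runs.append(run_backup(files, strategy))
    modify(files, "b.doc", d3)  # day 3: another file changes
    runs.append(run_backup(files, strategy))
    return runs


def restore_sets(runs, strategy):
    """Which runs a full restore needs: the normal plus every incremental,
    or the normal plus only the last differential."""
    if strategy == "incremental":
        return runs
    return [runs[0], runs[-1]]


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        runs = simulate(strategy)
        print(strategy, runs, "-> restore from", restore_sets(runs, strategy))
```

With incremental backups the day-3 run holds only b.doc, because the day-2 run cleared a.doc's bit; with differential backups the day-3 run holds both, because differential never clears the bit. Copy and Daily leave the bit alone as well, so running either of them does not disturb an existing incremental chain.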
Configuring and Troubleshooting the Desktop
Environment:
User profiles:
‧ When a user logs onto a client
computer running Win2000 Pro, the user will receive their
individualized desktop settings and all of
their network connections regardless of how many users share the same computer.
‧ A user can change their user profile
by changing their desktop settings. When they log off, Windows 2000 incorporates the changes
into their user profile.
‧ Setting a profile as mandatory forces
Windows to discard any changes made during the session so the next time the user logs on, the
session remains unchanged from their last login.
‧ User profiles are stored in the %systemroot%and
Settings%username% folder in a new install of Win2000. When
upgraded from NT 4.0, they are stored in %systemroot%%username%.
‧ Roaming profiles are used in Windows
2000 domains for users who move from one computer to another but require a consistent
desktop environment.
Multiple languages and locations:
‧ Changed through the Regional Options
applet in Control Panel. To add more locales, use Regional Options, Input Locale, Add.
‧ To see the available languages and the
current default, from the Regional Options applet, General tab, check the “Your System is
Configured to Read and Write Documents in Multiple Languages” ListBox.
Managing and Troubleshooting Software Using
Group Policies
Deploying software Using Group Policies:
‧ The software life cycle consists of
four phases, Preparation, Deployment, Maintenance,
and Removal.
‧ Windows Installer packages are
recognized by their .MSI file extension.
‧ Integrates software installation into
Windows 2000 so that it is centrally controlled, distributed,
and managed from a central point.
Maintaining Software Using Group Policies:
‧ A software package is installed on a
Windows 2000 Server in a shared directory. A Group Policy Object (GPO) is created. Behavior
filters are set in the GPO to determine who gets the software. The package is then
added to the GPO under User Configuration, Software Settings, Software Installation.
Then, select the publishing method.
‧ Set up Application Categories in Group
Policy, computer or user configuration, Software Settings, Software Installation (right-click),
Properties, Categories, Add. Creating logical categories helps users locate the software
they need under Add/Remove Programs on their client computer.
‧ When upgrading deployed software, AD
can either uninstall the old application first or upgrade over the top of it.
‧ Selecting the “Uninstall this
application when it falls out of the scope of management” option forces removal of software when a GPO
no longer applies.
Configuring Deployment Options:
‧ You can assign or publish software
packages.
‧ Software that is assigned to a user
has a shortcut appear on the user's Start, Programs menu, but is not installed until the first time they
use it. Software assigned to a computer is installed the next time the user logs on regardless of
whether or not they run it.
‧ When software is assigned to a user,
the new program is advertised when the user logs on, but is not installed until the user starts the
application from an icon or double-clicks a file type associated with the icon. Software assigned to
a computer is not advertised - the software is installed automatically. When
software is assigned to a computer it can only be removed by a local administrator. Users can
repair software assigned to computers, but not remove it.
‧ Published applications are not
advertised. They are only installed through Add/Remove Programs in the Control Panel or through
invocation. Published applications lack resiliency (do not self-repair or re-install if deleted
by the user). Finally, applications can only be published to users, not computers.
‧ With invocation, when a user
double-clicks on an unknown file type, the client computer queries Active Directory to see what is
associated with the file extension. If an application is registered, AD checks to see if it has been
published to the user. If it has, it checks for the auto-install permission. If all
conditions are met, the application is installed.
‧ Non-MSI programs are published as .ZAP
files. They cannot take advantage of MSI features such as elevated installation privileges,
rolling back an unsuccessful installation, installing on first use of software or feature, etc. .ZAP
files can only be published, not assigned.
‧ When software requires a CD key during
installation, it can be pushed down with the installer package by typing msiexec /a <path to
.msi file> PIDKEY="[CD-Key]".
‧ Modifications are created using tools
provided by the software manufacturer and produce .MST files which tell the Windows Installer
what is being modified during the installation. .MST files must be assigned to .MSI packages
at the time of deployment.
‧ Patches are deployed as .MSP files.
Configuring and Troubleshooting Desktop
Settings:
Desktop settings can be configured using the
Display applet in Control Panel or by right clicking on a blank area of the desktop and
selecting Properties. Users can change the appearance of the
desktop, desktop wallpaper, screen saver settings and more.
Fax support:
‧ If a fax device (modem) is installed,
the Fax applet appears in Control Panel.
‧ Use the Fax applet to set up rules for
how the device receives faxes, number of retries when sending, where to store received and
sent faxes, user security permissions, etc.
‧ The Fax printer in your printer folder
cannot be shared.
‧ If the Advanced Options tab is not
available in the Fax applet log off then log back on as Administrator.
Accessibility services:
‧ Accessibility Wizard is used for
deploying accessibility features to users who require them. Define the settings you want to deploy
and, on the Save Settings to File page, save them to a file that has the .ACW extension.
Place the file on a network share and modify
each user's login script so that it imports
the settings. The command to import the file is this: %SystemRoot%.exe filename.
‧ Utility Manager enables users to check
an Accessibility program's status, and start or stop an Accessibility program. Administrators can
designate to have the program start when Windows 2000 starts. Built-in programs include
Magnifier, Narrator, and On-Screen Keyboard.
‧ By default, automatic reset for
accessibility options is disabled. When enabled, accessibility options will be turned off if they have not
been used for a pre-defined period of time.
‧ SoundSentry displays visual warnings
when your computer makes a sound.
‧ FilterKeys tells the keyboard to
ignore brief or repeated keystrokes.
‧ StickyKeys allows you to press
multiple key combinations (CTRL-ALT-DEL) one key at a time.
‧ ShowSounds forces programs to display
captions for the speech and sounds they make.
‧ MouseKeys lets you control the mouse
pointer with the numeric keypad.
‧ Magnifier magnifies a portion of the
desktop.
‧ Narrator reads menu options aloud
using speech synthesis.
Implementing, Managing, and Troubleshooting
Network Protocols and Services:
TCP/IP protocol:
‧ TCP/IP protocol is required for
communicating with UNIX hosts.
‧ It is routable and works over most
network topologies.
‧ Installed by default in Windows 2000.
‧ Can be used to connect dissimilar
systems.
‧ Uses Microsoft Windows Sockets
interface.
‧ IP addresses can be entered manually
or provided automatically by a DHCP server.
Configuring DHCP to Allow Dynamic Updates:
You must configure the DHCP server to perform
dynamic updates. To do so, on the DNS tab of the Properties dialog box for a
DHCP server, select Automatically Update DHCP Client Information In DNS. You must also
choose either Update DNS Only If DHCP Client Requests or Always Update DNS.
Additional options include Discard Forward Lookups When Lease Expires and Enable Updates
For DNS Clients That Do Not Support Dynamic Update.
Automatic Private IP Addressing:
When “Obtain an IP Address Automatically”
is enabled, but the client cannot obtain an IP address, Automatic Private IP addressing takes
over.
‧ IP address is generated in the form of
169.254.x.y (x.y is the computer's identifier) and a 16-bit subnet mask (255.255.0.0).
‧ The computer broadcasts this address
to its local subnet.
‧ If no other computer responds to the
address, the first system assigns this address to itself.
‧ When using the Auto Private IP, it can
only communicate with other computers on the same subnet that also use the 169.254.x.y
range with a 16-bit mask.
‧ The 169.254.0.0 - 169.254.255.255
range has been set aside for this purpose by the Internet Assigned Numbers Authority.
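The consequence of the APIPA rules above is that a client on 169.254.x.y can reach only other 169.254/16 hosts on its segment, and the same subnet arithmetic is what goes wrong when a mask or gateway is mistyped. The following Python helpers are an added example, not from the study guide or from Windows: they classify an address as APIPA, test whether two hosts agree that they are on the same subnet (going beyond the APIPA case to any mask mismatch), and turn that into a short diagnostic. The addresses are constructed.

```python
"""APIPA and subnet-agreement checks (added example, not from the study guide).

is_apipa() flags a 169.254.0.0/16 address; same_subnet() tests whether two
hosts each consider the other local, which fails for an APIPA client talking
to a DHCP-assigned host and also for two hosts with mismatched masks;
diagnose() turns a client's own address, mask and gateway into a finding.
All sample addresses are constructed.
"""
import ipaddress

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")  # reserved by IANA for this purpose


def is_apipa(addr):
    """True if `addr` is an Automatic Private IP address (169.254.x.y)."""
    return ipaddress.ip_address(addr) in APIPA_NET


def same_subnet(addr_a, mask_a, addr_b, mask_b):
    """Each host computes its own view of 'local'; direct delivery works only if both agree."""
    net_a = ipaddress.ip_interface(f"{addr_a}/{mask_a}").network
    net_b = ipaddress.ip_interface(f"{addr_b}/{mask_b}").network
    return ipaddress.ip_address(addr_b) in net_a and ipaddress.ip_address(addr_a) in net_b


def diagnose(addr, mask, gateway=None):
    """One-line finding about a client's TCP/IP configuration."""
    if is_apipa(addr):
        return ("APIPA address: no DHCP lease obtained; reaches only other "
                "169.254/16 hosts on this segment")
    local = ipaddress.ip_interface(f"{addr}/{mask}").network
    if gateway is not None and ipaddress.ip_address(gateway) not in local:
        return "gateway outside local subnet: check subnet mask or default gateway"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: an APIPA client, a DHCP client and a mistyped gateway.
    print(diagnose("169.254.12.7", "255.255.0.0"))
    print(same_subnet("169.254.12.7", "255.255.0.0", "192.168.1.5", "255.255.255.0"))
    print(same_subnet("169.254.12.7", "255.255.0.0", "169.254.200.3", "255.255.0.0"))
    print(diagnose("192.168.1.10", "255.255.255.0", "192.168.2.1"))
```

The two-sided test in same_subnet matters: with a /24 on one host and a /16 on the other, the /16 host believes the other is local and will ARP for it directly, while the /24 host sends its replies to the gateway, which is the classic one-way connectivity symptom behind "incorrect subnet mask" problems.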
Services for UNIX 2.0:
‧ Windows 2000 uses CIFS (Common
Internet File System) which is an enhanced version of the SMB (Server Message Block) protocol.
‧ UNIX uses NFS (Network File System).
‧ FTP support has been added to Windows
Explorer and to Internet Explorer 5.0 allowing users to browse FTP directories as if they
were a local resource.
‧ Install SNMP for Network Management
(HP, OpenView, Tivoli and SMS).
‧ Print Services for UNIX allows
connectivity to UNIX controlled Printers (LPR).
‧ Simple TCP/IP Services provides Echo,
Quote of the Day, Discard, Daytime and Character Generator.
Client for NFS:
‧ Installs a full Network File System (NFS)
client that integrates with Windows Explorer.
‧ Places a second Telnet client on your
system that uses NTLM authentication instead of clear text.
‧ Users can browse and map drives to NFS
volumes and access NFS resources through My Network Places. Microsoft recommends this over
installing Samba (SMB file services for Windows clients) on your UNIX server.
‧ NFS shares can be accessed using standard NFS syntax (servername:/pathname) or standard UNC syntax (\\servername\pathname).
Troubleshooting:
‧ Common TCP/IP problems are caused by
incorrect subnet masks and gateways.
‧ Check DNS settings if an IP address
works but a hostname won't.
‧ The Ping command tests connections and
verifies configurations.
‧ The Tracert command checks a route to
a remote system.
‧ Use IPConfig and IPConfig /all to
display current TCP/IP configuration.
‧ Use NetStat to display statistics and
connections for TCP/IP protocol.
‧ Use NBTStat to display statistics for
connections using NetBIOS over TCP/IP.
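The checks in the troubleshooting list above, together with the APIPA fallback described earlier (an address in 169.254.x.y means no DHCP lease was obtained, a gateway outside the subnet defined by the mask means a wrong mask or gateway, and hostnames failing while addresses work points at DNS), can be applied mechanically to `ipconfig /all` output. The Go program below is an added example and is not part of the original study guide: it parses a constructed sample of ipconfig-style text (the adapter names and addresses are made up for the example) and reports the problems found per adapter. The type and function names are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample in the style of "ipconfig /all" output (not captured from a
// real machine): one adapter that fell back to APIPA and one whose gateway lies
// outside its own subnet. Adapter headers are unindented, fields are indented.
const sampleIPConfig = `
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 169.254.17.5
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :

Ethernet adapter Office:
        IP Address. . . . . . . . . . . . : 192.168.10.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.11.1
        DNS Servers . . . . . . . . . . . : 192.168.10.2
`

type adapter struct {
	name        string
	ip, gateway net.IP
	mask        net.IPMask
	dns         []net.IP
}

// apipaNet is the 169.254.0.0/16 range set aside for automatic private addressing.
var apipaNet = net.IPNet{IP: net.IPv4(169, 254, 0, 0).To4(), Mask: net.CIDRMask(16, 32)}

// parseIPConfig extracts adapters from ipconfig-style text, matching labels on their leading words.
func parseIPConfig(text string) []adapter {
	var out []adapter
	cur := -1
	for _, raw := range strings.Split(text, "\n") {
		if strings.TrimSpace(raw) == "" {
			continue
		}
		if !strings.HasPrefix(raw, " ") { // an unindented line starts a new adapter
			out = append(out, adapter{name: strings.TrimSuffix(strings.TrimSpace(raw), ":")})
			cur = len(out) - 1
			continue
		}
		key, val, ok := strings.Cut(raw, ":")
		if !ok || cur < 0 {
			continue
		}
		key, val = strings.ToLower(strings.Trim(key, " .")), strings.TrimSpace(val)
		switch {
		case strings.HasPrefix(key, "ip address"):
			out[cur].ip = net.ParseIP(val)
		case strings.HasPrefix(key, "subnet mask"):
			if m := net.ParseIP(val); m != nil {
				out[cur].mask = net.IPMask(m.To4())
			}
		case strings.HasPrefix(key, "default gateway"):
			out[cur].gateway = net.ParseIP(val) // nil when the field is blank
		case strings.HasPrefix(key, "dns servers"):
			if d := net.ParseIP(val); d != nil {
				out[cur].dns = append(out[cur].dns, d)
			}
		}
	}
	return out
}

// diagnose applies the checks from the troubleshooting list to one adapter.
func diagnose(a adapter) []string {
	if a.ip == nil || apipaNet.Contains(a.ip) { // root cause of anything else on the adapter
		return []string{"no DHCP lease obtained: address is missing or in the APIPA range 169.254.x.y"}
	}
	var problems []string
	switch {
	case a.mask == nil:
		problems = append(problems, "no subnet mask configured")
	case a.gateway == nil:
		problems = append(problems, "no default gateway: only the local subnet is reachable")
	default:
		local := net.IPNet{IP: a.ip.Mask(a.mask), Mask: a.mask}
		if !local.Contains(a.gateway) {
			problems = append(problems, fmt.Sprintf("default gateway %s lies outside subnet %s: check the mask or the gateway", a.gateway, local.String()))
		}
	}
	if len(a.dns) == 0 {
		problems = append(problems, "no DNS servers: IP addresses will work but host names will not resolve")
	}
	return problems
}

func main() {
	for _, a := range parseIPConfig(sampleIPConfig) {
		fmt.Printf("%s: %v\n", a.name, diagnose(a))
	}
}
```

On a real machine the same checks are performed by hand: `ipconfig /all` to read the values, `ping` the gateway to confirm the subnet is right, then `ping` a host by name to separate a DNS failure from a routing one.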
NWLink (IPX/SPX) and NetWare Interoperability:
‧ NWLink is used by NT to allow NetWare
systems to access its resources.
‧ To allow file and print sharing
between NT and a NetWare server, CSNW (Client Services for NetWare) must be installed on the NT
system. In a NetWare 5 environment, the Microsoft client does not support connection
to a NetWare Server over TCP/IP. You will have to use IPX/SPX or install the Novell
NetWare client.
‧ Gateway Services for NetWare can be implemented on your NT Server so that Microsoft client systems can access your NetWare server through the NT Server acting as a gateway. The frame type for the NWLink protocol must match the computer that the NT system is trying to connect with; mismatched frame types will cause connectivity problems between the two systems.
‧ When NWLink is set to auto-detect the
frame type, it will only detect one type and will go in this order: 802.2, 802.3, ETHERNET II
and 802.5 (Token Ring).
‧ NetWare 3 servers use Bindery Emulation (Preferred Server in CSNW). NetWare 4.x and higher servers use NDS (Default Tree and Context).
‧ There are two ways to change a
password on a NetWare server - SETPASS.EXE and the Change Password option (from the CTRL-ALT-DEL
dialog box). The Change Password option is only available to NetWare 4.x and
higher servers using NDS.
Other protocols:
‧ DLC is a special-purpose, non-routable
protocol used by Windows 2000 to talk with IBM mainframes, AS400s and Hewlett Packard
printers.
‧ AppleTalk must be installed to allow
Windows 2000 Professional to communicate with Apple printers. File and Print Services for
Macintosh allows Apple Clients to use resources on a Microsoft Network.
‧ NetBEUI is used solely by Microsoft
operating systems and is non-routable.
Remote Access Services (RAS):
Authentication protocols:
‧ RADIUS - Remote Authentication Dial-in
User Service. Provides authentication and accounting services for distributed dial-up networking.
‧ EAP - Extensible Authentication
Protocol. Allows for an arbitrary authentication mechanism to validate a dial-in connection. Uses generic
token cards, MD5-CHAP and TLS.
‧ EAP-TLS - Transport Level Security.
Primarily used for digital certificates and smart cards.
‧ MD5-CHAP - Message Digest 5 Challenge
Handshake Authentication Protocol. Encrypts usernames and passwords with an MD5 algorithm.
‧ MS-CHAP (V1 and 2) - Microsoft
Challenge Handshake Authentication Protocol. Encrypts entire session, not just username and
password. V2 is supported in Windows 2000 and NT 4.0 and Win 95/98 (with DUN 1.3
upgrade) for VPN connections. MS-CHAP cannot be used with non-Microsoft clients.
‧ CHAP - Challenge Handshake
Authentication Protocol - encrypts user names and passwords, but not session data. Works with non-Microsoft
clients.
‧ SPAP - Shiva Password Authentication
Protocol. Used by Shiva LAN Rover clients. Encrypts password, but not data.
‧ PAP - Password Authentication
Protocol. Sends username and password in clear text.
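To make the difference between PAP and the CHAP family concrete, the Go program below builds both exchanges. It is an added example, not code from the study guide: PAP's request carries the password itself, while CHAP answers a server challenge with MD5(identifier || secret || challenge) as RFC 1994 specifies, so the secret never crosses the link and a response captured from one exchange is useless against the next challenge. The user name, secret and challenge strings are constructed values and the function names are this example's own.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Constructed credentials for the demonstration (not taken from the page).
const (
	demoUser   = "alice"
	demoSecret = "correct horse battery staple"
)

// papCredentials is the payload of a PAP Authenticate-Request: the password
// itself, readable by anyone who captures the link.
func papCredentials(user, password string) []byte {
	return []byte(user + ":" + password)
}

// chapResponse computes the RFC 1994 CHAP response value,
// MD5(Identifier || secret || challenge). The secret itself never leaves the client.
func chapResponse(id byte, secret string, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write([]byte(secret))
	h.Write(challenge)
	return h.Sum(nil)
}

// newChallenge is the server's fresh random challenge for each attempt.
func newChallenge() ([]byte, error) {
	c := make([]byte, 16)
	_, err := rand.Read(c)
	return c, err
}

// chapVerify is the server side: it holds the same secret, recomputes the hash
// for the challenge it issued and compares in constant time.
func chapVerify(id byte, secret string, challenge, response []byte) bool {
	return subtle.ConstantTimeCompare(chapResponse(id, secret, challenge), response) == 1
}

// replayRejected shows the property PAP lacks: a response captured from one
// exchange fails against the next challenge. Fixed challenges keep it deterministic.
func replayRejected(secret string) bool {
	captured := chapResponse(1, secret, []byte("challenge-from-session-1"))
	return !chapVerify(2, secret, []byte("challenge-from-session-2"), captured)
}

func main() {
	fmt.Printf("PAP puts on the wire: %q\n", papCredentials(demoUser, demoSecret))
	challenge, err := newChallenge()
	if err != nil {
		panic(err)
	}
	resp := chapResponse(7, demoSecret, challenge)
	fmt.Printf("CHAP puts on the wire: id=7 response=%x (no secret, no password)\n", resp)
	fmt.Println("server accepts fresh response:", chapVerify(7, demoSecret, challenge, resp))
	fmt.Println("captured response replayed later is rejected:", replayRejected(demoSecret))
}
```

Note that CHAP's MD5 step is a hash, not encryption of the session: it keeps the password off the wire, but the server must still hold the secret in a form it can hash, and nothing after authentication is protected unless a separate mechanism (MPPE with MS-CHAP, or IPSec) encrypts the data.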
Dial-up networking:
‧ Add new connections by using the Make
New Connection wizard.
‧ PPP is generally preferred because it
supports multiple protocols, encryption, and dynamic assignment of IP addresses. SLIP is an older
protocol that only supports TCP/IP and is used for dialing into legacy UNIX
systems.
‧ Dial-up networking entries can be
created for modem connections, LAN connections, direct cable connections and Infrared connections.
Virtual Private Networks (VPNs):
‧ L2TP - Layer Two Tunneling Protocol.
Creates a tunnel, but it does not provide data encryption. Security is provided by using an encryption
technology like IPSec.
‧ PPTP - Point to Point Tunneling
Protocol. Creates an encrypted tunnel through an untrusted network.
| Feature | PPTP | L2TP |
| Built-in encryption | Yes | No |
| Header compression | No | Yes |
| Transmits over IP-based internetwork | Yes | Yes |
| Transmits over UDP, Frame Relay, X.25 or ATM | No | Yes |
| Tunnel authentication | No | Yes |
| Can be used with NAT | Yes | No |
Multilink Support:
‧ Enabled from the PPP tab of the RAS
Server Properties dialog box.
‧ Multilinking allows you to combine two
or more modems or ISDN adapters into one logical link with increased
bandwidth.
‧ BAP (Bandwidth Allocation Protocol)
and BACP (Bandwidth Allocation Control Protocol) enhance
multilinking by dynamically adding or dropping links on demand.
Settings are configured through RAS policies.
Using Shared Resources on a Microsoft Network:
The Administrators and Power Users groups can
create shared folders on a Windows 2000 Professional workstation.
Windows 2000 creates administrative shared folders for administrative purposes. These share names end with a dollar sign ($), which hides the share from users browsing the computer. The system folder (Admin$), the printer driver location (Print$) and the root of each volume (C$, D$, etc.) are all hidden shared folders.
Shared folder permissions apply only when the
folder is accessed via the network. By default, the Everyone group
is assigned Full Control for all new shared folders. Share level
permissions can be applied to FAT, FAT32 and NTFS file systems.
Windows 2000 Professional is limited to 10
concurrent connections for file and print services.
Implementing, Monitoring, and Troubleshooting
Security:
Active Directory:
Active Directory (AD) services provide a
single point of network management, allowing you to add, remove, and relocate resources. It
offers centralized management, scalability and open standards support.
Active Directory Structure:
Object - A distinct named set of attributes that
represent a network resource such as a computer or a user account.
Classes - The logical groupings of objects such
as user accounts, computers, domains or organizational units.
Organizational Unit (OU)
- Used to organize objects inside a domain into
logical administrative groups such as computers, printers, files
shares, and applications.
Domain - Joining a domain requires a domain name, a computer account, an available domain controller and a DNS server. All network objects exist within a domain, with each domain storing information only about the objects it contains. ACLs contain the permissions associated with objects and control which users or types of users can access them.
Tree - A grouping or hierarchical arrangement of one or more Windows 2000 domains that share a contiguous namespace (e.g. support.acme.com, mcse.acme.com, and mcsd.acme.com).
Forest - A grouping or hierarchical arrangement
of one or more domain trees that form a disjointed namespace.
Domains in a forest operate independently of each other, but the forest
enables communication across the domains.
Site - Combination of one or more IP subnets
connected by high-speed links. Not part of the AD namespace, and
contains only computer objects and connection objects used to
configure replication between sites.
Site Replication:
‧ Active Directory information is
replicated between Domain Controllers (DCs) and ensures that changes to a domain controller are
reflected in all DCs within a domain. A DC is a computer running Windows 2000 server
which contains a replica of the domain directory (member servers do not).
‧ DCs store a copy of all AD information
for their domain, manage changes to it and copy those changes to other DCs in the same domain.
DCs in a domain automatically copy all objects in the domain to each other. When you
change information in AD, you are making the change on one of the DCs.
‧ DCs immediately replicate important
changes to AD like a user account being disabled.
‧ AD uses multimaster replication. No
single DC is the master domain controller. All DCs within a domain are peers.
‧ Having more than one DC in a domain
provides fault-tolerance. If a DC goes down, another is able to continue authenticating logins and
providing required services using its copy of AD.
Local user accounts:
‧ A local user account resides only in the local security database of the computer where it was created. If the computer is part of a peer-to-peer workgroup, an account for that user has to be created on each additional machine they wish to log on to locally. Local accounts cannot access Windows 2000 domain resources and should not be created on computers that are part of a domain.
‧ Domain user accounts reside in AD on
domain controllers and can access all resources on a network that they have been granted
privileges to.
‧ Built in user accounts are
Administrator (used for managing the local system) and Guest (for occasional users - disabled by default).
‧ Usernames cannot be longer than 20
characters and cannot contain illegal characters.
‧ User logon names are not case
sensitive. Alphanumeric combinations are allowed.
‧ Passwords can be up to 128 characters.
‧ User accounts are added and configured
through the Computer Management snap-in.
‧ Creating and duplicating accounts
requires username and password. Disabling an account is typically used when someone else will take
the user's place or when the user might return.
‧ When copying a user account, the new
user will stay in the same groups that the old user was a member of. The user will keep all group
rights that were granted through groups, but lose all individual rights that were
granted specifically for that user.
Group Policy:
Group Policies are a collection of user
environment settings that are enforced by the operating system and cannot be modified by the user.
User profiles refer to the environment settings that users can change.
System Policy Editor (POLEDIT.EXE)
Windows NT 4, Windows 95 and Windows 98 use
the System Policy Editor (POLEDIT.EXE) to specify user and computer
configuration that is stored in the registry.
‧ Settings are not removed when the policy ends.
‧ Not secure because settings can be
changed by a user with the Registry Editor (REGEDIT.EXE). Settings are imported/exported using .ADM
templates.
‧ Windows 2000 comes with SYSTEM.ADM
(system settings), INETRES.ADM (Internet Explorer settings).
Group Policy snap-in (GPEDIT.MSC)
Exclusive to Windows 2000 and supersedes the System Policy Editor. Uses Incremental Security Templates.
‧ Settings can be stored locally or in
AD. They are secure and can only be changed by Administrators.
‧ Should only be applied to Windows 2000
systems that have been clean installed onto an NTFS partition. Only the Basic security
templates can be applied to NTFS computers that have been upgraded from NT 4.0.
‧ Settings are imported/exported using
.INF files. The Group Policy snap-in can be focused on a local or remote system.
Security Configuration:
Security Configuration and Analysis snap-in is
a stand-alone MMC snap-in that can configure or analyze Win2000 security based on contents
of a security template created using Security Templates snap-in. The text-based
tool can be run from the command line using SECEDIT.EXE.
By default, Windows 2000 Professional doesn't require users to press CTRL-ALT-DEL to log on. To increase security, disable this default so that users must press CTRL-ALT-DEL to log on. To disable access to the workstation but allow programs to continue running, use the Lock Workstation option (from the CTRL-ALT-DEL dialog box). To disable access to the workstation and not allow programs to continue running, use the Logoff option (from the CTRL-ALT-DEL dialog box). To lock the workstation after a period of idle time, use a screensaver password.
Auditing can be enabled by clicking Start,
Programs, Administrative Tools, Local Security Policy. In the Local Security Settings window,
double-click Local Policies and then click Audit Policy. Highlight the event you
want to audit and on the Action menu, click Security. Set the properties for each object
as desired then restart computer for new policies to take effect.
To further enhance security, clear the virtual memory pagefile when the system shuts down. By default it is not cleared, but this can be changed under Local Security Policy Settings and will prevent an unauthorized person from extracting information from your system's pagefile. You can also prevent the last user name from being displayed at logon (Win2000 Pro does this by default). Use the Group Policy snap-in, Local Computer Policy, to change this. When using Event Viewer, only local administrators can see the security log, but anyone (by default) can view the other logs.
Encrypting File System (EFS):
‧ Designated Recovery Agents (by
default, the Administrator) can recover encrypted data for the domain using AD and Certificate
Server.
‧ Encryption is transparent to the user.
‧ Only works on Windows 2000 NTFS
partitions (NTFS v5).
‧ Uses public-key encryption. Keys that
are used to encrypt the file are encrypted by using a public key from the user's certificate. The
list of encrypted file-encryption keys is kept with the encrypted file and is unique to it.
When decrypting the file encryption keys, the file owner provides a private key which only
he has.
‧ There can be more than one recovery
agent, but at least one public recovery key must be present on the system when the file is
encrypted.
‧ If the owner has lost his private key,
an appointed recovery system agent can open the file using his/her key instead.
‧ EFS resides in the Windows OS kernel
and uses the non-paged memory pool to store file encryption keys.
‧ Encrypted files can be backed up using
the Backup Utility, but will retain their encrypted state as access permissions are preserved.
‧ Default encryption is 56-bit. North
Americans can upgrade to 128-bit encryption.
‧ Compressed files can't be encrypted
and vice versa.
‧ You can't share encrypted files.
‧ Use the Cipher command to work with
encrypted files from the command line.
‧ Encrypted files are decrypted if you
copy or move them to a FAT volume.
‧ Cut and paste to move files into an
encrypted folder - if you drag and drop files, the files are not automatically encrypted in the new
folder.
‧ The EFSINFORMATION.EXE utility in the Win2000 Resource Kit allows an administrator to determine information about encrypted files.
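The key handling in the EFS list above (a random file encryption key that protects the data, wrapped once to the owner's public key and once to each recovery agent's, with the wrapped copies kept alongside the file) is shown end to end in the added Go example below. It is not EFS's own code or on-disk structures: AES-GCM stands in for the file cipher, RSA-OAEP for the certificate-based wrapping, and the `encryptedFile` type and holder names ("owner", "recovery-agent") are this example's own. It refuses to encrypt when no recovery agent key is supplied, lets the owner and the agent each recover the document with their own private key, and shows a third key failing at the unwrap step.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// encryptedFile mirrors the layout described above: ciphertext plus one copy of the
// file encryption key (FEK) per holder, each wrapped to that holder's public key.
type encryptedFile struct {
	nonce, ciphertext []byte
	wrappedFEK        map[string][]byte // "owner" or a recovery agent name -> wrapped FEK
}

// newGCM builds the symmetric cipher applied to the file body from a FEK.
func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// efsEncrypt draws a random FEK, seals the data with it, then wraps the FEK with RSA-OAEP
// for the owner and each recovery agent. With no agent key present it refuses, as the rule requires.
func efsEncrypt(plain []byte, owner *rsa.PublicKey, agents map[string]*rsa.PublicKey) (*encryptedFile, error) {
	if len(agents) == 0 {
		return nil, fmt.Errorf("no recovery agent public key present; refusing to encrypt")
	}
	fek := make([]byte, 32) // AES-256 key; the secret every wrapped copy protects
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &encryptedFile{nonce: nonce, ciphertext: gcm.Seal(nil, nonce, plain, nil), wrappedFEK: map[string][]byte{}}
	holders := map[string]*rsa.PublicKey{"owner": owner}
	for name, pub := range agents {
		holders[name] = pub
	}
	for name, pub := range holders {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.wrappedFEK[name] = w
	}
	return ef, nil
}

// efsDecrypt unwraps the FEK copy stored for holder with that holder's private key and
// opens the file; a private key matching no stored copy fails at the unwrap step.
func efsDecrypt(ef *encryptedFile, holder string, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.wrappedFEK[holder], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap FEK as %q: %w", holder, err)
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.nonce, ef.ciphertext, nil)
}

// demo generates keys for an owner, a recovery agent and an unrelated third party,
// encrypts a constructed document and reports who can read it back.
func demo() (ownerOK, agentOK, strangerOK bool, err error) {
	var keys [3]*rsa.PrivateKey // owner, recovery agent, third party
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	doc := []byte("constructed sample document")
	ef, err := efsEncrypt(doc, &keys[0].PublicKey, map[string]*rsa.PublicKey{"recovery-agent": &keys[1].PublicKey})
	if err != nil {
		return
	}
	got, err := efsDecrypt(ef, "owner", keys[0])
	ownerOK = err == nil && string(got) == string(doc)
	got, err = efsDecrypt(ef, "recovery-agent", keys[1])
	agentOK = err == nil && string(got) == string(doc)
	_, err = efsDecrypt(ef, "owner", keys[2]) // third party trying the owner's slot
	strangerOK = err == nil
	return ownerOK, agentOK, strangerOK, nil
}

func main() {
	o, a, s, err := demo()
	fmt.Println("owner:", o, "recovery agent:", a, "third party:", s, "error:", err)
}
```

The design point is that the file body is encrypted exactly once; adding or removing a holder only changes the list of wrapped FEKs, which is why a recovery agent can read a file whose owner has lost a private key without the agent ever having had access to the owner's key.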
IPSec:
IPSec encrypts Transmission Control
Protocol/Internet Protocol (TCP/IP) traffic within an Intranet, and provides the highest levels
of security for VPN traffic across the Internet.
IPSec is implemented using Active Directory or
on a Windows 2000 machine through its Local Security settings. It is not available
for Windows 95/98 or Windows NT. IPSec is a protocol, not a service. It consists of two
separate protocols, Authentication Headers (AH) and Encapsulated Security Payload (ESP).
AH provides authentication, integrity and anti-replay but does not encrypt data and
is used when a secure connection is needed but the data itself is not sensitive. ESP
provides the same features plus data encryption and is used to protect sensitive or
proprietary information but is associated with greater system overhead for encrypting and decrypting
data.
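The anti-replay service that both AH and ESP provide is a sliding window kept per Security Association: the receiver remembers the highest sequence number it has accepted and a bitmap of which numbers below it have already been seen, and discards duplicates and packets older than the window. The Go code below is an added example (not from the page or from any Windows 2000 component) of that window with the 64-entry size RFC 2401 recommends as the default; the series of packet sequence numbers it runs is constructed, and the type and function names are this example's own.

```go
package main

import "fmt"

// replayWindow is the per-SA sliding window used for the anti-replay check:
// a 64-entry bitmap of accepted sequence numbers below the highest one seen.
type replayWindow struct {
	size   uint32 // window width in sequence numbers
	top    uint32 // highest sequence number accepted so far (0 = nothing yet)
	bitmap uint64 // bit i set means sequence number top-i has been accepted
}

func newReplayWindow() *replayWindow { return &replayWindow{size: 64} }

// accept reports whether a packet carrying seq should be processed, updating the
// window when it is. Replays and packets older than the window are rejected.
func (w *replayWindow) accept(seq uint32) bool {
	if seq == 0 { // sequence number 0 is never transmitted on an SA
		return false
	}
	switch {
	case seq > w.top: // newer than anything seen: slide the window forward
		if shift := seq - w.top; shift >= w.size {
			w.bitmap = 1
		} else {
			w.bitmap = w.bitmap<<shift | 1
		}
		w.top = seq
		return true
	case w.top-seq >= w.size: // older than the window can track
		return false
	default:
		bit := uint64(1) << (w.top - seq)
		if w.bitmap&bit != 0 { // already accepted once: replay
			return false
		}
		w.bitmap |= bit
		return true
	}
}

// checkSequence runs a constructed series of sequence numbers through one window
// and returns the verdict for each.
func checkSequence(seqs []uint32) []bool {
	w := newReplayWindow()
	out := make([]bool, len(seqs))
	for i, s := range seqs {
		out[i] = w.accept(s)
	}
	return out
}

func main() {
	seqs := []uint32{1, 2, 3, 2, 5, 4, 100, 36, 37, 37, 1}
	for i, ok := range checkSequence(seqs) {
		fmt.Printf("seq %3d -> accepted=%v\n", seqs[i], ok)
	}
}
```

The window is only meaningful because the integrity check (AH, or ESP with authentication) binds the sequence number to the packet: without it an attacker could rewrite the number on a captured packet and the replay test would pass.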
Supported IPSec authentication methods are Kerberos v5, Public Key Certificate Authorities, Microsoft Certificate Server, and Pre-shared Key.
Before two computers can communicate they must
negotiate a Security Association (SA). The SA defines the details of how the
computers will use IPSec, with which keys, key lifetimes, and which encryption and
authentication protocols will be used. When participating in a Windows 2000 domain, IPSec policies are
stored in Active Directory. Without AD, they are stored in these registry keys.