Managing and Maintaining a Microsoft Windows Server 2003 Environment
Microsoft Exam 70-290
Creating and Managing User and Computer Accounts
Active Directory
You create a domain user account in the Active Directory database on a domain controller. That domain controller replicates the new account to every other domain controller in the domain. Thereafter, any domain controller in the domain can authenticate the user during the logon process.
Types of User Accounts
User accounts are required for accessing local and network resources. Windows Server 2003 provides three types of user accounts:
• Local user accounts, which allow a user to log on to a specific computer and gain access to resources on that computer. Local user accounts reside in the Security Accounts Manager (SAM) database of that computer, so in a workgroup they must be created separately on each computer;
• Domain user accounts, which allow a user to log on to the domain and gain access to network resources. Domain user accounts reside in Active Directory; and
• Built-in user accounts, which allow a user to perform administrative tasks or to gain access to local or network resources. These are either local built-in accounts, which reside in the SAM, or domain built-in accounts, which reside in Active Directory.
Local User Accounts
A local user account allows a user to log on at one computer and gain access to resources only on the computer where the account was created. Windows 2000, Windows XP Professional and Windows Server 2003 create local user accounts only in that computer's own security database, the local security database (SAM). Once the account exists, the computer uses its local security database to authenticate the user, which allows the user to log on to that computer. A local account is unknown to other computers: the same user name and password created on two workgroup computers are two unrelated accounts.
Domain User Accounts
A domain user account allows a user to log on to the domain and gain access to resources on the network. The user supplies a user name and password during the logon process. Using these credentials, Windows Server 2003 authenticates the user and then builds an access token that contains the user's security identifier (SID), the SIDs of the groups the user belongs to, and the user's rights. The access token identifies the user to the Windows-based computers on which the user tries to gain access to resources and remains valid for the duration of the logon session.
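An added example, not part of the original study notes, of what the access token described above actually carries. It uses the .NET WindowsIdentity class from PowerShell 2.0 or later on a domain-joined Windows computer; it inspects the current logon session, so no account or domain names are assumed.

```powershell
# Added example: summarise the access token of the current logon session.
# Shows what the paragraph describes: the user's SID, the group SIDs that
# grant or deny access, and the authentication protocol that produced the
# token. PowerShell 2.0 or later, any Windows computer.

function Get-LogonTokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # The authority part of the name tells a local account from a domain
    # account: "COMPUTERNAME\user" lives in the SAM, "DOMAIN\user" in AD.
    $authority = $id.Name.Split('\')[0]
    if ($authority -ieq $env:COMPUTERNAME) {
        $accountType = 'local (SAM)'
    } else {
        $accountType = 'domain (Active Directory)'
    }

    # Every SID in the token, translated to a name where possible. Logon
    # session SIDs (S-1-5-5-X-Y) and a few well-known SIDs have no name, so
    # keep the raw SID when translation fails rather than dropping it.
    $groups = foreach ($g in $id.Groups) {
        try   { $g.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $g.Value }
    }

    New-Object PSObject -Property @{
        User               = $id.Name
        UserSid            = $id.User.Value
        AccountType        = $accountType
        # 'Kerberos' for a domain logon against a reachable DC, 'NTLM' for a
        # local account or a domain logon that fell back to NTLM
        AuthenticationType = $id.AuthenticationType
        GroupCount         = @($id.Groups).Count
        Groups             = $groups
    }
}

Get-LogonTokenSummary |
    Format-List User, UserSid, AccountType, AuthenticationType, GroupCount, Groups
```

Run it once as a domain account and once as a local account on the same domain-joined computer: the authority, the domain prefix of UserSid and the AuthenticationType all change, while well-known SIDs such as Everyone and Authenticated Users appear in both tokens.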
Built-In User Accounts
Built-in user accounts are created automatically by Windows 2000, Windows XP Professional and Windows Server 2003. Windows Server 2003 creates four built-in user accounts: the Administrator account, the Guest account, the HelpAssistant account and the Support_388945a0 account.
Administrator
The built-in Administrator user account is a member of the built-in Administrators group. It has the widest range of permissions and is used for computer management. If the computer is part of a domain, the domain's own built-in Administrator account (stored in Active Directory) is used to manage the domain configuration. Tasks that can be performed with the Administrator account include creating and modifying user accounts and groups, managing security policies, creating printers, and assigning permissions and rights to user accounts so that they can gain access to resources. You cannot delete the account or remove it from the built-in Administrators group, but you can disable it or rename it. Renaming hides only the name: the account's SID always ends in the well-known relative identifier 500, so anyone who can enumerate accounts can still find it. As a security precaution, create a separate user account for non-administrative tasks and log on with the Administrator account only when you perform administrative tasks.
Guest
The built-in Guest user account gives occasional users the ability to log on and gain access to local and network resources without an account of their own. By default the Guest account is disabled in Windows XP Professional and Windows Server 2003, and it should stay disabled unless such anonymous access is specifically required. You can configure the permissions of the Guest account and rename it, but you cannot delete it.
HelpAssistant
The HelpAssistant account is the account used to establish a Remote Assistance session. It has limited rights and permissions on the computer, is disabled by default, and is enabled automatically only while a Remote Assistance invitation is outstanding. Remote Assistance allows a user at one computer to ask for assistance from a user at another computer, on the network or across the Internet. The assistant can view the screen of the user requesting assistance and offer advice and, if the user allows it, can take control of the user's computer and perform tasks remotely.
Support_388945a0
The Support_388945a0 account is used primarily to control access to signed scripts that are run from within Help and Support Services. Administrators can use it to let an ordinary user, who has no administrative access to the computer, run signed scripts from links embedded in Help and Support Services. Such a script can be written to run under the Support_388945a0 account's credentials instead of the user's own credentials, and so perform specific administrative operations on the local computer that the user's own account could not. The account is disabled by default and should remain disabled unless these scripts are actually used.
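The practical check that follows from the four descriptions above, as an added example that is not part of the original study notes: audit the built-in accounts in the local SAM. Because the Administrator and Guest accounts can be renamed, the script identifies them by their well-known relative identifiers (500 and 501) rather than by name; HelpAssistant and SUPPORT_388945a0 keep fixed names. It assumes PowerShell 2.0 or later, the WinNT ADSI provider, and a local administrator running it on Windows XP, Windows Server 2003 or later; the role labels and findings text are the author's choices here, not from the page.

```powershell
# Added example: audit the built-in accounts in the local SAM. Administrator
# and Guest are found by RID (500 and 501) because either may be renamed;
# HelpAssistant and SUPPORT_388945a0 are found by their fixed names.
# PowerShell 2.0 or later, run as a local administrator.

$ADS_UF_ACCOUNTDISABLE     = 0x00002   # userFlags bit: account is disabled
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # userFlags bit: password never expires

function Get-BuiltInAccountStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $computer = [ADSI]"WinNT://$ComputerName,computer"
    $users = $computer.psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq 'user' }

    foreach ($u in $users) {
        $name  = $u.psbase.Name
        $flags = [int]$u.psbase.Properties['UserFlags'].Value
        $sid   = New-Object System.Security.Principal.SecurityIdentifier(
                     $u.psbase.Properties['objectSid'].Value, 0)
        $rid   = [int]$sid.Value.Split('-')[-1]

        # Classify: RID first (survives renaming), then the fixed names.
        if     ($rid -eq 500)                  { $role = 'Administrator (RID 500)' }
        elseif ($rid -eq 501)                  { $role = 'Guest (RID 501)' }
        elseif ($name -ieq 'HelpAssistant')    { $role = 'HelpAssistant' }
        elseif ($name -ieq 'SUPPORT_388945a0') { $role = 'Support_388945a0' }
        else                                   { continue }   # ordinary account

        $disabled    = ($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0
        $neverExpire = ($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0

        # What a reviewer flags: Administrator still using its default name,
        # and any of the other three enabled (all three ship disabled).
        if ($rid -eq 500) {
            if ($name -ieq 'Administrator') { $finding = 'default name: rename it' }
            else                            { $finding = 'renamed' }
        } elseif ($disabled) {
            $finding = 'disabled (expected)'
        } else {
            $finding = 'ENABLED: disable unless in use'
        }

        New-Object PSObject -Property @{
            Name = $name; Role = $role; Sid = $sid.Value
            Disabled = $disabled; PasswordNeverExpires = $neverExpire
            Finding = $finding
        }
    }
}

Get-BuiltInAccountStatus |
    Format-Table Name, Role, Disabled, PasswordNeverExpires, Finding -AutoSize
```

On a domain controller the WinNT provider exposes the domain's accounts rather than a local SAM, so the same script then reports the domain's built-in Administrator and Guest.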
Computer Accounts
Computer accounts are created for all Windows NT, Windows 2000, Windows XP and Windows Server 2003 computers in a domain. Computers running Windows 3.x, Windows 9x or Windows Me have no computer accounts and cannot be members of a domain, although a user who has a domain account can still use it to log on to the domain from such a computer. Computer accounts provide a means of authenticating and auditing a computer's access to the network and to domain resources.
A computer account must exist in Active Directory for users to take full advantage of Active Directory features. Once a computer has an account, it can use authentication processes such as Kerberos and can use IP security (IPsec) to protect IP traffic. The computer account also determines how auditing is applied and recorded for that computer. In addition, to be fully authenticated by Active Directory a user must have a valid user account and must log on to the domain from a computer that has a valid computer account.
Creating Computer Accounts
When you create a computer account, you can choose the organizational unit (OU) in which to create it. If a computer joins a domain without a pre-created account, the computer account is created automatically in the Computers container, from where it can be moved to an OU as required.
By default, members of the Account Operators, Domain Admins and Enterprise Admins groups in Active Directory can create computer accounts in the Computers container and in new OUs. Members of the Account Operators group, however, cannot create computer accounts in the Builtin, Domain Controllers, ForeignSecurityPrincipals, LostAndFound, Program Data, System or Users containers.
You can also create a computer account from the command line with the dsadd computer command.
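The procedure above from the command line, as an added example that is not part of the original study notes: pre-stage a computer account in the OU where its policy should apply, sweep the accounts that an ad-hoc join dropped into the Computers container, and disable accounts that have not authenticated for a long time. It assumes the Windows Server 2003 ds* tools (dsadd, dsget, dsquery, dsmove, dsmod) on the path, PowerShell 2.0 or later and rights over the OUs involved. The domain corp.example, the Workstations OU, the computer name and the inactivity threshold are assumptions, not values from the page.

```powershell
# Added example: pre-stage, verify, relocate and retire computer accounts
# with the Windows Server 2003 ds* tools. All names below are assumptions.

$domainDn   = 'DC=corp,DC=example'
$computerOu = "OU=Workstations,$domainDn"

function New-PrestagedComputer {
    param([string]$Name, [string]$Description)
    $dn = "CN=$Name,$computerOu"
    # dsadd computer derives the sAMAccountName (NAME$) from the CN and creates
    # the account enabled, so the later domain join can complete against it.
    dsadd computer $dn -desc $Description
    if ($LASTEXITCODE -ne 0) { throw "dsadd computer failed for $dn" }
    # Read back what matters before handing the name to whoever joins the box.
    dsget computer $dn -samid -disabled
    $dn
}

function Move-UnstagedComputers {
    # CN=Computers is a container, not an OU: no GPO can be linked to it, so a
    # computer left there receives only site- and domain-linked policy. List
    # it one level deep with no result cap and move each account to the OU.
    dsquery computer "CN=Computers,$domainDn" -scope onelevel -limit 0 |
        dsmove -newparent $computerOu
}

function Disable-StaleComputers {
    param([int]$InactiveWeeks = 12)
    # A computer that has not authenticated for months is gone or offline, but
    # its account still holds a trust with the domain. Disable before deleting.
    # -inactive needs the Windows Server 2003 domain functional level because
    # it reads lastLogonTimestamp; at older levels use -stalepwd <days> instead.
    dsquery computer -inactive $InactiveWeeks -limit 0 |
        dsmod computer -disabled yes
}

New-PrestagedComputer -Name 'WS-0042' -Description 'Sales workstation, building 2'
Move-UnstagedComputers
Disable-StaleComputers -InactiveWeeks 12
```

The dsquery-to-dsmove and dsquery-to-dsmod pipelines work because the ds* tools read the distinguished names of their target objects from standard input when none are given on the command line.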
Creating User Accounts
Creating Local User Accounts
You can use User Accounts in Control Panel to create local user accounts on a Windows 2000, Windows XP Professional or Windows Server 2003 computer. You can also use the Local Users and Groups node of Computer Management to create local user accounts on a Windows XP Professional or Windows Server 2003 computer.
Creating Domain User Accounts
You use Administrative Tools to create and administer domain user accounts. Administrative Tools are installed on all Windows 2000 Server and Windows Server 2003 computers by default; you can also install them on Windows 2000 Professional and Windows XP Professional computers by installing the Administrative Tools Pack (adminpak.msi). The Admin Pack is located in the i386 folder on the Windows Server 2003 installation CD.
Copying Domain User Accounts
When you copy an existing domain user account, most of the account's properties are copied to the new domain user account. This simplifies the creation of new accounts by reducing the configuration each one needs. The password settings (such as "user must change password at next logon"), description, group memberships, profile settings and dial-in settings are copied, but the password, full name and user logon name are not, because these are unique to each user and must be set for each individual account.
You can use this method to create a user account template: create a user account configured according to the requirements of your company, and when you need a new user account, right-click the template account in Active Directory Users and Computers, select Copy, and then enter the password, full name and user logon name for the new account. Keep the template account disabled so that it cannot be used to log on, and make sure the copy is enabled after it has been created.
Modifying User Accounts and Computer Accounts
As the nature of your network changes, you may need to modify user accounts and computer accounts. This may entail changing account properties or policies, or moving accounts to another container, OU or domain. You can use Active Directory Users and Computers in Administrative Tools to modify user accounts and computer accounts.
Using the command line
You can also use the dsmod command-line utility to modify the properties of one or more existing user accounts (dsmod user) or computer accounts (dsmod computer) in Active Directory. The dsmod command accepts a number of parameters that let you modify the properties associated with the account. The properties associated with user accounts correspond to the various tabs of the User Account Properties dialog box and are listed in Table 6.2. The properties associated with computer accounts correspond to the various tabs of the Computer Account Properties dialog box. A dsmod command can also take its list of target objects from standard input, so the output of a dsquery command can be piped into it.
See Microsoft TechNet documentation: DSMOD
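The command-line equivalent of the Copy operation described under "Copying Domain User Accounts", combined with the dsmod usage just described, as an added example that is not part of the original study notes. Copy carries over the description, profile path, home folder, logon script and group membership but never the name, logon name or password, and that is what this script reproduces: it reads the template's attributes with ADSI (so no dsget output has to be parsed), creates the new account with dsadd user, and uses dsmod user to make sure the template itself stays disabled. It assumes PowerShell 2.0 or later on a domain member with the ds* tools; the domain corp.example, the Templates and Sales OUs, the template name, the new user's names and the UPN suffix are assumptions, not values from the page.

```powershell
# Added example: copy a template user the way ADUC's Copy does, from the
# command line. Domain, OUs, template and user names are assumptions.

$domainDn   = 'DC=corp,DC=example'
$templateDn = "CN=_tmpl-sales,OU=Templates,$domainDn"
$targetOu   = "OU=Sales,$domainDn"
$upnSuffix  = 'corp.example'
$ACCOUNTDISABLE = 0x2   # userAccountControl bit

function New-InitialPassword {
    # 18 random bytes -> 24 base64 characters (upper, lower, digits, '+' '/'),
    # which meets the default complexity policy. Generated per account; the
    # template's password is never reused and the user must change it at logon.
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 18
    $rng.GetBytes($buf)
    [Convert]::ToBase64String($buf)
}

function Copy-TemplateUser {
    param([string]$GivenName, [string]$Surname, [string]$SamId)

    $t = [ADSI]"LDAP://$templateDn"

    # A template that can log on is a live account with real group memberships.
    $uac = [int]$t.psbase.Properties['userAccountControl'].Value
    if (($uac -band $ACCOUNTDISABLE) -eq 0) {
        Write-Warning "$templateDn is enabled; disabling it with dsmod"
        dsmod user $templateDn -disabled yes
        if ($LASTEXITCODE -ne 0) { throw 'dsmod user failed' }
    }

    $newDn   = "CN=$GivenName $Surname,$targetOu"
    $initial = New-InitialPassword
    $dsaddArgs = @('user', $newDn,
        '-samid', $SamId, '-upn', "$SamId@$upnSuffix",
        '-fn', $GivenName, '-ln', $Surname, '-display', "$GivenName $Surname",
        '-pwd', $initial, '-mustchpwd', 'yes', '-disabled', 'no')

    # Single-valued settings that Copy carries over, mapped to dsadd switches.
    # %username% in the home folder path is expanded for the new user, as ADUC does.
    $copied = @{ '-desc' = 'description'; '-profile' = 'profilePath';
                 '-hmdir' = 'homeDirectory'; '-hmdrv' = 'homeDrive'; '-loscr' = 'scriptPath' }
    foreach ($opt in $copied.Keys) {
        $value = [string]$t.psbase.Properties[$copied[$opt]].Value
        if ($value) { $dsaddArgs += $opt, ($value -replace '%username%', $SamId) }
    }
    # Group membership: every group the template belongs to, passed as -memberof.
    $groups = @($t.psbase.Properties['memberOf'] | ForEach-Object { [string]$_ })
    if ($groups.Count -gt 0) { $dsaddArgs += '-memberof'; $dsaddArgs += $groups }

    & dsadd $dsaddArgs
    if ($LASTEXITCODE -ne 0) { throw "dsadd user failed for $newDn" }

    # Verify the result; the initial password is returned so that it can be
    # handed over out of band and never needs to be typed into a script again.
    dsget user $newDn -samid -disabled -mustchpwd -memberof
    $initial
}

$initialPassword = Copy-TemplateUser -GivenName 'Jane' -Surname 'Doe' -SamId 'jdoe'
```

Reading the template through ADSI rather than dsget avoids parsing the column-formatted text dsget prints, and passing the membership list to dsadd user -memberof keeps the whole creation in one command, so a failure leaves no half-configured account behind.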
Using and Managing Groups
A group is a collection of user accounts, computer accounts and contacts that is managed as a single object. The users and computers that belong to a group are known as its members. Groups simplify administration by letting you assign permissions and rights to a large number of user and computer accounts at once: the members of the group receive the permissions and rights assigned to the group.
When you install Windows Server 2003, a number of default groups are created on the computer; these are local groups. Computers that are part of a domain also have a number of default groups that reside in the Active Directory database. You can create additional local groups on workstations and member servers, and additional domain groups in Active Directory.
Windows Server 2003 supports two types of groups: distribution groups and security groups.
• Distribution groups are for distributing messages to their members: you assign an e-mail address to the distribution group, and every mailbox-enabled member receives e-mail sent to that address. Distribution groups are not security-enabled, so they are not included in a user's access token and cannot be used to assign permissions or rights; e-mail distribution is their only use.
• Security groups can also be used to distribute e-mail, but their purpose is to simplify and reduce administrative work by assigning permissions and rights for network resources to the group rather than to each individual user that requires access. All users and groups that are members of the group receive the configured permissions and rights through the group. Security groups also let you delegate administrative responsibility for specific tasks in Active Directory, and they let you move users in and out of groups as their jobs and tasks change.
Group Scope
The scope of a group determines the extent to which the group can be used throughout the domain tree or forest. There are four group scopes: local groups, domain local groups, global groups and universal groups.
• Local groups exist in the SAM of an individual computer. They can contain user accounts from the local computer, user accounts from the domain the computer is joined to, and accounts from any domain trusted by that domain. Local groups are used to manage permissions for resources on the computer where they exist; they are not visible to other computers.
• Domain local groups can include other groups and user and/or computer accounts from Windows Server 2003, Windows 2000 Server and Windows NT domains. Domain local groups can only be assigned permissions for resources in the domain in which they are defined, so they are used to manage access to resources within a single domain.
• Global groups can include other groups and user and/or computer accounts only from the domain in which they are defined, but they can be assigned permissions for resources in any domain in the forest. Global group membership is not replicated to the global catalog (only the group object itself is), so changes to global group membership do not generate replication traffic to global catalog servers. Permissions and user rights assigned to a global group are valid only in the domain in which they are assigned.
• Universal groups can include other groups and user and/or computer accounts from any domain in the domain tree or forest, and can be assigned permissions for resources in any domain in the tree or forest. Universal security groups are available only when the domain functional level is Windows 2000 native or Windows Server 2003; in Windows 2000 mixed mode only universal distribution groups can be created. Universal group membership is stored in the global catalog, so every membership change is replicated to all global catalog servers in the forest. Universal groups are therefore best used to consolidate global groups: put user accounts in global groups and nest those in the universal group, so that membership changes in the global groups do not change the universal group's membership.
Group Nesting
Group nesting means placing one group inside another, so that the nested group becomes a member of the parent group. Groups can be nested to consolidate large numbers of user and computer accounts and to reduce replication traffic. The nesting you can perform depends on the domain functional level of the domain.
If the domain functional level is Windows 2000 native or Windows Server 2003, groups can have the following members:
• Domain local groups can contain other domain local groups from the same domain, global groups from any domain, universal groups from any domain, and user and computer accounts from any domain.
• Global groups can contain other global groups from the same domain, and user and computer accounts from the same domain.
• Universal groups can contain other universal groups from any domain, global groups from any domain, and user and computer accounts from any domain.
If the domain functional level is Windows 2000 mixed, distribution groups can have the same membership as at the Windows 2000 native and Windows Server 2003 domain functional levels, but security groups can only have the following members:
• Domain local groups can contain global groups from any domain, and user and computer accounts from any domain.
• Global groups can contain user and computer accounts from the same domain.
Creating Groups
You can use the Active Directory Users and Computers console in Administrative Tools or the dsadd group command-line utility to create groups. See: Microsoft TechNet description of DSADD
Adding a User to a Group
Right-clicking a user account in Active Directory Users and Computers and choosing Add to a group lets you add the selected user account to a group. You can also open the group in Active Directory Users and Computers and add users on the Members tab.
Alternatively, you can use the dsmod group command with the -addmbr parameter, listing the distinguished names of the user accounts you want to add to the group in its <member ...> list.
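The group scope, nesting and membership procedures above put together from the command line, as an added example that is not part of the original study notes. It creates groups with dsadd group, nests them by scope in the pattern the scope rules lead to (accounts in a global group, the global group in a domain local group, the permission on the domain local group) and adds a user with dsmod group -addmbr. Before creating a universal security group it reads ntMixedDomain on the domain object, because Windows 2000 mixed mode permits only universal distribution groups. It assumes PowerShell 2.0 or later on a domain member with the ds* tools and cacls; the domain corp.example, the Groups OU, the group and user names and the share path are assumptions, not values from the page.

```powershell
# Added example: A-G-DL-P group structure with the Windows Server 2003 ds*
# tools. Domain, OU, group, user and share names are assumptions.

$domainDn = 'DC=corp,DC=example'
$groupOu  = "OU=Groups,$domainDn"

function Invoke-Ds {
    # Run one ds* command and stop on failure; the tools set the exit code.
    param([string]$Tool, [string[]]$ToolArgs)
    & $Tool $ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Tool $($ToolArgs -join ' ') failed" }
}

function Test-MixedModeDomain {
    # ntMixedDomain is 1 in Windows 2000 mixed mode, 0 at native or higher.
    $dom = [ADSI]"LDAP://$domainDn"
    ([int]$dom.psbase.Properties['ntMixedDomain'].Value) -eq 1
}

function New-ResourceAccessGroups {
    param([string]$Role, [string]$Resource, [string]$Permission, [string]$UserDn)
    $globalDn = "CN=Role-$Role,$groupOu"
    $localDn  = "CN=ACL-$Resource-$Permission,$groupOu"

    # A -> G: the global group collects accounts from this domain only.
    Invoke-Ds dsadd @('group', $globalDn, '-scope', 'g', '-secgrp', 'yes', '-desc', "Role: $Role")
    # DL -> P: the domain local group is what gets the permission on the resource.
    Invoke-Ds dsadd @('group', $localDn, '-scope', 'l', '-secgrp', 'yes', '-desc', "$Permission on $Resource")
    # G -> DL: allowed for security groups at every domain functional level.
    Invoke-Ds dsmod @('group', $localDn, '-addmbr', $globalDn)
    # A -> G: day-to-day membership changes happen here, in the global group.
    Invoke-Ds dsmod @('group', $globalDn, '-addmbr', $UserDn)

    # Effective membership of the resource group, expanded through the nesting.
    Invoke-Ds dsget @('group', $localDn, '-members', '-expand')
    $localDn
}

function New-ForestWideGroup {
    param([string]$Name)
    if (Test-MixedModeDomain) {
        # Do not silently fall back to a global group: it cannot hold accounts
        # from other domains, which is the reason a universal group was wanted.
        throw 'universal security groups need the Windows 2000 native or Windows Server 2003 domain functional level'
    }
    Invoke-Ds dsadd @('group', "CN=$Name,$groupOu", '-scope', 'u', '-secgrp', 'yes')
}

$aclDn = New-ResourceAccessGroups -Role 'Sales' -Resource 'SalesShare' -Permission 'Modify' `
    -UserDn "CN=Jane Doe,OU=Sales,$domainDn"
# P: grant Change (C) on the shared folder to the domain local group, editing
# the existing ACL (/E) rather than replacing it.
$aclName = ($aclDn -split ',')[0] -replace '^CN=', ''
cacls '\\fs1\sales' /E /G "CORP\${aclName}:C"
New-ForestWideGroup -Name 'All-Sales-Staff'
```

Keeping accounts out of the domain local group and out of any universal group is what makes the structure cheap to maintain: a user joining or leaving a role touches only the global group, which is not replicated to the global catalog, and the ACL on the share never changes.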