User and computer accounts represent physical entities within a network infrastructure. Some user accounts also represent specific services that are running on computers. In any case, user and computer accounts play an important role and serve the following purposes:
When designing a user and computer account strategy, one of the first things that must be determined is who will be responsible for creating and managing user and computer accounts. At least one trusted individual should be granted the right to create user and computer accounts. You can do this by granting the User Account Creation right to a user. Because creating user and computer accounts poses a security threat, make sure that only trusted individuals are granted this right. Because unused user accounts also pose a security threat, a plan needs to be established that outlines how and when user accounts can be disabled. For example, a policy can be put in place to state that when an employee leaves the organization, that employee's user account is deleted.

Specifying Account Policy Requirements

Account policies contain various settings that control how users can interact on a local computer or on a network. Account policies consist of the following three components (see Figure 4.5):
Figure 4.5. Components of an account policy.

Account policies can be applied locally or through a GPO. Within a domain, only one account policy can exist, and it must be configured at the domain level (using the default domain policy). The account policy settings therefore require careful planning, because they affect all computers and user accounts within a domain.
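
One way to put the plan for disabling unused user accounts into practice, as an added example that is not part of the original text. It assumes the ActiveDirectory PowerShell module is installed; the 90-day threshold and the exemption group name `Stale-Account-Exempt` are hypothetical values chosen for illustration.

```powershell
# Added example: report enabled user accounts with no recent logon and,
# when -Disable is given, disable them. Run with -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 90,                         # assumed threshold
    [string]$ExcludeGroup = 'Stale-Account-Exempt',  # hypothetical group
    [switch]$Disable
)

Import-Module ActiveDirectory

# Accounts in the exemption group (for example, service accounts that
# never log on interactively) are skipped.
$exempt = @()
try {
    $exempt = Get-ADGroupMember -Identity $ExcludeGroup -Recursive -ErrorAction Stop |
        Select-Object -ExpandProperty distinguishedName
} catch {
    Write-Warning "Exemption group '$ExcludeGroup' not found; no accounts excluded."
}

# Inactivity is judged from the replicated last-logon value, which can lag
# behind the real last logon, so treat the threshold as approximate.
$stale = Search-ADAccount -AccountInactive -UsersOnly `
             -TimeSpan (New-TimeSpan -Days $InactiveDays) |
    Where-Object { $_.Enabled -and ($exempt -notcontains $_.DistinguishedName) }

foreach ($account in $stale) {
    # Emit a report row for every stale account, disabled or not.
    [pscustomobject]@{
        SamAccountName    = $account.SamAccountName
        LastLogonDate     = $account.LastLogonDate
        DistinguishedName = $account.DistinguishedName
    }

    if ($Disable -and
        $PSCmdlet.ShouldProcess($account.SamAccountName, 'Disable account')) {
        Disable-ADAccount -Identity $account.DistinguishedName
    }
}
```

Without `-Disable` the script only reports, so the output can be reviewed by the individuals responsible for account management before any account is changed.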