User Accounts and Groups

A Windows 2000 user account allows the user to log on to a computer or a domain. In addition, a user account controls what access, if any, that a user has to local or domain resources. To grant these access rights, the administrator assigns rights and permissions to the user's account.

Permissions control what a user can do with a resource, such as a file, folder, or printer. When an administrator assigns permissions, she specifies what type of access the user has. For example, a member of the accounting department may have read and write access to all folders and files related to the accounting department. Yet, this same user may well be denied all access to human resources' files and folders. Most likely this user has little to no business dealing with confidential files found in human resources.

A group is a collection of one or more user accounts that have at least one thing in common, such as all personnel in the sales department who will likely need access to the same resources. Assembling users into groups simplifies administration because the administrator has to configure permissions to resources only once, rather than for each user individually.

Also, the administrator can add or remove users from the group at any time. This comes in especially handy when another user, not part of the group, needs access to the resources to which the group collectively has access. All the administrator has to do is add the user to the group that has such access.

There are two types of user accounts and groups: domain and local. A local account or group can be used to assign a user or a group of users access to resources only on the computer where the account resides. Domain user accounts and groups, however, can be used to grant access to any resource contained within the domain. You will discover each in more depth next.

Domain Accounts

A domain is the basic security, administrative, and replication unit of the Active Directory. Multiple domains can be connected to form a tree or forest. However, because Active Directory, forests, and trees are covered on other exams, we limit our discussion to the domain level.

Each domain has an Active Directory security database that can contain millions of objects. These objects are the users, groups, computers, and other objects that are the resources contained within the domain. Access to these resources is controlled by granting access to users and groups. To assist in sorting and categorizing these users, groups, and resources, there is a subdomain container called an Organizational Unit (OU). Each OU can hold a large number of objects. Access to the objects in an OU can be granted at the object, OU, or domain level.

Each Active Directory domain controller contains a read/write copy of the domain database. This allows you to manage the database using any domain controller. Any changes are replicated to all of the other domain controllers.

Domain users, groups, and other objects are created and managed using the Active Directory Users and Computers snap-in, as shown in Figure 8.1. This snap-in is installed by default on Windows 2000 servers that are domain controllers, or it can be added to a Windows 2000 Professional or Windows 2000 member server by installing the Administrative Tools package. The installation file, adminpak.msi, is located on the Windows 2000 Server CD in the I386 folder. The snap-in is started by selecting Start, Programs, Administrative Tools, Active Directory Users and Computers.

Figure 8.1. The Active Directory Users and Computers snap-in is used to create and manage users, groups, and other objects.

The Active Directory Users and Computers snap-in has five default nodes and two invisible ones:

  • Builtin This container holds the default groups for a Windows 2000 domain.

  • Computers This container is empty when Windows 2000 is first installed. As computer accounts are added to the domain, they are put here unless you specify a specific OU to put them in.

  • Domain Controllers This is an OU that contains the domain controllers for the domain.

  • ForeignSecurityPrincipals This container holds the security objects that are created when a trust is set up between domains.

  • Users This container holds all of the default domain and local users and groups installed by Windows 2000. You can add new users and groups to this container, or to OUs that you create.

  • LostAndFound This container holds orphaned objects for the domain and is not visible by default. To view it, you must turn on Advanced Features by selecting View, Advanced Features.

  • System This container holds the objects for policies, RAS, IP security, and other system functions, and is not visible by default. To view it, you must turn on Advanced Features by selecting View, Advanced Features.

As shown earlier in Figure 8.1, the containers are represented in Active Directory as blank file folders, whereas OUs are file folders with an open book icon. The difference between the two is that you can rename, nest, and configure the properties of OUs. You are also limited as to what objects can be created in or moved to some containers. Other containers may be shown if Active Directory-aware applications, such as Exchange 2000, are installed.

To create a new object, right-click the desired container in the Active Directory Users and Computers snap-in, click New, then select the type of object that you want to create (see Figure 8.2).

Figure 8.2. The Active Directory Users and Computers snap-in, showing how to create an object.

There could possibly be little, if any, coverage of domain accounts on the exam. On the other hand, you should be thoroughly familiar with creating and using local accounts and groups and know what accounts and groups are installed by default. Domain accounts are discussed at length in the preparation material for the 70-217 exam.


Local Accounts

Every member server and all workstations will have their own local accounts . Unlike domain accounts, in which every domain controller contains a shared database of all users, groups, and resources in the domain, these local accounts exist only on the computer where they were created. Also, these accounts can be used only to grant access to resources on the computer on which the local accounts reside.

Local users and groups are created in the local security database. Local accounts cannot be used to access any resources other than those on the local computer, because other computers cannot see that computer's local security database in order to authenticate the users and groups in it.

There is rarely, if ever, a reason to create a local user or group on a computer that is a member of a domain.


The Local Administrator and Guest Accounts

By default, Windows 2000 Server creates two local user accounts, Administrator and Guest. The Administrator account has the following properties:

  • Can be renamed

  • Cannot be deleted

  • Cannot be locked out

  • Cannot be disabled

  • Has access and control of all resources on the computer

The Administrator account is used when Windows 2000 Server is installed. This account cannot be deleted or disabled, to ensure that you never lock yourself out of your server. It is the only account that can be neither deleted nor disabled.

The Guest account is disabled by default, and has the following properties:

  • Can be renamed

  • Cannot be deleted

  • Can be disabled

  • Can be locked out

  • Does not save any user configuration settings between logons

The Guest account is just what the name implies, an account that has limited privileges, and is only to be used temporarily by a user who won't be around long.

Local Groups

In addition, there are several default local groups created when Windows 2000 Server is installed:

  • Administrators The members of this group can access and control all resources on the computer. The local Administrator account is a member of this group. When a Windows 2000 server joins a domain, the Domain Admins group (a default group that contains all administrators in the domain) is made a member of this group. This is so that all members of the Domain Admins group will have administrative control of this computer. Although the Administrator account cannot be locked out or disabled, other members of this group can be.

  • Backup Operators The members of this group can back up and restore files and folders, even if they don't have any access permissions for the files. In addition they can log on to the server and shut it down. However, the members of the Backup Operators group cannot change security settings on any objects that they don't own.

  • Guests The members of this group have limited access to resources on the server, but can log on and shut it down. The Guest account is a member of this group. When a Windows 2000 server joins a domain, the Domain Guests (a default group that contains all guests in the domain) group is made a member of this group.

  • Power Users The members of this group can create, modify, and delete resources such as file shares and user and group accounts. However, they have complete control only over those objects that they have created. They can remove users from the Power Users, Users, and Guests groups. They cannot modify the Administrators or Backup Operators groups, take ownership of files, perform backups or restores, load or unload device drivers, or manage the security and auditing logs. Power Users can run all Windows 2000 applications, as well as install and run most legacy applications that cannot be installed or run by members of the Users group. The Windows 2000 Power Users group has privileges roughly equivalent to those of the Users group in Windows NT 4.0.

  • Replicator The group is used to support file replication services in a domain. Do not add users to this group.

  • Users The members of this group can perform normal user tasks such as running most Windows 2000 applications, using printers, and creating local groups. However, they cannot create local printers or share folders. Some legacy applications cannot be run by members of the Users group, because the Windows 2000 Users group has fewer privileges than the Windows NT 4.0 Users group. By default, all local accounts created are added to the Users group. When a Windows 2000 server joins a domain, the Domain Users group (a default group containing all authenticated users in the domain) is made a member of this group.

Local groups can be used only to assign permissions to resources residing on the server where the group is created. Like local user accounts, local groups are stored in the local security database. Local groups can contain local accounts from the same computer on which they are created, and a local group can't be a member of any other group. If a server is a member of a domain, the local groups on that server can contain domain user accounts and groups.

To create a new local group, perform the following steps:

  1. In the left pane of the Computer Management window, click Local Users and Groups.

  2. In the right pane, right-click the Groups folder and select New Group from the pop-up menu.

  3. In the New Group dialog box, fill in the appropriate fields, then click Add.

  4. When the Select Users or Groups dialog box appears, as shown in Figure 8.3, select the users to add to the group, then click Add. Click OK.

    Figure 8.3. The Local Users and Groups snap-in, showing the Select Users or Groups dialog box.

  5. Click Create.

  6. When the fields in the New Group dialog box have cleared, you can either create another group or click Close to quit.

When creating and using local groups, you should always keep the following points in mind:

  • A local group is visible only on the computer where it was created.

  • A local group can be used only to assign permissions to resources on the computer where it was created.

  • A local group can be administered only on the computer where it was created.

  • A local group cannot be created on a domain controller.

  • A local group cannot be a member of any other group, either local or domain.

  • A local group can contain local or domain accounts, domain local groups, or global groups from the domain that the computer is a member of or from any trusted domain.

Built-in System Groups

In addition to the built-in local groups, Windows 2000 also has several built-in system groups. The user cannot manipulate the membership of these groups; they are used to assign rights and permissions to resources. The Windows 2000 operating system dynamically manipulates the membership of these groups according to how the server is accessed, not by whom.

The commonly used built-in system groups are

  • Anonymous Logon This group contains the user account from any session that was not authenticated by the Windows 2000 security system, which occurs only when a username and password are not required to access the system.

  • Authenticated Users This group contains all users with a valid account in the local security database on a member server or the Active Directory domain database in a domain environment.

  • Creator Owner The user account that is the creator or the owner of the current object.

  • Dialup All users that are currently connected via a dial-up connection.

  • Everyone This group includes all users who access the computer, including the Guest account and anonymous logons.

  • Interactive This group contains the user accounts of the users that are currently logged on to the system.

  • Network This group contains the user accounts of the users that are connected to resources on the server over a network connection.

Assigning permissions to the Everyone group can be a huge security exposure if the Guest account is enabled. Windows 2000 will authenticate a user without a valid user account as Guest, which automatically gives that user all rights and permissions you have assigned to the Everyone group. A better strategy is to assign rights and permissions for resources to the Authenticated Users group instead of the Everyone group, and never enable the Guest account, or, at a minimum, rename it.

The Local Users and Groups Snap-In

Local User accounts and groups are created and managed using the Local Users and Groups snap-in, as shown in Figure 8.4. To open the snap-in, select Start, Programs, Administrative Tools, Computer Management.

Figure 8.4. The Computer Management MMC, showing the Local Users and Groups snap-in.

The Local Users and Groups snap-in is part of the Computer Management MMC. To create a new user:

  1. In the left pane of the Computer Management window, click Local Users and Groups.

  2. In the right pane, right-click the Users folder and select New User from the pop-up menu.

  3. In the New User dialog box shown in Figure 8.5, fill in the appropriate fields, then click Create.

    Figure 8.5. The Local Users and Groups snap-in, showing the New User dialog box.

  4. When the fields in the New User dialog box have cleared, you can either create another user or click Close to quit.

You cannot create local groups and accounts on a domain controller, because domain controllers do not have a local security database.


The rules for usernames in Windows 2000 are as follows:

  • Can be up to 20 characters

  • Must be unique

  • Cannot contain any of the following characters: "/\[]:;=,+*?<>

  • Are not case sensitive

The rules for passwords in Windows 2000 are:

  • Can be up to 128 characters

  • Are case sensitive

  • Cannot contain any of the following characters: "/\[]:;=,+*?<>
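The two rule lists above are the checks an administrator (or a provisioning script) would apply before calling the account-creation dialog. The following checker is an added example, not code from the book: it encodes the username and password rules exactly as listed, and the sample names and passwords it is run against are constructed.

```python
# Added example (not from the book): a checker for the Windows 2000 username
# and password rules listed above. Sample names and passwords are constructed.

# Characters that neither usernames nor passwords may contain, per the rules above.
FORBIDDEN_CHARS = frozenset('"/\\[]:;=,+*?<>')
MAX_USERNAME_LEN = 20
MAX_PASSWORD_LEN = 128


def username_problems(name, existing_names=()):
    """Return the list of rule violations for a proposed username (empty = valid).

    existing_names: usernames already in the local security database. Because
    usernames are not case sensitive, uniqueness is checked ignoring case.
    """
    problems = []
    if not name:
        problems.append("username is empty")
    if len(name) > MAX_USERNAME_LEN:
        problems.append(f"longer than {MAX_USERNAME_LEN} characters")
    bad = sorted(FORBIDDEN_CHARS.intersection(name))
    if bad:
        problems.append("contains forbidden character(s): " + "".join(bad))
    if name.lower() in {n.lower() for n in existing_names}:
        problems.append("not unique (an account with that name already exists)")
    return problems


def password_problems(password):
    """Return the list of rule violations for a proposed password (empty = valid)."""
    problems = []
    if len(password) > MAX_PASSWORD_LEN:
        problems.append(f"longer than {MAX_PASSWORD_LEN} characters")
    bad = sorted(FORBIDDEN_CHARS.intersection(password))
    if bad:
        problems.append("contains forbidden character(s): " + "".join(bad))
    return problems


def usernames_match(a, b):
    """Usernames are not case sensitive: 'JSmith' and 'jsmith' name the same account."""
    return a.lower() == b.lower()


def passwords_match(stored, supplied):
    """Passwords are case sensitive: 'Secret' and 'secret' are different passwords."""
    return stored == supplied


if __name__ == "__main__":
    # Constructed sample: the two default local accounts plus a few proposals.
    existing = ["Administrator", "Guest"]
    for candidate in ["jsmith", "ADMINISTRATOR", "j/smith", "x" * 21]:
        print(f"username {candidate!r}: {username_problems(candidate, existing) or 'OK'}")
    for candidate in ["Correct-Horse-Battery", "pass;word"]:
        print(f"password {candidate!r}: {password_problems(candidate) or 'OK'}")
```

The uniqueness check lowercases both sides because Windows compares usernames without regard to case, while `passwords_match` deliberately does not, which is the practical consequence of the "case sensitive" rule for passwords.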

You can configure other restrictions for passwords via policies. This will be covered later in this chapter.


User Authentication

When a user logs on to a Windows 2000 computer, the user supplies a user account and a password, or possibly a Smart Card, if that technology is being used. This information is used to authenticate the user. In other words, these items are used to confirm that the user is who he says he is. After the user is properly authenticated, an access token is created for that user. This access token consists of

  • Security Identifier (SID) Each object in Windows 2000 has a unique SID that identifies it. SIDs are never reused.

  • Member of List This list contains the SIDs of the groups of which the user account is a member.

  • User Rights This list contains all the user rights that have been assigned to this user account.

After the user is logged on to the server, each process or resource that the user attempts to access will examine this access token to confirm that the user has been granted the appropriate access.

All Windows 2000 objects have security restrictions. These security restrictions are configured in the Access Control List (ACL). The ACL contains a list of the users and groups that have access to the object, and specifically what type of access each has.

Although the username is how we identify accounts, Windows 2000 uses the account's SID for authentication and access levels. Note that the SID will always be a unique string, such as S-1-5-25-1123561935-920026236-84092546-1000. For example, if you accidentally delete a user account and create another one using the same username and other properties, it will have a totally different SID. The new user account will not have access to the same resources as the old account unless you manually grant the permissions by assigning the user account to the same groups. The access permissions were assigned to the deleted SID. Windows 2000 never reuses a SID; they will always be unique.

If you have a user who leaves the organization and is replaced by a new employee who will be performing the same tasks, you should rename the old user account for use by the new user. This ensures that the new user has access to the same resources as the old user.
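The access-token, ACL and SID behaviour described in this section (and the Everyone versus Authenticated Users exposure discussed under "Built-in System Groups") can be reproduced in a small model. The code below is an added example, not code from the book or from Windows: the machine SID prefix, usernames and right names are constructed, the three well-known group SIDs are the real Windows values, and `access_check` is a simplification of the real algorithm (explicit deny wins, then allow entries are accumulated).

```python
# Added example (not from the book): a toy model of access tokens, ACLs and SID
# assignment. Machine SID, usernames and right names are constructed; the
# access check is a simplification of the real Windows algorithm.
from dataclasses import dataclass
from itertools import count

# Well-known SIDs of three built-in system groups (real Windows values).
EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"
ANONYMOUS_LOGON = "S-1-5-7"
# Constructed machine SID; a real one is generated when Windows is installed.
MACHINE_SID = "S-1-5-21-1123561935-920026236-84092546"


@dataclass(frozen=True)
class ACE:
    """One ACL entry: which SID, which rights, allow or deny."""
    sid: str
    rights: frozenset
    allow: bool = True


@dataclass(frozen=True)
class AccessToken:
    """Built at logon: the user's SID plus the 'member of' list of group SIDs."""
    user_sid: str
    group_sids: frozenset


class LocalSecurityDatabase:
    """Toy local security database of a member server. RIDs come from a counter
    that is never rewound, so a deleted and re-created account gets a new SID."""

    def __init__(self):
        self._rid = count(1000)
        self.groups = {"Users": f"{MACHINE_SID}-545", "Guests": f"{MACHINE_SID}-546"}
        # Guest exists by default (well-known RID 501) and is disabled.
        self.accounts = {"guest": {"sid": f"{MACHINE_SID}-501", "groups": {"Guests"}}}
        self.guest_enabled = False

    def create_user(self, name, groups=("Users",)):
        key = name.lower()  # usernames are not case sensitive
        if key in self.accounts:
            raise ValueError(f"{name} already exists")
        self.accounts[key] = {"sid": f"{MACHINE_SID}-{next(self._rid)}", "groups": set(groups)}
        return self.accounts[key]["sid"]

    def delete_user(self, name):
        del self.accounts[name.lower()]

    def rename_user(self, old, new):
        # Renaming keeps the SID, so every permission granted to it survives.
        self.accounts[new.lower()] = self.accounts.pop(old.lower())

    def token_for(self, name):
        """Token for a user who authenticated with a valid local account."""
        acct = self.accounts[name.lower()]
        sids = {self.groups[g] for g in acct["groups"]} | {EVERYONE, AUTHENTICATED_USERS}
        return AccessToken(acct["sid"], frozenset(sids))

    def token_for_unauthenticated(self):
        """Session with no valid account: runs as Guest if Guest is enabled, else as
        Anonymous Logon. Neither token contains Authenticated Users."""
        if self.guest_enabled:
            guest = self.accounts["guest"]
            sids = {self.groups[g] for g in guest["groups"]} | {EVERYONE}
            return AccessToken(guest["sid"], frozenset(sids))
        return AccessToken(ANONYMOUS_LOGON, frozenset({EVERYONE}))


def access_check(token, acl, requested):
    """Simplified check: an explicit deny matching any SID in the token wins;
    otherwise the union of matching allow entries must cover every requested right."""
    requested, sids = frozenset(requested), token.group_sids | {token.user_sid}
    if any(not a.allow and a.sid in sids and a.rights & requested for a in acl):
        return False
    granted = frozenset().union(*(a.rights for a in acl if a.allow and a.sid in sids))
    return requested <= granted


def recreate_vs_rename():
    """Delete/re-create loses access (new SID); rename keeps it.
    Returns (new_sid_differs, recreated_account_can_read, renamed_account_can_read)."""
    db = LocalSecurityDatabase()
    old_sid = db.create_user("jsmith")
    acl = [ACE(old_sid, frozenset({"read", "write"}))]  # granted to the SID, not the name
    db.delete_user("jsmith")
    new_sid = db.create_user("jsmith")  # same username, different SID
    recreated = access_check(db.token_for("jsmith"), acl, {"read"})
    db.rename_user("jsmith", "rjones")  # replacement employee takes over the account
    renamed = access_check(db.token_for("rjones"), [ACE(new_sid, frozenset({"read"}))], {"read"})
    return new_sid != old_sid, recreated, renamed


def unauthenticated_session(guest_enabled):
    """Which identity a session with no valid account gets, and whether it can read
    a folder granted to Everyone versus one granted to Authenticated Users."""
    db = LocalSecurityDatabase()
    db.guest_enabled = guest_enabled
    token = db.token_for_unauthenticated()
    everyone_acl = [ACE(EVERYONE, frozenset({"read"}))]
    auth_acl = [ACE(AUTHENTICATED_USERS, frozenset({"read"}))]
    return {
        "runs_as": "Anonymous Logon" if token.user_sid == ANONYMOUS_LOGON else "Guest",
        "everyone_folder": access_check(token, everyone_acl, {"read"}),
        "authenticated_users_folder": access_check(token, auth_acl, {"read"}),
    }


if __name__ == "__main__":
    print("recreate vs rename:", recreate_vs_rename())
    for enabled in (True, False):
        print("guest enabled" if enabled else "guest disabled", unauthenticated_session(enabled))
```

`recreate_vs_rename` returns `(True, False, True)`: the re-created account has a fresh SID and no longer matches the ACL entry, whereas the renamed account keeps its SID and its access. `unauthenticated_session` shows that a folder granted to Everyone is readable by a session with no valid account whether it runs as Guest or as Anonymous Logon, while a folder granted to Authenticated Users is not.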



MCSE Windows 2000 Server Exam Cram 2 (Exam 70-215)
ISBN: 0789728737
Year: 2003
Pages: 155