Introduction


When dealing with Windows XP systems, there are three types of accounts you'll work with most often: user, group, and computer accounts. You create user accounts to represent the employees, customers, or students in your environment. User accounts represent the virtual identity of the user in the system. It is important to understand how to properly configure and automate the management of user accounts so that you cut down on many of the day-to-day tasks required to support them. We'll include a lot of scripts in this chapter to show you how to do this.

As far as Active Directory is concerned, computers are very similar to users. In fact, computer accounts have all of the same attributes as user accounts. Computers need to be represented in Active Directory for many of the same reasons users do, including the need to access resources securely, to use Group Policy objects (GPOs), and to have permissions granted or restricted on them.

To participate in a domain, computers need a secure channel to a domain controller. A secure channel is an authenticated connection that can transmit encrypted data. To set up the secure channel, a computer has to present a password to a domain controller. The domain controller then verifies that password against the password stored in Active Directory with the computer's account. Without the computer account, and subsequently the password stored within it, there would be no way for the domain controller to verify a computer is what it claims to be.

A group is a simple concept that has been used in many different types of systems over the years. In generic terms, a group is just a collection of things. Groups are used most frequently in a security context whereby you set up a group of users and apply certain permissions or rights to that group. Using a group is much easier when applying file permissions, for example, than using individual users, because you have to apply the permissions only once for the group instead of once per user.

In an Active Directory environment, groups are flexible objects that can contain virtually any other type of object as a member. Active Directory groups can be used for many different purposes including controlling access to resources, defining a filter for the application of group policies, and as an email distribution list. The scope and type of a group defines how the group can be used in a forest. The type of a group can be either security or distribution. Security groups can be used to restrict access to resources whereas distribution groups can be used only as a simple grouping mechanism. Both group types can be used as email lists. The scope of a group determines where members of the group can be located in the forest and where in the forest you can use the group in access control lists (ACLs). The supported group scopes include universal, global, and domain local. Universal groups and domain local groups can have members that are part of any domain in the forest. Global groups can only have members that are part of the same domain the group is in.

As is evident from this introduction, this chapter will include information on both local accounts (those that reside on an individual Windows XP system) and accounts stored in Active Directory (also called domain accounts). In a small office/home office environment, you may use only local accounts. If you have more than ten systems, it is likely you'll want to centralize account management using Active Directory. Most recipes in this chapter cover both types of accounts.

Using a Graphical User Interface

There are two primary graphical interfaces for managing accounts. For local system accounts, there is the Computer Management snap-in. Within this snap-in under the Local Users and Groups folder, you have options for creating and managing users and groups. This tool is available by default in the Administrative Tools applet of the Control Panel.

For Active Directory user, group and computer accounts, you'll need to use the Active Directory Users and Computers snap-in. You can install this snap-in along with several other Active Directory tools by installing the Active Directory Administrative Pack at the following URL: http://www.microsoft.com/downloads/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en.

Using a Command-Line Interface

Microsoft does not provide many good tools for managing local accounts via the command line. The net user command allows you to create and modify local user accounts, but not group accounts.

There is no shortage of tools for managing Active Directory accounts. With the release of Windows Server 2003, Microsoft released several command-line utilities (e.g., dsadd and dsmod), which can be run on Windows XP, to manage user, group and computer accounts. See the AD Administrative Pack URL in the previous section for more details.

Using Downloadable Software

Joe Richards has authored numerous command-line tools for managing local accounts and we will use many of his tools in this chapter. You can download all of Joe's tools (referred to as Joeware) from the following URL: http://www.joeware.net/.

Using VBScript

With VBScript you can manage both local and Active Directory accounts using Active Directory Service Interfaces (ADSI). ADSI supports several providers that allow you to manage information in repositories such as the System Account Manager (SAM), Active Directory, and the IIS Metabase, to name a few, all using the same interfaces and methods. For local accounts, you use the WinNT provider. For Active Directory, you use the LDAP provider. You'll see numerous examples of both throughout this chapter.
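As an added example (not a recipe from the Windows XP Cookbook), the following script uses the WinNT provider described above to audit the local SAM: it lists accounts that are disabled, have no password requirement, or have a non-expiring password, and then lists the members of the local Administrators group. It assumes it runs on the machine being audited and that the Administrators group carries its English name; the LDAP path in the comment is a placeholder showing how the LDAP provider would be bound instead.

```vbscript
' Added example (not from the Windows XP Cookbook): audit local accounts through the
' ADSI WinNT provider. Reports disabled accounts, accounts whose password never expires
' or is not required, and the members of the local Administrators group.
Option Explicit

' UserFlags bits (ADS_USER_FLAG_ENUM values)
Const ADS_UF_ACCOUNTDISABLE     = &H2
Const ADS_UF_PASSWD_NOTREQD     = &H20
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim net, computerName, computer, user, flags, findings, grp, member

Set net = CreateObject("WScript.Network")
computerName = net.ComputerName   ' assumption: audit the machine the script runs on

' The WinNT provider binds to the local SAM. The LDAP provider binds to a distinguished
' name instead, e.g. GetObject("LDAP://CN=Users,DC=example,DC=com") (placeholder DN).
Set computer = GetObject("WinNT://" & computerName & ",computer")

' Enumerate only user objects in the SAM container.
computer.Filter = Array("user")
For Each user In computer
    flags = user.Get("UserFlags")
    findings = ""
    If (flags And ADS_UF_ACCOUNTDISABLE) <> 0 Then findings = findings & " disabled"
    If (flags And ADS_UF_PASSWD_NOTREQD) <> 0 Then findings = findings & " password-not-required"
    If (flags And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then findings = findings & " password-never-expires"
    If findings <> "" Then
        WScript.Echo user.Name & ":" & findings
    End If
Next

' Membership of the local Administrators group (English group name assumed). Members
' may be local or domain accounts; ADsPath shows which provider path each came from.
Set grp = GetObject("WinNT://" & computerName & "/Administrators,group")
WScript.Echo "Administrators members:"
For Each member In grp.Members
    WScript.Echo "  " & member.Class & " " & member.ADsPath
Next
```

Run it with cscript.exe so the output goes to the console rather than to message boxes.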



Windows XP Cookbook
ISBN: 0596007256
Year: 2006
Pages: 408
