As the size of a network increases, the concept of sharing to the entire network can begin to present some problems. Peer-to-peer networks, for example, sacrifice a degree of security in order to offer simplicity. But imagine the consequences of sharing the directory of your employer's accounting department (or personnel department) to the entire network and perhaps the world over an Internet connection. For these reasons, among others, large networks employ server-based networking. In a client/server environment, sharing is managed through accounts. By creating accounts and then grouping the individual accounts, a network manager has the tools necessary to provide a higher level of security.
After this lesson, you will be able to:
- Describe user and group accounts.
- Describe the process for creating user and group accounts.
- Determine the appropriate types of accounts for a given network environment.
- Create a user account and a group account.
Estimated lesson time: 45 minutes
Accounts are the means by which users are given access to printer, file, and directory shares. These accounts are created and managed by the network administrator.
An account is composed of a user name and logon parameters established for that user. These parameters can include which computers can be used for access, days and times during which access is allowed, passwords, and so on. This information is entered by the administrator and stored on the network by the operating system. The network uses this account name to verify the account when the user attempts to log on.
By default, user accounts have no rights. All user accounts obtain rights through group membership. All user accounts within a group will have certain access rights and activities in common, according to the group in which they reside. By assigning permissions and rights to a group, the administrator can treat the group as a single account.
Access rights that apply to the system as a whole authorize a user to perform certain actions on the system. For example, a user, as a member of a group, might have the right to back up the system.
Groups are used to:
Networks can support hundreds of accounts. There will be occasions when the administrator needs to conduct network business with some or all of the accounts. For example, the administrator often needs to send messages to large numbers of users notifying them about an event or network policy. Or the administrator might need to identify every account that has a particular access. If 100 users need a change in their access, the administrator will need to change 100 accounts.
However, if the 100 accounts were to be placed in one group, the administrator could simply send one message to the group account, and each member of the group would automatically get the message. Permissions could be set for the group, and all the members of the group would automatically receive the permissions. Networks offer a way to gather many separate user accounts into one type of account called a group. A group is nothing more than an account that contains other accounts. The primary reason for implementing groups is the ease of administration. Groups make it possible for an administrator to manage large numbers of users as one account.
The easiest way to grant a large number of users similar permissions is to assign these permissions to a group. The users are then added to the group. The same process applies to adding users to an existing group. For example, if the administrator wanted a certain user to have administrative capabilities on the network, the administrator would make that user a member of the Administrators group.
All networks have a utility that the administrator can use to enter new account names into the network security database. This process is sometimes referred to as "creating a user."
There are some conventions in naming both users and groups. Unless otherwise stated, a user name cannot be identical to any other user or group name in the computer (and, in the case of Windows NT, of the domain) being administered. Each network operating system has its own set of characters that can be used, but generally, the user name can contain any uppercase or lowercase alphanumeric characters. There are some standard exceptions " / \ : ; | = , + * ? < > that cannot be used in user names.
Network operating systems can also contain information such as the account user's full name, a description of the account or user, and the account password.
Entering User Information
The new user account contains information that defines a user to the network security system. This includes:
Setting User Parameters
Administrators can set a number of parameters for users. Among these are:
Key User Accounts
Network operating systems are designed with certain categories of user accounts already created and that are automatically activated during installation.
The Initial Account
When a network operating system is installed, the installation program automatically creates an account with complete network authority. Some designated individual has to be able to:
In the Microsoft networking environment, this account is called administrator. In the Novell environment, this account is known as a supervisor. And in the Linux environment, it is known as root.
The first person to log on to the network is usually the person installing the network operating system. After logging on as administrator, that person has full control over all network functions.
The Guest Account
This default account is intended for people who do not have a valid user account, but who need temporary access to the network.
Passwords are not necessarily required by a network operating system. In situations where security is not an issue, it is possible to modify an account so that it no longer needs a password.
In most circumstances, however, passwords are required because they help ensure the security of a network environment. The first thing the administrator should do when setting up an account is to enter an initial password. This will prevent unauthorized users from logging on as administrator and creating accounts. Users should create their own unique password and should change it periodically. The account administrator can require users to do this automatically by setting a password-change time interval for the user.
Traditional guidelines exist that govern the use of passwords. All users, including the administrator, should:
The administrator must be informed when a user is no longer employed by the organization or for any reason no longer entitled to be a member of the group. In this case, the administrator should disable the account.
Occasionally, an administrator will need to prevent an account from being active on the network. Either disabling the account or deleting the account will deactivate it.
Disabling an Account
If an account has been disabled only, it still exists in the network's account database, but no one can use that account to log on to the network. A disabled account will appear not to exist.
It is best if the administrator disables an account as soon as it has been established that the user will no longer be using that account. If it has been determined that the account will never be needed again, it can be deleted.
Deleting an Account
Deleting an account erases the user's information from the network's user-account database; the user no longer has access to the network. A user account should be deleted when:
Microsoft Windows NT uses four types of group accounts, as described in the following section.
Types of Groups
Local, Global, System, and Built-In groups are used in the Windows NT network environment.
Built-in groups are divided into three categories:
Microsoft Windows NT Server offers the following built-in groups:
The Administrator group initially contains local and domain administrators. Members of this group can create, delete, and manage user accounts, global groups, and local groups. They can share directories and printers, grant resource permissions and rights, and install operating system files and programs.
The User and Guest groups, which are global, contain domain users who can perform tasks for which they have been given rights. They can also access resources to which they have been given permissions. User groups can be modified by administrators and account operators.
The Server Operator group, which can be modified by administrators only, can share and stop sharing resources, lock or override the lock of a server, format the server's disks, log on at servers, back up and restore servers, and shut down servers.
The Print Operator group, which can be modified by administrators only, can share, stop sharing, and manage printers. This group can also log on locally at servers and shut servers down.
Backup operators can log on locally, back up and restore servers, and shut down servers.
The Account Operator group can create, delete, and modify users, global groups, and local groups, but cannot modify administrator or server operator groups.
The Replicator group, which can be modified by Administrators, Account Operators, and Server Operators, is used in conjunction with the Directory Replicator Service.
In Microsoft Windows NT Server, the group management interface is called User Manager for Domains and is located in the Start menu. Click Programs and select the Administrative Tools (Common) area.
In User Manager, click New Local Group on the User menu. This selection presents you with a dialog box for entering the information to create a new local group, as shown in Figure 9.7.
Figure 9.7 New Local Group dialog box
The Group Name field identifies the local group. A group name cannot be identical to any other group or user name of the domain or computer being administered. It can contain any uppercase or lowercase characters apart from these exceptions " / \ : ; | = + * ? < > that cannot be used in group names.
The Description field contains text describing the group or the users in the group.
The Members field displays the user names of the group members.
A newly created group account will have no members until the administrator assigns one or more existing users to the group. The administrator does this from the New Local Group dialog box by clicking Add and selecting the user account to be added.
All the network management tools are consolidated in the Start menu, Programs, Administrative Tools (Common) area. As shown in Figure 9.8, the Microsoft Windows NT Server network utility for creating accounts is called the User Manager for Domains. To manage user accounts, click Start, select Programs, and click Administrative Tools (Common).
Figure 9.8 Windows NT Administrative Tools area
After you open User Manager, on the User menu, select the menu option New User as shown in Figure 9.9. A window appears for entering the information to create a new user.
Figure 9.9 Menu showing the New User selection
Figure 9.10 shows all the essential information that the administrator needs in order to create the account.
Figure 9.10 New User dialog box
Windows NT Server offers an account-copying feature. An administrator can create a template that has characteristics and parameters that are common among multiple users. To create a new account with the template characteristics, the administrator highlights the template account, selects User, Copy (F8), then enters the new user name and other identifying information (full name, description, and so on).
An administrator will find it helpful to structure a network environment for certain users. This might be necessary, for example, to maintain a specific level of security, or to guide users who are not sufficiently familiar with computers and networks to have full access to the system.
Profiles used to configure and maintain a user's logon environment, including network connections and the appearance of the desktop, include:
Profile parameters can also include special logon conditions and information about where the user can store personal files.
Microsoft Windows NT Server disables the Guest account by default after installation. The network administrator must enable the account if it will be used.
Windows NT Server uses the User Properties window in User Manager to disable users. To disable a user, double-click the name of the account, select the Account Disabled check box, and then click OK. The account is now disabled, as shown in Figure 9.11.
Figure 9.11 Disabling an account
Figure 9.12 shows deleting an account with User Manager.
Figure 9.12 Deleting an account
To delete an account, in User Manager, select the account to be deleted, and then press the DELETE key. A dialog box is displayed (see figure 9.12). If OK is clicked, another dialog box will be displayed asking for confirmation that the specified user account will be deleted. Clicking Yes will delete the account; clicking No will cancel the operation.
Deleting an account permanently removes the account, along with the permissions and rights associated with it. Recreating the user account with the same name will not restore the user's rights or permissions. Each user account has a unique security identifier (SID); deleting and recreating a user will generate a new SID, not reuse the previous one. Internal processes in Windows NT refer to the account's SID rather than to the account's user or group name.
The default Apple networking environment includes two users: the person who installed the operating system and a guest. Managing a network of more than a few users is made easier by creating users and groups.
From the Apple Chooser select Users & Groups to open the Users & Groups Control Panel. This dialog box lists all the computer's users and groups, and allows you to create, edit, duplicate, and delete users and groups as necessary. In AppleShare, there are three categories of users:
To create a new user, click the New User button and enter the appropriate information for this user. You will be able to supply the user's name, password, the groups to which the user will belong, and whether or not the user will be allowed to change the assigned password.
To create a new group, click the New Group button and enter the appropriate information for this group. You will be able to supply the group's name and the names of users who are to be members of the group.
The basis of NetWare security and accounts is NetWare Directory Services (NDS). NDS is a hierarchically organized database.
Security is provided at three levels.
NetWare uses several naming conventions. Names used must be unique, must include no spaces, and must be made up of fewer than 64 case-insensitive alphanumeric characters. (Case-insensitive characters are characters, such as numbers, that cannot appear in both lower- and uppercase forms.)
Before you can create, delete, or manage users and groups, you must log on to the network at a workstation or server with administrative privileges. Once logged on, you can launch the Novell Easy Administration Tool (NEAT) to begin managing users and groups. To do so, double-click the NEAT icon. A view of the directory tree in the left frame of the user interface shows all the network objects and their relationships to each other. In the right frame are the properties of any object selected.
To create a network account for a new user from the NEAT New menu, select User or click Add a New User on the toolbar. This will open a dialog box in which you can enter the required information, including the user's full name, the login name, and the home directory.
Click the next button to go to the next page and add this user to a group. After the user is added, click the next button to go to the next page to enter the password information. If this is left blank, no password will be required by the user to log on. To create additional users, check the Create another user check box before selecting the Finish button.
To delete a user, from the directory view in the NEAT menu, select the User object. Then, from the Edit menu, select Delete selected item and click Yes.
If you delete a user who has relationships with another object, and that object relies on the user who is being deleted, you may encounter problems.
Managing Groups is similar to managing users. From the NEAT menu, select Add a New Group. This will launch the New Group wizard. Be sure to follow the naming conventions when assigning a group name. After the group is created, you can select the group and add users.
You can add only users that appear in the directory.
Viewing or editing the properties of any object is easy. Open the NEAT administration tool and select the object's icon from the directory in the frame on the left. In the frame on the right are the property sheets for the object. The properties for the object are organized into tabs. User properties are in five tabs (General, Groups, Applications, Security, and Login Script ). Groups properties are organized into three tabs (Users, Security, and Applications ).
Most UNIX configuration information is stored in text files that are read as needed. These text files can be edited manually to add users and groups and to set their permissions. Because the different versions of UNIX vary in the details of how they are managed, the names and locations of these files are not consistent from one manufacturer to another. The same holds true for Linux distributions, in which system directory and file locations can be quite different. A graphic interface often spares the administrator from having to know these differences, because user and group parameters can be set from interactive dialog boxes.
The initial account, the administrative user, is usually named root. The other name to remember is nobody. Default UNIX groups can include root, bin, daemon, tty, disk, lp, mail, news, dialout, trusted, modem, users, and so on.
The open-source UNIX incarnation known as Linux creates a number of accounts. Which accounts are created depends on the base operating system and the software installed. The administrative user, root, is always created. Additional default accounts are used for tasks not otherwise thought of as meriting accounts at all. These include processes such as file transfer protocol (ftp) and lp (printers).
For this exercise we will return to the same 20-employee company that was the subject of Exercise 9.1 in Lesson 1. Your job is to design user and group accounts for the 10-computer server-based network. To do this, you should determine what kinds of groups are appropriate to the company and its work. You will also need to establish a password policy and a personnel policy that takes into account what will happen when an employee departs from the company.
After you have established the account policies, create the appropriate user and group accounts and set whatever restrictions will be necessary for each of the groups. These should include the days and hours during which groups can log on to the network. Assign printing rights to the groups as needed and, finally, add the users to the appropriate groups.
The following points summarize the main elements of this lesson.