Chapter 3
Restricting Accounts, Users, and Groups
About This Chapter
This chapter builds on the security features introduced in Chapter 2, "User Accounts and Security Groups." It covers account policy, user rights, restricted groups, and security templates.
Account policies are restrictions that are applied to all users logging on because they must take effect before the user who is logging on is identified. For example, a restriction on the number of times that any user can mistype a password is applied to all users, because the user has not yet logged on and the account settings are not yet known. Account policies are managed by using Group Policy settings.
User rights and restricted groups are also managed on a per-machine rather than a per-user basis. User rights control a user's ability to perform operations that affect the system as a whole, such as shutting down the computer. User rights are required to perform these actions because they affect every program running on the computer. Restricted groups are security groups that have controlled memberships. Periodically (during the Group Policy refresh period described in Chapter 1, "Group Policy"), users who may have been improperly added to security groups can be removed automatically by the system.
This chapter covers the following major Windows account-based security features:
Account policies
User rights
Restricted groups
This chapter also discusses using security templates to establish a level of security across the network. It discusses what you need to know to manage and deploy security templates and provides information about troubleshooting common problems.
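The following added example (not part of the original chapter) parses a small security template and reports which accounts a restricted-groups refresh would remove from or add to a group, along with the lockout threshold from the account policy section. The template values, the EXAMPLE domain and account names, the membership snapshot, and the function names are all constructed for illustration; S-1-5-32-544 is the well-known SID of the built-in Administrators group.

```python
import configparser

# Constructed template fragment: sample values, not taken from the chapter.
TEMPLATE = r"""
[System Access]
LockoutBadCount = 5
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,EXAMPLE\Domain Admins
"""

# Constructed snapshot of actual group membership, keyed by group SID.
CURRENT = {"*S-1-5-32-544": ["Administrator", "EXAMPLE\\Domain Admins", "EXAMPLE\\jsmith"]}


def load_template(text):
    """Parse security-template text, keeping key case and literal values."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keys such as SeShutdownPrivilege are case-preserved
    cp.read_string(text)
    return cp


def restricted_group_drift(cp, current):
    """For each restricted group, list members a refresh would remove or add."""
    drift = {}
    if not cp.has_section("Group Membership"):
        return drift
    for key, value in cp.items("Group Membership"):
        if not key.endswith("__Members"):
            continue  # __Memberof entries are not membership lists
        group = key[: -len("__Members")]
        allowed = {m.strip().lower(): m.strip() for m in value.split(",") if m.strip()}
        actual = {m.lower(): m for m in current.get(group, [])}
        drift[group] = {
            "remove": sorted(actual[k] for k in actual.keys() - allowed.keys()),
            "add": sorted(allowed[k] for k in allowed.keys() - actual.keys()),
        }
    return drift


def lockout_threshold(cp):
    """Return LockoutBadCount; 0 means accounts are never locked out."""
    return cp.getint("System Access", "LockoutBadCount", fallback=0)
```

Running the drift check against a periodic export of real group membership shows which additions were made outside the template before the next refresh removes them.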
Before You Begin
To complete this chapter, you must have a pair of networked test computers:
One configured with Microsoft Windows 2000 Server and with Active Directory installed
One running Microsoft Windows 2000 Professional and joined to the server's domain
A domain controller with Active Directory installed and a domain-wide Group Policy Object (GPO) configured
A client workstation connected to the same domain as the Active Directory domain controller
You can use Microsoft Windows XP Professional in these exercises if you enable the Classic Start Menu option in the Taskbar Properties menu.