Chapter 3: Restricting Accounts, Users, and Groups

About This Chapter

This chapter builds on the security features introduced in Chapter 2, "User Accounts and Security Groups." It covers account policy, user rights, restricted groups, and security templates.

Account policies are restrictions that are applied to all users logging on because they must take effect before the user who is logging on is identified. For example, a restriction on the number of times that any user can mistype a password is applied to all users, because the user has not yet logged on and the account settings are not yet known. Account policies are managed by using Group Policy settings.

User rights and restricted groups are also managed on a per-machine rather than a per-user basis. User rights control a user's ability to perform operations that affect the system as a whole, such as shutting down the computer. User rights are required to perform these actions because they affect every program running on the computer. Restricted groups are security groups that have controlled memberships. Periodically (during the Group Policy refresh period described in Chapter 1, "Group Policy"), users that may have been improperly added to security groups can be removed automatically by the system.

This chapter covers the following major Windows account-based security features:

  • Account policies

  • User rights

  • Restricted groups

This chapter also discusses using security templates to establish a level of security across the network. It discusses what you need to know to manage and deploy security templates and provides information about troubleshooting common problems.
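To make the restricted-groups behavior described above concrete, the following added example (not code from the book) parses the `[Group Membership]` section of a security template and reports which accounts a policy refresh would remove from, or add to, each restricted group. The template fragment, the `CONTOSO` domain, the account names, and the function names are constructed for illustration, and group names are used instead of SIDs for readability.

```python
import configparser

# Constructed security-template fragment (not from the book). In the .inf format,
# "<group>__Members" lists the only accounts allowed in a restricted group.
TEMPLATE = """\
[Version]
signature="$CHICAGO$"
[System Access]
LockoutBadCount = 5
[Group Membership]
Administrators__Members = CONTOSO\\Domain Admins,Administrator
Backup Operators__Members =
"""

def restricted_groups(template_text):
    """Return {group: set of allowed members} from the [Group Membership] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the original case of group names
    cp.read_string(template_text)
    groups = {}
    for key, value in cp.items("Group Membership"):
        if key.endswith("__Members"):
            group = key[: -len("__Members")]
            groups[group] = {m.strip() for m in value.split(",") if m.strip()}
    return groups

def refresh_actions(allowed, current):
    """Return {group: (to_remove, to_add)}; account names compare case-insensitively."""
    actions = {}
    for group, members in allowed.items():
        want = {m.lower(): m for m in members}
        have = {m.lower(): m for m in current.get(group, set())}
        to_remove = sorted(have[k] for k in have.keys() - want.keys())
        to_add = sorted(want[k] for k in want.keys() - have.keys())
        actions[group] = (to_remove, to_add)
    return actions

# Constructed snapshot of local group membership on a workstation.
CURRENT = {
    "Administrators": {"administrator", "CONTOSO\\Domain Admins", "CONTOSO\\jsmith"},
    "Backup Operators": {"CONTOSO\\tempsvc"},
}

if __name__ == "__main__":
    for group, (rm, add) in refresh_actions(restricted_groups(TEMPLATE), CURRENT).items():
        print(f"{group}: remove {rm}, add {add}")
```

An empty `__Members` value, as for Backup Operators here, means the group must have no members, so every current member is reported for removal.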

Before You Begin

To complete this chapter, you must have a pair of networked test computers:

  • One configured with Microsoft Windows 2000 Server and with Active Directory installed

  • One running Microsoft Windows 2000 Professional and joined to the server's domain

  • A domain controller with Active Directory installed and a domain-wide Group Policy Object (GPO) configured

  • A client workstation connected to the same domain as the Active Directory domain controller

    You can use Microsoft Windows XP Professional in these exercises if you enable the Classic Start Menu option in the Taskbar Properties menu.



MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
ISBN: 073561878X
EAN: 2147483647
Year: 2003
Pages: 82
