Chapter 15: Managing Users with Active Directory Users and Computers


User accounts are an indispensable element in the Windows Server 2003 environment. They're the central management and control tools used by the operating system to authenticate users, provide access, and enforce control for the resources on a local system and in the domain and forest as well. If you don't have a defined user account on a Windows Server 2003 stand-alone system or a Windows Server 2003 domain, you can't gain access to that system or to available resources in the forest. This chapter looks at managing domain user accounts and policies through the Active Directory Users and Computers console.

User Accounts Have Properties

Computers are typically used by more than one person. Even systems that workers use exclusively on their desks allow system administrators to log on locally. If these systems have computer accounts in the domain, it is possible for other users with domain accounts to log on to that system as well. The computer distinguishes between one person and another by employing a security device called the user account object. Each user on a computer or a network has a unique user account that contains details about the user, such as his or her rights and restrictions to access resources and more.

A Windows Server 2003 domain-based user account contains, is linked to, or is associated with the following items:

  • Password security: User accounts are protected by a password so that only the authorized person can gain access to the system.

  • Permissions: Permissions are the access privileges granted to a user account. These include group memberships and user-specific settings to access resources.

  • Identification: User accounts identify a person to the computer system and the network.

  • User rights: A user right is a high-level privilege that can be granted to users or groups to define or limit their actions on a computer system.

  • Roaming: You can define user accounts so that a user can log on to any system that is a member of a domain by using a domain user account (certain users may be able to log on to a local account in certain situations), Remote Access Service (RAS), or over a gateway.

  • Environment layout: Profiles are user-specific and store information about the layout, desktop, and user environment in general unless they are specifically restricted through the use of mandatory profiles. You can define profiles so that they follow the user account no matter where the user gains access on the network.

  • Auditing: Windows Server 2003 can track access and usage by domain user accounts if that level of auditing has been enabled in the domain.

Access to Windows Server 2003 requires that users successfully authenticate themselves with a domain user account. This means that when a user with the proper permission level (not everyone has permission to log on locally to all systems in a domain) sits down at a Windows Server 2003 system, he or she can log on at the local machine with a local account (called an interactive logon) by pressing Ctrl+Alt+Del to start the logon process. Then the user must provide a valid username and password. He or she may also log on to a domain user account in the same manner if the server is a member of the domain. After the system verifies this information, the user is granted access. When the user is finished, he or she can log out and leave the system available for the next user to log on.

When Windows Server 2003 is installed, three user accounts are automatically created by default on standalone (non-domain member) systems. One of these accounts, the Administrator account, is used to initially configure the system and to create other user accounts. The second account, the Guest account, is a quick method to grant low-level access to any user. The third user account that's created is the HelpAssistant, often named Support_<random characters>, which is the primary account used for Remote Assistance sessions. The Remote Desktop Help Session Manager service manages the HelpAssistant account, which is disabled by default.

Administrators rule!

The Administrator account is the primary means by which you initially configure Windows Server 2003. It's also the most powerful local account on the Windows Server 2003 system; therefore, you should make sure that the password for the Administrator account is complex and secret. The Administrator account has full-control access to almost everything in Windows Server 2003 (the exceptions are a few system processes that the Administrator doesn't own and therefore doesn't have access to), such as managing user accounts, manipulating shares, and granting access privileges.

The Administrator account boasts the following features:

  • You can't delete it.

  • You can lock it out or disable it.

  • You can (and should) rename it (right-click the account and choose Rename).

  • Although defining a blank password on a local Administrator account is allowed, it is actively discouraged as a bad security practice. In certain situations, some services don't function properly if you do not provide a password. Therefore, you should provide a valid, complex password for this account.

Tip 

Renaming this account is a good security practice. Would-be hackers (that is, people who want to gain unauthorized access to your system) need only two items of information to gain access to your system: a user account name and password. Unless you rename this account, they already have half the information they need to gain access to the most powerful account on your system. It ends up being the only thing they need if you don't provide a password for the account.

Guests can wear out their welcome

The Guest account is the second default account created by Windows Server 2003. You can use this account as a temporary public-access method. It has minimal access rights and restricted privileges to resources.

The Guest account boasts the following features:

  • You can't delete it.

  • You can disable it and lock it out. (It's disabled by default.)

  • You can rename it.

  • It can have a blank password. (It has a blank password by default.)

  • Changes to the environment aren't retained by this user account. (That is, the user profile is mandatory because user changes to the environment are not retained.)

Tip 

The Guest account can be a security hole. Good security practices suggest that you keep this account disabled, rename it, and assign it a valid password.
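
A check for the Administrator and Guest recommendations in the two tips above, added here as an example and not part of the original chapter. It assumes Windows PowerShell 2.0 or later with WMI access to the machine; the function name `Test-BuiltinAccount` is hypothetical.

```powershell
# Added example: audit the built-in local Administrator and Guest accounts.
# Built-in accounts keep their well-known RIDs (500 = Administrator, 501 = Guest)
# after a rename, so they are matched on the SID suffix rather than on the name.
function Test-BuiltinAccount {
    param(
        [string]$ComputerName = '.'   # assumption: audit the local machine by default
    )

    # LocalAccount=True keeps the query off the domain account database.
    $accounts = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount=True"

    foreach ($acct in $accounts) {
        $findings = @()

        if ($acct.SID -match '-500$') {
            $role = 'Administrator'
            if ($acct.Name -eq 'Administrator') { $findings += 'still has default name' }
        }
        elseif ($acct.SID -match '-501$') {
            $role = 'Guest'
            if (-not $acct.Disabled)    { $findings += 'account is enabled' }
            if ($acct.Name -eq 'Guest') { $findings += 'still has default name' }
        }
        else { continue }   # not one of the two built-in accounts discussed here

        # PasswordRequired reflects the account flag only; it does not test
        # whether the password actually set is blank or complex.
        if (-not $acct.PasswordRequired) { $findings += 'password not required' }

        $status = 'ok'
        if ($findings.Count -gt 0) { $status = $findings -join '; ' }

        New-Object PSObject -Property @{
            Role     = $role
            Name     = $acct.Name
            Disabled = $acct.Disabled
            Lockout  = $acct.Lockout
            Findings = $status
        }
    }
}

Test-BuiltinAccount | Format-Table Role, Name, Disabled, Lockout, Findings -AutoSize
```

Run it from an account with administrative rights on the target; any row whose Findings column is not `ok` is a deviation from the practices in the tips.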



Windows Server 2003 for Dummies
ISBN: 0764516337
EAN: 2147483647
Year: 2003
Pages: 195
