Managing Users, Computers, and Groups


Here are some points to remember about user accounts:

  • Every user account is assigned a unique Security Identifier (SID). Permissions in ACLs and user rights assignments are bound to the SID, not to the account name.

  • SIDs are never reused. When an account is deleted its SID is retired; ACL entries that still reference it show up as an unresolved SID and grant nothing to a later account created with the same name.

  • An account can be renamed without losing any of the permissions assigned to it because the SID doesn't change.

  • Domain user, computer, and group accounts are created and managed with the Active Directory Users and Computers MMC snap-in (dsa.msc).

  • Local users and groups are created with the Local Users and Groups snap-in (lusrmgr.msc), which is also available inside Computer Management.

  • csvde (comma-separated values) and ldifde (LDIF) can be used to export and bulk-import users and groups. csvde can only add objects; ldifde can also modify and delete them. Neither tool can set a password over a plain (non-SSL) LDAP session, so imported accounts are normally created disabled and have their passwords set separately.
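The bulk-import workflow with ldifde, as an added example that is not from the book: a PowerShell script generates an LDIF add record per user, runs ldifde, and then verifies that the new accounts exist and are still disabled. The OU, the DNS domain and the user names are assumptions for illustration, and the user list is constructed sample input.

```powershell
# Added example, not from the book: generate an LDIF file for ldifde from a
# constructed list of new users and import it.  The OU, domain name and user
# names are assumptions for illustration.
$targetOu  = 'OU=Staff,DC=example,DC=com'   # assumed target OU
$dnsDomain = 'example.com'                  # assumed UPN suffix

# Constructed sample input (in practice: an HR export).
$newUsers = @(
    @{ Sam = 'jdoe'; First = 'Jane'; Last = 'Doe' },
    @{ Sam = 'rroe'; First = 'Rick'; Last = 'Roe' }
)

function ConvertTo-LdifAddRecord {
    param([hashtable]$User)
    $cn = '{0} {1}' -f $User.First, $User.Last
    # userAccountControl 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2).
    # ldifde cannot set unicodePwd over a plain LDAP session, so the account is
    # created disabled; set the password and enable it in a separate step.
    @"
dn: CN=$cn,$targetOu
changetype: add
objectClass: user
cn: $cn
sAMAccountName: $($User.Sam)
userPrincipalName: $($User.Sam)@$dnsDomain
givenName: $($User.First)
sn: $($User.Last)
displayName: $cn
userAccountControl: 514
"@
}

# LDIF records are separated by a blank line.
$ldif = ($newUsers | ForEach-Object { ConvertTo-LdifAddRecord $_ }) -join "`n`n"
# Plain ASCII keeps ldifde happy; for non-ASCII names write -Encoding Unicode and run "ldifde -u".
Set-Content -Path .\newusers.ldf -Value $ldif -Encoding ASCII

# -i import, -f input file, -k skip "already exists" errors instead of aborting,
# -j . write ldif.log / ldif.err to the current directory for review.
ldifde -i -f .\newusers.ldf -k -j .

# Verify: each imported account should exist and still be disabled (bit 0x2 set).
foreach ($u in $newUsers) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$($u.Sam))")
    $result = $searcher.FindOne()
    if (-not $result) { Write-Warning "$($u.Sam) was not created; check ldif.err"; continue }
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    '{0}: userAccountControl={1} disabled={2}' -f $u.Sam, $uac, (($uac -band 2) -ne 0)
}
```

Run it on a domain-joined machine as an account that can create objects in the target OU. The verification step is the part worth keeping in real provisioning: an account that comes back with bit 0x2 clear was enabled without a password having been set deliberately, which is exactly the state an attacker looks for.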

Password Complexity

Password complexity is determined by the domain account policies (in the Default Domain Policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy). If "Password must meet complexity requirements" is enabled, a password is accepted only if it meets all of the following:

  • It does not contain the user's account name (sAMAccountName), and it does not contain any part of the user's full name that is longer than two characters. Both checks are case-insensitive.

  • It is at least six characters long. (The separate Minimum password length setting can require more; the complexity check on its own enforces six.)

  • It contains characters from three of the following four categories:

    • English uppercase characters (A through Z)

    • English lowercase characters (a through z)

    • Base-10 digits (0 through 9)

    • Nonalphabetic characters (such as !, $, #, %)

The check runs on the domain controller whenever a password is set or changed, so it applies to administrator resets and scripted provisioning as well as to user-initiated changes.
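A script-side version of these checks, added here as an example and not part of the book, is useful for validating passwords in provisioning scripts before they reach the domain controller. It follows the documented policy a little more closely than the summary above: the whole sAMAccountName is checked (the check is skipped if the name is under three characters), the display name is split on the policy's delimiters into tokens that are checked only if longer than two characters, and Unicode letter categories are used so that, for example, an accented capital counts as uppercase. The function name and the sample inputs are this example's own.

```powershell
# Added example, not from the book: re-implementation of the checks behind
# "Password must meet complexity requirements" for use in provisioning scripts.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = ''
    )
    $failures = @()
    $lower = $Password.ToLowerInvariant()

    if ($Password.Length -lt 6) {
        $failures += 'shorter than 6 characters'
    }

    # The entire account name must not appear; names under 3 characters are not checked.
    if ($SamAccountName.Length -ge 3 -and $lower.Contains($SamAccountName.ToLowerInvariant())) {
        $failures += 'contains the account name'
    }

    # Display name delimiters per the policy: comma, period, dash, underscore, space, #, tab.
    $tokens = $DisplayName -split '[,\.\-_ #\t]+' | Where-Object { $_.Length -gt 2 }
    foreach ($token in $tokens) {
        if ($lower.Contains($token.ToLowerInvariant())) {
            $failures += "contains part of the full name ('$token')"
            break
        }
    }

    # Character classes: uppercase letters, lowercase letters, base-10 digits,
    # non-alphanumerics, and letters that have no case (e.g. CJK).  Need at least 3.
    $classPatterns = @('\p{Lu}', '\p{Ll}', '[0-9]', '[^\p{L}\p{Nd}]', '[\p{Lo}\p{Lt}\p{Lm}]')
    $classes = @($classPatterns | Where-Object { $Password -cmatch $_ }).Count
    if ($classes -lt 3) {
        $failures += "uses only $classes of the required 3 character classes"
    }

    [pscustomobject]@{
        Password  = ('*' * $Password.Length)   # never echo the candidate
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures
    }
}

# Constructed test cases (not real credentials):
Test-PasswordComplexity -Password 'Doe-2024!' -SamAccountName 'jdoe' -DisplayName 'Jane Doe'   # fails: name token "Doe"
Test-PasswordComplexity -Password 'Summer24'  -SamAccountName 'jdoe'                          # compliant (3 classes)
Test-PasswordComplexity -Password 'password'  -SamAccountName 'jdoe'                          # fails: 1 class
Test-PasswordComplexity -Password 'Jd0e!'     -SamAccountName 'jdoe'                          # fails: length
```

Note that "Summer24" passes: the complexity policy is a floor, not a strength measure, which is why a minimum length setting and an account lockout policy are configured alongside it.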

Managing Local, Roaming, and Mandatory User Profiles

The settings for a user's work environment are stored in a set of folders plus a registry hive (Ntuser.dat), collectively known as the user profile. The profile is created automatically the first time a user logs on to a computer running Windows, and changes to the environment (Favorites, Start menu items, icons, colors, My Documents, Local Settings, and so on) are saved when the user logs off. The profile is reloaded when the user logs on again. Table 2 lists the components of a user profile (from Windows Server 2003 Help and Support):

Table 2. User Profile Folders and Their Contents

  Application Data: Program-specific data (for example, a custom dictionary). Program vendors decide what data to store in this folder. It roams with the user.

  Cookies: User information and preferences saved by Internet Explorer.

  Desktop: Desktop items, including files, shortcuts, and folders.

  Favorites: Shortcuts to favorite locations on the Internet.

  Local Settings: Application data, history, and temporary files that are specific to this computer. This folder is excluded from roaming profiles by default, so it is where large or machine-specific data belongs.

  My Documents: User documents and subfolders.

  My Recent Documents: Shortcuts to the most recently used documents and accessed folders.

  NetHood: Shortcuts to My Network Places items.

  PrintHood: Shortcuts to printer folder items.

  SendTo: Shortcuts to document-handling utilities.

  Start Menu: Shortcuts to program items.

  Templates: User template items.


User profiles allow several people to share one Windows computer while each sees their own desktop and settings. The types of user profiles are shown in Table 3.

Table 3. Profile Types

  Roaming profile
    Created for: Users who log on to different computers on the network.
    How it works: Stored on a server. When a user logs on to a network computer, the profile is copied to the local computer. When the user logs off, any changes to the profile are copied back to the server.

  Mandatory profile
    Created for: Administrative enforcement of settings, and user accounts that are shared by two or more people.
    How it works: Stored on a server. When a user logs on to a network computer, the profile is copied to the local computer. No changes are saved when the user logs off; only an administrator can change the profile.

  Local profile
    Created for: Every user at first logon.
    How it works: When the user logs on to a computer, whether or not it is connected to the network, a local profile is created and saved for that user under the local Documents and Settings folder. All changes are saved when the user logs off.

  Temporary profile
    Created for: Users whose profile could not be loaded.
    How it works: When an error prevents the normal profile from loading, a temporary profile is loaded instead. When the user logs off, all changes are discarded.

  All Users files and folders
    Created for: All users who log on to the computer.
    How it works: When a user logs on, the contents of All Users, which include desktop and Start Menu items, are merged with the individual's profile.

  Default User profile
    Created for: Users who log on for the first time.
    How it works: When a user logs on for the first time, the Default User profile is copied as a template to create the new user's profile.


  • Each user account has a Profile tab in its Properties sheet where you can specify a network location (for example, \\server\share\%username%) to use as a roaming profile.

  • A mandatory profile is a roaming profile that can't be changed by the user. To create one, you create a roaming profile, log on as the template user to configure it, log off, and then rename the Ntuser.dat file in the profile folder to Ntuser.man. The rename only makes Windows discard changes at logoff; set NTFS permissions on the profile folder so that the users have Read access only, otherwise they can still edit the stored profile directly.
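The conversion described above, as an added example that is not from the book: one function renames the hive and locks down the profile folder's ACL, and a second writes the Profile tab's path into the user object through ADSI (the ActiveDirectory PowerShell module does not exist on Windows Server 2003). The share path, the group EXAMPLE\KioskUsers, the OU and the user distinguished names are assumptions for illustration.

```powershell
# Added example, not from the book: turn a prepared roaming profile into a
# mandatory profile and point shared accounts at it.  Paths, group and user
# names are assumptions for illustration.
function ConvertTo-MandatoryProfile {
    param(
        [Parameter(Mandatory)][string]$ProfilePath,   # e.g. \\fs01\Profiles$\kiosk
        [Parameter(Mandatory)][string]$UserGroup      # e.g. 'EXAMPLE\KioskUsers'
    )
    $hive = Join-Path $ProfilePath 'Ntuser.dat'
    if (-not (Test-Path $hive)) {
        throw "No Ntuser.dat under $ProfilePath (profile still loaded, or not a profile folder?)"
    }
    # The .man extension tells the profile service to discard changes at logoff.
    # Ntuser.dat carries the hidden attribute, hence -Force.
    Rename-Item -Path $hive -NewName 'Ntuser.man' -Force

    # The rename alone does not stop users from editing the share directly, so
    # replace the folder ACL: SYSTEM and Administrators full control, the users
    # Read & Execute only, and no inherited entries that could grant more.
    $acl = Get-Acl -Path $ProfilePath
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, keep nothing
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($existing)
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $entries = @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @($UserGroup,               'ReadAndExecute')
    )
    foreach ($entry in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry[0], $entry[1], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $ProfilePath -AclObject $acl
    return (Join-Path $ProfilePath 'Ntuser.man')
}

function Set-RoamingProfilePath {
    # Writes the Profile tab's "Profile path" value (the profilePath attribute) via ADSI.
    param(
        [Parameter(Mandatory)][string]$UserDn,        # e.g. 'CN=Kiosk 01,OU=Kiosks,DC=example,DC=com'
        [Parameter(Mandatory)][string]$ProfilePath
    )
    $user = [ADSI]"LDAP://$UserDn"
    $user.Put('profilePath', $ProfilePath)
    $user.SetInfo()
}

# Assumed values for the shared kiosk accounts:
$share = '\\fs01\Profiles$\kiosk'
ConvertTo-MandatoryProfile -ProfilePath $share -UserGroup 'EXAMPLE\KioskUsers'
foreach ($dn in 'CN=Kiosk 01,OU=Kiosks,DC=example,DC=com', 'CN=Kiosk 02,OU=Kiosks,DC=example,DC=com') {
    Set-RoamingProfilePath -UserDn $dn -ProfilePath $share
}
```

The share permissions on \\fs01\Profiles$ still need to allow the group Read; the NTFS ACL set here is what prevents a kiosk user from planting a modified Ntuser.man that every other kiosk user would then load.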

The Four Domain Functional Levels

The default domain functional level (the book's "functionality level") of a domain created on a new Windows Server 2003 machine is Windows 2000 mixed, which was called "mixed mode" in Windows 2000. At this level, a domain can contain domain controllers running Windows NT 4.0, Windows 2000, or Windows Server 2003.

After you have removed all Windows NT domain controllers from the domain, you can raise the domain functional level to Windows 2000 native or to Windows Server 2003. At the Windows 2000 native level, you get the improved group capabilities of Active Directory as delivered in Windows 2000: the ability to nest groups, conversion of groups between scopes and types, Universal security groups, and SID history for migrations.

The most advanced level is Windows Server 2003. Only domains with no Windows 2000 or Windows NT domain controllers can be raised to it; among other things it adds constrained delegation and the replicated lastLogonTimestamp attribute.

A fourth level, Windows Server 2003 interim, exists for upgrades straight from Windows NT: both Windows NT and Windows Server 2003 domain controllers can exist in a domain at this level, but not Windows 2000 domain controllers. As with the Windows 2000 mixed level, the enhanced group functionality cannot be used.

Raising a functional level is a one-way operation. Once raised, it cannot be lowered, and domain controllers running the older versions can no longer be added to the domain.

Group Types

The two types of groups are as follows:

  • Distribution: Used for email distribution lists only. A distribution group is never placed in a logon token, so it cannot be used to assign permissions for resource access.

  • Security: Used for the assignment of permissions and rights and, if mail-enabled, for email distribution as well. A group's type can be converted between the two at the Windows 2000 native level or higher.

Group Scope

A group is also classified by its scope, which determines where its members can come from and where the resources are located that the group can be granted permissions on. In Table 4, the first column lists the scope of the group object (Domain Local, Global, or Universal), the second lists the object types that can be members of that kind of group, and the third lists the locations of the resources the group can be given access to. Note that in several cases the characteristics of the group object depend on the functional level of the domain.

Table 4. Group Scopes and Applicable Members and Rights

  Domain Local
    Can include: Accounts, Global groups, and Universal groups from any domain in the forest or from a trusted domain; in Windows 2000 native or Windows Server 2003 functional level domains, also other Domain Local groups from the same domain as the group object.
    Can be granted access to resources in: The local domain only.

  Global
    Can include: In domains at the Windows 2000 mixed or Windows Server 2003 interim level, only accounts from the same domain as the group object. In Windows 2000 native or Windows Server 2003 functional level domains, accounts and other Global groups from the same domain as the group object.
    Can be granted access to resources in: Any domain in the forest, and any domain in another forest that trusts the local domain.

  Universal
    Can include: (Not available as a security group in domains at the Windows 2000 mixed or Windows Server 2003 interim level.) Accounts, Global groups, and Universal groups from any domain in the forest. Membership is published in the global catalog, so membership changes replicate forest-wide.
    Can be granted access to resources in: Any domain in the forest, and any domain in another forest that trusts the local domain.


The following are some important points to remember about groups:

  • When you grant rights to domain users, the best practice is the AGDLP method: place Accounts in Global groups, place the Global groups into Domain Local groups, and grant (or deny) permissions to the Domain Local groups. Permissions are then assigned once per resource, and day-to-day changes happen on the membership side.

  • When a permission is explicitly denied to a user, or to a group the user belongs to, that Deny wins over an Allow the user receives through another group, because explicit Deny entries are evaluated before explicit Allow entries. The one exception is inheritance order: an explicit Allow set directly on an object is evaluated before a Deny inherited from its parent.

  • Whenever a user requests authorization to use a prohibited object or resource, the user sees an "Access is denied" message. Group membership changes take effect only in tokens built after the change, so the user must log off and on (or reconnect to the share) before a new membership is honored.
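The AGDLP chain and the Deny ordering rule above, as an added example that is not from the book: the script creates the Global and Domain Local groups through the ADSI provider (available on Windows Server 2003 without any extra module), nests them, grants the Domain Local group Modify on a folder, adds an explicit Deny for a second group, and then lists the DACL so the ordering is visible. The OU, group names, NetBIOS domain name, folder path and user DNs are assumptions; GG-Contractors is assumed to exist already.

```powershell
# Added example, not from the book: AGDLP for one folder plus an explicit Deny,
# using ADSI.  OU, group names, domain name and folder path are assumptions.
$groupsOu = [ADSI]'LDAP://OU=Groups,DC=example,DC=com'
$netbios  = 'EXAMPLE'

# groupType for a security group = 0x80000000 (security enabled) OR the scope
# bit (0x2 global, 0x4 domain local, 0x8 universal), stored as a signed 32-bit int.
$securityGroupType = @{
    Global      = [int]-2147483646
    DomainLocal = [int]-2147483644
    Universal   = [int]-2147483640
}

function New-SecurityGroup {
    param([string]$Name, [ValidateSet('Global','DomainLocal','Universal')][string]$Scope)
    $g = $groupsOu.Create('group', "CN=$Name")
    $g.Put('sAMAccountName', $Name)
    $g.Put('groupType', $securityGroupType[$Scope])
    $g.SetInfo()
    return $g
}

# A -> G: accounts go into a Global group that describes a role.
$gg = New-SecurityGroup -Name 'GG-Finance-Staff' -Scope Global
foreach ($dn in 'CN=Jane Doe,OU=Staff,DC=example,DC=com', 'CN=Rick Roe,OU=Staff,DC=example,DC=com') {
    $gg.Add("LDAP://$dn")
}
# G -> DL: one Domain Local group per resource and permission level.
$dl = New-SecurityGroup -Name 'DL-Finance-Modify' -Scope DomainLocal
$dl.Add($gg.Path)

# DL -> P: the permission is granted to the Domain Local group only.
# (A freshly created group may take a moment to resolve by name if another DC answers.)
$folder = 'D:\Shares\Finance'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$acl = Get-Acl -Path $folder
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\DL-Finance-Modify", 'Modify', $inherit, 'None', 'Allow')))

# Explicit Deny for contractors who must never write here.  Leaving people out of
# the Global group is the normal answer; Deny is for the case where the same
# people legitimately belong to GG-Finance-Staff for other resources.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\GG-Contractors", 'Modify', $inherit, 'None', 'Deny')))
Set-Acl -Path $folder -AclObject $acl

# Canonical DACL order is explicit Deny, explicit Allow, then inherited entries,
# so the contractor Deny is listed and evaluated before the Allow.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Members of GG-Finance-Staff will not see the new permission until they log on again, because the Domain Local group SID is added to the token at logon. The listing at the end is also the check to run after any manual ACL edit: a Deny that appears below an Allow for the same rights is a sign the DACL is no longer in canonical order.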

Tables 5 and 6 list the default groups included in Windows Server 2003.

Table 5. Default Local Groups in Windows Server 2003

  Administrators
    Default access: Unrestricted access to the computer.
    Default local members: Administrator.
    Default domain members when joined: Domain Admins Global group.

  Backup Operators
    Default access: Can run Windows Backup and back up or restore any file regardless of its NTFS permissions (the backup and restore privileges), which makes membership equivalent to read access to everything on the computer.
    Default local members: None.
    Default domain members when joined: None.

  Guests
    Default access: Limited to explicitly granted rights and restricted use of the computer.
    Default local members: Guest; IUSR_machine when IIS is installed.
    Default domain members when joined: Domain Guests Global group.

  Power Users
    Default access: Can create and modify local user accounts and share resources. Not a security boundary: Power Users can install programs and change system-wide settings, which is enough to gain administrative control, so treat members as administrators.
    Default local members: None.
    Default domain members when joined: None.

  Users
    Default access: Limited to use of the computer, personal files and folders, and explicitly granted rights.
    Default local members: All newly created local users; the NT AUTHORITY\Authenticated Users special identity; the NT AUTHORITY\Interactive special identity.
    Default domain members when joined: Domain Users Global group.


Table 6. Built-in Special Groups in Windows Server 2003

These identities have no editable membership; the system adds them to a logon token according to how the session was established.

  Anonymous Logon
    Default access: No default access rights. On Windows Server 2003, Anonymous Logon is no longer a member of Everyone.
    Local members: Users the computer cannot authenticate, that is, connections made without credentials (null sessions).
    Domain members: N/A.

  Authenticated Users
    Default access: No default access rights. Use this identity rather than Everyone when "anyone with an account" is meant; it excludes Guest and Anonymous Logon.
    Local members: All users with valid local user accounts on this computer.
    Domain members: All Active Directory users in the computer's domain or any trusted domain.

  Creator Owner
    Default access: A placeholder in ACLs. When an inheritable ACE for Creator Owner is propagated to a new child object, it is replaced by an ACE for whoever owns that object; this is how "full control over what you create" is expressed in default permissions.
    Local members: Resolved per object to its owner. On Windows Server 2003, objects created by a member of the Administrators group are owned by the Administrators group by default.
    Domain members: N/A.

  Dialup
    Default access: No specific rights; this group is not shown on systems without configured modems and dial-up connections.
    Local members: All users who have connected to the computer over a dial-up connection.
    Domain members: N/A.

  Everyone
    Default access: Windows 2000 granted Everyone Full Control on new NTFS volumes and new shares. Windows Server 2003 reduced this to Read & Execute (this folder only) at the root of a newly formatted volume and Read on new shares. Check and tighten Everyone entries rather than rely on the default; removing the entry implicitly denies access to anyone not granted it elsewhere.
    Local members: All users who access the computer, including Guest; from Windows Server 2003 on, not including Anonymous Logon.
    Domain members: N/A.

  Interactive
    Default access: No specific rights.
    Local members: All users who have logged on interactively, at the console or through a Terminal Services session.
    Domain members: N/A.

  Network
    Default access: No specific rights.
    Local members: All users who have connected to one of this computer's shared resources from a remote computer on the network.
    Domain members: N/A.





Source: Lee Scales, MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment, 2nd Edition (2006), ISBN 0789736489, 219 pages.