Title: 70-270: MCSE Guide to Microsoft Windows XP Professional Chapter 5: Users, Groups, Profiles, and Policies
Objectives
- Understand Windows XP Professional user accounts
- Understand the different types of logons
- Understand how to log on to Windows XP
- Understand naming conventions
- Create and manage local user accounts
- Planning groups and system groups
Objectives (continued)
- Work with Windows XP as a domain client
- Create user profiles
- Work with group policies
- Troubleshoot cached credentials
- Understand the Files and Settings Transfer Wizard and the User State Migration Tool (USMT)
Windows XP Professional User Accounts
- Designed for use as a network client for
  - Windows NT
  - Windows 2000
  - Windows Server 2003
- Member of a workgroup
- Standalone operating system
Types of Windows XP Professional User Accounts
- Local user account
  - Exists on a single computer
  - No domain access
- Domain user account
  - Exists throughout a domain
  - Can be used on any domain member computer
How Accounts Interact with a Windows XP Professional System
- Standalone system, automatic logon
- Standalone system
- Workgroup member
- Domain network client
Supporting More Than One User
- Multiple-user systems
- Implemented through
  - Groups
  - Resources
  - Policies
  - Profiles
Types of Logon
- Logon authentication has two purposes
  - Maintain security
  - Track computer usage
Windows Welcome Logon Method
- Completely new logon method
- Designed for use on standalone or workgroup member systems
- List of user accounts with icons
- Fast User Switching
  - Switch users without logoff
Classic Logon Method
- Press Ctrl+Alt+Delete to access WinLogon security dialog box
- Required for domain member systems
Logging On to Windows XP
- XP automatically creates accounts
  - Administrator
  - Guest
Administrator
- Most powerful user account possible
- Unlimited access and unrestricted privileges
- Must be protected from misuse
- Complicated password should be used
- Should rename this account
Administrator (continued)
- Characteristics
  - Cannot be deleted
  - Cannot be locked out
  - Can be disabled
  - Can have a blank password (however, this is not recommended)
  - Can be renamed (which is recommended)
  - Cannot be removed from the Administrators local group
Guest
- One of the least privileged user accounts
- Limited access to resources and computer activities
- Should rename account
- Member of the Everyone group
- Recommended to leave the Guest account disabled
Guest (continued)
- Characteristics
  - Cannot be deleted
  - Can be locked out
  - Can be disabled (it is disabled by default)
  - Can have a blank password (it is blank by default)
  - Can be renamed (which is recommended)
  - Can be removed from the Guests local group
Naming Conventions
- Predetermined process for creating names on network or standalone system
- Should incorporate a scheme for
  - User accounts
  - Computers
  - Directories
  - Network shares
  - Printers
  - Servers
Managing Local User Accounts
- Two types
  - Local representations of domain/network user accounts
  - Created from scratch locally
- User Accounts applet
  - Used to create local representation
- Local Users and Groups snap-in
  - Used to create accounts from scratch
User Accounts Applet
- Users tab
  - Lists active users
  - Add New User wizard to add users
- Advanced tab
  - Access to
    - Password and passport management
    - Advanced user management
    - Secure logon settings
Local Users and Groups
- Create and manage local users
- Console tree nodes
  - Users
  - Groups
Planning Groups and System Groups
- Plan how to manage groups
- Pair groups with resources for administrative control
- Ongoing administrative task
  - Adding and removing users from groups
Working with Groups You've Made
- Must have a Windows NT, 2000, or Server 2003 in client/server environment
- Resource
  - Has local groups assigned to it
- Global user groups
  - Assigned to local resource groups
- Users
  - Assigned to global groups
Assigning users access to resources using groups
Working with Default Groups
- Administrators
- Backup Operators
- Guests
- Network Configuration Operators
- Power Users
Working with Default Groups (continued)
- Remote Desktop Users
- Replicator
- Users
- HelpServicesGroup
Working with System Groups and Other Important Groups
- Built-in system-controlled groups
- Preexisting groups
- Cannot be edited
- Used by system to control or place restrictions on specific groups of users based on activities
Windows XP as a Domain Client
- Can serve as a client to an Active Directory domain
- Centralized control of user accounts and overall security
- Resources centrally located
- Management of access easier than a workgroup network
Adding a System as a Domain Client
- Add a Windows XP Professional system as a client in domain network
  - Administrator creates computer account in the domain
  - Computer account in the domain is generated from the client
- Remove a client from a domain
  - Join a workgroup
Controlling a Domain Client
- Domain enforces control using group policy objects (GPOs)
- GPOs
  - Registry templates
  - Forced onto a system each time it starts or each time a user logs on
  - Domain-level version of the local security policy
Access to Systems and Resources by a Domain Client
- Only members of domain can access systems and resources within domain
- Resources accessed through My Network Places
Group Types assigned by a Domain Client
- Administrators
- Backup Operators
- Guests
- HelpServicesGroup
- Network Configuration Operators
Group Types assigned by a Domain Client (continued)
- Power Users
- Remote Desktop Users
- Replicator
- Users
Active Directory Domain Containers
- Active Directory domain containers
  - Logical
    - Domain
    - Organizational Unit (OU)
  - Physical
    - Site
User Profiles
- Collection of desktop and environmental configurations
- Computer maintains profile for each user
- Material such as
  - Application data
  - My Documents
  - Cookies
  - Etc.
Local Profiles
- Set of specifications and preferences
- For an individual user
- Stored on local machine
- Reside in the username subdirectory beneath the \Documents and Settings directory
- Set up by example
- Saved on logout
Roaming Profiles
- Resides on a network server
- Automatically downloaded to any system when user logs on
- Default path designation
  - \\computername\username
Application of Group Policies
- Several security and access controls
- Group policies (GPOs) can be defined for
  - Domain
  - Sites
  - Organizational units (OUs)
- Local computer group policy managed from a Windows XP Professional system
- Policies applied in order
  - LSDOU (local, site, domain, organizational unit)
Password Policy
- Defines the restrictions on passwords
- Includes password age, length, etc.
Account Lockout Policy
- Conditions that result when a user account is locked out
- Used to prevent brute force attacks against user accounts
- Items
  - Account lockout threshold
  - Account lockout duration
  - Reset account lockout counter after
Audit Policy
- Defines events recorded in Security log of Event Viewer
- Used to track resource usage
- Items (not full list)
  - Audit directory service access
  - Audit logon events
  - Audit account logon events
  - Audit system events
User Rights Assignment
- Defines which groups or users can perform the specific privileged action
- Items (not full list)
  - Access this computer from the network
  - Back up files and directories
  - Change the system time
  - Load and unload device drivers
  - Profile single process
  - Shut down the system
Security Options
- Controls various security features, functions, and controls of environment
- Items (not full list)
  - Accounts
  - Devices
  - Domain member
  - Microsoft network server
Group Policies
- Domain-level version of the local security policy
- Two primary divisions
  - Computer Configuration
  - User Configuration
Troubleshooting Cached Credentials
- Automatically caches users' credentials in the Registry
  - When domain logon or .NET Passport logon is performed
- Can be disabled
  - Enable the group policy setting of Interactive logon
  - Set the cachedlogonscount Registry value to 0
Files and Settings Transfer Wizard
- Move data files and personal desktop settings from another computer to new Windows XP Professional system
- Must have some sort of network connection between the two systems
- Transfer files from Windows 95, 98, SE, Me, NT, 2000, or XP systems
- Transfer process can take considerable time
User State Migration Tool (USMT)
- Supports migration of user data from Windows 9x, Windows NT Workstation 4.0, and Windows 2000 Professional to a Windows XP Professional system
- Able to transfer the same files and settings that the Files and Settings Transfer Wizard can
- Fully configurable and scriptable
User State Migration Tool (USMT) (continued)
- Two command-line utilities
  - ScanState
  - LoadState
- Read instructions and control parameters from INF files
- ScanState
  - Used to create a backup of the user data
- LoadState
  - Used to copy the data onto new target system
Summary
- Three types of users
  - Locally created users
  - Imported users
  - Domain users
- Users are collected into groups
  - Simplifies management and the granting of access or privileges
- There are two built-in users, Administrator and Guest, and several built-in groups
- Profiles can be local or roaming
Summary (continued)
- Group policies are domain-level versions of the local security policy.
- The Files and Settings Transfer Wizard
  - Used to move data files and personal desktop settings from one system to another.
- The User State Migration Tool
  - Used for enterprise migrations