Windows XP Users, Groups, Profiles and Policies - PowerPoint PPT Presentation

Slides: 105
Provided by: carlbs

1
Windows XP Users, Groups, Profiles and Policies
  • 70-270 MCSE Guide to Microsoft Windows XP
    Professional

2
Windows XP Professional User Accounts
  • Designed for use as a network client for
  • Windows NT
  • Windows 2000
  • Windows Server 2003
  • Member of a workgroup
  • Standalone operating system when more than one
    user is using the computer
  • Home or business environment

3
Types of Windows XP Professional User Accounts
  • Local user account
  • Exists on a single computer
  • Can provide access to resources if the user is a
    member in a workgroup
  • No domain access
  • Domain user account
  • Created on a domain controller using "Active
    Directory" and exists throughout the domain
  • Available on any domain member computer

4
User Account Details
  • Uniquely identified to the system by user account
    name and password
  • Provides secure access to authorized users
  • Preferences are environmental settings that are
    stored in a profile
  • Desktop, Favorites, My Documents, Start Menu,
    Internet files and Cookies, etc.

5
Accounts Interaction with an XP Professional
System (Page 1)
  • Standalone system, automatic logon
  • All users access local resources through a
    "common user account" that automatically logs
    in when the computer starts
  • Standalone system
  • Each user logs into system with access to "their
    own" local resources

6
Accounts Interaction with an XP Professional
System (Page 2)
  • Workgroup member
  • Users log in to an account to access both local
    and shared resources
  • Domain network client
  • Users login to system with a unique domain user
    account to gain access to local and domain
    resources

7
Supporting More Than One User
  • Multiple-user systems support more than one user
    on the same machine, either on a single computer
    or in a domain
  • Implemented through
  • Groups
  • Resources
  • Policies
  • Profiles

8
Groups
  • Named collections of user accounts
  • One user account may be a member of more than one
    group
  • Members of group receive access rights and
    restrictions for that group
  • Local groups are created using Windows XP
    professional and provide privileges at the
    machine level

9
Resources
  • Useful objects including printers, shared
    directories, software applications, etc.
  • Limited to a single user, group or all users on a
    machine or within a network

10
Policies
  • A set of configuration options for a user,
    computer or group
  • Define password restrictions, i.e.
  • Is the user required to change their password at
    prescribed intervals?
  • Account lockouts, i.e.
  • What happens if a user enters an incorrect login
    several times in sequence?
  • User rights
  • Event auditing

11
Profiles
  • User environmental settings including Desktop,
    Favorites, My Documents, Start Menu, etc.
  • A local profile exists on local computer
  • A domain profile follows a user no matter which
    computer he/she logs on to in the domain

12
Types of Logon
  • Two types
  • Windows Welcome Logon Method
  • Classic Logon Method
  • Changing between the login types is found in
    "User Accounts" applet in Control Panel
  • Logon authentication has two purposes
  • Maintain security
  • Track computer usage

13
Windows Welcome Logon Method (Page 1)
  • Completely new logon method designed for use on
    standalone or workgroup member systems
  • Not available when the Windows XP client is a
    member of a domain
  • Displayed as a list of user accounts each with
    its own icon which the user clicks
  • For accounts with password, user is prompted for
    it before access is granted

14
Windows Welcome Logon Method (Page 1)
15
Windows Welcome Logon Method (Page 2)
  • To turn the Welcome screen on or off
  • Open User Accounts in Control Panel
  • Click Change the way users log on or off command
  • Do one of the following
  • Specify that users log onto computer using the
    Welcome screen, select the Use the Welcome screen
    check box
  • Specify that users log onto computer using
    "Windows Classic Logon" dialog, clear the Use the
    Welcome screen check box

16
Windows Welcome Logon Method (Page 3)
  • Fast User Switching
  • Allows switching from one user to another without
    logging off (not in a domain and only for Welcome
    Screen logon)
  • Also updated in "User Accounts" from Change the
    way users log on or off
  • From "Start" menu, select the Log Off command
    then in the "Logoff Windows" dialog click the
    <Switch User> button
  • When switching back, environment and all programs
    that were active are restored

17
Activity
  • Turn on Fast User Switching in the "User
    Accounts" applet
  • Activate the Guest account and then practice
    switching between it and your user account

18
Classic Logon Method
  • Press the <Ctrl>+<Alt>+<Delete> key combination
    to access the "WinLogon" security dialog box
  • Required for domain member systems
  • Selected automatically when a Windows XP system
    becomes part of a domain
  • No user switching available
  • Must log off computer to make it available to the
    next user

19
Classic Logon Method
20
Activity
  • In the "User Accounts" applet change between the
    "Windows Welcome" and "Classic" logon methods
  • Try logging on using each

21
Logging On to Windows XP
  • When Windows XP Professional first is installed,
    two accounts are automatically created
  • Administrator
  • Guest

22
Administrator (Page 1)
  • Most powerful user account possible
  • Unlimited access and unrestricted privileges to
    manage users, groups, O/S environment, printers,
    shares, storage devices, etc.
  • Must be protected from misuse
  • Complicated password should be used
  • Account should be renamed

23
Administrator (Page 2)
  • The original Administrator account
  • Cannot be deleted
  • Cannot be locked out (occurs when user attempts
    to logon unsuccessfully)
  • Can be disabled (only performed manually by
    another administrator account)
  • Can have a blank password (not recommended)
  • Can be renamed (recommended)
  • Cannot be removed from Administrators local group

24
Guest (Page 1)
  • One of the least privileged user accounts
  • Limited access to resources and computer
    activities
  • Account should be renamed
  • Member of the "Everyone" group
  • Recommended to leave account disabled since by
    default all new objects and shares give full
    control for group "Everyone"

25
Guest (Page 2)
  • The original Guest account
  • Cannot be deleted
  • Can be locked out
  • Can be disabled (disabled by default)
  • Can have a blank password (blank by default)
  • Can be renamed (recommended)
  • Can be removed from the Guests local group

26
Naming Conventions (Page 1)
  • A predetermined process should be used for
    creating names on either a network or a
    standalone system
  • A convention is an accepted practice within an
    organization or even industry-wide
  • Important since networks usually tend to grow
    very quickly

27
Naming Conventions (Page 2)
  • Should incorporate schemes for naming
  • User accounts
  • Computers
  • Directories
  • Network shares
  • Printers
  • Servers

28
Naming Conventions (Page 3)
  • Two common conventions
  • User name employs first and last name, and a code
    indicating user's department
  • Group name represents the organization of the
    firm department, location, project name, and/or
    combination of the above

29
Naming Conventions (Page 4)
  • Needs to be
  • Consistent
  • Easy to use and understand
  • Easy to create new names using the convention
    (variations are predetermined)
  • Clearly identify the object's type

30
Managing Local User Accounts
  • Two types of local accounts
  • Accounts created from scratch locally
  • Local representations of domain/network user
    accounts
  • User Accounts applet
  • Used to create local representation (only for a
    domain client)
  • In a standalone system, applet becomes a task
    wizard with easy-to-follow tasks

31
User Accounts Applet in a Domain
  • Users tab
  • Lists active users
  • Add New User wizard to add users
  • Advanced tab
  • Access to
  • Password and passport management
  • Advanced user management
  • Secure logon settings

32
User Accounts Applet in a Domain
33
User Accounts Applet in a Domain
34
Add a User in a Domain
User Accounts applet
35
Add a User in a Domain
User Accounts applet
36
Properties in a Domain
User Accounts applet
37
User Accounts Applet for a Standalone Computer
38
User Accounts Applet for a Standalone Computer
39
Activity
  • Create a new user account named Jan Walters using
    the "User Accounts" applet
  • Limited privileges
  • No password

40
Local Users and Groups Console
  • Found in "Computer Management" applet of
    Administrative Tools
  • Console tree nodes (in left frame) are Users and
    Groups
  • The list frame (on the right) shows the names of
    the user and/or group accounts
  • "Local Users and Groups" MMC snap-in also can be
    used to create and manage user accounts and groups

41
Local Users and Groups (Computer Management
Console)
42
Local Users and Groups MMC Console
43
Local Users and Groups MMC Console
44
Users Node (Page 1)
  • Creating a new user account
  • Select User node within the Local Users and
    Groups node
  • With no user selected, click Action → New User
    from the menu bar
  • Or right-click on any white space in list (right)
    frame and select New User
  • Fill in the form and click the <Create> button

45
Users Node (Page 2)
  • Select any user account and click Action from
    menu bar (or right-click any user account name)
    to
  • Set (reset) password
  • Delete user account
  • Rename user account
  • View user account properties
  • Help

46
Users Node (Page 3)
  • The Properties window for user accounts has three
    tabs
  • General: update Full name and Description, modify
    password properties, enable/disable the account,
    and manage locked out accounts
  • Member Of: list of group memberships with <Add>
    and <Remove> buttons

47
Users Node (Page 4)
  • The Properties (cont.)
  • Profile: defines
  • Alternate location for the user's profile
  • By default stored in "C:\Documents and
    Settings\username"
  • Name of an optional logon script that executes
    after successful login
  • Alternate home directory, either a local folder
    or mapped network drive
  • By default "C:\Documents and Settings\username\My
    Documents"

48
Activity
  • Create an MMC console with the "Local Users and
    Groups" snap-in
  • Save it on the Desktop as filename "Local Users
    and Groups.msc"

49
Activity 5-4
  • Create a local account with the "Local Users and
    Groups" MMC console snap-in
  • Username: BobTemp
  • Full Name: Bob Smith
  • Description: A temporary account for Bob
  • Password: provide and confirm
  • User must change password at next logon:
    deselected

50
Activity 5-5
  • Add BobTemp account to the PowerUsers group from
    "User Accounts"
  • Found on the Members Of tab of Properties
  • Requires clicking the <Advanced> button, then the
    <Find Now> button

51
Planning Groups and System Groups
  • Plan well in advance how groups are to be
    managed
  • Pair groups with resources
  • Some sample organizational groupings
  • Organizational units or departments
  • Authorized users of applications
  • Events, projects or special assignments
  • Location or geography
  • Individual function or job description

52
Working with Default Groups (Page 1)
  • Administrators
  • Full access; the local Administrator account is
    always a member
  • Backup Operators
  • Has the ability to back up and restore all files
    and folders; no default members
  • Guests
  • Can operate the computer and save files; cannot
    install programs or alter system settings;
    default member of group: Guest

53
Working with Default Groups (Page 2)
  • Network Configuration Operators
  • Able to configure network components; no default
    members
  • Power Users
  • Can modify the computer and create user accounts,
    share resources and install programs; cannot
    access files that belong to others; no default
    members
  • Remote Desktop Users
  • Can log on remotely; no default users

54
Working with Default Groups (Page 3)
  • Replicator
  • Facilitates directory replication between systems
    and domains; no default users
  • Users
  • Able to operate computer and save files; cannot
    install programs, modify user accounts, share
    resources, or alter system settings; all new
    users are default members
  • HelpServicesGroup
  • Used by Microsoft's "Help and Support" center to
    provide remote support

55
Groups Node (Page 1)
  • Creating a new group account
  • Select Group node within the Local Users and
    Groups node
  • With no group selected, click Action → New Group
    from the menu bar
  • Or right-click on any white space in list (right)
    frame and select New Group
  • Fill in Group Name and Description
  • The <Add> button is for adding user accounts to
    the group
  • Click <Create> button when finished

56
Groups Node (Page 2)
  • Select any group account and click the Action
    command from menu bar (or right-click any group
    account name) to
  • Add (new user accounts) to group
  • Delete group account
  • Rename group account
  • View group account properties
  • Help

57
Groups Node (Page 3)
  • The Properties window for user accounts has one
    tab
  • General: update the Description, and display
    list of group members with <Add> and <Remove>
    buttons

58
Activity 5-6
  • Create a local group account and add user account
    BobTemp to group with the "Local Users and
    Groups" MMC console snap-in
  • Group name: SalesGroup
  • Description: Members of the Sales Department
  • Requires first clicking the <Add> button in
    "Properties", then the <Advanced> button, and
    then the <Find Now> button

59
User Profiles
  • Collection of desktop and environmental
    configurations
  • Computer maintains profile for each user
  • Material such as Application data, My Documents,
    cookies, etc.
  • A new profile is created for a user at the first
    successful logon
  • Even for the Guest account

60
Local Profiles
  • Set of specifications and preferences for an
    individual user
  • Stored on the local machine residing in the
    username subdirectory beneath the \Documents
    and Settings directory
  • Set up by example
  • As the user modifies the system
  • Saved on logout

61
Roaming Profiles (Page 1)
  • Roaming profiles are user profiles that are
    stored in the server
  • Each time the user logs on, their profile is
    requested and sent to whatever machine makes the
    request
  • Default path designation
  • \\computername\username

62
Roaming Profiles (Page 2)
  • To create a roaming profile
  • Click Start, right-click My Computer, and select
    Properties from shortcut menu
  • Click the Advanced tab, and then click Settings
    under "User Profiles"
  • In the Profiles stored on this computer list,
    click the profile that you want
  • To change the type of profile, click Change Type,
    click Roaming profile, and then click <OK> button

63
Activity
  • On the Desktop create a shortcut for the
    previously created "Local Users and Groups" MMC
    console
  • Now move the console itself (not the shortcut) to
    your "My Documents" folder
  • Create a new folder named Consoles in
    "C:\Documents and Settings\username\Start
    Menu\Programs"; move the shortcut to it
  • Now click Start menu → Programs → etc.

64
Application of Local and Group Policies
  • Several security and access controls
  • Local computer group policy is managed from a
    Windows XP Professional system
  • Found in "Local Security Settings" dialog of
    Administrative Tools applet in Control Panel
  • Group policies (GPOs) can be defined for the
    domain, sites, and organizational units (OUs)
    from Active Directory

65
Local Security Settings Console
66
Password Policy (Page 1)
  • Defines the restrictions on passwords
  • Restrictions include
  • Enforce password history: to prevent reuse of
    old passwords
  • Maximum password age: how often it must be reset
  • Minimum password age: how long before it can be
    changed

67
Password Policy (Page 2)
  • Restrictions include (cont.)
  • Minimum password length: minimum characters in
    the password
  • Password must meet complexity requirements: as
    defined by Microsoft, i.e. minimum number of
    alphabetic characters, plus minimum number of
    numeric characters

68
Password Policy
69
Activity 5-11 (Part 1)
  • Update password policies
  • Security Settings
  • Account Policies
  • Password Policy
  • Enforce password history: 5
  • Maximum password age: 60
  • Minimum password age: 2
  • Minimum password length: 6

70
Account Lockout Policy (Page 1)
  • Conditions that result when a user account is
    locked out from too many failed login attempts
  • Used to prevent brute force attacks against user
    accounts

71
Account Lockout Policy (Page 2)
  • Policy items include
  • Account lockout threshold: number of failed
    logins before account locked out
  • Account lockout duration: minutes account
    remains locked out; if set to zero, requires
    administrative action to unlock
  • Reset account lockout counter after: length of
    time before lockout counter resets

72
Account Lockout Policy
73
Activity 5-11 (Part 2)
  • Update password policies
  • Security Settings
  • Account Policies
  • Account Lockout Policy
  • Account lockout threshold: 3
  • Account lockout duration: 30
  • Reset account lockout after: 15

74
Audit Policy
  • Defines events recorded in Security log of Event
    Viewer (covered in Chapter 6)
  • Used to track resource usage
  • Items (not full list)
  • Audit directory service access (access to "Active
    Directory")
  • Audit logon events
  • Audit account logon events
  • Audit system events

75
Audit Policy
76
Activity 5-11 (Part 3)
  • Update password policies
  • Security Settings
  • Local Policies
  • Audit Policy
  • Audit logon events: Failure
  • Audit system events: Failure
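
An added example (not part of the original slides): a Python check of a policy file written by `secedit /export` against the values set in Activity 5-11, Parts 1 to 3, treating those values as minimums rather than exact matches. The INF key names are the ones secedit writes; both sample files are constructed.

```python
import configparser

# Each check: (INF section, INF key, target from Activity 5-11, predicate on the value).
# Special INF values: MaximumPasswordAge -1 = never expires, LockoutBadCount 0 = lockout
# off, LockoutDuration -1 = locked until an administrator unlocks the account.
CHECKS = [
    ("System Access", "PasswordHistorySize", "at least 5 remembered", lambda v: v >= 5),
    ("System Access", "MaximumPasswordAge", "1 to 60 days", lambda v: 1 <= v <= 60),
    ("System Access", "MinimumPasswordAge", "at least 2 days", lambda v: v >= 2),
    ("System Access", "MinimumPasswordLength", "at least 6 characters", lambda v: v >= 6),
    ("System Access", "LockoutBadCount", "1 to 3 failed logons", lambda v: 1 <= v <= 3),
    ("System Access", "LockoutDuration", "at least 30 minutes", lambda v: v >= 30 or v == -1),
    ("System Access", "ResetLockoutCount", "at least 15 minutes", lambda v: v >= 15),
    ("Event Audit", "AuditLogonEvents", "Failure audited", lambda v: v & 2 == 2),
    ("Event Audit", "AuditSystemEvents", "Failure audited", lambda v: v & 2 == 2),
]

def audit_secedit(inf_text):
    """Return [(key, found, target)] for every setting weaker than the slide values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as exported
    cp.read_string(inf_text)
    findings = []
    for section, key, target, ok in CHECKS:
        raw = cp.get(section, key, fallback=None)
        try:
            value = int(raw)
        except (TypeError, ValueError):
            # Lockout duration/reset are not exported at all while lockout is off.
            findings.append((key, "missing" if raw is None else raw, target))
            continue
        if not ok(value):
            findings.append((key, value, target))
    return findings

# Constructed sample: no password or lockout restrictions, no auditing.
SAMPLE_WEAK = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the values entered in Activity 5-11 (audit value 2 = Failure).
SAMPLE_ACTIVITY = """
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 60
MinimumPasswordLength = 6
PasswordHistorySize = 5
LockoutBadCount = 3
ResetLockoutCount = 15
LockoutDuration = 30
[Event Audit]
AuditSystemEvents = 2
AuditLogonEvents = 2
"""

if __name__ == "__main__":
    for key, found, target in audit_secedit(SAMPLE_WEAK):
        print(f"{key}: found {found}, expected {target}")
```

A real export is UTF-16 encoded, so decode the file with that encoding before passing its text to `audit_secedit`.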

77
User Rights Assignment
  • Defines who (which groups or users) can perform
    the specific privileged action
  • Items (not full list)
  • Access this computer from the network
  • Add workstations to domain
  • Back up files and directories
  • Change the system time
  • Load and unload device drivers
  • Profile single process
  • Shut down the system

78
User Rights Assignment
79
Activity 5-12
  • Update password policies
  • Security Settings
  • Local Policies
  • User Rights Assignment
  • Add workstations to domain: Power Users

80
Security Options
  • Controls a wide variety of security features,
    functions, and controls of environment
  • Items (not full list)
  • Accounts: including enabling and renaming
    Administrator and Guest accounts
  • Devices: access to and installation options
  • Domain member: requirements
  • Interactive logon: modifying logon process
  • Microsoft network server: behaviors

81
Security Options
82
Customizing the Logon Process
  • The Administrator can alter the default logon
    process by modifying Winlogon, the process that
    produces the logon dialog, i.e.
  • Deactivating Ctrl+Alt+Delete to start logon
  • Disabling display of the last username
  • Adding a security warning message
  • Disabling the shutdown button
  • Changing the shell
  • Automating logons
  • Automatic account lockout

83
Deactivating <Ctrl>+<Alt>+<Delete> to Start Logon
  • Access to Windows Classic logon window usually is
    initiated by pressing together the keys
    <Ctrl>+<Alt>+<Delete>
  • Forces the XP security logon sequence
  • However requirement can be disabled
  • Edit with Local Security Policy dialog in
    "Administrative Tools" (Security Options)
  • Interactive logon: Do not require Ctrl+Alt+Delete
    set to "Enabled"

84
Activity
  • Deactivate <Ctrl>+<Alt>+<Delete> for Windows
    Classic logon dialog
  • Security Settings
  • Local Policies
  • Security Options
  • Interactive logon: Do not require CTRL+ALT+DELETE:
    Enabled

85
Disabling the Default Username (Page 1)
  • By default the Classic Logon Window displays name
    of the last user to logon
  • May not be secure if the workstation often is
    left unattended
  • Edit with Local Security Policy dialog in
    "Administrative Tools" (Security Options)
  • Interactive logon: Do not display last username
    set to "Enabled"

86
Activity 6-3
  • Disabling the default username for Windows
    Classic logon dialog
  • Security Settings
  • Local Policies
  • Security Options
  • Interactive logon: Do not display last username:
    Enabled

87
Disabling the Default Username (Page 2)
  • Many security values also can be viewed and even
    updated directly in the Registry
  • To view display of last username value in the
    registry, run the "regedit" command from Start
    menu → Run

88
Disabling the Default Username (Page 3)
  • Locate the key at
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Select the DontDisplayLastUserName value and
    change it
  • Enabled: "0"
  • Disabled: "1"

89
Adding Security Warning Message (Page 1)
  • Might be legally obligated to add a warning
    message for unauthorized usage
  • Edit with Local Security Policy dialog in
    "Administrative Tools" (Security Options)
  • Interactive logon: Message text for users
    attempting to logon: set to any warning message
  • Interactive logon: Message title for users
    attempting to logon: title bar text

90
Activity 6-4
  • Adding a security warning caption and message
    before logon
  • Security Settings
  • Local Policies
  • Security Options
  • Interactive logon: Message text for users
    attempting to logon: Authorized CS28 users only!
    Unauthorized access will be punished to the full
    extent of the law
  • Interactive logon: Message title for users
    attempting to logon: Warning!

91
Adding Security Warning Message (Page 2)
  • To modify the warning title and text in the
    registry, locate their keys at
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Select the following
  • LegalNoticeCaption: title bar text
  • LegalNoticeText: the text message

92
Disabling the Shutdown Button (Page 1)
  • Windows XP logon window includes Shutdown button
  • Eliminates the potential for unwanted system
    shutdowns
  • Edit with Local Security Policy dialog in
    "Administrative Tools" (Security Options)
  • Shutdown: Allow system to be shut down without
    having to log on: set to "Disabled"
  • Machine still can be physically powered-off

93
Activity
  • Disable the shutdown button
  • Security Settings
  • Local Policies
  • Security Options
  • Shutdown: Allow system to be shut down without
    having to log on: Disabled

94
Disabling the Shutdown Button (Page 2)
  • To disable the shutdown button in the registry,
    locate the key at
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Select the ShutdownWithoutLogon value and change
    it
  • Enabled: "1"
  • Disabled: "0"

95
Automating Logons (Page 1)
  • Values for username and password can be coded
    into Registry to automate logons
  • When enabled, the login dialog is bypassed
  • Execute "regedit" from Start menu → Run
  • Locate the key
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

96
Automating Logons (Page 2)
  • Registry settings
  • DefaultDomainName: only when logging into a
    domain
  • DefaultUserName: your logon name
  • DefaultPassword: delete this key if automatic
    logon is not turned on
  • AutoAdminLogon: value set to "1" to automate
    login
  • (Keys that do not exist must be created:
    right-click on parent node and select the command
    New → String)

97
Activity
  • Turn on automatic logon
  • DefaultDomainName: not required (should be your
    computer name)
  • DefaultUserName: your account name
  • DefaultPassword: create this key if it does not
    already exist; leave blank if there is no
    password
  • AutoAdminLogon: 1

98
Automating Logons (Page 3)
  • Dialog window to control automatic logons
  • Execute "control userpasswords2" from Start menu
    → Run
  • In new window select the account you wish to make
    the primary logon
  • Unselect "Users must enter a username and
    password..." checkbox
  • Click <Apply> and a dialog box will appear asking
    you to confirm password
  • Click <OK> when you are done
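
An added example (not part of the original slides): a Python audit of a regedit text export of the Winlogon key, covering the values discussed on slides 87 to 98. Both sample exports are constructed, and the password in the first one is a placeholder.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# A string value line in a .reg export: "Name"="data", with \\ and \" escaped.
_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def parse_reg(text):
    """Parse a regedit text export into {key path: {value name: string data}}.
    Only string values are kept; names are lower-cased because registry
    key and value names are case-insensitive."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = _VALUE.fullmatch(line)
            if m:
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name.lower()] = data
    return keys

def audit_winlogon(reg_text):
    """Return [(value name, finding)] for the logon settings covered on the slides."""
    v = parse_reg(reg_text).get(WINLOGON.lower())
    if v is None:
        return [("Winlogon", "key not present in export")]
    findings = []
    if v.get("autoadminlogon") == "1":
        user = v.get("defaultusername", "(unset)")
        findings.append(("AutoAdminLogon", "logon dialog bypassed for account " + user))
    if "defaultpassword" in v:
        # Any local user who can read this key can read the password.
        findings.append(("DefaultPassword", "password stored as a readable string value"))
    if v.get("dontdisplaylastusername") != "1":
        findings.append(("DontDisplayLastUserName", "not set to 1, last user name is shown"))
    if v.get("shutdownwithoutlogon") != "0":
        findings.append(("ShutdownWithoutLogon", "not set to 0, shutdown button not disabled"))
    if not (v.get("legalnoticecaption") and v.get("legalnoticetext")):
        findings.append(("LegalNoticeCaption/Text", "no warning message before logon"))
    return findings

# Constructed export: automatic logon turned on as in the activity on slide 97.
SAMPLE_AUTOLOGON = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="BobTemp"
"DefaultPassword"="example-only"
"DontDisplayLastUserName"="0"
"ShutdownWithoutLogon"="1"
"""

# Constructed export: automatic logon off, warning text from Activity 6-4 in place.
SAMPLE_LOCKED_DOWN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"
"DontDisplayLastUserName"="1"
"ShutdownWithoutLogon"="0"
"LegalNoticeCaption"="Warning!"
"LegalNoticeText"="Authorized CS28 users only!"
"""

if __name__ == "__main__":
    for name, finding in audit_winlogon(SAMPLE_AUTOLOGON):
        print(f"{name}: {finding}")
```

Regedit saves exports as UTF-16, so decode the file with that encoding before passing its text to `audit_winlogon`.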

99
Files and Settings Transfer Wizard
  • Move data files and personal desktop settings
    from another computer to new Windows XP
    Professional system
  • Must have some sort of network connection between
    the two systems
  • Transfer files from Windows 95, 98, SE, Me, NT,
    2000, or XP systems
  • Transfer process can take considerable time

100
Activity 5-13
  • Transfer files and settings using the "Files and
    Settings Transfer Wizard"
  • Start menu → Programs
  • Quit at the Auto detect

101
User State Migration Tool (USMT) (Page 1)
  • Alternate to "Files and Settings Transfer Wizard"
    which also supports migration of user data from
  • Windows 9x
  • Windows NT Workstation 4.0
  • Windows 2000 Professional
  • to a Windows XP Professional system
  • Permits administrators to fully customize
    specific settings such as modifications to the
    registry

102
User State Migration Tool (USMT) (Page 2)
  • The utilities are
  • ScanState.exe: collects user data and settings
    based on the information that is contained in the
    Migapp.inf, Migsys.inf, Miguser.inf and
    Sysfiles.inf files
  • LoadState.exe: deposits user-state data on
    computer running clean (not upgraded)
    installation of Windows XP Professional
  • Requires client computer be connected to a
    Microsoft Windows server-based domain controller

103
Project--not from the textbook