Class 10: Users, Groups, Profiles, and Policies

1
Class 10 Users, Groups, Profiles, and Policies
2
Objectives

• Create user profiles
• Work with group policies
• Troubleshoot cached credentials
• Understand the Files and Settings Transfer Wizard
  and the User State Migration Tool (USMT)

3
Windows XP as a Domain Client

• Can serve as a client to an Active Directory
  domain
• Centralized control of user accounts and overall
  security
• Resources centrally located
• Management of access easier than a workgroup
  network

4
Adding a System as a Domain Client

• Add a Windows XP Professional system as a client
  in domain network
• Administrator creates computer account in the
  domain
• Computer account in the domain is generated from
  the client
• Remove a client from a domain
• Join a workgroup

5
Controlling a Domain Client

• Domain enforces control using group policy
  objects (GPOs)
• GPOs
• Registry templates
• Forced onto a system each time it starts or each
  time a user logs on
• Domain-level version of the local security policy

6
Access to Systems and Resources by a Domain Client

• Only members of domain can access systems and
  resources within domain
• Resources accessed through My Network Places

7
Group Types assigned by a Domain Client

• Administrators
• Backup Operators
• Guests
• HelpServicesGroup
• Network Configuration Operators

8
Group Types assigned by a Domain Client
(continued)

• Power Users
• Remote Desktop Users
• Replicator
• Users

9
Active Directory Domain Containers

• Active Directory domain containers
• Logical
• Domain
• Organizational Unit (OU)
• Physical
• Site

10
User Profiles

• Collection of desktop and environmental
  configurations
• Computer maintains profile for each user
• Material such as
• Application data
• My Documents
• Cookies
• Etc.

11
Local Profiles

• Set of specifications and preferences
• For an individual user
• Stored on local machine
• Reside in the username subdirectory beneath the
  \Documents and Settings directory
• Set up by example
• Saved on logout

12
Roaming Profiles

• Resides on a network server
• Automatically downloaded to any system when user
  logs on
• Default path designation
• \\computername\username

13
Application of Group Policies

• Several security and access controls
• Group policies (GPOs) can be defined for
• Domain
• Sites
• Organizational units (OUs)
• Local computer group policy managed from a
  Windows XP Professional system
• Policies applied in order
• LSDOU (local, site, domain, organizational unit)

14
Password Policy

• Defines the restrictions on passwords
• Includes password age, length, etc.

15
Account Lockout Policy

• Conditions that result when a user account is
  locked out
• Used to prevent brute force attacks against user
  accounts
• Items
• Account lockout threshold
• Account lockout duration
• Reset account lockout counter after

16
Audit Policy

• Defines events recorded in Security log of Event
  Viewer
• Used to track resource usage
• Items (not full list)
• Audit directory service access
• Audit logon events
• Audit account logon events
• Audit system events

17
User Rights Assignment

• Defines which groups or users can perform the
  specific privileged action
• Items (not full list)
• Access this computer from the network
• Back up files and directories
• Change the system time
• Load and unload device drivers
• Profile single process
• Shut down the system

18
Security Options

• Controls various security features, functions,
  and controls of environment
• Items (not full list)
• Accounts
• Devices
• Domain member
• Microsoft network server

19
Group Policies

• Domain-level version of the local security policy
• Two primary divisions
• Computer Configuration
• User Configuration

20
Troubleshooting Cached Credentials

• Automatically caches users credentials in the
  Registry
• When domain logon or .NET Passport logon is
  performed
• Can be disabled
• Enable the group policy setting of Interactive
  logon
• Set the cachedlogonscount Registry value to 0

21
Files and Settings Transfer Wizard

• Move data files and personal desktop settings
  from another computer to new Windows XP
  Professional system
• Must have some sort of network connection between
  the two systems
• Transfer files from Windows 95, 98, SE, Me, NT,
  2000, or XP systems
• Transfer process can take considerable time

22
User State Migration Tool (USMT)

• Supports migration to user data from Windows 9x,
  Windows NT Workstation 4.0, and Windows 2000
  Professional to a Windows XP Professional system
• Able to transfer the same files and settings that
  the Files and Settings Transfer Wizard can
• Fully configurable and scriptable

23
User State Migration Tool (USMT) (continued)

• Two command-line utilities
• ScanState
• LoadState
• Read instructions and control parameters from INF
  files
• ScanState
• Used to create a backup of the user data
• LoadState
• Used to copy the data onto new target system

24
Summary

• Three types of users
• Locally created users
• Imported users
• Domain users
• Users are collected into groups
• Simplifies management and grant access or
  privileges
• There are two built-in users, Administrator and
  Guest, and several built-in groups
• Profiles can be local or roaming

25
Summary (continued)

• Group policies are domain-level versions of the
  local security policy.
• The Files and Settings Transfer Wizard
• Used to move data files and personal desktop
  settings from one system to another.
• The User State Migration Tool
• Used for enterprise migrations