Title: WINDOWS 2000 NETWORK ENVIRONMENTS
1WINDOWS 2000 NETWORK ENVIRONMENTS
2WINDOWS 2000 WORKGROUP MODEL
A workgroup is a logical grouping of networked
computers that share resources, such as files and
printers. All computers in the workgroup can
share resources as equals, or peers, without a
dedicated server. Each computer in a workgroup
(running either Server or Professional) maintains
a local security database. A local security
database is a list of user accounts and resource
security information for the computer on which it
resides.
3WINDOWS 2000 WORKGROUP MODEL
Advantages
- Does not require a computer running Windows 2000
  Server to hold centralized security information.
- Simple to design and implement. A workgroup does
  not require the extensive planning and
  administration that a domain does.
- Convenient for a limited number of computers in
  close proximity.
4WINDOWS 2000 WORKGROUP MODEL
Disadvantages
- A user must have a user account on each computer
  to which he or she wants to gain access.
- Any changes to user accounts, such as changing a
  password or adding a new user, must be made on
  each computer in the workgroup.
5WINDOWS 2000 DOMAIN MODEL
A domain is a logical grouping of network
computers that share a central directory
database. A directory database contains user
accounts and security information for the domain.
In a domain, the directory resides on computers
that are configured as domain controllers.
Security and administration are centralized.
Only computers running Windows 2000 Server may
be designated as domain controllers.
6WINDOWS 2000 DOMAIN MODEL
Benefits
- Computers in a domain can share physical
  proximity on a small LAN or can be located in
  different corners of the world.
- A domain allows centralized administration
  because all user information is stored centrally.
  If a user changes his or her password, the change
  is replicated throughout the domain.
- A domain provides a single logon process for
  users to gain access to network resources for
  which they have permissions.
- A domain provides scalability so that an
  administrator can create very large networks.
7DIRECTORY SERVICES
A directory is a stored collection of information
about objects that are related to one another in
some way. You use a directory service to
uniquely identify users and resources on a
network. Windows 2000 Server uses Active
Directory to provide directory services.
8Why Have a Directory Service?
A directory service provides the means to
organize and simplify access to resources of a
networked computer system. A directory service
makes it possible to find an object based on one
or more of its attributes. Administrators and
Users can use a directory service to query the
directory for a list of objects that match known
attributes.
9ROLES AND BENEFITS OF DIRECTORY SERVICES
Active Directory further simplifies
administration by providing a single point of
administration for all objects on the network.
Because Active Directory provides a single point
of logon for all network resources, an
administrator can log on to one computer and
administer objects on any computer in the
network.
10ADMINISTRATIVE TASKS AND TOOLS
Administrative Tasks
1. Account Administration
2. Security Administration
3. Printer Administration
4. Monitoring Network Events and Resources
5. Backing Up and Restoring Data
Administrative Tools
1. Computer Management
2. Event Viewer
3. Backup Utility
11ADMINISTRATIVE TASKS
As a network administrator, you are responsible
for creating all user accounts that will be used
either locally or within your domain. This
includes:
- Setting all permissions for the user account
- Passwords (security briefings and expiration)
- Assigning group memberships
12Logging On
A user can log on to either of the following:
- A computer that is a member of a workgroup.
- A computer that is a member of a domain but is
  not a domain controller. The user selects the
  computer name in the Log On To list in the Log On
  To Windows dialog box.
13THE AUTHENTICATION PROCESS
In a Windows 2000 environment there are 2
sources of logon:
- Local
- Server
14THE WINDOWS 2000 SECURITY DIALOG BOX
15THE WINDOWS 2000 SECURITY DIALOG BOX
The Windows Security dialog box displays the user
account currently logged on, the domain or
computer to which the user is logged on, and the
date and time at which the user logged on. The
Windows Security dialog box is accessed by
pressing CTRL+ALT+DEL.
16THE WINDOWS 2000 SECURITY DIALOG BOX
- Lock Computer: Allows you to secure the computer
  without logging off. All programs remain running.
- Log Off: Allows you to log off as the current
  user and close all running programs, but leaves
  Windows 2000 running.
- Shut Down: Prepares the computer so that you can
  safely turn it off.
17THE WINDOWS 2000 SECURITY DIALOG BOX
- Change Password: Allows you to change your user
  account password. You must know the old password
  to create a new one.
- Task Manager: Provides a means to end a program
  that is running or has stopped responding.
- Cancel: Closes the Windows Security dialog box.
18SUMMARY
19QUESTIONS
20CHECK FOR LEARNING
True or False: In a workgroup there is no
centralized account management?
True
Yes or No: In a workgroup, does each computer
manage its own resources and accounts?
Yes
In a Windows 2000 environment, what are the 2
sources of logon?
Local and Server
21CHECK FOR LEARNING
What does Directory Services provide?
A directory service provides the means to
organize and simplify access to resources of a
networked computer system.
What option in the Windows 2000 Security dialog
box allows a user to leave his workstation
unattended, allowing no access?
Lock
What allows a user to close a program that has
failed to respond?
Task Manager
22CREATING AND MANAGING USER ACCOUNTS
User accounts are records that contain unique
user information, such as user name, password,
and any logon restrictions. User accounts enable
users to log on to Windows 2000 computers or
domains. There are two types of user accounts:
built-in accounts and user accounts that you
create (local or domain).
23LOCAL USER ACCOUNTS
Local user accounts allow users to log on at and
gain access to resources on only the computer
where you create the local user account.
24DOMAIN USER ACCOUNTS
Domain user accounts allow users to log on to the
domain and gain access to resources anywhere on
the network. Domain accounts are created on the
domain controller.
25BUILT IN USER ACCOUNTS
Windows 2000 automatically creates accounts
called built-in accounts. Two commonly used
built-in accounts are Administrator and
Guest. Use the built-in Administrator account to
manage the overall computer or to manage the
domain configuration. Use the built-in Guest
account to give occasional users the ability to
log on and gain access to resources. By default,
the Guest account is disabled during
installation.
26PLANNING NEW USER ACCOUNTS
27NAMING CONVENTIONS
- User Account Names Must Be Unique
- User Accounts Can Contain Up to 20 Characters
- Example Naming Conventions
  - Duplicate Names: BarbaraL or BarbaraLa;
    Barbara1 or Barbara2
  - Temporary Employees: T-BarbaraL
28PASSWORD REQUIREMENTS
- ASSIGN THE ADMINISTRATOR ACCOUNT A PASSWORD
- Determine whether the Administrator or the
  users will control passwords.
- Passwords are case sensitive.
- Passwords can be up to 127 characters; a
  minimum length of eight characters is
  recommended.
- Use both uppercase and lowercase letters,
  numerals, and valid nonalphanumeric characters.
29WHERE ARE ACCOUNTS CREATED
When you create a local user account, Windows
2000 creates the account only in that computer's
security database, which is called the local
security database. Windows 2000 doesn't replicate
local user account information to any other
computer. You create a domain user account in
the copy of the Active Directory database (the
Directory) on a domain controller. The domain
controller replicates the new user account
information to all domain controllers in the
domain.
30COMPUTER MANAGEMENT SNAP - IN
Use the Computer Management snap-in to create a
new local user account. When you create a local
user account, it is always created in the local
security database of that computer.
31COMPUTER MANAGEMENT SNAP - IN
Using the Local Users and Groups snap-in you
create, delete, or disable local user accounts on
the local computer in a workgroup. You cannot
create local user accounts on a domain
controller.
32CREATING A USER ACCOUNT
Local Users and Groups snap-in and the New User
dialog box
33CREATING A USER ACCOUNT
To add a new user, open your Computer Management
Console. Click on Action, New User.
34CREATING A USER ACCOUNT
The New User dialog box opens. Type your user
name and full name, and enter student as the
description. Enter a password and click Create.
35CREATING A USER ACCOUNT
A New User dialog box reappears, click Close.
36CREATING A USER ACCOUNT
At the Computer Management Console the New Local
User now appears in the list of Local Users.
37SETTING ACCOUNT PROPERTIES(WORKSTATION)
To set account properties, highlight the account,
click Action in the menu bar, then Properties.
38SETTING ACCOUNT PROPERTIES(WORKSTATION)
The Account Properties dialog box appears. Here
it states the Username and description. Click
the Member Of tab.
39SETTING ACCOUNT PROPERTIES(WORKSTATION)
The Member Of dialog box displays the group
membership. Click the Add button.
40SETTING ACCOUNT PROPERTIES(WORKSTATION)
The Select Group dialog box appears. Here you
have the choices of Groups to add this account to.
41SETTING ACCOUNT PROPERTIES(WORKSTATION)
To add a membership, highlight the Group and
click the ADD button. Leave the User Account just
created a member of the Users Group. Click Cancel.
42SETTING ACCOUNT PROPERTIES(WORKSTATION)
Here is an example of adding Administrator Group
membership.
43SETTING ACCOUNT PROPERTIES(WORKSTATION)
At the User Account Properties dialog box click
the Apply button. Next click the Profile tab.
44SETTING ACCOUNT PROPERTIES(WORKSTATION)
The login script can be used to establish network
connections or start applications. Each time a
user logs on, the assigned logon script is
run. Windows 2000 provides you with the means to
create another location for users to store their
personal documents. Click OK.
45DELETING AND RENAMING USER ACCOUNTS
Occasionally you may want to rename or delete a
user account. Renaming a user account retains
all info to the account properties including
group memberships, permissions and rights for the
new user of the account. Deleting a user
account the user account is Permanently
removed. The two built-in accounts,
Administrator and Guest, cant be deleted,
although they can be renamed.
46RENAMING A USER ACCOUNT
To Rename a User Account, highlight the account,
Click Action in the menu bar, then Rename.
47RENAMING A USER ACCOUNT
You are now able to type a new name for the user
account. Enter your last name and press Enter.
48RENAMING A USER ACCOUNT
The user account name is now changed.
49DELETING A USER ACCOUNT
To delete a user account, highlight the user
name, click Action in the menu bar and select
Delete.
50DELETING A USER ACCOUNT
The Local Users and Groups dialog box
appears. Click YES to confirm that you want to
delete the User Account.
51DELETING A USER ACCOUNT
The Computer Management Console now shows that
the User Account has been deleted.
52CREATING USER PROFILES
A user profile is a collection of folders and
data that stores the user's current desktop
environment, application settings, and personal
data. User profiles maintain consistency for
users in their desktop environments by providing
each user with the same desktop environment that
he or she had the last time that he or she was
logged on to the computer.
53CREATING USER PROFILES
A user profile is created for each user when he
or she logs on to a computer for the first time.
Some advantages to users are:
- More than one user can use the same computer,
  and each receives desktop settings when the user
  logs on.
- Customization of the desktop environment by one
  user does not affect another user's settings.
54PROFILE TYPES
There are three types of user profiles:
- Local User Profile
- Roaming User Profile
- Mandatory User Profile
55LOCAL USER PROFILE
A local user profile is created the first time
you log on to a computer and is stored on a
computer's local hard disk. Any changes made to
your local user profile are specific to the
computer on which you make the changes.
56ROAMING USER PROFILE
To support users who work at multiple computers,
you can set up roaming user profiles. A roaming
user profile is a user profile that you set up on
a network server so that the profile is available
to the user no matter where the user logs on in
the domain.
57MANDATORY USER PROFILE
A mandatory user profile is a read-only roaming
user profile. Users can modify the desktop
settings of the computer while they are logged
on, but none of these changes is saved when they
log off. The next time that the user logs on,
the profile is the same as the last time that the
user logged on.
58MAINTAINING USER ACCOUNTS
- Disabling and enabling a user account. You
  disable a user account when a user does not need
  an account for an extended period of time.
- Resetting passwords. If a user's password
  expires before they can change it, or if a user
  forgets their password, you need to reset the
  password.
- Unlocking user accounts. A Windows 2000 policy
  locks out a user account when the user violates
  the policy; for example, if the user exceeds the
  limit that a policy allows for bad logon
  attempts, they get locked out.
59QUESTIONS
60CHECK FOR LEARNING
Q: What Windows 2000 tool can you use to create
user accounts?
A: The Computer Management snap-in
Q: What are the two built-in user accounts?
A: Administrator and Guest
61PRACTICAL EXERCISE 1: Part 1 CREATE, Part 2
RENAME, Part 3 DELETE LOCAL USER ACCOUNTS
62ACCOUNT POLICIES
The Windows 2000 system policy file is a
collection of user, group and computer policies.
System policy restricts the user's ability to
perform certain tasks on any Windows 2000
computer on the network to which the user logs
on. In addition to enabling the administrator to
limit the changes users can make to their work
environments, system policy can be used as a
security measure to limit access to parts of the
network.
63ACCOUNT POLICIES
There are 2 main configurable sections within
Account Policies:
- Password Policy
- Account Lockout Policy
64ACCOUNT POLICIES
- Only members of the Administrators local group
  can manage account policy, user rights, and
  auditing.
- Policy applies to all users of the domain or of
  the local computer.
65Configuring Password Policy
Password Policy allows you to improve security on
your computer by controlling how passwords are
created and managed. Other settings are
available in Password Policy that you can use to
improve your computer's security. For example,
you can specify a minimum password length and/or
maintain a history of the passwords used. A
password history prevents a user from having two
passwords and alternating between them.
66Configuring Password Policy
Enforce Password History: The value you enter in
this setting is the number of passwords to be
kept in a password history. You can set the value
from 0 to 24. This value is the number of new
passwords that a user must use before he or she
can reuse an old password.
67Configuring Password Policy
Maximum / Minimum Password Age: The value you
enter in this setting is the number of days a
user can use a password before he or she is
required to change it. A value of 0 indicates
that the password will not expire. The default
value is 42 days. You can set the range of values
from 0 to 999 days.
68Configuring Password Policy
Minimum Password Length: The value you enter in
this setting is the minimum number of characters
required in a password.
Maximum Password Length: The value you enter in
this setting is the maximum number of characters
that is recognizable in a domain utilizing all
Windows operating systems. This maximum is 14
characters, even though in a Windows 2000 domain
you could enter up to 127 characters.
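Added example (not part of the original slides and not Windows code): a small Python model of how Enforce Password History, Maximum Password Age and Minimum Password Age interact. The class and function names, the sample passwords and the start date are constructed for illustration, and the model assumes the current password occupies one history slot.

```python
# Added example: a small model of the Password Policy settings on these slides.
# Illustration only, not Windows code; the hashing below is a stand-in.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

START = datetime(2000, 2, 17)  # constructed start date for the sample runs


@dataclass
class PasswordPolicy:
    history_size: int = 0   # Enforce Password History: 0 to 24 passwords
    max_age_days: int = 42  # Maximum Password Age: 0 = never expires, up to 999
    min_age_days: int = 0   # Minimum Password Age: days before the next change
    min_length: int = 8     # Minimum Password Length

    def __post_init__(self) -> None:
        if not 0 <= self.history_size <= 24:
            raise ValueError("password history must be 0 to 24")
        if not 0 <= self.max_age_days <= 999:
            raise ValueError("maximum password age must be 0 to 999 days")


def fingerprint(password: str) -> str:
    # Stand-in so the model keeps no clear text; not how Windows stores passwords.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Account:
    policy: PasswordPolicy
    history: List[str] = field(default_factory=list)  # oldest first, current last
    changed_at: Optional[datetime] = None

    def change_password(self, new: str, now: datetime) -> str:
        p = self.policy
        if len(new) < p.min_length:
            return "rejected: shorter than minimum length"
        if self.changed_at and now - self.changed_at < timedelta(days=p.min_age_days):
            return "rejected: minimum password age not reached"
        if fingerprint(new) in self.history:
            return "rejected: still in password history"
        self.history.append(fingerprint(new))
        # Model assumption: the current password occupies one history slot.
        self.history = self.history[-p.history_size:] if p.history_size else []
        self.changed_at = now
        return "accepted"

    def is_expired(self, now: datetime) -> bool:
        if self.policy.max_age_days == 0 or self.changed_at is None:
            return False  # 0 means the password never expires
        return now - self.changed_at > timedelta(days=self.policy.max_age_days)


def run_changes(policy: PasswordPolicy, passwords: List[str], step_days: int = 0) -> List[str]:
    """Apply the changes in order, step_days apart, and return each outcome."""
    acct, now, results = Account(policy), START, []
    for pw in passwords:
        results.append(acct.change_password(pw, now))
        now += timedelta(days=step_days)
    return results


def expired_after(policy: PasswordPolicy, days: int) -> bool:
    """Set a password on START and report whether it has expired `days` later."""
    acct = Account(policy)
    acct.change_password("Winter#2000", START)
    return acct.is_expired(START + timedelta(days=days))


if __name__ == "__main__":
    flip = ["Winter#2000", "Summer#2000", "Winter#2000"]  # constructed passwords
    print(run_changes(PasswordPolicy(history_size=0), flip))  # alternation allowed
    print(run_changes(PasswordPolicy(history_size=2), flip))  # third change rejected
    cycle = flip[:2] + ["Autumn#2000", "Winter#2000"]
    print(run_changes(PasswordPolicy(history_size=2), cycle))  # history outrun
    print(run_changes(PasswordPolicy(history_size=2, min_age_days=1), cycle))
    print(expired_after(PasswordPolicy(), 43), expired_after(PasswordPolicy(max_age_days=0), 900))
```

The third and fourth runs show why a password history is normally paired with a minimum password age: without one, a user can change passwords several times in a row and return to the original.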
69ACCOUNT LOCKOUT
The Account Lockout Policy settings also allow
you to improve the security on your computer. If
no account lockout policy is in place, an
unauthorized user can repeatedly try to break
into your computer. If, however, you have set an
account lockout policy, the system will lock out
the user account under the conditions you specify
in Account Lockout Policy.
70ACCOUNT LOCKOUT
Account Lockout Duration: This value indicates the
number of minutes that the account is locked out.
A value of 0 indicates that the user account is
locked out indefinitely until the Administrator
unlocks the user account. You can set the value
from 0 to 99999 minutes. (The maximum value of
99999 minutes is approximately 69.4 days.)
71ACCOUNT LOCKOUT
Account Lockout Threshold: The value you enter in
this setting is the number of invalid logon
attempts it takes before the user account is
locked out from logging on to the computer. You
can set the range of values from 0 to 999
attempts.
Reset Account Lockout Counter After: The value
you enter in this setting is the number of
minutes to wait before resetting the account
lockout counter.
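Added example (not part of the original slides and not Windows code): a Python model of how the three Account Lockout Policy settings work together. The class names and sample logon events are constructed; the model assumes a successful logon clears the bad-attempt counter and that a threshold of 0 disables lockout.

```python
# Added example: a model of the three Account Lockout Policy settings.
# Illustration only, not Windows code. Time is counted in whole minutes.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 3         # invalid logon attempts before lockout, 0 to 999
    duration_min: int = 30     # 0 = locked until an administrator unlocks
    reset_after_min: int = 30  # minutes to wait before the counter resets

    def __post_init__(self) -> None:
        if not 0 <= self.threshold <= 999:
            raise ValueError("threshold must be 0 to 999 attempts")
        if not 0 <= self.duration_min <= 99999:
            raise ValueError("duration must be 0 to 99999 minutes")


class LockableAccount:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.bad_count = 0
        self.last_bad: Optional[int] = None   # minute of the latest bad attempt
        self.locked_at: Optional[int] = None  # minute the lockout began

    def admin_unlock(self) -> None:
        self.bad_count, self.last_bad, self.locked_at = 0, None, None

    def is_locked(self, now: int) -> bool:
        if self.locked_at is None:
            return False
        d = self.policy.duration_min
        if d != 0 and now - self.locked_at >= d:
            self.admin_unlock()  # duration elapsed: same effect as a manual unlock
            return False
        return True              # d == 0 stays locked until admin_unlock()

    def logon(self, now: int, password_ok: bool) -> str:
        if self.is_locked(now):
            return "locked out"  # even the correct password is refused
        if password_ok:
            self.bad_count, self.last_bad = 0, None  # model assumption
            return "logged on"
        p = self.policy
        if self.last_bad is not None and now - self.last_bad >= p.reset_after_min:
            self.bad_count = 0   # counter reset window has passed
        self.bad_count += 1
        self.last_bad = now
        # Model assumption: a threshold of 0 disables lockout.
        if p.threshold and self.bad_count >= p.threshold:
            self.locked_at = now
            return "bad password, account locked"
        return "bad password"


def replay(policy: LockoutPolicy, events: List[Tuple[int, bool]]) -> List[str]:
    """Feed (minute, password_ok) logon events to a fresh account."""
    acct = LockableAccount(policy)
    return [acct.logon(minute, ok) for minute, ok in events]


if __name__ == "__main__":
    burst = [(0, False), (1, False), (2, False), (3, True), (40, True)]  # constructed
    print(replay(LockoutPolicy(), burst))                # locks, then expires
    typos = [(0, False), (45, False), (90, False), (91, True)]  # constructed
    print(replay(LockoutPolicy(), typos))                # counter resets between typos
    print(replay(LockoutPolicy(duration_min=0), burst))  # stays locked
```

With a duration of 0 the last run never recovers on its own, which matches the slide: the account stays locked until the Administrator unlocks it.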
72Planning Good Account Policies
73TROUBLESHOOTING LOGON PROBLEMS
74QUESTIONS
75CHECK FOR LEARNING
Q: What is the default setting for Maximum
Password Age?
A: Expires 42 days
Q: What are the two main configurable sections
in the Account Policy dialog box?
A: The Password restriction section, and the
Account lockout section
76PRACTICAL EXERCISE 2: MANAGING ACCOUNT POLICIES
77GROUP ACCOUNT ADMINISTRATION
78INTRODUCTION TO GROUPS
A group is a collection of user accounts. Groups
simplify administration by allowing you to assign
permissions and rights to a group of users rather
than having to assign permissions to each
individual user account.
79PERMISSIONS
Permissions control what users can do with a
resource, such as a folder, file, or printer.
When you assign permissions, you give users the
capability to gain access to a resource, and you
define the type of access that they have.
80LOCAL GROUPS
A local group is a collection of user accounts on
a computer. Use local groups to assign
permissions to resources residing on the computer
on which the local group is created. Windows 2000
creates local groups in the local security
database. Local Groups are used to control
access to network resources.
81GUIDELINES FOR LOCAL GROUPS
- You can use local groups only on the computer
  where you create the local groups.
- You can assign permissions to local groups for
  access to only the resources on the computer
  where you create the local groups.
82MEMBERSHIP RULES FOR LOCAL GROUPS
- Local groups can contain local user accounts
  from the computer where you create the local
  groups as well as members of the domain.
- Local groups can't be a member of any other
  group.
83CREATING LOCAL GROUPS
Use the Computer Management snap-in to create
local groups. NOTE: You can't create local
groups on domain controllers because domain
controllers cannot have a security database that
is independent of the database in Active
Directory directory services.
84Deleting Local Groups
Each group that you create has a unique,
nonreusable identifier. Windows 2000 uses this value
to identify the group and the permissions that
are assigned to it. When you delete a group,
Windows 2000 doesn't use the identifier again,
even if you create a new group with the same name
as the group that you deleted. Therefore, you
cannot restore access to resources by recreating
the group.
85Deleting Local Groups
When you delete a group, you delete only the
group and remove the permissions and rights that
are associated with it. Deleting a group doesn't
delete the user accounts that are members of the
group.
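Added example (not part of the original slides and not Windows code): a Python model of why re-creating a deleted group under the same name does not restore access. All names and identifier values are constructed; the model assumes the folder's old entry stays in place, keyed by the retired identifier, and simply matches no group.

```python
# Added example: why re-creating a deleted group does not restore access.
# Illustration only, not Windows code; identifier values are constructed.
import itertools
from typing import Dict, List, Set


class LocalSecurityDatabase:
    def __init__(self) -> None:
        self._ids = itertools.count(1001)       # each identifier is issued once
        self.groups: Dict[str, int] = {}        # group name -> identifier
        self.members: Dict[int, Set[str]] = {}  # identifier -> user names
        self.users: Set[str] = set()

    def create_group(self, name: str) -> int:
        if name in self.groups:
            raise ValueError(f"group {name!r} already exists")
        gid = next(self._ids)
        self.groups[name], self.members[gid] = gid, set()
        return gid

    def add_member(self, group: str, user: str) -> None:
        self.users.add(user)
        self.members[self.groups[group]].add(user)

    def delete_group(self, name: str) -> None:
        # Only the group goes away; its member user accounts remain.
        del self.members[self.groups.pop(name)]


class SharedFolder:
    def __init__(self, name: str) -> None:
        self.name = name
        self.acl: Dict[int, str] = {}  # identifier -> permission, never a name

    def grant(self, db: LocalSecurityDatabase, group: str, permission: str) -> None:
        self.acl[db.groups[group]] = permission

    def permissions_for(self, db: LocalSecurityDatabase, user: str) -> List[str]:
        return sorted(perm for gid, perm in self.acl.items()
                      if user in db.members.get(gid, ()))

    def orphaned_entries(self, db: LocalSecurityDatabase) -> List[int]:
        """Identifiers on the folder that no longer match any existing group."""
        return sorted(gid for gid in self.acl if gid not in db.members)


def demo() -> Dict[str, object]:
    db, folder = LocalSecurityDatabase(), SharedFolder("Reports")  # constructed names
    old_id = db.create_group("Auditors")
    db.add_member("Auditors", "BarbaraL")
    folder.grant(db, "Auditors", "Read")
    before = folder.permissions_for(db, "BarbaraL")

    db.delete_group("Auditors")
    new_id = db.create_group("Auditors")        # same name, new identifier
    db.add_member("Auditors", "BarbaraL")
    after = folder.permissions_for(db, "BarbaraL")

    orphaned = folder.orphaned_entries(db)
    folder.grant(db, "Auditors", "Read")        # access returns only when re-granted
    return {"old_id": old_id, "new_id": new_id, "before": before, "after": after,
            "orphaned": orphaned, "regranted": folder.permissions_for(db, "BarbaraL"),
            "user_kept": "BarbaraL" in db.users}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```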
86SUMMARY ON CREATING LOCAL GROUPS
- A group is a collection of user accounts. Groups
  simplify administration by allowing you to assign
  permissions and rights to a group of users rather
  than having to assign permissions to each
  individual user account.
- When naming a group, you make the name intuitive.
- You also learned that you use the Computer
  Management snap-in to create groups, to add
  members to a group, to remove members from a
  group, and to delete groups.
87Built-In Groups
Windows 2000 has two categories of built-in
groups: local and system. Built-in groups have a
predetermined set of user rights or group
membership. Windows 2000 creates these groups for
you so you don't have to create groups and assign
rights and permissions for commonly used
functions.
88Built-In Local Groups
All computers running Windows 2000 have built-in
local groups. Built-in local groups give rights
to perform system tasks on a single computer,
such as backing up and restoring files, changing
the system time, and administering system
resources.
89Built-In Local Groups
- Administrators: Members can perform all
  administrative tasks on the computer.
- Backup Operators: Members can use Windows Backup
  to back up and restore the computer.
90Built-In Local Groups
- Guests: Members can perform only tasks for which
  you have specifically granted rights and can gain
  access only to resources for which you have
  assigned permissions.
- Power Users: Members can create and modify local
  user accounts on the computer and share
  resources.
91Built-In Local Groups
- Replicator: Supports file replication in a
  domain.
- Users: Members can perform only tasks for which
  you have specifically granted rights and can gain
  access only to resources for which you have
  assigned permissions.
92Built-In System Groups
Built-in system groups exist on all computers
running Windows 2000. System groups don't have
specific memberships that you can modify. You
don't see system groups when you administer
groups, but they are available for use when you
assign rights and permissions to resources. An
example of a System Group is the Everyone Group
seen when Sharing Resources such as files or
printers.
93Built-In System Groups
EXAMPLE OF A SYSTEM GROUP
Everyone: Includes all users who access the
computer.
94BUILT IN GROUP SUMMARY
Windows 2000 has two categories of built-in
groups: local and system. Windows 2000 creates
these groups for you so you don't have to create
groups and assign rights and permissions for
commonly used functions.
95QUESTIONS
96CHECK FOR LEARNING
Where can local groups be created?
Local groups can be created on any Windows 2000
computer that is not a Domain Controller.
Which groups can be renamed?
All groups can be renamed
What are the two categories of Built In Local
Groups?
Local and System
97PRACTICAL EXERCISE 3: Part 1 CREATE A LOCAL
GROUP, Part 2 DELETE A LOCAL GROUP
98ADMINISTERING SHARED FOLDERS
99ADMINISTERING SHARED FOLDERS
You use shared folders to provide network users
with access to file resources. When a folder is
shared, users can connect to the folder over the
network and gain access to the files that it
contains. However, to gain access to the files,
users must have permissions to access the shared
folders.
100SHARED FOLDER PERMISSIONS
- Shared folder permissions apply to folders, not
  individual files. You can apply shared folder
  permissions only to the entire shared folder, and
  not to individual files or subfolders in the
  shared folder.
- Shared folder permissions don't restrict access
  for users who gain access to the folder at the
  computer where the folder is stored. They apply
  only to users who connect to the folder over the
  network.
101SHARED FOLDER PERMISSIONS
A shared folder appears in Windows Explorer as an
icon of a hand holding the shared folder. To
control how users gain access to a shared folder,
you assign shared folder permissions.
102MODIFYING SHARED FOLDERS
After a shared folder is created, you may want to
modify its properties.
103Best Practices
104REQUIREMENTS FOR SHARING FOLDERS
In Windows 2000, the Administrators and Power
Users groups can share folders. When you share a
folder, you can give it a share name, provide
comments to describe the folder and its content,
limit the number of users who have access to the
folder, and assign permissions.
105QUESTIONS
106CHECK FOR LEARNING
What is the purpose of a shared folder?
You use shared folders to provide network users
with access to file resources.
What controls how users gain access to shared
folders?
Share Permissions
107PRACTICAL EXERCISE 4: CREATING SHARED FOLDERS
108 Intro to Windows 2000 Printing
109PRINTING TERMS
Print Device: Actual hardware device that
produces printed documents.
Printer: Software interface between the
operating system and the print device.
Network-Interface Print Device: Print devices
with their own network cards that connect
directly to the network.
Print Server: Computer running the printer
software, receives and processes documents from
clients.
110PRINTING TERMS CONT.
Queue: Group of documents waiting to be printed.
Print Spooler: Collection of dynamic-link
libraries (DLL) that receive, process, schedule,
and distribute documents.
Spooling: Process of writing a print job to a
file, called a spool file, on disk.
111REQUIREMENTS FOR SETTING UP PRINTING
- Computer configured as print server running
  Windows 2000 Server or Windows 2000 Professional.
- Hard-disk spool file space.
- Client computers running one of the following:
  - Windows NT
  - Windows 9X Series
  - Windows 2000
112How Documents Print
113Setting Up a Network Print Device
114SHARING A PRINT DEVICE
The purpose of sharing a print device on a
Windows 2000 computer is to enable users of other
computers on the network to connect to and send
print jobs to the shared print device. The
computer that hosts the shared print device is
called a print server. The print server performs
all of the spooling, print job management,
scheduling, and sending of the final print jobs
to the print device.
115ASSIGNING PRINTER PERMISSIONS
FOUR LEVELS OF PERMISSIONS
116Best Practices
117CHECK FOR LEARNING
What is a printer in Windows 2000 terminology?
A printer is the software interface between
Windows 2000 and the device that produces the
printed output
What is the purpose of sharing a print device?
The purpose of sharing a print device is to
enable users of other computers on the network to
connect to and send print jobs to that print
device.
118PRACTICAL EXERCISE 7: ADDING A NETWORK PRINTER