Document: Managing Users and Groups (ppt)


DOCUMENT INFORMATION

Basic information

Title: Managing Users and Groups
School: Unknown University
Field: Computer Science / Networking
Type: Textbook
Year published: 2000
Pages: 54
Size: 531.14 KB


Contents



Managing Users and Groups

If you are passionate about being a network or domain administrator, then managing users and groups will give you a lot of satisfaction; it can be a very powerful position in a company. On the other hand, unless you understand the fundamentals, manage the processes sensibly, and learn the tools and resources, it can become an extremely frustrating responsibility. Our administration mantra is: Use your common sense and learn to do it right before you take up the task. This chapter helps you to get the best out of the Windows 2000 user and group management philosophy and tools.

Despite Microsoft’s Zero Administration Windows (ZAW) initiative, user and group management has become a lot more complex in Windows 2000. The complexity has a lot to do with the improved User and Group objects and the new support in Active Directory, such as Group Policy. Combined with the burden of integrating Windows NT 4.0 and earlier networks, the administrative task will not be easy in the short term.

This might improve over the years because many companies and, especially, administrators are certain to develop tools for the Active Directory that automate the repetitive stuff and enhance the experience of working with Active Directory (and we touch on that in here). In that the directory is open and supports a widely available API (ADSI) and access protocol (LDAP), we have to give credit where credit is due. For example, you can extend the User and Group objects to suit your enterprise requirements or custom applications. What you will learn in this chapter will put you on the road to such advanced administration.

In this chapter, we will study User and Group objects and understand their function. We will entertain user management practice and policy with respect to users, groups, and computers. We will also discuss the process of integrating legacy Windows NT accounts with Windows 2000 domains and how to sensibly manage users and groups on Windows 2000 mixed and native mode networks.

Chapter 10

In This Chapter

Understanding Groups
Creating User Accounts
Creating Groups
Managing Users and Groups

This chapter does not discuss management of the user workspace. Advanced items such as Group Policy, user profiles and logon scripts, workspace management, and so on, are discussed in Chapter 11.

The Windows 2000 Account: A User’s Resource

No one can work in a company, use any computer, or attach to any network without access to a user account. A user account is like the key to your car. Without the key, you cannot drive anywhere.

What Is a User?

This question may seem patronizing at first, but in a Windows network domain (and also the local computer), the definition of user relates to autonomous processes, network objects (devices and computers), and humans. Human users exploit the networks or machines to get work done, meet deadlines, and get paid. But any process, machine, or technology that needs to exploit another object on the network or machine is treated as a user by the Windows operating systems. In a nutshell, the Windows 2000 security subsystem does not differentiate between a human and a device using its resources. All users are viewed as “security principals,” which at first are trusted.

When you install Windows 2000 (not upgrade) or create a new Active Directory domain, the operating system and its elements are completely exposed. The governing policy on a new domain is that everyone can access everything. This makes sense: Keep the doors open until the jewels have been delivered. As soon as you begin adding users to the system, and they begin adding resources that need protection, you should begin using the tools described in this chapter and in several others to lock down the elements and secure the network.

User objects are derived from a single user class in Active Directory, which in turn derives from several parents. Machine accounts are thus derived from the User object. To obtain access to the User object, you need to reference its distinguished name (DN) in program or script code. This is handled automatically by the various GUI objects, but if you plan to write scripts that access the object, you should be referencing the object’s GUID.

What Are Contacts?

Contacts are new objects in Windows 2000 networks. They are derived from the same class hierarchy as the User object; however, the Contact object does not inherit security attributes from its parent. A contact is thus only used for communication purposes: for e-mail, faxing, phoning, and so on. Windows 2000 distribution lists are made up of contacts.

Note: You can access Active Directory contacts from the likes of Outlook and Outlook Express and any other LDAP-compliant client software. The Contact object is almost identical to the object in the Windows Address Book (WAB). Later, we show you how to force Outlook and Outlook Express to default to Active Directory as its contact repository.

Local Users and “Local Users”

The term local user is often used to describe two types of users: users local to machines that log on locally to the workstation service, and users that are local to a network or domain. Using the term interchangeably can cause confusion among your technical staff, and you have enough confusing things to deal with.

We believe it makes sense to refer to local users as users who log on locally to a workstation or PC or a server. In other words, the local user can log on to the machine he or she is actually sitting at, where accounts have been created, or into a remote machine that has granted the user the “right” to log on locally, such as an application server that is accessed by a terminal session on a remote client.

When referring to generic users on the domain or users collectively, it makes more sense to refer to these users as domain users or domain members. However, as we will discuss later, a user can also be a member of a local domain, and such an account is often referred to as a local user. On legacy NT domains, this was further confused by the ability to create a “local account,” which was meant for users from non-trusted domains. This is no longer the case with Windows 2000 domains.

Whether you agree or not, we suggest you decide what the term local user means to your environment and then stick to that definition.

Domain controllers (DCs) are not supposed to provide local logon services other than to administrators, and it is documented that there is no way to log on locally (also known as interactive logon) to a DC from another machine. However, we have found that not to be true because Group Policy can be changed to allow local logon.

See Chapter 25 for information on how to log on locally to a domain controller.

What Is a Group?

Groups are collections of users, contacts, computers, and other groups (a process known as nesting). Groups are supported in Active Directory (much to the horror of directory purists) and in the local computer’s security subsystem. How Windows 2000 works with groups is discussed later in this chapter. Figure 10-1 illustrates the group container philosophy.

You would be right to wonder why Microsoft gives us both groups and organizational units (OUs) to manage. Groups, however, are a throwback to the Windows NT era. Remember, Windows 2000 is built on NT, and groups were thus inherited from the earlier technology and enhanced for Windows 2000. Although groups may appear to be a redundant object next to OUs, they are a fact of Windows 2000 and are here to stay. They are also extremely powerful management objects.


Figure 10-1: Groups are collections or concentrations of users, computers, and other groups.

The difference between groups and OUs is explained in Chapters 2 and 7, and later in this chapter.

Specifically, we create and use groups to contain the access rights of User objects and other groups within a security boundary. We also use groups to contain User objects that share the same access rights to network objects, such as shares, folders, files, printers, and so on. Groups thus provide a security filter against which users and other groups are given access to resources. This critical role of the groups is illustrated in Figure 10-2.

It is not good practice to stick user accounts into every nook and cranny of a Windows domain. If you start that practice, you will soon have a domain that resembles a bowl of rice noodles at your local dim sum. It is a wonder that Microsoft engineers still allow us to stick a user account anywhere, because that practice is very rare on a well-run network. We believe the only place you should put a user is into a group, even if the group never sees more than one member. Make this your number one user management rule: “Users live in groups. Period.”


Figure 10-2: Groups provide a security “filter” against which users and other groups are given access to resources.

We can also use groups to create distribution lists (a new type of group). For example, we can create a group, and every user in the group will receive any e-mail sent to it. This is a boon for e-mail administrators.

Groups versus organizational units

Many now feel that the Group object has been rendered redundant by the OU. That might be the case if OUs were recognized by the security subsystem and the access control mechanisms; that is, if they were security principals. But the Group object is a sophisticated management container that is able to bestow all manner of control over the user accounts and other groups it contains.

What we believe is good about the group is that it can be used to contain a membership across organizational and multiple domain boundaries. An organizational unit, on the other hand, belongs to a domain. Complex mergers and acquisitions, and companies that are so dispersed that their only “geographical” boundary is between the earth and the moon, are excellent candidates that could use groups to contain memberships from the organizational units of their acquisitions or member companies and departments. Figure 10-3 illustrates how one group called Accounting can contain the department heads and key people from several Accounting departments throughout the enterprise.

[Figure labels: object(objectname): 1 Read, 2 Execute, 3 Write]

Figure 10-3: The Accounting group is a universal container that allows its members to access resources in the departments of several corporate domains in a forest.

Microsoft could have given the same power to the OU, but it did not, at least in the first version of Windows 2000. Instead, it is hoping we will see how groups and OUs fit into the overall management philosophy. Our guess is that it would have caused a serious delay in the release of Windows 2000 had Microsoft made OU security principals behave like groups. We look at the differences a little later; suffice it to say now that the Group object is certainly not redundant; it is a very powerful management tool.

What is a network from the viewpoint of users and groups?

There are several definitions of a network. From the perspective of users and containers of users, a network is a collection of resources (a collection of network objects as opposed to devices) that can be accessed for services. Users exploit network objects to assist them with their work. Network resources include messaging, printers, telecommunications, information retrieval, collaboration services, and more.

Administrators new to Windows 2000 should get familiar with the meaning of network object, for it is used to reference or “obtain a handle” on any network component, both hard and soft.

Exploring the Users and Computers Management Tools

Windows 2000 ships with tools to manage local logon accounts and Active Directory accounts. These tools are Users and Passwords, Local Users and Groups on standalone machines (including workstations running Windows 2000 Professional) and member servers, and Active Directory Users and Computers on domain controllers.


The Active Directory Users and Computers MMC snap-in is the primary tool used to create and manage users in network domains. It is launched from the Administrative Tools menu. Figure 10-4 illustrates the Users and Computers snap-in. This snap-in will almost certainly become more sophisticated as the use of Active Directory increases.

Figure 10-4: The Active Directory Users and Computers snap-in

Run the snap-in. First, let’s put the snap-in into advanced mode so that we can see all the menu options in the Users and Computers MMC library. Select any node in the tree and right-click. Select View ➪ Advanced Features from the pop-up list that appears. A check mark will appear, meaning the entire snap-in is in advanced mode and you can access all menu options.

You will notice that you can also check the item above Advanced Features, the “Users, Groups, and Computers as Containers” menu item. But this may give you too much information to deal with in the learning phase. Select this feature when you know your way around this snap-in.

In the left pane, the snap-in loads the tree that represents the domain you are managing. Note that you can select a number of built-in folders:

✦ The Built-in folder contains the built-in or default groups created when you install the Active Directory and promote the server to a domain controller.

✦ The Computers folder contains any computers that are added to the domain you are managing. It will be empty if you have not added any computers to the domain at this stage.

✦ The Domain Controllers folder will always contain at least one computer: the domain controller you are currently working on.

✦ The ForeignSecurityPrincipals folder is the default container for security identifiers (SIDs) associated with objects from other trusted domains.

✦ The Users folder contains built-in user and group accounts. When you upgrade Windows NT to Windows 2000, all the user accounts from the old NT domain are placed into this folder. This folder is not an OU, and no OU group policy can be linked to it. For all intents and purposes, this folder should be blank, or at least should not contain any accounts, when you first do a clean install of Windows 2000 and promote it to Active Directory. Instead, the built-in accounts should have been placed in the Built-in folder, period. We guess it is one of those things that Microsoft did without very much forethought. But they did give us the ability to move items from folder to folder, and it may make more sense for you to move all the built-in objects to the Built-in folder, especially since you cannot delete them.

✦ The LostAndFound folder contains objects that have been orphaned.

✦ The System folder contains built-in system settings.

Now, before we proceed, know that there are two levels to understanding how user accounts work. You can cover the basics of user accounts by poking around in the Active Directory Users and Computers snap-in MMC panels, or you can make an effort to learn about the most important attributes (compulsory and optional) of user accounts at a lower level. If you are a serious network and Windows administrator, then we suggest the latter. Why?

Firstly, as an administrator, knowing the stuff of which user accounts are made will take your management knowledge and skills to a higher level. You will be able to contribute much more to the overall management of your enterprise network if you know how to perform advanced searches for users, scientifically manage passwords, better protect resources, troubleshoot, and so forth. If you think administrators do not need to know how to program, then think again; it could make a $20K difference, positively, on your salary package.

Secondly, senior administrators and corporate developers may need to circumvent the basic MMC panels and code directly to the Active Directory Service Interfaces (ADSI). On Windows NT 4.0, senior administrators often created scripts that would block-manipulate the accounts in the SAM, or security accounts database. User Manager for Domains was often too dumb to be of use in major domain operations. Top Windows 2000 administrators will need to know how to code to the Active Directory, and write scripts (which will require basic programming knowledge) that make life easier and lessen the administrative burden. Knowing everything about User objects will make your services that much more in demand. We suggest you first read Chapters 2 and 7 before you tackle the following text.


Windows 2000 User Accounts

A Windows 2000 user account can be a domain account or a local account. When you first install any version of Windows 2000 or promote a server to a domain controller, a number of domain and local accounts are automatically created. When you install Active Directory on a server, that is, when you promote it to a domain controller, the local accounts are disabled.

Domain accounts

Domain accounts or network accounts are User account objects that are stored in Active Directory and that are exposed to the distributed Windows networking and security environment. Domain accounts are enterprise-wide. Humans, machines, and processes use domain accounts to log on to a network and gain access to its resources. Each logon attempt goes through a “security clearance” whereby the system compares the password provided by the user against the password stored in the password attribute field in the Active Directory. (Refer to Chapters 2 and 7 for conceptual discussions on attributes.) If the password matches the record, then the user is cleared to proceed and use network resources, perform activities on computers, and communicate.

Remember, Active Directory is a “multi-master” directory service. This means that changes to users and groups are replicated to other member DCs (but not to a local account database). You can manage users on any DC on the network and not worry about locating a primary DC, as was the case with Windows NT 4.0 and earlier. User objects also contain certain attributes that are not replicated to other DCs. These attributes can be considered of interest only to the local domain controller. For example, the attribute LastLogon is of interest only to the local network’s domain controller; it is of no importance to the other domain controllers in the domain or the forest.

You can also create a user account in any part of the AD as long as you have rights to create or manage that User object. While container objects such as OUs and groups serve to assist in the management of collections of users, there is no mechanism other than having admin rights to prevent a user account from being created anywhere in a forest.

no further. An analogy might be that the key to your house only lets you enter your house. All other houses in your neighborhood are off limits.


If you are new to Windows networking, you may be wondering why machines on a Windows 2000 network would have local accounts. As you know, you can create a network of machines and not manage it with Active Directory at all, which would certainly send your cost of ownership soaring. But there are also good reasons why these accounts are better off on the local machine rather than sitting in Active Directory; you will discover these reasons in this chapter. Active Directory users can “connect” to local machines from remote services (such as to the local FTP account), which is achieved by virtue of having the “right” to log on locally at the target machine. Local user accounts can also exist on machines that are part of Active Directory domains, and which are not the domain controllers. You can also make a domain controller an application server for a small business, and allow a number of users to log on locally to the DC by way of terminal sessions. This is discussed in detail in Chapter 25.

Local user accounts are restricted to the Access Control List of the local computer. The local domain itself does not replicate this information off the local machine because it only matters to the local account system, which is not distributed.

The tools to manage the local, machine-native domains can be accessed through the Users and Passwords and Administrative Tools applications in Control Panel.

Predefined accounts

When you install Windows 2000, either as a standalone or member server, or as a domain controller supporting Active Directory, the operating system establishes default accounts. On a standalone machine (server or workstation), the default accounts are local to the machine-native domain and established in the SAM.

On a domain controller — in Active Directory — the default accounts are network accounts. Built-in accounts cannot be deleted, but they can be renamed or moved from one container to another.

The default accounts include administration accounts that enable you to log on and manage the network or the local machine. Windows 2000 also installs built-in machine or Guest accounts and anonymous Internet user accounts. You will notice that these so-called accounts are disabled by default and must be explicitly enabled.

It is a good idea, as soon as feasible, to rename the Administrator account to hide its purpose and thus its access and security level (hiding was not possible on Windows NT). If you have security fears, you can audit the activity of the Administrator to determine who or what is using the account and when.

When you demote a domain controller (DC) to a standalone server, and especially if it is the last DC on the network, the OS prompts you for the password you will use for the local Administrator account. In the process of stripping away AD and its administrator accounts, the OS ensures that you will be able to log on locally and gain access to the machine after the conversion. When AD departs from the server, it hands control of the machine back to the machine-specific domain and Security Account Manager (SAM).


Administrator account

The Administrator account is the first user account created when you install Windows 2000, regardless of which of the four versions of Windows 2000 you are installing. The Administrator account is created in both the local SAM and in Active Directory.

The Administrator is the CEO on Windows 2000 and all earlier versions. By logging on as the Administrator, you get total access to the entire system and network. Without the power of this built-in user, it would be impossible to set up the first objects.

The Administrator account is dangerous, however. Over time, the password to this account gets handed around, and your network goes to hell. We have even seen situations where the Administrator’s account password finds its way around the world in large corporations, even allowing users in foreign domains to mess things up without the key MIS people at HQ finding out. In one situation, it ended up in the hands of a subcontractor who managed to bring an office to a standstill for a week.

So how do you protect this account from abuse? For starters, you cannot delete or disable the account because then it would be too easy to get locked out of the system or fall victim to a denial-of-service (DoS) attack.

But you can rename this account, which presents an opportunity to conceal the Administrator’s true identity and lock down access to it. It then makes common sense, before new (flesh and blood) administrators are added to the domain, to record the Administrator password in a document and then lock it away in a secure place.

1. Rename the Administrator account. Remember to provide a UPN and rename the down-level or NetBIOS name as well, because renaming merely changes the “hidden” attribute and label.

2. Create a new user as a decoy Administrator and endow it with administrator power by assigning the account to the Administrators group. Or leave the account with no powers of administration.

3. Appoint the Administrator (which can be under the new name) account as the manager of this account. This is done on the Organization tab, in the Manager field.

4. Cease using the real Administrator and lock away the password.

You would now be correct in saying, “But that still does not stop someone from getting hold of one of the other administrator accounts and abusing them.” But now you have accounts that can be monitored, audited, disabled, and deleted if they become a security risk. And it might pay in certain circumstances to delete and recreate administrators at certain intervals.

Tip: To rename the Administrator account, you need to first give an Administrator account the “right to rename the Administrator account.” This right is granted by Group Policy, which is discussed in the next chapter. Once you have renamed the real Administrator, you can create a decoy Administrator account.

It is also a wise move to move the Administrator and administrator-type accounts out of the Users folder. There are several reasons for this advice:

✦ Anyone looking for the Administrator will go here first, and denying access to this folder may be impractical.

✦ The security policy governing the Users folder is inherited from the root domain. This means that if for any reason the default or root domain policy changes, it may affect the account without you being aware of the event.

✦ The Administrator accounts are better grouped in the main IS OU, where access is controlled by specific OU policy, focused management, and delegated responsibility.

Here’s how to move the Administrator account:

1. Open Active Directory Users and Computers. Double-click the Users folder.

2. Select the Administrator account in the right-hand pane and right-click your mouse. Now select the Move option. The list of folders and OUs appears.

3. Drill down to a different OU of your choice. Select that OU and click OK.

The Administrator account is now moved to the new OU.
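The rename procedure (steps 1 to 4) and the move procedure just described, scripted as an added example that is not from the book: it uses the ActiveDirectory PowerShell module that Windows Server 2008 R2 and later provide (Windows 2000 itself offered only ADSI scripting for this), and the domain name, the IS OU path and the new account name are assumed placeholders.

```powershell
# Added example (not from the book or Microsoft): scripting the Administrator
# hardening steps and the move out of the Users container. Requires the
# ActiveDirectory module (Windows Server 2008 R2 or later). The domain name,
# the OU path and the new name below are assumed placeholders.
Import-Module ActiveDirectory

$domainDns = 'corp.example.com'                  # placeholder domain
$domain    = Get-ADDomain -Identity $domainDns
$domainDn  = $domain.DistinguishedName
$domainSid = $domain.DomainSID.Value
$newName   = 'ops-root-0417'                     # assumed new name for the real Administrator
$decoyName = 'Administrator'                     # the decoy carries the well-known label
$targetOu  = "OU=IS,$domainDn"                   # assumed OU reserved for administrative accounts

# Find the real built-in Administrator by its well-known RID (500), not by name, and
# keep its objectGUID: the GUID survives the rename and the move, the DN does not.
$realAdmin = Get-ADUser -Identity "${domainSid}-500"
$adminGuid = $realAdmin.ObjectGUID.ToString()

# Step 1: rename the object, and also the UPN and the down-level (sAMAccountName)
# name, because changing the label alone changes nothing the logon process uses.
Rename-ADObject -Identity $adminGuid -NewName $newName
Set-ADUser -Identity $adminGuid `
           -SamAccountName $newName `
           -UserPrincipalName "$newName@$domainDns"

# Step 2: create the decoy directly in the IS OU. This takes the book's second
# option and leaves it without administrative power: it is a tripwire to watch,
# not a working account.
$decoyPassword = Read-Host -AsSecureString -Prompt 'Password for the decoy account'
$decoy = New-ADUser -Name $decoyName `
                    -SamAccountName $decoyName `
                    -UserPrincipalName "$decoyName@$domainDns" `
                    -Path $targetOu `
                    -AccountPassword $decoyPassword `
                    -Enabled $true `
                    -Description 'Decoy; holds no administrative rights' `
                    -PassThru

# Step 3: record the real Administrator (under its new name) as the decoy's manager,
# the equivalent of the Manager field on the Organization tab.
$realAdminDn = (Get-ADUser -Identity $adminGuid).DistinguishedName
Set-ADUser -Identity $decoy.DistinguishedName -Manager $realAdminDn

# The move procedure: take the real account out of the Users container and into the
# IS OU, where OU-level policy and delegated administration apply to it.
Move-ADObject -Identity $adminGuid -TargetPath $targetOu

# Step 4 (stop using the real account, lock the password away) cannot be scripted.
# What can be scripted is a check that the arrangement still holds; run it from a
# scheduled task and alert on any $false. MemberOf covers direct membership only.
function Test-AdminHardening {
    param([Parameter(Mandatory)][string]$DomainDns)

    $d      = Get-ADDomain -Identity $DomainDns
    $rid500 = Get-ADUser -Identity "$($d.DomainSID.Value)-500" -Properties MemberOf, Manager
    $decoy  = Get-ADUser -Filter "SamAccountName -eq 'Administrator'" -Properties MemberOf, Manager
    $admins = (Get-ADGroup -Identity 'Administrators').DistinguishedName
    $usersContainer = "CN=Users,$($d.DistinguishedName)"

    [pscustomobject]@{
        RealAdminRenamed        = $rid500.SamAccountName -ne 'Administrator'
        RealAdminOutOfUsers     = $rid500.DistinguishedName -notlike "*,$usersContainer"
        DecoyExists             = $null -ne $decoy
        DecoyHasNoAdminRights   = ($null -eq $decoy) -or ($decoy.MemberOf -notcontains $admins)
        DecoyManagedByRealAdmin = ($null -ne $decoy) -and ($decoy.Manager -eq $rid500.DistinguishedName)
    }
}

Test-AdminHardening -DomainDns $domainDns
```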

Another means of protecting the network and the Administrator account, and a sophisticated means of management and troubleshooting, is to use the RunAs service. Also known as the secondary logon, it allows a user who is logged on with their regular user account to perform functions with the privileges of another account, typically an administrator’s. RunAs is demonstrated later in this chapter in the configuration of user accounts (see also Chapter 25).

Guest account

The Guest account is the second of the default accounts that are pre-built when you install Windows 2000 the first time, and when you create a domain controller and install Active Directory. The account is useful for guests and visitors who either do not have accounts on any domain in the forest, or whose accounts may be disabled.

The Guest account does not require a password, and you can grant it certain access and rights to resources on the computer (see Rights and Permissions, discussed later in this chapter). We believe the Guest account on any domain should be relocated to an OU whose security and account policy is appropriate to manage security risks. You can leave the Guest account in the Users folder (which is a domain folder and not an OU), but the security policy governing that account in the Users folder is inherited from the root domain. This means that if for any reason the default or root domain policy changes, it will affect the Guest account without you being conscious of the event. The Guest account is also automatically placed into the Guest group, which you may wish to also place in the Visitors OU. You can move the Guest account with Active Directory Users and Computers, just as in the previous example. In our Millennium City network, we’ve moved the Guest account to the City Hall-Visitors OU.


In the Users folder, the Guest account is granted the right to log on locally to a local computer or member server. In the City Hall-Visitors OU, you can grant specific access to the domain resources, such as e-mail, access to printers and devices, and so on. You can also create several Visitor accounts for accounting and auditing purposes and to keep track of the objects each visitor accesses.

Using logon scripts and profiles, you can track activity between each logon and logoff period and use that to generate reports. From these reports, you can run invoices, statements, bills, and so on. If you run a service bureau, then this is the direction you should be considering.

Some organizations do not believe in Guest or Visitor accounts and keep these disabled from the get-go. If you disable the Guest account, you are denying anyone who does not have an account from logging on. In highly secure environments, this policy may be valid. And this was, and still is, the case in many Windows NT domains that do not provide for the additional protection of the OU security policy.

But these accounts can be handy even in sensitive environments. Consider the following before taking the easy way out and disabling the account:

✦ With a Guest account, a new user awaiting a user account can get some work done on a computer. They can, for example, begin reading company policy or the employee handbook, and they can fill in employee forms, and so on.

✦ With a Guest account, a user who has been locked out for whatever reason can at least log on to the domain and gain access to the company intranet and local resources. Let’s say you have an intranet Web site that allows the user to access the help-desk and open a ticket; then a user who cannot log onto the domain can still generate a ticket for an account lockout problem. Lockouts can and will happen often.

✦ An employee suspected of a misdeed can be asked to log on to a Guest account while the reason for an account lockout is being investigated. This may help defuse a situation that has the potential of becoming tense. The user’s account can also be transferred out of his or her usual OU to the Visitors OU or a holding OU. This gives the user the impression that he or she is still able to log on to the domain, but certain access rights have been removed.

The Internet user account

Windows 2000 also provides default or built-in accounts for anonymous access to IIS and for generic access to Terminal Services. See Chapters 23 and 25.

Account Policy

Before you go creating users, you must first take the time to fully understand how account policy on Windows 2000 affects account creation and management on an account-by-account basis.


The Windows Group Policy technology (which also includes account and security policy) governs how all accounts can be configured on both standalone servers and in the Active Directory. If you create users from the get-go, the accounts will be set up with the default account policy attributes. They will remain this way until Active Directory site, domain, or OU policies override this (when a domain controller and Active Directory is installed and sites, domains, and OUs are created).

On Windows NT 4.0 and earlier, the account policy set up on a workstation or member server survived domain policy, but this is not so any more. You have to specifically force the local policy to take precedence over the domain policy. We explain this in more detail in Chapter 11.

What you should be aware of here, especially if you have been given certain responsibility to create an account and set up a computer, is the order of precedence for security and account policies. The order of precedence, from the highest to the lowest, is as follows:

of higher precedence, unless you take the steps to avert that behavior.

Security Principals and the Logon Authentication Process

The onus of “good behavior” rests on the shoulders of User and Group objects in Windows 2000. As mentioned earlier, these objects have the total trust of the OS when first installed. They are often referred to as security principals and trustees.

Every other object that is not a security principal, or that does not exist in AD within a security context, is rejected by the security subsystem and thus cannot be granted rights or access. What makes an object a security principal is its SID: users, groups, and computers have one, whereas a Contact object has none, so it can never appear in an access control list and is a good example of an object that is not a security principal. You may create other non-security objects and register them in the Active Directory.

Several security principals are defined to the security subsystem by default. These include groups such as Domain Users, Domain Admins, and so on.

When a user attempts to log on to Windows 2000, by way of the AD or the local security authority (LSA), the security system checks to see whether the user exists and whether the password provided corresponds to the credential (password hash or Kerberos key) stored in the relevant database. If the user is authenticated, Windows 2000 creates an access token for the user (see Chapters 1 and 3).


If the domain controller does not receive the correct password, or the user account is unknown, the user is gracefully returned to the logon dialog box. But once a user is authenticated, Windows proceeds to activate whatever rights and permissions the user has on the network.

The process that Windows 2000 uses to “follow” the user through the domain is known as access token assignment. In other words, the access token is assigned to the user for the duration of the logon session and acts as a security tag the user wears when “roaming” from computer to computer and from resource to resource. Strictly speaking, the token itself never crosses the network: each server the user connects to builds its own token from the SIDs carried in the authentication data (the Kerberos ticket or the NTLM exchange). User account information is replicated to all domain controllers in the domain, even across slow WAN links, and a subset of it to every global catalog server in the forest.

To understand the authentication process more fully at the lower levels of Windows 2000 and the security subsystem, refer to Chapters 1 and 3.

When you create an account, the system also creates the SID and stores it in the security structures of AD or the SAM. The first part of the SID identifies the domain in which the SID was created. The second part is called the relative ID (RID), and it refers to the actual object created (which is thus relative to the domain). When a user logs on to the computer or domain, the SID is retrieved from the database and placed in the user’s access token. From the moment of logon, the SID is used in the access token to identify the user in all security-related actions and interactions.

Both Windows NT and Windows 2000 also use the SID for the following purposes:

✦ To identify the object’s owner

✦ To identify the object owner’s group

✦ To identify the account user in access-related activity (see Access Control Entries in Chapter 3)

Special well-known SIDs are also created by the system during installation to identify the built-in users and groups. When a user logs on to the system as Guest, the access token for that user will include the well-known SID for the Guest account (RID 501 in every domain) and the Guests group, which restricts the user from doing damage or accessing objects he or she is not entitled to. The restriction comes from the permissions granted to those SIDs, not from the account name: renaming Guest does not change its RID.



SAM and LSA Authentication

The Windows 2000 SAM is inherited from the NT 4.0 SAM and works the same way. However, it no longer plays a part in network domain management. Standalone and member servers use the Windows 2000 SAM to authenticate or validate users that have local accounts, including autonomous processes. The SAM is still buried in the registry and plays an important role in Windows 2000, and it is an integral part of the Local Security Authority (LSA). LSA authentication exists for several reasons:

✦ To process local logon requests

✦ To allow ISVs and customers with special requirements to use the LSA to gain local authentication services. An access control application might use the LSA to validate holders of magnetic access control cards and the like.

✦ To provide special local access to devices. In order for a device to be installed and gain access to system resources, it might have to be authenticated by the LSA. An example is a tape-backup device driver, which might need to gain access to a local database management system or to machine-protected processes that require it to be logged on locally.

✦ To provide heterogeneous local authentication. Not everyone will be able to take advantage of the Active Directory authentication and logon process, and not everyone will want to. The LSA thus provides these “users” (processes) with the local logon facility they were accustomed to, or built for, on Windows NT 4.0 and earlier.

As discussed in Chapter 4, when you set up a standalone server, Windows creates default or built-in accounts. These are actually created in a local Windows NT 4.0-type domain stored in the local SAM. The two local domains created are Account and Builtin.

When you first install Windows 2000, these local domain systems are named after the NetBIOS-type name of the machine. If you change the machine’s name, the domain name will be changed to the new machine name the next time you restart the server. In other words, if you set up a standalone server named LONELY1, a local domain named LONELY1 will be created in the local SAM. The OS will then create the built-in accounts for this domain. Later, you’ll be able to create any local user in the local legacy domain. Services will also use the local domain for system accounts.

The Active Directory includes a SAM service provider that allows Windows 2000 domain controllers to interoperate with NT 4.0 domain controllers. Such service providers also exist for other directory services, such as Novell NDS.
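The SID structure described above (domain part plus RID) and the machine-named local SAM domain, as an added example that is not part of the book: Get-SidParts and Get-LocalSamUser are names chosen here, the well-known RID table lists only entries every domain has, and the script relies on the .NET SecurityIdentifier class and the ADSI WinNT: provider that Windows PowerShell exposes.

```powershell
# Added example, not from the book. Get-SidParts and Get-LocalSamUser are
# names chosen for this illustration.
$WellKnownRids = @{
    500 = 'Administrator';    501 = 'Guest';              502 = 'krbtgt'
    512 = 'Domain Admins';    513 = 'Domain Users';       514 = 'Domain Guests'
    515 = 'Domain Computers'; 516 = 'Domain Controllers'; 519 = 'Enterprise Admins'
}

function Get-SidParts {
    param([Parameter(Mandatory)][string]$Sid)
    $s     = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $parts = $s.Value.Split('-')
    $rid   = [int]$parts[-1]                     # last sub-authority = relative ID
    # AccountDomainSid is the S-1-5-21-... prefix for domain and machine SIDs,
    # and $null for BUILTIN, NT AUTHORITY and other non-domain SIDs.
    $domain = $null
    if ($s.AccountDomainSid) { $domain = $s.AccountDomainSid.Value }
    $wellKnown = $null
    if ($domain -and $WellKnownRids.ContainsKey($rid)) { $wellKnown = $WellKnownRids[$rid] }
    [pscustomobject]@{ Sid = $s.Value; DomainSid = $domain; Rid = $rid; WellKnown = $wellKnown }
}

function Get-LocalSamUser {
    # The WinNT: provider exposes the local SAM as a "domain" named after the
    # machine (LONELY1 in the text); its users carry the machine SID plus a RID.
    $sam = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($child in $sam.Children) {
        if ($child.psbase.SchemaClassName -ne 'user') { continue }
        $bytes = [byte[]]$child.psbase.Properties['objectSid'].Value
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        $p     = Get-SidParts $sid.Value
        [pscustomobject]@{ Name = $child.psbase.Name; Rid = $p.Rid; MachineSid = $p.DomainSid; WellKnown = $p.WellKnown }
    }
}

# Constructed sample SIDs (the domain part is invented for the example).
Get-SidParts 'S-1-5-21-1004336348-1177238915-682003330-501'   # Guest of that domain: RID 501
Get-SidParts 'S-1-5-32-544'                                   # BUILTIN\Administrators: no domain part
Get-SidParts ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
Get-LocalSamUser | Format-Table -AutoSize                     # Administrator = 500, Guest = 501
```

Run it on a standalone server and every local account shows the same MachineSid with a different RID; run it on a domain member and the current user’s SID carries the domain’s prefix instead. Note that the mapping from RID to name is only meaningful together with the domain part, which is why Get-SidParts refuses to label a RID that has no domain.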



User Accounts in Action

A user account is like a bank account. Without a bank account, there is no way you can access the services of a bank, store money, pay bills, take out loans, and manage your financial affairs. When a user comes to work and cannot log on, the scene that ensues is like a bank account that has been closed unexpectedly.

Getting Familiar with RunAs

Before you proceed with account creation and management, you should take some time to understand the RunAs application and service. It will be invaluable to you in your administration endeavors, especially for troubleshooting account problems. RunAs is also known as secondary or alternate logon.

RunAs allows you to execute applications, access resources, or load an environment or profile, and so on, using the credentials of another user account, without having to log off from the account you initially logged on to your computer with. RunAs is a non-graphical executable (runas.exe) that resides in the %SystemRoot%\System32 folder of your server or workstation. It is also a service (the Secondary Logon service) that can be accessed from various locations in the operating system. You can link to it from the desktop, or create scripts and applications that make use of its services. You can also create a shortcut to an application and allow it to be executed using the credentials of any other user account (provided you have the password to the other account).

In this chapter, we will not explain all the available parameters and switches that can be used with RunAs from the command line, because that has been provided in Appendix A, and you can execute RunAs from the command line with the /? switch to obtain a list of RunAs options and their usage.

RunAs essentially allows you to operate an environment or application in the security context of another user account, while remaining in your current security context or in your current logged-on state. The simplest, but very useful, feature of RunAs lets you test a logon name and account password without having to log off from your workstation. Perhaps the best way to describe RunAs usage is to provide a simple example.

Create a shortcut to the Command Console on the desktop and allow it to be used to test a User ID and password as follows:

1. Create a shortcut to the command prompt on your desktop. This is explained at the beginning of Appendix A.

2. Right-click the shortcut and select Properties. On the Shortcut tab, check the “Run as different user” option.

3. Click OK.



You will now notice that when you right-click the shortcut, the Run as line has been added to the context menu in bold type. But you can just double-click the shortcut icon and the Run As Other User dialog box will appear. Now you can enter the user’s account, domain, and password.

If you investigate RunAs further, you will discover that you can test alternate logons and troubleshoot problems such as access to shares, printers, and so on. You can log on and switch to the environment provided by the alternate account, and you can allow users to run an application in the context of another account.

Naming User Accounts

You can make your life as a user administrator more enjoyable if you follow the recommended convention for naming user accounts. You can and should plan your user namespace carefully, publish the rules and policy surrounding the chosen convention, and stick to it. There is nothing worse than inheriting a directory of accounts where no naming convention exists.

In order to set up your naming convention checklist, consider the following:

1. User account names must be unique in the domain in which the accounts are created. For example, you cannot have two accounts both set up as mcity\johns or johns@mcity.org; one must become johns1@mcity.org. You can, however, create an account with the same UPN prefix in another domain, for example johns@mcity.mcpd.org or mcpd\johns. The down-level name (mcpd\johns) only has to be unique within its domain, whereas the full UPN (prefix and suffix together) must be unique across the whole forest.

2. The down-level logon name (the sAMAccountName) can contain a maximum of 20 characters in any case. The logon process is not case-sensitive. The field, however, preserves case, allowing you to support a naming convention such as JohnS as opposed to johns.

3. The following characters are not permissible in the account name:

“ < > ? * / \ | ; : = , + [ ]

4. You can use letters and dashes or underscores in the name to assist with the convention, but remember that account names may be used as e-mail addresses. Follow the suggestions in the UPN naming convention described later.

Passwords

Accounts do not always have to have passwords. As discussed earlier, this is controlled by Group Policy. Many administrators use the method of combining initials and numbers for passwords and keep them consistent throughout the enterprise; read on before you adopt that scheme.


In order to set up your password convention checklist, consider the following:

1. Passwords can be up to 127 characters in length. That does not mean Microsoft expects you to saddle your users with a password that takes all day to input. But smart cards and non-interactive logon devices can use a field of that length.

2. Do not create passwords that are less than five characters; a minimum of

“experience” what might be going wrong. Many administrators troubleshoot this way; it helps to be in the user’s context when troubleshooting. The new RunAs service we describe in this chapter is a useful tool for managing user accounts and troubleshooting passwords.

The password issuance and management-style questions are similar from platform to platform, especially from NetWare to Windows NT and Windows 2000. In giving users passwords, you have three choices that can be adapted and become policy:

✦ Assign the passwords

✦ Let the user choose the password

✦ Assign passwords to certain users; allow others to set their own

All three choices have their pros and cons, and every company will have a reason for going with one option or the other.

If you go with the first option, you will either have to adopt a password-naming scheme that lends itself to easy recollection by administrators (as secure as an open field) or enter the users’ passwords in a secure database.

The former is not really secure, because it would not take much to figure out the scheme the administrators are using. A popular password-forming approach is to join the users’ initials and parts of their social security numbers, driver’s licenses, or some other number society issues us. For example: jrs0934. Anyone with access to the personnel records can then derive every password in the company. This scheme has been in place at several companies we worked at. In that several thousand accounts were set up under the scheme, it has been a nightmare to change it.


The second approach, letting users select their own passwords, is more secure but fraught with danger. Firstly, users who have lots of sensitive stuff on their machines and in their folders often assign weak passwords that can easily be cracked. We have found users choosing 12345678 and giving us the excuse that they were going to change it later, three months later.

Secondly, having users choose their own passwords can be nightmarish on corporate networks. When troubleshooting problems, administrators often have to ask for the passwords over the telephone (for all to hear) and in e-mail. (The safer habit is never to ask for a password at all: reset it, troubleshoot with RunAs, and have the user change it afterwards.) And then there are the occasions when we have to reset the password anyway, because the owner is either not present or Windows 2000 rejects the password. We have not seen “correct password rejection” on Windows 2000 yet, but we have seen it happen many times on Windows NT, even seconds after resetting it in the NT User Manager. It is just one of those quirky things we learned to live with.

We believe the best policy is to go with the third choice: Assign a password for most corporate users and allow selected users (who demand the security and who can justify it) to set their own passwords. The latter users fall into groups that have access to company financial information, bank account numbers, credit card numbers, personnel records, and so on. Paranoid executives fall into the latter group as well.

Generate secure passwords (as opposed to obvious acronyms). If you must record a password, do so in a store you actually control access to, such as a SQL Server table restricted to the administrators who need it; a Microsoft Access file with a database password is not such a store, because that protection is trivially removed. The one weakness of this option is giving new users their passwords. Often, the password ends up going through several hands before ending up at the user. You could create a temporary password assignment scheme: issue a one-time password with “User must change password at next logon” set, so that nothing needs to be recorded at all.

You might also try your hand at adding a field to the Active Directory User object that displays the password in plain text (the schema is there to be extended; see Chapter 6). You can secure the objects in the AD so that only certain administrators have access to the field. You would also have to create a GUI to read the field, because the Account tab on the User Properties dialog box is off limits to such wild ideas. Think twice before you do this: a plain-text password attribute replicates to every domain controller and becomes the single most valuable target in the directory, and it throws away the protection you get from Windows storing only a hash. The temporary-password approach above avoids the problem entirely.

Protecting passwords is more important under Windows 2000 than under Windows NT, or any other OS for that matter. The reason is the Single Sign-On initiative (SSO) and the Kerberos ticket-granting service discussed in Chapter 3. On older OSs, you need new user IDs and passwords for just about any service, such as voice mail, fax mail, SQL Server, Internet access, and so on. As more applications support SSO, one password will eventually suffice for all. But this is a double-edged sword: if the password or access falls into mischievous hands, the culprit will have access to everything authenticated in the SSO process.


We have discussed the concept of local logon in various places, but this is a right and not an automatic privilege. In order for a user to log on to the machine standing next to him or her, or to a remote machine across the network, he or she would need authority in two places:

1. The domain the user is a member of must allow the user to request logon permission from a machine. The default is to allow the user to request logon from any machine, which means the target machine’s SAM gets to say yes or no, and not the domain.

2. The target machine must give the account the right to log on locally.

Unless the target machine has special software on it that requires local logon and authentication, it makes more sense to provide access to resources on remote machines via domain groups.

Granting Remote Access

Remote access privileges are the most sought-after rights in any organization. By being given access to RAS, users may be allowed to telecommute, work from home, or access the network and servers from the road. Road warriors also give you the most headaches, because remote policy is by its very nature governed by more stringent security requirements.

When setting up groups, it may pay to also create remote user groups in specific OUs. You will certainly run into problems putting every remote user into an enterprise-wide remote user group. Users who are restricted at certain levels when they work on the premises will find life more open and accessible when connecting from home, and users who have a wide berth in the office will find life claustrophobic on the outside.

Remote Access Service is discussed in detail in Chapter 15

Creating a User Account

In this example, we’re creating user accounts for the Driver Compensation Program (DCP) in Millennium City. They exist in the DCP OU, which resides in the CITYHALL domain.

Select the domain, right-click the DCP OU created earlier, and select New ➪ User. The Create New Object dialog box loads, as shown in Figure 10-5. The most important information you will need here is the old SAM account name of the user that is connecting, or a new NetBIOS name. This is the name the user used, or still uses, to log on to the legacy NT domain. It is not the name of the machine that is connecting. Remember that this is a NetBIOS name; it must be no more than 20 characters, and you need to watch for the illegal characters discussed earlier.

You can create a new user account anywhere in the domain and later move it as needed.

Figure 10-5: Create New Object - User dialog box

The User Principal Name

In the beginning, on legacy NT, we had little flexibility with logon names. We would typically use contractions of first and last names, such as jshapiro or jeffreys, or names typically assigned to people serving 25 years to life, such as psjrs08676.

Now, everything is different. The user’s logon name and e-mail address are the same. There are good reasons to do this. First, this change supports the SSO initiative, better known as Single Sign-On. As long as the resources the user needs access to support TCP/IP, RFC 822 naming, and Kerberos authentication, the user ID or the resulting Kerberos tickets can be relayed to these technologies. Second, the UPN allows you to use an e-mail address to log on to the domain from anywhere on the Internet. As long as the domain controller is reachable from the Internet, or the packets find the DC through a firewall, it is possible to log on and access resources. As discussed earlier, if you can resolve CITYHALL.GENESIS.MCITY.ORG on the Internet, you’ll be able to log in. (Possible is not the same as advisable: a domain controller reachable from the Internet is exposed to password guessing against every account in the domain, so put a VPN in front of it.) The prefix part of the UPN provides the so-called user ID, while the suffix identifies the domain.

So, given that life would be easier if your users’ logon IDs and e-mail addresses were the same, you have some serious restructuring to do. Perhaps the best place to start is at your e-mail server. Here, all the accounts are set up with UPNs already. And if you have been running an Exchange server, then all the better. Simply dump all the names into a comma-separated file (.csv) and use these as the basis for your UPNs.



Using first and last names as a UPN is a good idea. RFC 822 requires that you separate the elements of the UPN with acceptable characters. Obviously, the @ sign is not acceptable within the prefix, and you should avoid the & (ampersand). Simple dot notation works best: user.name@adomain.com or jeffrey.shapiro@mcity.org.

Figure 10-5 shows you the two logon types that can be used, the UPN (armando.martinez) and the down-level NetBIOS name (amartinez). In the first one, the user enters the prefix part of the UPN as the User ID and the suffix as the domain name. This may be less comfortable for people accustomed to logging into Windows NT domains or NetWare.

If you are not yet ready to move users to Windows 2000 but plan to in the near future, now is the time to start preparing for UPNs. For example, if your e-mail server accounts do not make attractive UPNs (such as zp-badboy5.shapiroj@wierdestofcorps.com), now is the time to change them. You seldom if ever need to type your e-mail address every time you send a message, but you do need to type at least the prefix every time you log in to Windows 2000. Try keeping the UPNs as short as possible without turning everyone’s name into an acronym. For example, jshapiro works better than jeffrey.shapiro, which is better than js. Anyone who ends up with a UPN of more than, say, eight letters may never want to log in again.

Before you add the name, you will need to check that the UPN you entered when you created the account conforms to the standards you have set for your network. This double-checking exercise is worthwhile here, because there will be many times when the UPN has to be entered after the account has been created. If you copy an account, the UPN field will have to be updated. Remember, the UPN conforms to the Internet standard e-mail address governed by RFC 822, such as jeffrey.shapiro@mcity.org or jeffreys@mcity.org.

Click Next to fill in the password in the next dialog box, shown in Figure 10-6. Click Finish when you’re done. That’s all there is to creating a user. Next, you need to set the properties for the user.

Figure 10-6: Adding the password to the New Object - User dialog box


Figure 10-7: The User Properties dialog box

The User Properties dialog box has a lot of tabs that you can use to configure the User object and populate it with information. Many of the tabs are self-explanatory, so the following sections do not describe them all, just the ones that you need to set when creating a new user account.

Account tab properties

The options on the Account tab are security options, and they need to be managed carefully. If you’ve used the NT 4.0 User Manager application, you will recognize many of these.

✦ Account expires: Set this to Never to indicate that the account never expires. Set the other option, End of, with a date if you want the account to exist for only a certain period of time. Locking a person out at some future date is valuable for application services and for temps and subcontractors who will be classified as a security risk at some future date.


✦ Home folder: This should be a directory on a file server somewhere. When the user logs in, his or her home directory will be immediately accessible. You can set this path to a folder on the user’s local machine. In this case, we want to set the path to a share on the SQL Server 2000 machine so that the user has immediate access to data entry tools on that server.

✦ First, Last and Initial: When you enter the First, Last, and Initials, the display name is formed automatically. You can also change the display name to suit a company standard or policy. We want to leave the display name as is; that way, wherever users of CITYHALL are logged on, we will be able to spot them immediately in open file lists, connection lists, owners, and so on.

✦ Description: This information can describe the purpose of the account, or it can be information that better identifies it. The bigger the network, the more important it is to fill in this field. In this case, we’ll insert “DCP Entry Team Leader” to describe the purpose of the account.

✦ Office: Enter the user’s physical office address.

✦ Telephone number: Enter the user’s telephone number and extension, if any.

✦ E-mail: Enter the user’s e-mail address. It might be intuitive for this field to default to the UPN, but it doesn’t. The field is also not e-mail format-sensitive, so if an SMTP format is out, you can enter a cc:Mail address, an X.400 address, or something else. It is important to keep the entries here consistent, because access to this field is open via ADSI and the field will no doubt be a key repository of information for many people-tracking tools, ERP apps, communications applications, and more. At the time of this writing, we don’t know what e-mail applications will be using this field, but it is available to access.

✦ Web page: Enter the user’s home page, if applicable. The idea of this field may be foggy at first, because why would you have all your users worry about home pages? However, these fields can be used for other applications, such as an ISP whose user accounts “rent” home pages. If you are an ISP, you can set up user accounts in the directory to manage access and accounting from the directory. The field is a string data type, so an IP address is feasible here too.

✦ Address: On the Address tab, enter the user’s address.

✦ Logon to: This is the list of workstations or servers (NetBIOS computer names) to which the user can log in. For an administrator, leave this at the default. If the employee were new or questionable, we would restrict him or her to the department’s machine and lock the person out of the other MIS machines. For the sake of demonstration, Figure 10-8 shows the restriction in force. This restriction applies to all member machines, not just workstations, as the dialog box might suggest. By not setting any values in this dialog box, you give the user access to all machines on the network.


Figure 10-8: Logon restrictions

By forcing the users to log on to their own workstations, we are by omission barring them from logging on locally to any other machines. Of course, you can also restrict the local logon at the target machine.

✦ Account Options: This is where you set password policies, which were discussed earlier in this chapter. To comply with the Millennium City password policy, we’ll check the options “User cannot change password” and “Password never expires.” Choose a secure password for the user; a password that never expires and that the user cannot change is only as good as the day it was chosen.

More account options

The Account options section on the Account tab determines how users and computers are authenticated on the network. The following options are self-explanatory:

✦ User must change password at next logon

✦ User cannot change password

✦ Password never expires

✦ Store password using reversible encryption. Use this option only when a client or protocol needs the plain-text password, such as Apple Macintosh clients authenticating through Services for Macintosh. It stores the password in a recoverable form, which is exactly what the one-way hash normally prevents, so leave it off everywhere else.

✦ Account is disabled. Select this option to prevent the user from authenticating.

✦ Smart card is required for interactive logon. This option requires that the user present a smart card (and therefore have a card reader attached to his or her machine) to log on; a password can no longer be used for interactive logon.

✦ Account is trusted for delegation. This allows a service running under this account to use the credentials of users who authenticate to it in order to access other servers on their behalf (Kerberos delegation). It is meant for service accounts, not for handing administrative functions to other people, and should be granted sparingly, because such a service can impersonate any user that connects to it.

✦ Account is sensitive and cannot be delegated. The mirror image of the previous option: no service, however trusted, may use this account’s credentials to act on its behalf. Set it on administrative and other high-value accounts.


✦ Use DES encryption types for this account. This restricts the Kerberos keys issued for the account to the DES cipher types (DES-CBC-CRC and DES-CBC-MD5), for interoperability with Kerberos implementations that do not support the default RC4-HMAC type. It has nothing to do with the MPPE or IPSec settings. See Chapter 3 for further information on DES and security.

✦ Do not require Kerberos pre-authentication. Refer to Chapter 34 for more information on Kerberos. Leave this off unless a non-Windows Kerberos client needs it: without pre-authentication, anyone can obtain a ticket-granting response encrypted with the account’s key and guess the password against it offline.
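The account the text creates through the GUI (amartinez, Figure 10-5) and the Account options just listed, as an added example that is not from the book: New-DcpUser and Get-AccountOptions are names chosen here, the LDAP path for the DCP OU in the CITYHALL domain is assumed from the chapter’s names, and the bit values are the documented userAccountControl flags behind the check boxes.

```powershell
# Added example, not from the book. New-DcpUser and Get-AccountOptions are names
# chosen here; the OU path assumes the DCP OU in the CITYHALL domain of this chapter.
$UacFlags = [ordered]@{
    SCRIPT                     = 0x000001
    ACCOUNTDISABLE             = 0x000002   # "Account is disabled"
    PASSWD_NOTREQD             = 0x000020
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x000080   # "Store password using reversible encryption"
    NORMAL_ACCOUNT             = 0x000200
    DONT_EXPIRE_PASSWD         = 0x010000   # "Password never expires"
    SMARTCARD_REQUIRED         = 0x040000   # "Smart card is required for interactive logon"
    TRUSTED_FOR_DELEGATION     = 0x080000   # "Account is trusted for delegation"
    NOT_DELEGATED              = 0x100000   # "Account is sensitive and cannot be delegated"
    USE_DES_KEY_ONLY           = 0x200000   # "Use DES encryption types for this account"
    DONT_REQ_PREAUTH           = 0x400000   # "Do not require Kerberos pre-authentication"
}

function Get-AccountOptions {
    param([Parameter(Mandatory)][int]$UserAccountControl)
    # Two check boxes are not bits in this attribute: "User must change password
    # at next logon" is pwdLastSet = 0, and "User cannot change password" is a
    # deny ACE for the Change Password extended right on the user object itself.
    foreach ($f in $UacFlags.GetEnumerator()) {
        if (($UserAccountControl -band $f.Value) -ne 0) { $f.Key }
    }
}

function New-DcpUser {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$OuPath = 'LDAP://OU=DCP,DC=CITYHALL,DC=GENESIS,DC=MCITY,DC=ORG',
        [string]$First = 'Armando', [string]$Last = 'Martinez',
        [string]$Sam = 'amartinez', [string]$Upn = 'armando.martinez@mcity.org'
    )
    $ou   = [ADSI]$OuPath
    $user = $ou.Create('user', "CN=$First $Last")
    $user.Put('sAMAccountName',    $Sam)          # down-level name, 20 characters max
    $user.Put('userPrincipalName', $Upn)          # must be unique in the forest
    $user.Put('givenName', $First)
    $user.Put('sn', $Last)
    $user.Put('displayName', "$First $Last")
    $user.Put('description', 'DCP Entry Team Leader')
    $user.SetInfo()                               # the object must exist before a password can be set
    $user.SetPassword($Password)
    # A new object is created disabled (0x202). Writing NORMAL_ACCOUNT without
    # ACCOUNTDISABLE enables it; DONT_EXPIRE_PASSWD is the Millennium City choice.
    $uac = $UacFlags.NORMAL_ACCOUNT -bor $UacFlags.DONT_EXPIRE_PASSWD
    $user.Put('userAccountControl', $uac)
    $user.SetInfo()
    return (Get-AccountOptions $uac)
}

Get-AccountOptions 0x10202    # ACCOUNTDISABLE, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD
```

Because the decoder works on the raw attribute, you can also point it at any existing account’s userAccountControl value to see which of the check boxes above are set without opening the dialog box; the two ACL- and timestamp-based options have to be read from the object’s security descriptor and pwdLastSet respectively.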

Logon hours

The Logon Hours controls, shown in Figure 10-9, are available from the Account tab. By default, logon time is set to always, meaning that users can log in whenever they want, but you may wish to restrict this for several reasons. MCITY is set up to deny access to the domain controllers every Saturday night for about 12 hours. This is the time, once a week, when we power down the servers and perform maintenance. You may have a tighter security arrangement, for example one that only allows logon during working hours.

Figure 10-9: Logon hours

To set logon hours, do the following:

1. On the Properties dialog box, select the Account tab and click the Logon Hours button. The Logon Hours dialog box loads.

2. To allow a user to log on at certain hours, click the rectangle on the days and hours for which you wish to deny or allow the user logon time. The blue boxes denote logon times allowed, while the white boxes denote logon times disallowed. By default, the entire box is blue, indicating that logon is allowed all the time.

3. When you click OK and close the dialog box, the logon hours are saved.
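The bitmap behind the Logon Hours grid, as an added example that is not from the book: New-LogonHours and Get-LogonHoursGrid are names chosen here, the Saturday-night window is the MCITY maintenance window described above, and the UTC offset of -5 hours is an assumption for the example (use your own site’s offset).

```powershell
# Added example, not from the book. New-LogonHours and Get-LogonHoursGrid are
# names chosen here; the -5 hour UTC offset is an assumption for the example.
function New-LogonHours {
    param(
        # denied windows in LOCAL time: @{Day=0..6 (Sunday=0); Start=hour; Hours=count}
        [object[]]$DenyLocal = @(),
        [int]$UtcOffsetHours = -5
    )
    # 21 bytes = 168 bits, one per hour of the week, Sunday 00:00 UTC first,
    # least-significant bit first within each byte. 0xFF everywhere = "always".
    # The directory stores the bits in UTC; the dialog shows them shifted to the
    # local time zone, which is why the offset is needed here.
    $bytes = New-Object byte[] 21
    for ($i = 0; $i -lt 21; $i++) { $bytes[$i] = 0xFF }
    foreach ($w in $DenyLocal) {
        for ($h = 0; $h -lt $w.Hours; $h++) {
            $local = $w.Day * 24 + $w.Start + $h                       # hour-of-week, local time
            $utc   = (($local - $UtcOffsetHours) % 168 + 168) % 168     # shift to UTC, wrap at 168
            $idx   = [int][math]::Floor($utc / 8)
            $bytes[$idx] = [byte]($bytes[$idx] -band -bnot (1 -shl ($utc % 8)))
        }
    }
    return ,$bytes
}

function Get-LogonHoursGrid {
    param([Parameter(Mandatory)][byte[]]$Bytes, [int]$UtcOffsetHours = -5)
    # Renders the same grid the dialog shows: '#' = allowed, '.' = denied, local time.
    $days = 'Sun','Mon','Tue','Wed','Thu','Fri','Sat'
    for ($d = 0; $d -lt 7; $d++) {
        $row = ''
        for ($h = 0; $h -lt 24; $h++) {
            $utc = (($d * 24 + $h - $UtcOffsetHours) % 168 + 168) % 168
            $bit = $Bytes[[int][math]::Floor($utc / 8)] -band (1 -shl ($utc % 8))
            $row += $(if ($bit -ne 0) { '#' } else { '.' })
        }
        '{0} {1}' -f $days[$d], $row
    }
}

# The MCITY maintenance window from the text: no logon from Saturday 18:00 for 12 hours.
$hours = New-LogonHours -DenyLocal @(@{ Day = 6; Start = 18; Hours = 12 })
Get-LogonHoursGrid -Bytes $hours          # Sat row ends in 6 dots, Sun row starts with 6 dots
'{0} bytes: {1}' -f $hours.Length, (($hours | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')

# To apply it to the account created earlier in this chapter (assumed DN):
# $u = [ADSI]'LDAP://CN=Armando Martinez,OU=DCP,DC=CITYHALL,DC=GENESIS,DC=MCITY,DC=ORG'
# $u.Put('logonHours', $hours); $u.SetInfo()
```

The decoder is the useful half when something goes wrong: a user who is refused at 9 a.m. on Monday while the grid looks fine has usually been given a bitmap built for the wrong time zone, and reading the attribute back through Get-LogonHoursGrid with the right offset shows where the denied hours actually landed.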

