fall 2011 nassau community college ite153 – operating systems session 21 administering user...

Fall 2011Nassau Community College ITE153 – Operating Systems

Session 21 Administering User Accounts and

Groups

1

Overview

• Introducing User Accounts• Planning and Creating New Users• Identifying User Properties• Creating Local Groups• Adding a User & Group in Linux

Fall 2011 2Nassau Community College ITE153 – Operating Systems


Session 21Windows 7 Professional

Administering User Accounts and Groups

3

Introducing User Accounts

• The logon process can be customized• Why do this? Automation, restricted

access, limited views, etc.• Some choices: local security policy,

registry settings, Group Policy in domains

• Built-in User Accounts:• Administrator• Guest

Fall 2011Nassau Community College ITE153 – Operating Systems 4

Introducing User Accounts - Administrator

• The Administrator account is disabled by default, but you can enable it

• When it is enabled, the Administrator account has full control of the computer, and it can assign user rights and access control permissions to users as necessary

• This account must be used only for tasks that require administrative credentials. Use a strong password!

• See Local Users and Groups best practices under Links



• The Administrator account is a member of the Administrators group on the computer.

• The Administrator account can never be deleted or removed from the Administrators group, but it can be renamed or disabled.

• Because the Administrator account is known to exist on many versions of Windows, renaming or disabling this account will make it more difficult for malicious users to try and gain access to it



• Kinds of tasks performed:

• Creating and modifying user accounts and groups

• Managing security policies

• Assigning rights and permissions to user accounts

• Installing printers

• Installing hardware devices and drivers

• Changing system data and other system settings


Introducing User Accounts - Guest

• The Guest account is used by people who do not have an actual account on the computer

• A user whose account is disabled, but not deleted, can also use the Guest account

• The Guest account does not require a password

• The Guest account is disabled by default, but you can enable it, although not recommended

• You can set rights and permissions for the Guest account just like any user account

• By default, the Guest account is a member of the default Guests group, which allows a user to log on to a computer.


Introducing User Accounts - Domain

• We are only concerned with local accounts and groups• Prerequisite for creating a domain user is a domain• At least one computer on the network must be running

a Windows Server product and be configured as a domain controller

• Active Directory is the main control mechanism


Introducing User Account - MMC

Snap-in: mmc compmgmt.msc


Administrator and Guest Accounts

Home directory

Lab A: Introducing User Accounts


Planning User Accounts - Names

A naming convention establishes how users will be identified on the network. A consistent naming convention makes it easy for you and your users to remember user names and locate them in lists.

•User names must be unique. Domain user accounts must be unique to the domain. Local user accounts must be unique to the local computer.

•User names can contain up to 20 uppercase or lowercase characters except for the following: " / \ [ ] : ; | = , + * ? < >.

•Accommodate employees with duplicate names


Planning User Accounts - Passwords

The next element in planning new user accounts is identifying the password requirements. Every user account should require a password. Some guidelines:

•Always assign the Administrator account a password to prevent unauthorized users from using the account

•Determine who controls the password:• Assign users unique passwords and then prevent users

from changing them (administrator control)• Assign users an initial password and then require users

to change them the first time they log on; only individual users will know their passwords. (user control)

•Determine whether an account needs to expire (temps, etc).


Creating a New User To create a local user account:

• Open Computer Management.

• In the console tree, click Users.

• On the Action menu, click New User.

• Type the appropriate information in the dialog box.

• Select or clear the check boxes for:• User must change password at next logon • User cannot change password • Password never expires • Account is disabled

• Click Create, and then click Close.


Creating a New User• Open Computer Manager (compmgmt.msc) console


Right click User and click the New User

Lab B: Creating a New User


User Account Utility


Identifying User Properties • Every local user account you create has a set of

default properties that can be modified in the Properties dialog box for that user.

• The properties dialog box contains three tabs:• General – change full name or description of a

user and configure password usage and account lockout

• Member Of – add or remove user account from a group

• Profile – set the path for the user profile, logon script, and home folder


Identifying User Properties




Item DetailsFull name Provides a space for you to type the

user's complete name. Description Provides a space for you to type any text

that describes the user account or the user.

User must change password at next logoncheck box

Specifies whether the user must change the password at the next logon.

User cannot change passwordcheck box

Specifies whether the user cannot change the assigned password. This option is usually selected only for accounts that are used by more than one person, such as the Guest account. This setting has no effect on members of the Administrators group.

Password never expirescheck box

Specifies whether the password will never expire, and overrides the Maximum Password Age setting in the Password policy in Group Policy.

Account is disabled check box

Specifies whether the selected account is disabled.

Account is locked outcheck box

Indicates whether the account is locked out, which means that the user is not able to log on.If the check box is unavailable and cleared, the account is not currently locked out.If this check box is available and selected, the account is currently locked out. You can clear the check box to unlock the account.



Item Details

Member of Lists the groups that the user account is a member of.

Add Click to select the group that you want to add this user account to.

Remove Removes the user from the selected group.



Item DetailsProfile path

Provides a space for you to type a user profile path to the user account.

Logon script

Provides a space for you to type the name of a logon script. If the logon script is located in a subdirectory of the default logon script path, precede the file name with that relative path.

Local path Specifies a local path as the home folder. Type a local path, for example, c:\users\erricom.

Connect Specifies a shared network directory as the home folder for this user. Select a drive letter in the menu.

To Provides a space for you to type the network path for this user's home folder. For example, you might specify drive J, and then type \\airedale\users\dorenap.

Lab C: Identifying User Properties


Creating Local GroupsTo create a local group:

• Open Computer Management.

• In the console tree, click Groups

• On the Action menu, click New Group

• In Group name, type a name for the new group

• In Description, type a description of the new group

• To add one or more members to the new group, click Add


Creating Local Groups• In the Select Users, Computers, or Groups dialog

box, do the following:• To add a user or group account to this group,

under Enter the object names to select, type the name of the user account or group account that you want to add, and then click OK.

• To add a computer account to this group, click Object Types, select the Computers check box, and then click OK. Under Enter the object names to select, type the name of the computer account that you want to add, and then click OK.

• In the New Group dialog box, click Create, and then click Close.


Creating Local Groups• Open Computer Manager (compmgmt.msc) console


Right click Groupsand click the New

Group

Creating Local Groups• Open Computer Manager (compmgmt.msc) console


Lab D: Creating Local Groups


Implementing Built-in Groups• Open Local Security Policy(secpol.msc) console



Session 21UNIX

User Account and Groups

31

Adding A User In Ubuntu


Using the Command Line

• To create a new user account under any Linux distribution use command called useradd.

• The system administrator is responsible for creating account. Login as root user (or use sudo command)

• useradd [options] {username}e.g., useradd errico passwd malatesta


Using the Command Line• useradd [-c comment] [-d home_dir] [-e expire_date] [-f inactive_days] [-g initial_group] [-G group[,...]] [-m [-k skeleton_dir]] [-o] [-p passwd] [-s shell] [-u uid] login

• usermod [-c comment] [-d home_dir [-m]] [-e expire_date] [-f inactive_days][-g initial_group] [-G group [,...]] [-l login_name] [-p passwd] [-s shell] [-u uid [-o]] [-L|-U] login

• userdel [-r] login

• This is similar for groups: groupadd, groupmod, groupdel


Important URLS• Local Users and Groups - use Local Users and

Groups to create and manage users and groups that are stored locally on a computer

• Local Users and Groupssimilar to link above but for Windows 7, Windows Server 2008, Windows Server 2008 R2

• Local Users and Groups best practices - excellent tips

• Microsoft Security TechCenter - links to technical bulletins, advisories, updates, tools, and prescriptive guidance. This is a very good site to visit frequently.


Homework

Review the SlidesReview Lesson 8 In The Text


fall 2011 nassau community college ite153 – operating systems session 21 administering user...

Documents

administrator account

user accounts domain

user group

guest account

domain user

user rights

user properties

domains builtin user