QUES : DESCRIBE USER ADMINISTRATION

ANS :

This section discusses user account administration. For a user to log onto a Windows
2000 network, a user account must be created. It is unique to every user and includes
a user name and a password for authentication. A user can logon as a local user
and a domain user as well. Thus by having an account a user has access to all network
resources. As discussed in previous sections, in the Windows 2000 operating system
two kinds of user accounts can be created:


• Domain account
• Local account


User account Administration includes setting up user profiles and name directories
and modifying existing user accounts.


The next section discusses Group Account Administration.

Existing User Accounts Modification
Many different kinds of modifications are required with user accounts. These
modifications may be required because of organizational or personal changes. An
instance is whenever a new employee joins, the company may want to modify an
existing account and give access to the new employee. Also, personal profiles may
need to be updated at times.


Modification may include the following:
• Renaming
• Erasing
• Disabling
• Deleting User Accounts

  1. To Rename a user Account: Normally renaming an account is done so that all
    access services to an account remain intact. When an account that has been
    created for a particular user is to be assigned to another user, all permissions,
    rights, properties set for that account are retained.

2. To Enable/Disable a user account: A user account is disabled when it is not
needed for some time but would be accessed after a certain period of time. It is
a situation when a user temporarily disables the account and needs access to it
after a fixed period of time.

3. To Delete a user account: When a user no longer needs it, it is deleted.


Use Active Directory Users And Computers Snap-In,


Modify properties. To Reset the User Password:

  1. Open Active Directory Users And Computers Snap-In and select the user
    object.

2. Activate the Action menu, click Reset Password. In the Reset Password dialog
box, enter a password and select.


User must change password at next logon to force the user to change his or her
password the next time that the user logs on.


Managing User Profiles
A user profile contains all data pertaining to a user. It also contains current desktop
settings, all connected networked computers and all mapped drives. Modifying desktop settings can modify a user profile. It is created the first time when a user logs on to a computer.

When you log on to a network computer in Windows 2000 environment you get
individual desktop settings and connections.


Windows 2000 supports Roaming User Profiles (RUPs), for users who work on more
than one computer. A user set up a RUP on a network server and it is available to all
the computers or the domain network. It is copied to client computer from Windows
2000 server when a user logs on. Thus, unlike user profile, with a Roaming User
Profile the user always gets his individual desktop settings. Also a local user profile is
on single client computer only.


Home Folder: A home folder is one that is provided to the user in addition to my
documents folder to store personal data. It is not included in RISP (Routing and
Remote Access Screen).

Group Accounts Administration
User accounts can be collected together. Such collections are called as groups. The
grouping simplifies administration as new access permissions are assigned to a group
rather than to individual accounts. All user accounts belonging to that group have
access privileges. Moreover user(s) can belong to multiple groups.


In Windows 2000 environment there are two kinds of groups, Security groups and
Distribution groups.


Windows 2000 has 4 built-in groups:
• Global groups
• Domain Local groups
• Local groups
• System groups.


Common types of user accounts are contained in groups. The group scope is
responsible for membership of a group. Active Directory Users and Computers Snapin are used to create a user group in a domain.

Group Policy
A group policy primarily comprises configuration settings that determine the layout of
an object and its successors (children) objects. Group policies provide for controlling
the programs, desktop settings, and network. In a network, group policies are
normally set for the domain. Policy administrators administer group policies.
Types of Group Policies:


• Scripts: let the policy administrator specify applications and batch files to run
at specified times.
• Software settings execute the applications. These policies can automate
application installation.
• Security Settings are responsible for restricting user access to files etc.
• Remote Installation Services (RIS).
• While executing client installation wizard, it controls RIS installation options.
• Folder Redirection facilitates movement of Windows 2000 folders from their
default user profile location to a place where they can be managed centrally

• Administration Templates consist of registry based group policies for managing
registry settings, etc.


GPO (Group Policy Objects)
These objects contain configuration settings for group policies. Information is stored
in two ways in a GPO:

  1. In containers
  2. In Templates

  • Creation of GPOs takes place before group policies. Group Policies can be modified
    using:
    1. Group Policy snap-in or
    2. Using Active Directory Users and templates snap-in.
      Only administrators, creator owner or a user with access to GPO can edit a group
      policy

    Auditing
    Windows 2000 auditing is a facility responsible for security. It is responsible for
    tracking user activities, keeps a check on them. Windows 2000 maintains a security
    log. User events are written onto their security log. All the events related actions are
    entered onto security log. An audit entry in security log not only comprises action that
    takes place, but also the user and success or failure of the event and when the action
    occurred. Thus whatever event takes place in Windows 2000, Security Log has an
    entry for the same.

    An audit group policy is configured for all domain controllers in a domain. Auditing is
    assigned to parent container and it passes it down the hierarchy to the child containers.
    However, if explicitly a child container is assigned a group policy then child container
    group overrides parent container settings.

    To plan an audit policy, computers must identify on which auditing is to be applied.
    By default, auditing option is turned off.


    Only certain specific events can be audited on computers:


    • User logging on and off.
    • User accounts and group changes.
    • Changes to Active Directory Objects.
    • Files access.
    • Shutting down Windows 2000 Server
    • Restarting Windows 2000 Server.

    Leave a Reply