Unit4 NMA working with user accounts WINDOWS SERVER 2008

INDEX
4.1.working with user accounts
4.2.working with security groups
4.3 working with shares
4.4 working with printers
4.5 working with windows backup
4.6 using windows servers backup software

Network Management Tasks and Activities
 Managing user access to the network is a major
challenge of network administration
 Access to resources and data must be controlled but
not overly restricted
 Assigning users to groups will make the
administration of user rights much easier

Managing Access and Accounts
 Setting up user accounts is less complicated than
assigning access rights
 Every OS has procedures and/or an interface for
setting up accounts
 It is better to add privileges than to take them away
from users
 Start with fairly restrictive account policies

User Accounts
 A user account holds information about the
specific user
 It can contain basic information such as name,
password, and the level of permission the user in
granted
 It can also contain much more specific information
such as the department the user works in, a home
phone number, and the days and hours the user is
allowed to log on to specific workstations

Managing Groups
 Groups are created to make the sharing of
resources more manageable
 A group contains users that share a common need
for access to a particular resource
 Even though the connotations may differ with each
operating system, all of these terms still refer to
the access that a user or group account is granted

Administrator Account
 All operating systems have an administrative
account
 The administrative account should be used only
for the purpose of administering the server
 Granting users this type of access is a disaster
waiting to happen
 Most operating systems set up the administrative
account during installation

Default Accounts
 Windows has several accounts set up by default
 No matter which system is used, it is important to
know what accounts are installed by default and
what access each account has
 The purpose of the guest account is to allow
temporary access for a user that doesn’t have an
account set up

The Guest Account
 The guest account has limited access, but many
times is disabled to keep intruders from accessing
the machine

Passwords
 Allowing users to create simple passwords
produces an unsecured environment
 If the passwords are too difficult to remember,
users will probably write them down and may even
post them
 A weak password might be very short or only use
alphanumeric characters or contain information
easily guessed by someone profiling the user

Strong Passwords
 Strong passwords can be derived from events or things
the user knows
 For example, the phrase "Going to the Bahamas on
June 6, 2006 with Jean” can be converted to gtB6606@J
 This creates a complex password that is easy for the
user to remember

Password Policies
 Password policies help protect the network from
hackers and define the responsibilities of users
who have been given access to company resources
 All users should read and sign security policies as
part of their employment process
 Many times it is necessary to restrict logon hours
for maintenance purposes.

Access to Files
 Auditing is the process of keeping track of who is
logging in and accessing what files
 Network administrators assign user access rights and
set permissions
 Limited group access overrides unlimited access in
another group

Types of Groups
 Groups may be nested
 Active Directory Services provides flexibility by
allowing two types of groups:
 Security groups
 Distribution groups
 Both types of groups have what is called a scope
 Scope determines where the group can be used in
the network and who can be a member

Group Scope
 The three group scopes available in a Windows 2000
network are:
 domain local
 global
 universal
 The acronym GULP will help you remember how
groups are placed into other groups.

Permission Assignment
 For a user-based model, permissions are assigned
to each user account
 For group-based access control, permissions are
assigned to groups
 For role-based access control, a role is associated
with a job and permissions are assigned to these
roles
 Rule-based access control is based on access
control lists (ACLs)

Group Policy
 After you create groups, group policy can be used
for ease of administration in managing the
environment of users
 The group policy object (GPO) is used to apply
group policy to users and computers
 A GPO is a virtual storage location for group policy
settings, which are stored in the Group Policy
container or template

Managing Access and Accounts
 Group policy allows you to set consistent common
security standards
 Group policies are applied in a specific order or
hierarchy
 By default, group policy is inherited and
cumulative
 Use the acronym LSDOU (local, site, domain,
organizational unit) to remember the order that a
group policy is applied.

Managing Network Performance
 As your network changes, its performance must be
monitored and improved
 A measure of normal activity is known as a baseline
 Baselines must be updated on a regular basis, when
the network has changed, or new technology has been
deployed

FILE SHARING
1.Connect both ends of Ethernet cable to the
two computers.

2. Change the Adapter Settings. Go the Control
Panel > Network and Sharing Center and then
Click Change Adapter Settings.

3. Right click the Local Area
Connection then click properties.

4. Choose the Internet Protocol
Version4 then click properties.

5. Choose both the Obtain an IP
address and DNS server address
automatically then Click Ok.

7. Determine the IP Address of
the computer you will share of.

8. To determine if the computer
already connected to the other
computer, type ping and IP
Address of it.

9. Right click the folder then
choose Share with the Specific
people and click Ok.

10. From the drop down menu,
choose Everyone then add. Don’t
forget to change the category from
Read to Read/Write. Last. Click share
then done.

11. Right click again the desired
folder then chooses Properties.

12. Click Sharing then choose
Advanced sharing.

13. Check the Share This Folder,
then Apply and click Ok.

14. Click Permissions then Click
Full Control, then Apply, Click
Caching then Ok.

15. Check if the folder has been
already shared. Go to Start
menu> Computer> and then
network.

4.1 working with user accounts
 For anyone—including the administrator—
to gain access to a server running Windows
Server 2008, the user must have an account
established on the server or in the domain
 The account defines the user name and the
user’s password.
 To maintain user accounts, you use the
Active Directory Users and Computers
console.

 You can open this console
startprogramsadministrative tools.

Create a user account
1. Click Start, click Administrative Tools, and then
click Active Directory Users and Computers.
2. In the details pane, right-click the folder in which
you want to add a user account.
3. Where?
Active Directory Users and Computers/domain
node/folder
4. Point to New, and then click User.
5. In First name, type the user's first name.
6. In Initials, type the user's initials.

7.In Last name, type the user's last name.
8.Modify Full name to add initials or reverse the order
of first and last names.
9.In User logon name, type the user logon name. Click
Next.
10.In New Object - User, in Password and Confirm
password, type the user's password, and then select
the appropriate password options.
11.Click Next, review the new user account settings, and
then click Finish.

Options while user account
creation
 User Must Change Password at Next Logon Selecting this checkbox
forces users to choose their own password when they first log in to the
system.
 User Cannot Change Password You might select this option for
resource accounts if you do not want to allow users to change their
passwords.
 Generally, however, you should not select this option; most sites allow
users to change their own passwords, and you want to permit them to
do so if you’ve also set passwords to automatically expire.
 Password Never Expires Choose this option to allow the password to
remain viable for as long as the user chooses to use it. Activating this
option for most users is generally considered a poor security practice.
 Account Is Disabled Selecting this option disables the new account.
The administrator can enable the account when needed by clearing the
checkbox.

Enable or disable a user account
 To enable or disable a user account Open the Windows
SBS(small business server) Console.
 On the navigation bar, click the Users and Groups tab,
and then click Users.
 From the list of user accounts, click the user account that
you want enable or disable.
 Under <User Account> Tasks, do one of the following:
 To enable a user account that is currently disabled, click
Enable user account.
 To disable a user account that is currently enabled, click
Disable user account.

Remove a user account from the
network
 To remove user account Open the Windows SBS
Console.
 In the list of user accounts, click the user account that you
want to remove, and then click Remove user account. A
warning message appears.
 In the warning message, do the following:
 Clear the Delete Mailbox check box if you do not want to
delete the mailbox for the user account.
 Clear the Delete Shared Folder check box if you do not want
to delete the shared folder for the user account.

Change general information for a
user account
 To change general information for a user account
Open the Windows SBS Console.
 From the list of user accounts, right-click the user account
that you want modify the general information for, and then
click Edit user account properties.
 On the <User Account> Properties page, click the
General tab, and then update any of the following
information for this user account: First name, Last name,
User name, E-mail address, Description, or Phone
number.
 Click Apply, and then click OK.

Change Remote Access
permissions for a user account
 To change Remote Access permissions for a user account
Open the Windows SBS Console.
 On the navigation bar, click the Users and Groups tab, and
then click Users.
 In the list of user accounts, right-click the user account that you
want modify the Remote Access permissions for, and then click
Edit user account properties.
 On the <User Account> Properties page, click the Remote
Access tab, and then do one of the following:
 Select the User can access Remote Web Workplace check box to
allow the user account to access the network resources from a
remote location by using Remote Web Workplace.
 Clear the User can access Remote Web Workplace check box to
prevent the user account from accessing the network resources from
a remote location by using Remote Web Workplace.

Change virtual private network
permissions for a user account
 Open the Windows SBS Console.
want modify the virtual private network permissions for,
and then click Edit user account properties.
Remote Access tab, and then do one of the following:
 Select the User can access virtual private network check
box to allow the user account to create a VPN connection to
the network.
 Clear the User can access virtual private network check
box to stop the user account from creating a VPN connection
to the network.

Change e-mail information for a
user account
 On the navigation bar, click the Users and Groups
tab, and then click Users.
 In the list of user accounts, click the user account that
you want modify e-mail information for, and then
click Edit user account properties.
General tab, and then do one or both of the following:
 To change the first name or last name for the user
account, type a new first name or last name.

 to change the user's e-mail address, type a new e-mail
address.

Change group memberships for a
user account
want modify the group memberships for, and then under
tasks, click Change group membership.
 On the <User Account>’s Group Membership page, do
one of the following:
 To add this user account to a group, select the group from
the Groups list, and then click Add.
 To remove this user account from a group, select the group
in the <User Account>'s Groups list, and then click
Remove.

Understanding User Accounts
 Three types of user accounts can be created and
configured in Windows Server 2008:
 Local accounts.
 Domain accounts.
 Built-in user accounts.

Local Accounts
 Used to access the local computer only and are stored
in the local Security Account Manager (SAM) database
on the computer where they reside.
 Never replicated to other computers, nor do these
accounts have domain access.

Domain Accounts
 Accounts used to access Active Directory or
network-based resources, such as shared folders or
printers.
 Account information for these users is stored in
the Active Directory database and replicated to all
domain controllers within the same domain.
 A subset of the domain user account information
is replicated to the global catalog, which is then
replicated to other global catalog servers
throughout the forest.

Built-in User Accounts
 Automatically created when Microsoft Windows
Server 2008 is installed.
 Built-in user accounts are created on a member server
or a standalone server.
 When you install Windows Server 2008 as a domain
controller, the ability to create and manipulate these
accounts is disabled.

Built-in User Accounts
 By default, two built-in user accounts are created on a
Windows Server 2008 computer:
 Administrator account.
 Guest account.
 Built-in user accounts can be local accounts or domain
accounts, depending on whether the server is
configured as a standalone server or a domain
controller.

Creating and Managing User
Accounts
 User accounts are usually created and managed with
Active Directory Users and Computers.

Group Accounts
 Groups are implemented to allow administrators to
assign rights and permissions to multiple users
simultaneously.
 A group can be defined as a collection of user or
computer accounts that is used to simplify the
assignment of rights or permissions to network
resources.

Group Accounts
 When a user logs on, an access token is created that
identifies the user and all of the user’s group
memberships.
 This access token is used to verify a user’s permissions
when the user attempts to access a local or network
resource.
 By using groups, multiple users can be given the same
permission level for resources on the network.
 Since a user’s access token is only generated when they
first log on to the network from their workstation, if
you add a user to a group, they will need to log off and
log back on again for that change to take effect.

Group Types
 Distribution groups – Non-security-related groups
created for the distribution of information to one or
more persons.
 Security groups - Security-related groups created for
purposes of granting resource access permissions to
multiple users.

Group Nesting
 Users can be members of more than one group.
 Groups can contain other Active Directory objects,
such as computers, and other groups.
 Groups containing groups is called group nesting.

Group Scopes
 Global
 Domain Local
 Universal

Using Global and Domain Local
Groups
 Global
 These groups can include users, computers, and
other global groups from the same domain.
 You can use them to organize users who have similar
functions and therefore similar requirements on the
network.
 Domain local
 These groups can include users, computers, and
groups from any domain in the forest.
 They are most often utilized to grant permissions
for local resources and may be used to provide
access to any resource in the domain in which they
are located.

Using Global and Domain Local
Groups
 Assign users within a domain to global groups.
 Add global groups to domain local groups.
 Assign permissions to domain local group.

Universal Groups
 These groups can include users and groups from any
domain in the AD DS forest and can be employed to
grant permissions to any resource in the forest.
 A universal group can include users, computers, and
global groups from any domain in the forest.
 Changes to universal group membership lists are
replicated to all global catalog servers throughout the
forest.

AGUDLP
 Microsoft approach to using groups:
 add Accounts to Global groups.
 add those global groups to Universal groups.
 Add universal groups to Domain Local groups.
 Finally, assign Permissions to the domain local groups.

Creating and Managing Groups
 Creating and managing groups is usually done with
Active Directory Users and Computers.

Working with Default Groups
 Account Operators – Can create, modify and delete
accounts for users, groups, and computers in all
containers and OUs.
 Cannot modify administrators, domain admins and
enterprise admin groups.
 Administrators – Complete and unrestricted access to
the computer or domain controller.
 Backup Operators - Can back up and restore all files
on the computer.

 Guests – Same privileges as members of the Users
group.
 Disabled by default
 Print Operators – Can manage printers and
document queues.
 Server Operators – Can log on a server
interactively, create and delete shares, start and
stop some services, back up and restore files,
format the disk, shutdown the computer and
modify the system date and time.

 Users – Allows general access to run applications, use
printers, shut down and start the computer and use
network shares for which they are assigned
permissions.
 DNSAdmins – Permits administrative access to the
DNS server service.

 Domain Admins – Can perform administrative tasks
on any computer anywhere in the domain.
 Domain Computers – Contains all computers.
 Used to make computer management easier through
group policies.
 Domain Controllers – Contains all computers installed
in the domain as a domain controller.

 Domain Guests – Members include all domain guests.
 Domain Users – Members include all domain users.
 Used to assign permissions to all users in the domain.
 Enterprise Admins – Allows the global administrative
privileges associated with this group, such as the
ability to create and delete domains.

 Schema Admins – Members can manage and modify
the Active Directory schema.

Special Identity Groups and Local
Groups
 Authenticated Users – Used to allow controlled access
to resources throughout the forest or domain.
 Everyone – Used to provide access to resource for all
users and guest.
 Not recommended to not assign this group to resources.

Group Implementation Plan
 A plan that states who has the ability and
responsibility to create, delete, and manage groups.
 A policy that states how domain local, global, and
universal groups are to be used.
 A policy that states guidelines for creating new groups
and deleting old groups.
 A naming standards document to keep group names
consistent.
 A standard for group nesting.

Creating Users and Groups
 Active Directory Users and Computers.
 Batch files.
 Comma-Separated Value Directory Exchange
(CSVDE).
 LDAP Data Interchange Format Directory Exchange
(LDIFDE).
 Windows Script Host (WSH).

Overview of network printer
 Understand network printing concepts.
 Understand Windows network printing.
 Understand NetWare network printing.

Understand Network Printing
Concepts
 The network should be configured for sharing printers
to enable network printing.
 Local printer, shared printer, and network printer
are the three basic printing configurations used while
designing a network and configuring printers.

Basic printing configurations for networked computers
Concepts

 Local print devices.
 Shared print devices.
Concepts

Local Print Devices
 A printer is referred to as the print device, and is used for providing
printed outputs.
 It is essential to install the necessary drivers to ensure proper
working of the print device.
 A software called printer is required to control the printing process.

 The printer determines where and when the output
should be sent.
 Local print devices provide the most convenient way of
printing from a workstation computer.
Local Print Devices

Local Print Devices
Add
Printer
Wizard

Khan
Local Print Devices
Selecting a
Printer port

Local Print Devices
Installing
the Printer
software

Local Print Devices
Printer
Sharing
window

Local Print Devices
Printers
and Faxes
window

Shared Print Devices
 Sharing a locally attached printer.
 Sharing print devices directly connected to the
network.

Sharing a Locally Attached Printer
 Repeated interruptions by multiple users may affect
the productivity of the user.
 There is a reduction in speed and response time, since
the computer’s resources are used for providing the
required output for multiple users.

Sharing Print Devices Directly
Connected to the Network
 Print devices connected to the network have their own
internal network interface card that provides network
identification to the device.
 Print devices are generally configured on a centralized
network to provide convenient access to multiple
users.
 Sharing of print devices decreases the purchase,
installation, and maintenance cost of the printer.

Understand Windows Network
Printing
 On a workgroup, a shared print device’s attributes are
stored locally on the computer.
 On a domain, the print device’s information is added
to the Active Directory (AD).
 The AD can be used when configuring the network-
printing capabilities on Windows 2000 Server and
Windows XP Professional Workstation.

 On non-domain Windows XP computers, information
about the print device can be obtained over the
network using the NetCrawler feature.
 The NetCrawler searches for and automatically adds all
available shared network objects.
Printing

Add
Printer
Wizard
Printing

Selecting a
Printer port
Printing

The following information has to be provided while
installing a network-capable print device:
 The print device’s IP address.
 The print device’s manufacturer and printer
type.
 A share name for the print device.
Printing

Understand NetWare Network Printing
 The NetWare 6.0 operating system’s printing service
includes a new printing option called iPrint.
 The iPrint service is Internet-based, and it uses the
Internet Printing Protocol (IPP) to make printing
available from any computer having an Internet
browser.
 It uses the Novell Distributed Print Services (NDPS) to
distribute the print process to all networked users.

 The NDPS effectively combines older print
components like the printer, print queue, and print
server into one print object called the Printer Agent.
 It manages the configuration of the printer through
Novell Directory Services (NDS).
 The NDPS also handles the drivers used at the
workstations.
Understand NetWare Network
Printing

NDPS includes the following components:
 Broker
 Manager
 Printer
 Gateway
 Client
Understand NetWare Network
Printing

Windows Server Backup
 Windows Server 2008 introduces a new technology for
performing backups, called Windows Server Backup.
 Similar to Shadow Copies of Shared Folders, Windows
Server Backup uses the Volume Shadow Copies Service
(VSS) to perform snapshots of the items being
protected by backup.

Windows Server Backups
 Unlike previous versions of Windows, the new
Windows Server Backup tool does not allow you to
back up individual files or directories.
 You must back up the entire volume that hosts the files
that you want to protect.
 This means that you must configure a backup
destination that is at least as large as the volume or
volumes that you wish to back up.

Windows Server Backups
 Windows Server 2008 supports two types of backup:
 Manual backup - This backup can be initiated by using
Server Backup or the Wbadmin.exe command-line tool
when a backup is needed.
 You must be a member of the Administrators group or the
Backup Operators group to launch a manual backup.
 Scheduled backup - Members of the local Administrators
group can schedule backups using the Windows Server
Backup utility or the Wbadmin.exe command-line tool.
 Scheduled backups will reformat the target drive that hosts the
backup files, and thus can be performed only on a local physical
drive that does not host any critical volumes.

Specifying the Destination Type

Selecting the Backup Destination

Specifying the VSS Backup Type

Restoring from Backups
 Whether you need to restore an individual file or
folder that a user has inadvertently deleted, or if you
need to restore all of the data stored on an entire
volume due to a hardware failure on a server, restores
of Windows Server 2008 can be performed using the
Windows Server Backup MMC snap-in, as well as the
wbadmin command-line utility.

Restoring from Backups
 You can also perform a bare-metal restore of a server
that has experienced a catastrophic hardware failure
by using the Windows Recovery Environment
(WinRE), a special boot mode that provides a
centralized platform for operating system recovery.
 Unlike traditional restores in which data files are
restored onto an existing operating system, a bare-
metal restore allows you to restore operating system
and data files onto a server that does not have a pre-
existing operating system.

Inspiration Credits:My Students

Unit4 NMA working with user accounts WINDOWS SERVER 2008

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Unit4 NMA working with user accounts WINDOWS SERVER 2008

Similar to Unit4 NMA working with user accounts WINDOWS SERVER 2008 (20)

More from Sangeetha Rangarajan

More from Sangeetha Rangarajan (8)

Recently uploaded

Recently uploaded (20)

Unit4 NMA working with user accounts WINDOWS SERVER 2008

Editor's Notes