Working with user accounts, modification, deletion, creating a group and its policies, share and printer sharing over a network, and Windows Server Backup 2008
3. INDEX
4.1 Working with user accounts
4.2 Working with security groups
4.3 Working with shares
4.4 Working with printers
4.5 Working with Windows backup
4.6 Using Windows Server Backup software
4. Network Management Tasks and Activities
Managing user access to the network is a major
challenge of network administration
Access to resources and data must be controlled but
not overly restricted
Assigning users to groups will make the
administration of user rights much easier
5. Managing Access and Accounts
Setting up user accounts is less complicated than
assigning access rights
Every OS has procedures and/or an interface for
setting up accounts
It is better to add privileges than to take them away
from users
Start with fairly restrictive account policies
6. User Accounts
A user account holds information about the
specific user
It can contain basic information such as name,
password, and the level of permission the user is
granted
It can also contain much more specific information
such as the department the user works in, a home
phone number, and the days and hours the user is
allowed to log on to specific workstations
7. Managing Groups
Groups are created to make the sharing of
resources more manageable
A group contains users that share a common need
for access to a particular resource
Even though the connotations may differ with each
operating system, all of these terms still refer to
the access that a user or group account is granted
8. Administrator Account
All operating systems have an administrative
account
The administrative account should be used only
for the purpose of administering the server
Granting users this type of access is a disaster
waiting to happen
Most operating systems set up the administrative
account during installation
9. Default Accounts
Windows has several accounts set up by default
No matter which system is used, it is important to
know what accounts are installed by default and
what access each account has
The purpose of the guest account is to allow
temporary access for a user that doesn’t have an
account set up
10. The Guest Account
The guest account has limited access, but many
times is disabled to keep intruders from accessing
the machine
11. Passwords
Allowing users to create simple passwords
produces an unsecured environment
If the passwords are too difficult to remember,
users will probably write them down and may even
post them
A weak password might be very short or only use
alphanumeric characters or contain information
easily guessed by someone profiling the user
12. Strong Passwords
Strong passwords can be derived from events or things
the user knows
For example, the phrase "Going to the Bahamas on
June 6, 2006 with Jean" can be converted to gtB6606@J
This creates a complex password that is easy for the
user to remember
13. Password Policies
Password policies help protect the network from
hackers and define the responsibilities of users
who have been given access to company resources
All users should read and sign security policies as
part of their employment process
Many times it is necessary to restrict logon hours
for maintenance purposes.
14. Access to Files
Auditing is the process of keeping track of who is
logging in and accessing what files
Network administrators assign user access rights and
set permissions
Limited group access overrides unlimited access in
another group
15. Types of Groups
Groups may be nested
Active Directory Services provides flexibility by
allowing two types of groups:
Security groups
Distribution groups
Both types of groups have what is called a scope
Scope determines where the group can be used in
the network and who can be a member
16. Group Scope
The three group scopes available in a Windows 2000
network are:
domain local
global
universal
The acronym GULP will help you remember how
groups are placed into other groups.
17. Permission Assignment
For a user-based model, permissions are assigned
to each user account
For group-based access control, permissions are
assigned to groups
For role-based access control, a role is associated
with a job and permissions are assigned to these
roles
Rule-based access control is based on access
control lists (ACLs)
18. Group Policy
After you create groups, group policy can be used
for ease of administration in managing the
environment of users
The group policy object (GPO) is used to apply
group policy to users and computers
A GPO is a virtual storage location for group policy
settings, which are stored in the Group Policy
container or template
19. Managing Access and Accounts
Group policy allows you to set consistent common
security standards
Group policies are applied in a specific order or
hierarchy
By default, group policy is inherited and
cumulative
Use the acronym LSDOU (local, site, domain,
organizational unit) to remember the order that a
group policy is applied.
20. Managing Network Performance
As your network changes, its performance must be
monitored and improved
A measure of normal activity is known as a baseline
Baselines must be updated on a regular basis, when
the network has changed, or new technology has been
deployed
55. 15. Check if the folder has been
already shared. Go to Start
menu> Computer> and then
network.
57. 4.1 Working with user accounts
For anyone—including the administrator—
to gain access to a server running Windows
Server 2008, the user must have an account
established on the server or in the domain
The account defines the user name and the
user’s password.
To maintain user accounts, you use the
Active Directory Users and Computers
console.
58. You can open this console from
Start > Programs > Administrative Tools.
59. Create a user account
1. Click Start, click Administrative Tools, and then
click Active Directory Users and Computers.
2. In the details pane, right-click the folder in which
you want to add a user account.
3. Where?
Active Directory Users and Computers/domain
node/folder
4. Point to New, and then click User.
5. In First name, type the user's first name.
6. In Initials, type the user's initials.
60. 7. In Last name, type the user's last name.
8. Modify Full name to add initials or reverse the order
of first and last names.
9. In User logon name, type the user logon name. Click
Next.
10. In New Object - User, in Password and Confirm
password, type the user's password, and then select
the appropriate password options.
11. Click Next, review the new user account settings, and
then click Finish.
61. Options during user account
creation
User Must Change Password at Next Logon: Selecting this checkbox
forces users to choose their own password when they first log in to the
system.
User Cannot Change Password: You might select this option for
resource accounts if you do not want to allow users to change their
passwords.
Generally, however, you should not select this option; most sites allow
users to change their own passwords, and you want to permit them to
do so if you’ve also set passwords to automatically expire.
Password Never Expires: Choose this option to allow the password to
remain valid for as long as the user chooses to use it. Activating this
option for most users is generally considered a poor security practice.
Account Is Disabled: Selecting this option disables the new account.
The administrator can enable the account when needed by clearing the
checkbox.
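The options above can be audited across a domain after accounts have been created. The following is an added example, not part of the original slides: it lists enabled accounts that have Password Never Expires set, using the documented userAccountControl bit flags and pwdLastSet attribute. It assumes PowerShell 2.0 or later on a domain-joined computer; the function name Get-UserByUacFlag is illustrative. User Cannot Change Password is stored as an access control entry on the user object rather than as a reliable flag bit, so it is not covered.

```powershell
# Added example (not from the original slides). Read-only query against
# Active Directory; assumes PowerShell 2.0+ on a domain-joined computer.

# Documented userAccountControl bit flags
$UacFlags = @{
    AccountDisabled      = 0x00002   # "Account Is Disabled"
    PasswordNeverExpires = 0x10000   # "Password Never Expires"
}

function Get-UserByUacFlag {
    param([Parameter(Mandatory = $true)][int]$Flag)

    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the
    # domain controller filters on the flag instead of the client.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$Flag))"
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 500   # page results so large domains are not truncated
    foreach ($p in 'samaccountname', 'distinguishedname',
                   'useraccountcontrol', 'pwdlastset') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $uac = [int]$r.Properties['useraccountcontrol'][0]

            # pwdLastSet = 0 is how AD records
            # "User Must Change Password at Next Logon".
            $pwdLastSet = 0
            if ($r.Properties['pwdlastset'].Count -gt 0) {
                $pwdLastSet = [long]$r.Properties['pwdlastset'][0]
            }
            $lastSet = $null
            if ($pwdLastSet -gt 0) {
                $lastSet = [DateTime]::FromFileTimeUtc($pwdLastSet)
            }

            New-Object PSObject -Property @{
                SamAccountName        = [string]$r.Properties['samaccountname'][0]
                DistinguishedName     = [string]$r.Properties['distinguishedname'][0]
                Disabled              = (($uac -band $UacFlags.AccountDisabled) -ne 0)
                PasswordNeverExpires  = (($uac -band $UacFlags.PasswordNeverExpires) -ne 0)
                MustChangeAtNextLogon = ($pwdLastSet -eq 0)
                PasswordLastSet       = $lastSet
            }
        }
    }
    finally {
        $results.Dispose()
    }
}

# Enabled accounts whose password never expires, oldest password first.
Get-UserByUacFlag -Flag $UacFlags.PasswordNeverExpires |
    Where-Object { -not $_.Disabled } |
    Sort-Object PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, MustChangeAtNextLogon, DistinguishedName |
    Format-Table -AutoSize
```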
62. Enable or disable a user account
To enable or disable a user account, open the Windows
SBS (Small Business Server) Console.
On the navigation bar, click the Users and Groups tab,
and then click Users.
From the list of user accounts, click the user account that
you want to enable or disable.
Under <User Account> Tasks, do one of the following:
To enable a user account that is currently disabled, click
Enable user account.
To disable a user account that is currently enabled, click
Disable user account.
63. Remove a user account from the
network
To remove a user account, open the Windows SBS
Console.
On the navigation bar, click the Users and Groups tab,
and then click Users.
In the list of user accounts, click the user account that you
want to remove, and then click Remove user account. A
warning message appears.
In the warning message, do the following:
Clear the Delete Mailbox check box if you do not want to
delete the mailbox for the user account.
Clear the Delete Shared Folder check box if you do not want
to delete the shared folder for the user account.
64. Change general information for a
user account
To change general information for a user account
Open the Windows SBS Console.
On the navigation bar, click the Users and Groups tab,
and then click Users.
From the list of user accounts, right-click the user account
that you want to modify the general information for, and then
click Edit user account properties.
On the <User Account> Properties page, click the
General tab, and then update any of the following
information for this user account: First name, Last name,
User name, E-mail address, Description, or Phone
number.
Click Apply, and then click OK.
65. Change Remote Access
permissions for a user account
To change Remote Access permissions for a user account
Open the Windows SBS Console.
On the navigation bar, click the Users and Groups tab, and
then click Users.
In the list of user accounts, right-click the user account that you
want to modify the Remote Access permissions for, and then click
Edit user account properties.
On the <User Account> Properties page, click the Remote
Access tab, and then do one of the following:
Select the User can access Remote Web Workplace check box to
allow the user account to access the network resources from a
remote location by using Remote Web Workplace.
Clear the User can access Remote Web Workplace check box to
prevent the user account from accessing the network resources from
a remote location by using Remote Web Workplace.
Click Apply, and then click OK.
66. Change virtual private network
permissions for a user account
Open the Windows SBS Console.
On the navigation bar, click the Users and Groups tab,
and then click Users.
In the list of user accounts, click the user account that you
want to modify the virtual private network permissions for,
and then click Edit user account properties.
On the <User Account> Properties page, click the
Remote Access tab, and then do one of the following:
Select the User can access virtual private network check
box to allow the user account to create a VPN connection to
the network.
Clear the User can access virtual private network check
box to stop the user account from creating a VPN connection
to the network.
Click Apply, and then click OK.
67. Change e-mail information for a
user account
Open the Windows SBS Console.
On the navigation bar, click the Users and Groups
tab, and then click Users.
In the list of user accounts, click the user account that
you want to modify e-mail information for, and then
click Edit user account properties.
On the <User Account> Properties page, click the
General tab, and then do one or both of the following:
To change the first name or last name for the user
account, type a new first name or last name.
68. To change the user's e-mail address, type a new e-mail
address.
Click Apply, and then click OK.
69. Change group memberships for a
user account
Open the Windows SBS Console.
On the navigation bar, click the Users and Groups tab,
and then click Users.
In the list of user accounts, click the user account that you
want to modify the group memberships for, and then under
tasks, click Change group membership.
On the <User Account>’s Group Membership page, do
one of the following:
To add this user account to a group, select the group from
the Groups list, and then click Add.
To remove this user account from a group, select the group
in the <User Account>'s Groups list, and then click
Remove.
70. Understanding User Accounts
Three types of user accounts can be created and
configured in Windows Server 2008:
Local accounts.
Domain accounts.
Built-in user accounts.
71. Local Accounts
Used to access the local computer only and are stored
in the local Security Account Manager (SAM) database
on the computer where they reside.
Never replicated to other computers, nor do these
accounts have domain access.
72. Domain Accounts
Accounts used to access Active Directory or
network-based resources, such as shared folders or
printers.
Account information for these users is stored in
the Active Directory database and replicated to all
domain controllers within the same domain.
A subset of the domain user account information
is replicated to the global catalog, which is then
replicated to other global catalog servers
throughout the forest.
73. Built-in User Accounts
Automatically created when Microsoft Windows
Server 2008 is installed.
Built-in user accounts are created on a member server
or a standalone server.
When you install Windows Server 2008 as a domain
controller, the ability to create and manipulate these
accounts is disabled.
74. Built-in User Accounts
By default, two built-in user accounts are created on a
Windows Server 2008 computer:
Administrator account.
Guest account.
Built-in user accounts can be local accounts or domain
accounts, depending on whether the server is
configured as a standalone server or a domain
controller.
75. Creating and Managing User
Accounts
User accounts are usually created and managed with
Active Directory Users and Computers.
79. Group Accounts
Groups are implemented to allow administrators to
assign rights and permissions to multiple users
simultaneously.
A group can be defined as a collection of user or
computer accounts that is used to simplify the
assignment of rights or permissions to network
resources.
80. Group Accounts
When a user logs on, an access token is created that
identifies the user and all of the user’s group
memberships.
This access token is used to verify a user’s permissions
when the user attempts to access a local or network
resource.
By using groups, multiple users can be given the same
permission level for resources on the network.
Since a user’s access token is only generated when they
first log on to the network from their workstation, if
you add a user to a group, they will need to log off and
log back on again for that change to take effect.
81. Group Types
Distribution groups – Non-security-related groups
created for the distribution of information to one or
more persons.
Security groups - Security-related groups created for
purposes of granting resource access permissions to
multiple users.
82. Group Nesting
Users can be members of more than one group.
Groups can contain other Active Directory objects,
such as computers, and other groups.
Placing groups inside other groups is called group nesting.
84. Using Global and Domain Local
Groups
Global
These groups can include users, computers, and
other global groups from the same domain.
You can use them to organize users who have similar
functions and therefore similar requirements on the
network.
Domain local
These groups can include users, computers, and
groups from any domain in the forest.
They are most often utilized to grant permissions
for local resources and may be used to provide
access to any resource in the domain in which they
are located.
85. Using Global and Domain Local
Groups
Assign users within a domain to global groups.
Add global groups to domain local groups.
Assign permissions to domain local group.
86. Universal Groups
These groups can include users and groups from any
domain in the AD DS forest and can be employed to
grant permissions to any resource in the forest.
A universal group can include users, computers, and
global groups from any domain in the forest.
Changes to universal group membership lists are
replicated to all global catalog servers throughout the
forest.
87. AGUDLP
Microsoft's approach to using groups:
Add Accounts to Global groups.
Add those global groups to Universal groups.
Add universal groups to Domain Local groups.
Finally, assign Permissions to the domain local groups.
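One way to check an existing domain against the AGUDLP pattern above, as an added example that is not part of the original slides: it lists domain local security groups that hold user accounts as direct members instead of through global or universal groups. It assumes PowerShell 2.0 or later on a domain-joined computer, uses the documented groupType bit flags, and all function names are illustrative.

```powershell
# Added example (not from the original slides). Read-only query against
# Active Directory; assumes PowerShell 2.0+ on a domain-joined computer.

# Documented groupType bit flags
$GT_BUILTIN      = 0x1          # built-in local groups (Administrators, Users, ...)
$GT_DOMAIN_LOCAL = 0x4
$GT_SECURITY     = '2147483648' # 0x80000000, written as decimal for the LDAP filter
$BitAnd          = '1.2.840.113556.1.4.803'   # LDAP bitwise-AND matching rule

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Escape characters that are special inside an LDAP search filter (RFC 4515).
    # The backslash must be handled first.
    $Value = $Value.Replace('\', '\5c')
    $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-DirectUserMember {
    param([string]$GroupDn)
    # Searching on memberOf avoids the range limit on a group's member attribute.
    $dn = ConvertTo-LdapFilterValue $GroupDn
    $s  = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(memberOf=$dn))"
    $s.PageSize = 500
    [void]$s.PropertiesToLoad.Add('samaccountname')
    $found = $s.FindAll()
    try {
        foreach ($u in $found) { [string]$u.Properties['samaccountname'][0] }
    }
    finally { $found.Dispose() }
}

function Find-AgudlpViolation {
    # Domain local security groups, excluding the built-in local groups.
    $filter = "(&(objectCategory=group)" +
              "(groupType:${BitAnd}:=$GT_DOMAIN_LOCAL)" +
              "(groupType:${BitAnd}:=$GT_SECURITY)" +
              "(!(groupType:${BitAnd}:=$GT_BUILTIN)))"
    $s = [adsisearcher]$filter
    $s.PageSize = 500
    foreach ($p in 'samaccountname', 'distinguishedname') {
        [void]$s.PropertiesToLoad.Add($p)
    }
    $groups = $s.FindAll()
    try {
        foreach ($g in $groups) {
            $dn    = [string]$g.Properties['distinguishedname'][0]
            $users = @(Get-DirectUserMember $dn)
            if ($users.Count -gt 0) {
                New-Object PSObject -Property @{
                    Group       = [string]$g.Properties['samaccountname'][0]
                    DirectUsers = $users.Count
                    Users       = ($users -join ', ')
                }
            }
        }
    }
    finally { $groups.Dispose() }
}

# Groups listed here grant access to accounts directly, bypassing the
# global and universal group layers.
Find-AgudlpViolation |
    Sort-Object DirectUsers -Descending |
    Select-Object Group, DirectUsers, Users |
    Format-Table -AutoSize -Wrap
```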
88. Creating and Managing Groups
Creating and managing groups is usually done with
Active Directory Users and Computers.
91. Working with Default Groups
Account Operators – Can create, modify and delete
accounts for users, groups, and computers in all
containers and OUs.
Cannot modify administrators, domain admins and
enterprise admin groups.
Administrators – Complete and unrestricted access to
the computer or domain controller.
Backup Operators - Can back up and restore all files
on the computer.
92. Working with Default Groups
Guests – Same privileges as members of the Users
group.
Disabled by default
Print Operators – Can manage printers and
document queues.
Server Operators – Can log on to a server
interactively, create and delete shares, start and
stop some services, back up and restore files,
format the disk, shut down the computer and
modify the system date and time.
93. Working with Default Groups
Users – Allows general access to run applications, use
printers, shut down and start the computer and use
network shares for which they are assigned
permissions.
DNSAdmins – Permits administrative access to the
DNS server service.
94. Working with Default Groups
Domain Admins – Can perform administrative tasks
on any computer anywhere in the domain.
Domain Computers – Contains all computers.
Used to make computer management easier through
group policies.
Domain Controllers – Contains all computers installed
in the domain as a domain controller.
95. Working with Default Groups
Domain Guests – Members include all domain guests.
Domain Users – Members include all domain users.
Used to assign permissions to all users in the domain.
Enterprise Admins – Allows the global administrative
privileges associated with this group, such as the
ability to create and delete domains.
96. Working with Default Groups
Schema Admins – Members can manage and modify
the Active Directory schema.
97. Special Identity Groups and Local
Groups
Authenticated Users – Used to allow controlled access
to resources throughout the forest or domain.
Everyone – Used to provide access to resources for all
users and guests.
It is not recommended to assign this group to resources.
98. Group Implementation Plan
A plan that states who has the ability and
responsibility to create, delete, and manage groups.
A policy that states how domain local, global, and
universal groups are to be used.
A policy that states guidelines for creating new groups
and deleting old groups.
A naming standards document to keep group names
consistent.
A standard for group nesting.
99. Creating Users and Groups
Active Directory Users and Computers.
Batch files.
Comma-Separated Value Directory Exchange
(CSVDE).
LDAP Data Interchange Format Directory Exchange
(LDIFDE).
Windows Script Host (WSH).
100. Overview of network printer
Understand network printing concepts.
Understand Windows network printing.
Understand NetWare network printing.
101. Understand Network Printing
Concepts
The network should be configured for sharing printers
to enable network printing.
Local printer, shared printer, and network printer
are the three basic printing configurations used while
designing a network and configuring printers.
104. Local Print Devices
A printer is referred to as the print device, and is used for providing
printed outputs.
It is essential to install the necessary drivers to ensure proper
working of the print device.
Software called the printer is required to control the printing process.
105. The printer determines where and when the output
should be sent.
Local print devices provide the most convenient way of
printing from a workstation computer.
111. Shared Print Devices
Sharing a locally attached printer.
Sharing print devices directly connected to the
network.
112. Sharing a Locally Attached Printer
Repeated interruptions by multiple users may affect
the productivity of the user.
There is a reduction in speed and response time, since
the computer’s resources are used for providing the
required output for multiple users.
113. Sharing Print Devices Directly
Connected to the Network
Print devices connected to the network have their own
internal network interface card that provides network
identification to the device.
Print devices are generally configured on a centralized
network to provide convenient access to multiple
users.
Sharing of print devices decreases the purchase,
installation, and maintenance cost of the printer.
114. Understand Windows Network
Printing
On a workgroup, a shared print device’s attributes are
stored locally on the computer.
On a domain, the print device’s information is added
to the Active Directory (AD).
The AD can be used when configuring the network-
printing capabilities on Windows 2000 Server and
Windows XP Professional Workstation.
115. On non-domain Windows XP computers, information
about the print device can be obtained over the
network using the NetCrawler feature.
The NetCrawler searches for and automatically adds all
available shared network objects.
118. The following information has to be provided while
installing a network-capable print device:
The print device’s IP address.
The print device’s manufacturer and printer
type.
A share name for the print device.
119. Understand NetWare Network Printing
The NetWare 6.0 operating system’s printing service
includes a new printing option called iPrint.
The iPrint service is Internet-based, and it uses the
Internet Printing Protocol (IPP) to make printing
available from any computer having an Internet
browser.
It uses the Novell Distributed Print Services (NDPS) to
distribute the print process to all networked users.
120. The NDPS effectively combines older print
components like the printer, print queue, and print
server into one print object called the Printer Agent.
It manages the configuration of the printer through
Novell Directory Services (NDS).
The NDPS also handles the drivers used at the
workstations.
121. NDPS includes the following components:
Broker
Manager
Printer
Gateway
Client
122. Windows Server Backup
Windows Server 2008 introduces a new technology for
performing backups, called Windows Server Backup.
Similar to Shadow Copies of Shared Folders, Windows
Server Backup uses the Volume Shadow Copies Service
(VSS) to perform snapshots of the items being
protected by backup.
123. Windows Server Backups
Unlike previous versions of Windows, the new
Windows Server Backup tool does not allow you to
back up individual files or directories.
You must back up the entire volume that hosts the files
that you want to protect.
This means that you must configure a backup
destination that is at least as large as the volume or
volumes that you wish to back up.
124. Windows Server Backups
Windows Server 2008 supports two types of backup:
Manual backup - This backup can be initiated by using
Server Backup or the Wbadmin.exe command-line tool
when a backup is needed.
You must be a member of the Administrators group or the
Backup Operators group to launch a manual backup.
Scheduled backup - Members of the local Administrators
group can schedule backups using the Windows Server
Backup utility or the Wbadmin.exe command-line tool.
Scheduled backups will reformat the target drive that hosts the
backup files, and thus can be performed only on a local physical
drive that does not host any critical volumes.
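A manual backup as described above, wrapped in the checks these slides call for (group membership, whole-volume scope, and a destination at least as large as the source volume). This is an added example, not part of the original slides; it assumes an elevated PowerShell prompt on a server with Windows Server Backup and its command-line tools installed, and the drive letters and the function name Start-ManualVolumeBackup are placeholders.

```powershell
# Added example (not from the original slides). Run elevated on a server
# that has the Windows Server Backup feature and command-line tools installed.

function Start-ManualVolumeBackup {
    param(
        # Drive letters only (for example 'D:'); Windows Server Backup on
        # Windows Server 2008 protects whole volumes, not individual folders.
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z]:$')][string]$SourceVolume,
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z]:$')][string]$TargetVolume
    )

    # A manual backup requires Administrators or Backup Operators membership.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $roles = [Security.Principal.WindowsBuiltInRole]::Administrator,
             [Security.Principal.WindowsBuiltInRole]::BackupOperator
    $allowed = $false
    foreach ($role in $roles) {
        if ($principal.IsInRole($role)) { $allowed = $true }
    }
    if (-not $allowed) {
        throw "Current user is not in Administrators or Backup Operators (or the prompt is not elevated)."
    }

    if ($SourceVolume -eq $TargetVolume) {
        throw "Source and target volume must be different."
    }

    # The destination must be at least as large as the volume being backed up.
    $src = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$SourceVolume'"
    $dst = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$TargetVolume'"
    if (-not $src -or -not $dst) {
        throw "Source or target volume was not found."
    }
    if ($dst.Size -lt $src.Size) {
        throw "Target $TargetVolume ($($dst.Size) bytes) is smaller than source $SourceVolume ($($src.Size) bytes)."
    }

    # Quote the arguments so PowerShell passes them to wbadmin unchanged.
    & wbadmin.exe start backup "-backupTarget:$TargetVolume" "-include:$SourceVolume" -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin start backup failed with exit code $LASTEXITCODE."
    }

    # List the backups now stored on the target so the new one can be confirmed.
    & wbadmin.exe get versions "-backupTarget:$TargetVolume"
}

# Placeholder drive letters: back up data volume D: to local disk E:.
Start-ManualVolumeBackup -SourceVolume 'D:' -TargetVolume 'E:'
```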
135. Restoring from Backups
Whether you need to restore an individual file or
folder that a user has inadvertently deleted, or if you
need to restore all of the data stored on an entire
volume due to a hardware failure on a server, restores
of Windows Server 2008 can be performed using the
Windows Server Backup MMC snap-in, as well as the
wbadmin command-line utility.
136. Restoring from Backups
You can also perform a bare-metal restore of a server
that has experienced a catastrophic hardware failure
by using the Windows Recovery Environment
(WinRE), a special boot mode that provides a
centralized platform for operating system recovery.
Unlike traditional restores in which data files are
restored onto an existing operating system, a bare-
metal restore allows you to restore operating system
and data files onto a server that does not have a pre-
existing operating system.
Emphasize that when assigning rights, it is always preferred to assign first to groups before assigning to users.
Troubleshooting 101. You must log off to get new tokens when added to a group.
You cannot assign rights and permissions to a distribution group.
Show all tabs.
Mention that it is ideal to have two user accounts for administrators. One for everyday stuff, including checking email, and one for administration. Also, if you have Blackberry devices and you are added to domain admins or account operators, you may not work with a Blackberry device/Enterprise server.
This is a good time to review Full, Incremental and Differential backups and who would use them. You can also discuss using third-party backups that will usually give you more options and flexibility.