Managing Local Users & Groups

Managing Local Users & Groups

OVERVIEW

• Configure and manage user accounts

• Manage user account properties

• Manage user and group rights

• Configure user account policy

Managing Local Users & Groups

USER ACCOUNTS

• Identify users to the system and to each other

• All processes in Windows run under the guise of a user account

• System and service processes even run as users

• Used to grant access to resources

• Associate SID with DACLs belonging to objects

• Collect information about users

• Active Directory user properties – phone/fax numbers, etc…

Managing Local Users & Groups

Local user account

•Exists on a single computer

•Cannot be used to gain domain access of any kind

•Stores details about Security & Preferences

Domain user account

•Exists in a domain or in any trusting domain by virtue of being created on a domain controller

Managing Local Users & Groups

GROUPS

• Collections of user accounts

• Simplify access to resources

• Can be used for security and messaging (Active Directory)

• Local Groups exist only on the computer on which they were created

Managing Local Users & Groups

BUILT-IN USER ACCOUNTS

• Configured during setup

• Administrator

• Guest

• Used for administration or guest access

• Can be renamed but not deleted

Managing Local Users & Groups

BUILT-IN USER ACCOUNTS

• Administrator account (most powerful in XP)

• Retains its distinctive SID even if renamed

• Cannot be locked out

• Can have a blank password

• Can be disabled

Managing Local Users & Groups

BUILT-IN USER ACCOUNTS

• Guest (least privileged user)

• Disabled by default - should be left disabled

• Cannot be deleted

• Can be disabled

• Can be locked out

• Can have a blank password

• Cannot be identified in security audit

Managing Local Users & Groups

BUILT-IN GROUPS

• Created during setup

• Administrators

• Backup Operators

• Power Users

• Remote Desktop Users

• Users

• Guests

Managing Local Users & Groups

BUILT-IN GROUPS

• Designed for specific use or administrative roles

• User accounts can be added as members

• Built-in groups cannot be removed

• Local user can be a member of multiple groups

Managing Local Users & Groups

DEFAULT GROUPS

• Administrators

• Backup Operators

• Guests

• Network Configuration Operators

• Power Users

• Remote Desktop Users

Managing Local Users & Groups

DOMAIN ACCOUNTS AND GROUPS

• Give domain users rights and permissions on local system

• Include built-in and user-defined accounts and groups

• Provide logon and resource access to local system

• Can be placed into local groups

Managing Local Users & Groups

LOCAL USERS AND GROUPS

Managing Local Users & Groups

CONTROL PANEL USER ACCOUNTS

Managing Local Users & Groups

ACTIVE DIRECTORY USER ACCOUNTS

Managing Local Users & Groups

Managing Local Users & Groups

TROUBLESHOOTING USER ACCOUNTS

• Most common problem associated with user accounts is password issues

• Another issue might be mis-configuration of user account details or group membership

• Provide logon and resource access to local system

• Can be placed into local groups