Most computers that are members of a domain have only the local Administrator and Guest user accounts in their security databases. You can get to the snap-in by choosing Start, Settings, Control Panel, Administrative Tools, Computer Management and then by expanding the tree pane of the Computer Management console until you see snap-in. In this snap-in, you can create, modify, duplicate, and delete users in the Users folder and groups in the Groups folder.
As mentioned earlier in this chapter, there are two built-in user accounts: Administrator and Guest. The Administrator account. Has, through its membership in the Administrators group, all privileges required to perform system administration duties. Is disabled by default. Only a member of the Administrators group can enable the account. If the Guest account is enabled, it should be given a password, and User Cannot Change Password should be set if multiple users will log on with the account.
Built-in local groups have assigned to them specific privileges also called user rights that allow them to perform specific sets of tasks on a system. The following are the default local group accounts on a Windows Professional system:. They can create and modify user and group accounts, manage security policies, create printers, and manage permissions to resources on the system. The local Administrator account is the default member and cannot be removed.
Other accounts can be added and removed. When a system joins a domain, the Domain Admins group is added, but it can be removed. They can log on and shut down a system but cannot change security settings. They cannot modify user accounts they did not create, nor can they modify the Administrators or Backup Operators groups. Members of the Power Users group cannot take ownership of files, back up or restore directories, load or unload device drivers, or manage the security and auditing logs.
If you want certain users to have broad system administration capabilities but do not want them to be able to access all system resources, you should consider putting them in the Backup Operators and Power Users groups rather than in the Administrators group. They cannot create local printers or share folders. Some older legacy applications do not run for members of the Users group because security settings are tighter for the Users group in Windows than in Windows NT 4.
By default, all local user accounts you create are added to the Users group. In addition, when a system joins a domain, the Domain Users group is made a member of that system's local Users group. Members of the Guests group cannot make permanent changes to their desktops or profiles. By default, the built-in local Guest account is a member of this group. When a system joins a domain, the Domain Guests group is added to the local Guests group. A Windows Professional system also has built-in s ystem groups, which you do not see in the user interface while managing other group accounts.
Membership of system groups changes based on how the computer is being accessed or utilized, not based on who is accessing the computer. Built-in system groups are also referred to as special identity groups and include the following:. You should use the Authenticated Users group rather than the Everyone group to assign privileges and group permissions because doing so prevents anonymous access to resources.
If the user is a member of the Administrators group, the Creator Owner group is the owner of the resource. To create a local user or group account, you right-click the appropriate folder Users or Groups and choose New User or New Group , enter the appropriate attributes, and then click Create. They are not case sensitive, although the user account's name property displays the case as entered.
You should determine a policy for accommodating users who have the same name. For example, you can add a number after the username for example, JohnD1 , JohnD2. Some organizations also identify certain types of users by their usernames for example, JohnDoe-Temp for a temporary employee. They can contain up to characters, although down-level operating systems such as Windows NT 4 and Windows 9x support only character passwords.
They should be difficult to guess and, preferably, should mix uppercase and lowercase letters, numerals, and nonalphanumeric characters other than those listed previously as being prohibited. They can be set by the administrator who can then determine whether users must, can, or cannot change their passwords or the user if the administrator has not specified otherwise.
From the Local Users and Groups node of the Computer Management console, or from the Active Directory Users and Computers console on a domain controller, you can select User Must Change Password at Next Logon to ensure that the user is the only one who knows the account's password.
You can select User Cannot Change Password when more than one person such as the Guest user account uses the account. The Password Never Expires option is helpful when a program or a service uses an account. To avoid having to reconfigure the service with a new password, you can simply set the service's account to retain its password indefinitely.
The information you can specify when creating an account is limited in Windows Therefore, after you create an account, you often need to go to the account's properties sheet, which you can access by right-clicking the account and choosing Properties. Figure 3. To manage the membership of a local group, you right-click the group and choose Properties. To remove a member, you select the account and click Remove. To add a member, you click Add and select or enter the name of the account.
In a workgroup, local groups can contain only accounts defined in the same machine's local security database. When a system belongs to a domain, its local groups can also include domain accounts, including user accounts, universal groups, and global groups from the enterprise's Active Directory database, as well as domain local groups from within the system's domain.
Universal groups and domain local groups can be added as members only when the domain is in native mode, meaning that it contains only Windows domain controllers and no legacy that is, Windows NT 4. To rename an account, you right-click the account and choose Rename.
Then you type the new name and press Enter. Each user and group account is represented in the local security database by a long, unique string called a security identifier SID , which is generated when the account is created.
The SID is what is actually assigned permissions and privileges. The user or group name is just a user-friendly "face" on that process.
Therefore, when you rename an account, the account's SID remains the same, so the account retains all its group memberships, permissions, and privileges. Two situations mandate renaming an account.
The first occurs when one user stops using a system and a new user requires the same access as the first. Rather than create a new local user account for the new user, you can simply rename the old user account. The account's SID remains the same, so its group memberships, privileges, and permissions are retained. You should also specify a new password in the account's properties sheet and select the User Must Change Password at Next Logon option. The easiest way to "replace" a user is to rename the account.
Therefore, when one user leaves and another requires the same group memberships, rights, and resource access permissions as the first, you can simply rename the former user's account. You should not forget to reset the account's password because the new user won't otherwise know the old user's password. The second situation that warrants renaming a user account is the security practice of renaming the built-in Administrator and Guest accounts.
You cannot delete these accounts, nor can you disable or remove the Administrator account from the Local Administrators group, so renaming the accounts is a recommended practice for hindering malicious access to a system.
To disable or enable a user account, you open its properties sheet and select or clear the Account Is Disabled check box. If an account is disabled, a user cannot log on to the system by using that account. The Administrator account cannot be disabled, and only administrators can enable the Guest account. You can delete a local user or group account but not built-in accounts such as Administrator, Guest, or Backup Operators by right-clicking the account and choosing Delete.
When you delete a group, you delete the group account only, not the accounts of its members. A group is a membership list, not a container. When you delete an account, you are deleting its SID. For that reason, and to facilitate auditing, it is recommended that you disable, not delete, any user who leaves an organization. A different tool for administering local user accounts is the Users and Passwords applet in the Control Panel.
This utility allows you to create and remove user accounts as well as specify group membership for those users. The Users and Passwords applet is wizard driven and is useful for novice administrators and home users. You double-click the Users and Passwords icon in the Control Panel to run this utility.
The Users and Passwords applet provides an opportunity to override the logon requirement for a system. This feature is discussed later in this chapter, in the "Authentication" section. Unfortunately, it is not possible to rename a domain.
Change the primary domain name of your account. For example, if the DNS domain name is contoso. If the DNS domain name is corp. Click on System and Security. Click on System. Click the Change settings option. Click the Computer Name tab. Click the Change button. Specify a new name for your computer. Click the OK button. Just open up System Preferences, go to Sharing, and change the computer name. You may need to change the name under your Network setting also.
It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. Open network connection properties.
You can rename the domain, but some versions of exchange break when you do it. You can add UPN Suffixes so they can login with user contoso.
To continue this discussion, please ask a new question. Get answers from your peers along with millions of IT pros who visit Spiceworks. Best Answer. View this "Best Answer" in the replies below ». Which of the following retains the information it's storing when the system power is turned off?
Submit ». Pure Capsaicin. Davison May 31, at UTC.
0コメント