Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97



Chapter 7
Managing Users and Groups

by David Schaer and Theresa Hadden

7.1. Overview

This chapter provides you with the necessary knowledge to meet the MCSE exam objective of managing groups and users.

7.1.1. Objectives

The objective of this chapter is to ensure that you have a thorough understanding of NT user and group management. You will understand the following:

  The function and features of User Manager for Domains
  How to manage user and group accounts
  The relationship of user and group accounts to permissions
  How to manage user account policies and profiles
  How to troubleshoot user access problems

7.1.2. Fast Facts

The following list of facts is a concise picture of the information presented in this chapter. It acts as both an overview for the chapter and as a study aid to help you do any last-minute cramming.

  User Manager for Domains uses RPC calls to communicate with the PDC.
  Each domain contains only one SAM database, which resides on the PDC; read-only copies are placed on all BDCs.
  Every user and group account is associated with a unique security identifier, or SID.
  The administrator account can be renamed but not disabled or deleted.
  The guest account cannot be deleted but can be renamed or disabled.
  Neither local nor global groups can be renamed.
  A local group is local to the systems that share the SAM database information where it was created.
  Changes made to the SAM database are replicated to all BDCs via the NetLogon service.
  A local group cannot contain other local groups.
  Global groups and users from a trusted domain can be placed into a local group in a trusting domain in order to gain access to resources in the trusting domain.
  Global groups can contain only global users from the same domain.
  You are a member of either the Network group or the Interactive group, depending on whether you are logging on to the resource over the network or locally.
  All users, by virtue of existing, are members of the Everyone group.
  AGLP is the acronym for Accounts go into Global groups, which go into Local groups, which get Permissions; this is the proper hierarchy for assigning permissions.
  NTCONFIG.POL should be replicated to all of the domain controllers in a domain.
  The Windows 95 policy file is named CONFIG.POL.
  In the hierarchy of policies, user settings take precedence over group settings.
  Group priorities can be established to resolve conflicting policy settings.
  Never assign the same personal roaming profile to multiple users.
  Mandatory profiles should be replicated to domain controllers using the directory replicator service.

7.2. User Manager for Domains

User Manager for Domains is the primary NT application for administering all aspects of user and group management. As the name implies, a user with sufficient privileges can manage accounts in multiple domains from a single point of administration.

7.2.1. Features and Functions

User Manager for Domains goes beyond simple user account management. This application is also used for the administration of groups and user rights. In addition, User Manager for Domains provides the ability to apply Account Policies and administer Auditing. This section describes the details of these features and functions.

The first aspect is ensuring that you are administering the proper domain. The name of the domain or computer that is being administered appears in the title bar of the application. Figure 7.1 shows that this is the Knowledge domain.


Figure 7.1.  The active title bar shows that the Knowledge domain is being administered.

If the focus is not set on the domain you want to administer, you may select a different domain from the list of trusting domains, or enter a domain or computer name to administer manually.

7.2.2. Selecting a Different Domain to Administer

To select a different domain to administer, follow these steps:

1.  From the menu bar select User | Select Domain.
2.  Choose the name of the trusting domain on which to set the focus from the selection window.
3.  If no trust relationship exists, manually enter the name of the domain in the domain box.

You can also set the focus of User Manager for Domains to an NT Workstation or stand-alone server by entering \\computername in the Domain box.

In Figure 7.2 the focus is being set to the CHICAGO domain.


Figure 7.2.  Selecting the Chicago domain to administer.

When the focus is set to a domain, User Manager for Domains uses RPC calls to remotely manage the SAM database at the PDC for the selected domain. When the focus is set to an NT Workstation or stand-alone server the RPC calls are directed at the specific station. When the focus is set to a domain, regardless of where the application is run from, the modifications will be made to the SAM database of the PDC in the selected domain. This is true even when you are sitting at a BDC and making changes. The changes are applied to the SAM database at the PDC and then synchronized by the NetLogon service to the BDCs. This chapter demonstrates the features of User Manager for Domains.

7.3. Understanding User Accounts

Properly administering NT user and group accounts is greatly simplified by having a proper understanding of the basic structure of accounts and how they relate to other NT objects.

The security features of NT require that when a user or group account is created, a unique security identifier (SID) is created. When a user logs on, the security subsystem creates an access token, similar to an ID card, which specifies the SID of the user and the SID of each of the groups to which the user belongs.

Whenever the user attempts to gain access to any resource on the network the access token is checked against the Access Control List (ACL). The collective rights assigned to the user and groups to which the user has membership will determine the limits of the user’s access to the object. This is called discretionary access control. Simply because a user has performed the mandatory logon to gain access to the system does not mean that he has all rights to all objects in the system.
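The access-token-versus-ACL check described above, together with the AGLP hierarchy from the Fast Facts, as an added example in Python that is not code from the book. All SIDs, group names and the sample DACL are constructed; the evaluation follows the general Windows rule that a DACL is walked in order, a matching deny entry short-circuits, and allow entries accumulate, and it goes slightly beyond the text by resolving nested global-in-local group membership into the token.

```python
from __future__ import annotations
from dataclasses import dataclass
READ, WRITE = 0x1, 0x2                 # constructed access-mask bits
EVERYONE = "S-1-1-0"                   # well-known SID of the Everyone group

@dataclass
class Ace:
    sid: str        # SID the entry applies to
    allow: bool     # True = access-allowed ACE, False = access-denied ACE
    mask: int       # access bits this entry allows or denies

def build_token(user_sid: str, memberships: dict[str, set[str]]) -> set[str]:
    """SIDs in the user's access token: the user, Everyone, and every group
    reached through nesting (user -> global group -> local group, per AGLP)."""
    token = {user_sid, EVERYONE}
    changed = True
    while changed:                     # expand until no new group SIDs appear
        changed = False
        for group_sid, members in memberships.items():
            if group_sid not in token and members & token:
                token.add(group_sid)
                changed = True
    return token

def access_check(token: set[str], dacl: list[Ace], requested: int) -> bool:
    """Walk the DACL in order: a deny ACE for a SID in the token that covers a
    still-ungranted requested bit refuses access at once; allow ACEs accumulate
    bits until all requested bits are granted. An exhausted or empty DACL denies."""
    granted = 0
    for ace in dacl:
        if ace.sid not in token:
            continue
        if not ace.allow and ace.mask & requested & ~granted:
            return False
        if ace.allow:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False

# Constructed sample domain (constructed SIDs, not any real system's values).
ALICE, BOB = "S-1-5-21-1-1001", "S-1-5-21-1-1002"
SALES_G, TEMPS_G = "S-1-5-21-1-2001", "S-1-5-21-1-2002"   # global groups
REPORTS_L = "S-1-5-21-1-3001"                             # local group
MEMBERSHIPS = {SALES_G: {ALICE}, TEMPS_G: {BOB}, REPORTS_L: {SALES_G, TEMPS_G}}
REPORTS_DACL = [Ace(TEMPS_G, False, WRITE),          # temps may never write
                Ace(REPORTS_L, True, READ | WRITE),  # local group gets permissions
                Ace(EVERYONE, True, READ)]           # everyone may read

if __name__ == "__main__":
    for name, sid in (("alice", ALICE), ("bob", BOB)):
        print(name, "write:", access_check(build_token(sid, MEMBERSHIPS), REPORTS_DACL, WRITE))
```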

