Microsoft Press Windows Vista Administrator's Pocket Consultant ebook

by MS


  You can turn on or off Windows features by following these steps:

  1. Click Start, Control Panel. In Control Panel, click Programs.

  2. Click Turn Windows Features On Or Off under Programs And Features. This displays the Windows Features dialog box.

  3. As shown in Figure 5-10, select features to turn them on; clear features to turn them off.

  Figure 5-10: Add or remove operating system components.

  4. When you click OK, Windows Vista reconfigures components as appropriate for any changes you've made.

  Chapter 6: Managing User Access and Security

  Microsoft Windows Vista workstations can be configured as members of a workgroup or members of a domain. When a workstation is configured as a member of a workgroup, user access and security are configured on the workstation itself. When a workstation is configured as a member of a domain, user access and security are configured at two levels: the local system level and the domain level. User access can be configured at the local system level for a specific machine and at the domain level for multiple systems or resources throughout the current Microsoft Active Directory directory service forest. In this chapter, you'll learn how to manage local system access and local accounts. For further discussion of configuring domain access and permissions, see Microsoft Windows Server 2003 Administrator's Pocket Consultant. Keep in mind that every task examined in this chapter can be performed through a local logon or a remote desktop connection.

  Understanding User and Group Accounts

  Windows Vista provides user accounts and group accounts (of which users can be members). User accounts are designed for individuals. Group accounts, usually referred to as groups, are designed to simplify the administration of multiple users. You can log on to user accounts, but you can't log on to a group account.

  Local User Account Essentials

  Two general types of user accounts are defined in Windows Vista:

  Local user accounts User accounts defined on a local computer are called local user accounts. These accounts have access to the local computer only. You add or remove local user accounts with Control Panel's User Accounts options or the Local Users And Groups utility. Local Users And Groups is accessible through Computer Management, a Microsoft Management Console (MMC) tool.

  Domain user accounts User accounts defined in the Active Directory are called domain user accounts. Through Single Sign-On, these accounts can access resources throughout a forest. When a computer is a member of an Active Directory domain, you can create domain user accounts using Active Directory Users And Computers. This MMC tool is available on the Administrative Tools menu when you install the Windows Server Administrator Tools (Adminpak.msi) on your Windows Vista computer.

  Both local user accounts and domain user accounts can be configured as standard user accounts or administrator accounts. As discussed in the "Redefining Standard User and Administrator User Accounts" section in Chapter 2, "Managing Windows Vista Systems," a standard user account on a local computer has limited privileges, and an administrator account on a local computer has extended privileges.

  All user accounts are identified with a logon name. In Windows Vista, this logon name has two parts:

  User name The text label for the account

  User computer or domain The computer or domain in which the user account exists

  For the user WILLIAMS, whose account is created for the computer ENGPC85, the full logon name for Windows Vista is ENGPC85\williams. With a local computer account, WILLIAMS could log on to his local workstation and access local resources but would not be able to access domain resources.

  When working with domains, the full logon name can be expressed in two different ways:

  The user account name and the full domain name separated by the at sign (@). For example, the full logon name for WILLIAMS in the technology.microsoft.com domain would be WILLIAMS@technology.microsoft.com.

  The user account name and the domain separated by the backslash symbol (\). For example, the full logon name for WILLIAMS in the technology domain would be technology\WILLIAMS.

  Although Windows Vista displays user names to describe privileges and permissions, the key identifiers for accounts are security identifiers (SIDs). SIDs are unique identifiers generated when security principals are created. Each consists of a computer or domain security ID prefix combined with a unique relative ID for the user. Windows Vista uses these identifiers to track accounts independently from user names. SIDs serve many purposes, but the two most important ones are to enable you to easily change user names and delete accounts without worrying that someone might gain access to resources simply by recreating an account.

  When you change a user name, you tell Windows Vista to map a particular SID to a new name. When you delete an account, you tell Windows Vista that a particular SID is no longer valid. Even if you create an account with the same user name later, the new account won't have the same privileges and permissions as the previous one because the new account will have a new SID.
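  As an added example (not from the book), the following PowerShell script demonstrates the SID behavior just described on a local workstation: it creates a constructed account, grants it access to a test folder, deletes and re-creates the account under the same name, and then shows that the new account has a different SID while the folder's ACL still lists the old one. The account name sidtest, the folder C:\SidDemo and the passwords are constructed values; run it from an elevated prompt.

```powershell
# Added example, not from the book: a re-created local account gets a new SID,
# and an ACL that referenced the old account keeps an orphaned SID entry.
# Constructed demo values:
$name   = 'sidtest'
$folder = 'C:\SidDemo'

function Get-LocalAccountSid([string]$account) {
    # Resolve COMPUTER\account to its SID string. Everything up to the last '-'
    # is the machine (or domain) SID prefix; the last component is the RID.
    $nt = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# 1. Create the account and grant it Read access on a test folder.
net user $name 'P@ssw0rd-demo1' /add | Out-Null
New-Item -Path $folder -ItemType Directory -Force | Out-Null
$sid1 = Get-LocalAccountSid $name
$acl  = Get-Acl $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$env:COMPUTERNAME\$name", 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl $folder $acl

# 2. Delete the account and re-create it with the same user name.
net user $name /delete | Out-Null
net user $name 'P@ssw0rd-demo2' /add | Out-Null
$sid2 = Get-LocalAccountSid $name

# 3. Compare: same machine prefix, different RID, so the old ACE no longer
#    grants the new account anything.
"Old SID: $sid1"
"New SID: $sid2"
$prefix1 = $sid1.Substring(0, $sid1.LastIndexOf('-'))
$prefix2 = $sid2.Substring(0, $sid2.LastIndexOf('-'))
"Same machine prefix: $($prefix1 -eq $prefix2); same SID: $($sid1 -eq $sid2)"

# The ACL still carries the deleted account's SID, now unresolvable to a name.
(Get-Acl $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $sid1 } |
    ForEach-Object { "Orphaned ACE still references the old SID: $($_.IdentityReference)" }

# Clean up the demo account and folder.
net user $name /delete | Out-Null
Remove-Item $folder -Recurse -Force
```

  Orphaned SIDs like the one printed at the end are what you see as raw S-1-5-21-... entries in a Security tab after an account has been deleted; they are harmless to the new account but worth removing during ACL cleanup.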

  User accounts can also have passwords and certificates associated with them. Passwords are authentication strings for an account. Certificates combine a public and private key to identify a user. You log on with a password interactively, whereas you log on with a certificate leveraging its private key stored on a smart card and using a smart card reader.

  When you install Windows Vista, the operating system installs default user accounts. You'll find several built-in accounts, which have purposes similar to those of accounts created in Windows domains. The key accounts you'll see are the following:

  Administrator Administrator is a predefined account that provides complete access to files, directories, services, and other facilities. You can't delete or disable this account. In Active Directory, the Administrator account has domain-wide access and privileges. On a local workstation, the Administrator account has access only to the local system.

  Guest Guest is designed for users who need one-time or occasional access. Although guests have only limited system privileges, you should be very careful about using this account because it opens the system up to potential security problems. The risk is so great that the account is initially disabled when you install Windows Vista.

  Before you modify any of the built-in accounts, you should note the property settings and group membership. By default, these accounts are members of various groups. This membership grants or limits the user access to specific system resources. For example, Administrator is a member of the Administrators group and Guest is a member of the Guests group. Being a member of a group makes it possible for the account to use the privileges and rights of the group.

  In addition to the built-in accounts, Windows Vista has several pseudo-accounts that are used to perform specific types of system actions. The pseudo-accounts are available only on the local system. You can't change the settings for these accounts with the user administration tools. Users can't log on to a computer with these accounts. The pseudo-accounts available include the following:

  LocalSystem LocalSystem is a pseudo-account for running system processes and handling system-level tasks. This account grants the logon right Log On As A Service. Most services run under the LocalSystem account. In some cases, these services have privileges to interact with the desktop. Services that need fewer privileges or logon rights run under the LocalService or NetworkService accounts. Services that run as LocalSystem include Background Intelligent Transfer Service, Computer Browser, Group Policy Client, Netlogon, Network Connections, Print Spooler, and User Profile Service.

  LocalService LocalService is a pseudo-account for running services that need fewer privileges and logon rights on a local system. By default, services that run under this account are granted the right to Log On As A Service and the privileges Adjust Memory Quotas For A Process, Change The System Time, Change The Time Zone, Generate Security Audits, and Replace A Process Level Token. Services that run as LocalService include Alerter, Remote Registry, Smart Card, Smart Card Helper, SSDP Discovery Service, TCP/IP NetBIOS Helper, and WebClient.

  NetworkService NetworkService is a pseudo-account for running services that need fewer privileges and logon rights on a local system but also must access network resources. As with LocalService, services that run by default under the NetworkService account are granted the right to Log On As A Service and the privileges Adjust Memory Quotas For A Process, Generate Security Audits, and Replace A Process Level Token. Services that run as NetworkService include Distributed Transaction Coordinator, DNS Client, Performance Logs And Alerts, and Remote Procedure Call (RPC) Locator. NetworkService can also authenticate to remote systems as the computer account.
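  An added example, not from the book: a PowerShell audit of which of these accounts each installed service actually runs under, flagging LocalSystem services that can interact with the desktop (the combination with the widest exposure) and services that run under a named user account rather than one of the three pseudo-accounts. It assumes PowerShell with access to the Win32_Service WMI class, which Windows Vista provides.

```powershell
# Added example, not from the book: inventory service logon accounts for a
# least-privilege review. Win32_Service.StartName holds the account name:
# 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
# or a regular user/computer account.
$services = Get-WmiObject Win32_Service

# How many services run under each identity.
"Services per logon account:"
$services | Group-Object StartName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# LocalSystem services flagged to interact with the desktop combine full
# system privileges with a presence on the interactive session.
"`nLocalSystem services with desktop interaction enabled:"
$services |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.DesktopInteract } |
    Select-Object Name, State, PathName | Format-Table -AutoSize

# Services running as a named account store a password in the service
# configuration and should be documented and reviewed separately.
"`nServices running under an account other than the three pseudo-accounts:"
$pseudo = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
$services |
    Where-Object { $_.StartName -and ($pseudo -notcontains $_.StartName) } |
    Select-Object Name, StartName, State | Format-Table -AutoSize
```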

  Group Account Essentials

  Windows Vista also provides groups, which you use to grant permissions to similar types of users and to simplify account administration. If a user is a member of a group that can access a resource, that particular user can access the same resource. Thus, you can give a user access to various work-related resources just by making the user a member of the correct group. Note that although you can log on to a computer with a user account, you can't log on to a computer with a group. Because different Active Directory domains or local computers might have groups with the same name, groups are often referred to by Domain\GroupName or Computer\GroupName (for example, Technology\GMarketing for the GMarketing group in the Technology domain or computer).

  Windows Vista uses the following three types of groups:

  Local groups Defined on a local computer and used on the local computer only. You create local groups with the Local Users And Groups utility.

  Security groups Can have security descriptors associated with them. You use a Windows server to define security groups in domains, using Active Directory Users And Computers.

  Distribution groups Used as e-mail distribution lists. They can't have security descriptors associated with them. You define distribution groups in domains using Active Directory Users And Computers.

  As with user accounts, group accounts are tracked using unique SIDs. This means that you can't delete a group account and re-create it, and then expect all the permissions and privileges to remain the same. The new group will have a new SID, and all the permissions and privileges of the old group will be lost.

  When you assign user access levels, you have the opportunity to make the user a member of the following built-in or predefined groups:

  Administrators Members of this group are local administrators and have complete access to the workstation. They can create accounts, modify group membership, install printers, manage shared resources, and more. Because this account has complete access, you should be very careful about adding users to this group.

  Backup Operators Members of this group can back up and restore files and directories on the workstation. They can log on to the local computer, back up or restore files, and shut down the computer. Because of how the account is set up, they can back up files regardless of whether they have read/write access to the files. However, they can't change access permissions of the files or perform other administrative tasks.

  Operators have privileges to perform very specific administrative tasks, such as backing up file systems. By default, no other group or user accounts are members of the operator groups. This is to make sure that you must grant explicit access to the operator groups.

  Cryptographic Operators Members of this group can manage the configuration of encryption, IP security (IPSec), digital IDs, and certificates.

  Guests Guests are users with very limited privileges. Members of this group can access the system and its resources remotely, but they can't perform most other tasks.

  Network Configuration Operators Members of this group can manage network settings on the workstation. They can also configure Transmission Control Protocol/Internet Protocol (TCP/IP) settings and perform other general network configuration tasks.

  Performance Log Users Members of this group can view and manage performance counters. They can also manage performance logging.

  Performance Monitor Users Members of this group can view performance counters and performance logs.

  Power Users In earlier versions of Windows, this group is used to grant additional privileges, such as the capability to modify computer settings and install programs. In Windows Vista, this group is maintained only for compatibility with legacy applications.

  Remote Desktop Users Members of this group can log on to the workstation remotely using Terminal Services And Remote Desktop. Once members are logged on, the additional groups of which they are members determine their permissions on the workstation. A user that is a member of the administrators group is granted this privilege automatically. (However, remote logons must be enabled before an administrator can remotely log on to a workstation.)

  Replicator Members of this group can manage the replication of files for the local machine. File replication is primarily used with Active Directory domains and Windows servers.

  Users Users are people who do most of their work on a single Windows Vista workstation. Because of this, members of the Users group have more restrictions than privileges. Members of this group can log on to a Windows Vista workstation locally, keep a local profile, lock the workstation, and shut down the workstation.

  In most cases, you'll configure user access using the users or administrators groups. You can configure user and administrator access levels by setting the account type to Standard User or Administrator, respectively. To make a user a member of a group, you need to create or modify the account using the Local Users And Groups node of Computer Management.

  Domain vs. Local Logon

  When computers are members of a domain, you'll typically use domain accounts to log on to computers and the domain. All administrators in a domain have access to resources on the local workstations that are members of the domain. Users, on the other hand, can only access resources on the local workstations to which they are permitted to log on. By default, in a domain, any user with a valid domain account can log on to any computer that is a member of the domain. Once logged on to a computer, the user will have access to any resources that his or her account, or groups to which this account belongs, are granted access. This includes resources on the local machine as well as resources in the domain.

  You can restrict logon to specific domain workstations on a per user basis using Active Directory Users And Computers. In Active Directory Users And Computers, right-click the user account and then select Properties. On the Account tab of the user's Properties dialog box, click Log On To and then use the options of the Logon Workstations dialog box to designate the workstations to which the user is permitted to log on.

  When you work with Windows Vista, however, you aren't always logging on to a domain. Computers configured in workgroups only have local accounts. You might also need to log on locally to a domain computer to perform administration. Only users with a local user account can log on locally. When you log on locally to a computer, you have access to any resources on the computer that your account, or groups to which your account belongs, are granted access.

  Managing Local Logon

  All local computer accounts should have passwords. If an account is created without a password, anyone can log on to the account from the console, and there is no protection for the account. However, a local account without a password cannot be used to remotely access a computer.

  The sections that follow discuss how to create and work with local user accounts. Every workstation computer has local computer accounts, regardless of whether the computer is a member of a workgroup or a domain.
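  An added example, not from the book, that checks the points made above from PowerShell: every local account should require a password, Guest should stay disabled, and membership of the local Administrators group should be deliberate. It uses the ADSI WinNT provider (available on Windows Vista with PowerShell 2.0 or later, no extra modules); the ADS_UF_* values are the standard userAccountControl flag bits.

```powershell
# Added example, not from the book: audit local accounts and Administrators
# membership through the ADSI WinNT provider.
$ADS_UF_ACCOUNTDISABLE     = 0x0002   # account is disabled ("off" in Control Panel)
$ADS_UF_PASSWD_NOTREQD     = 0x0020   # a blank password is permitted
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # password never expires

$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$users = $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' }

"Local user accounts:"
foreach ($u in $users) {
    $name     = $u.Name.Value
    $flags    = [int]$u.UserFlags.Value
    $disabled = ($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0
    $noPwdReq = ($flags -band $ADS_UF_PASSWD_NOTREQD) -ne 0
    $noExpire = ($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0
    # PasswordAge is the number of seconds since the password was last set.
    $pwdAgeDays = [int]([int]$u.PasswordAge.Value / 86400)

    $notes = @()
    if ($noPwdReq) { $notes += 'NO PASSWORD REQUIRED' }
    if ($noExpire) { $notes += 'password never expires' }
    if ($name -eq 'Guest' -and -not $disabled) { $notes += 'GUEST ACCOUNT ENABLED' }

    $state = if ($disabled) { 'off' } else { 'enabled' }
    "{0,-20} {1,-8} pwd-age={2,4}d {3}" -f $name, $state, $pwdAgeDays, ($notes -join '; ')
}

# Members of the local Administrators group, including any domain principals
# that were added through "Give Other Users Access To This Computer".
"`nMembers of Administrators:"
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
}
```

  An account flagged NO PASSWORD REQUIRED is the case the paragraph above warns about: it can be used from the console without a password, even though Vista will refuse it for remote access.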

  Creating Local User Accounts in a Workgroup

  For a computer that is a member of a workgroup, you can create a local user account on a computer by following these steps:

  1. In Control Panel, click Add Or Remove User Accounts under the User Accounts heading. This displays the Manage Accounts page. As Figure 6-1 shows, the Manage Accounts page lists all configurable user accounts on the local computer by account type with configuration details. If an account has a password, it is listed as being password protected. If an account is disabled, it is listed as being off.

  Figure 6-1: In a workgroup, use the Manage Accounts page in Control Panel to add or remove local user accounts.

  2. Click Create A New Account. This displays the Create New Account page.

  3. Type the name of the local account. This name is displayed on the Welcome screen and Start menu.

  4. Set the type of account as either Standard User or Administrator. To give the user full permissions on the local computer, select Administrator.

  Granting Access to an Existing Domain Account to Allow Local Logon

  If a user needs to be able to log on locally to a computer and has an existing domain account, you can grant the user permission to log on locally by completing the following steps:

  1. In Control Panel, click User Accounts. On the User Accounts page, click the Give Other Users Access To This Computer link. This displays the User Accounts dialog box. As Figure 6-2 shows, the User Accounts dialog box lists all configurable user accounts on the local computer by account type with group membership details.

  Figure 6-2: Use the User Accounts dialog box to manage local user accounts.

  2. Click Add. This starts the Add New User wizard.

  3. You are creating a local computer account for a user with an existing domain account. Type the user's domain account name and domain in the fields provided.

  4. Using the options provided, select the type of user account:

     A Standard User account is created as a member of the local Users group. To give the user the permissions of a normal user, select Standard User.

     An Administrator account is created as a member of the local Administrators group. To give the user full permissions on the local computer, select Administrator.
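  The two procedures above, scripted with the ADSI WinNT provider from PowerShell, as an added example that is not from the book: in both cases the account type maps to membership of the local Users or Administrators group, and for a domain account no new local principal is created, the domain account is simply added to the chosen local group. The user names, domain and password are constructed; run it from an elevated prompt.

```powershell
# Added example, not from the book: create a workgroup local account, and grant
# an existing domain account local logon, without Control Panel.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"

function Add-ToLocalGroup([string]$adsPath, [switch]$Administrator) {
    # Standard User -> Users, Administrator -> Administrators.
    $groupName = if ($Administrator) { 'Administrators' } else { 'Users' }
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    $group.Add($adsPath)
}

function New-LocalWorkgroupUser([string]$name, [string]$password, [switch]$Administrator) {
    # "Creating Local User Accounts in a Workgroup": the account is created with a
    # password, since every local account should have one.
    $user = $computer.Create('User', $name)
    $user.SetPassword($password)
    $user.SetInfo()
    # Make sure a blank password cannot be set on this account later.
    $user.psbase.RefreshCache()
    $user.UserFlags.Value = [int]$user.UserFlags.Value -band (-bnot 0x20)
    $user.SetInfo()
    Add-ToLocalGroup "WinNT://$env:COMPUTERNAME/$name,user" -Administrator:$Administrator
}

function Grant-DomainUserLocalAccess([string]$domain, [string]$account, [switch]$Administrator) {
    # "Granting Access to an Existing Domain Account to Allow Local Logon":
    # the domain principal is added to the local group directly.
    Add-ToLocalGroup "WinNT://$domain/$account,user" -Administrator:$Administrator
}

# Constructed demo calls (standard users; add -Administrator for full access).
New-LocalWorkgroupUser -name 'williams' -password 'P@ssw0rd-demo'
Grant-DomainUserLocalAccess -domain 'TECHNOLOGY' -account 'williams'
```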
