Figure 4...

2 The user account is the entry point to the network and the basis for security.
In Windows NT 4.0 Server, user accounts were administered from the User Manager for Domains and computer accounts were managed via Server Manager. In a Windows 2000 domain, both types of accounts are managed from a single point, the Active Directory Users and Computers MMC snap-in. To access this tool, follow this path: Start menu ½ Programs ½ Administrative Tools ½ Active Directory Users and Computers.
Figure 4.3 shows the separate folders for computers and users (showing the Users folder expanded).
Tip: Group names, as well as individual user accounts, are included in the Users folder.
Figure 4.3 Accounts can be managed with the Active Directory Users and Computers snap-in.
This one-stop account management setup makes it easier for the network administrator to address the issues that arise in connection with the security-oriented administration of users, computers, and resources.
Managing Security via Object Properties
In Active Directory, everything is an object, and every object has properties, also called attributes. The attributes of a user account include security-related information. In the case of a user account, this would include memberships in security groups and password and authentication requirements. Windows 2000
makes it easy for the administrator to access the attributes of an object (and allows for the recording of much more information than was possible with NT). Figure 4.4 shows the Account property sheet of a user account and some of the optional settings that can be applied.
http://corpitk.earthweb.com/reference/pro/1928994024/ch04/04-02.html (2 of 3) [8/3/2000 6:52:18 AM]
Configuring Windows 2000 Server Security:Secure Networking Using Windows 2000 Distributed Security Services
Figure 4.4 This is the user account properties sheet (Account tab).
It is possible to specify the use of DES encryption or no requirement for Kerberos preauthentication, along with other security criteria for this user account, simply by clicking on a check box. The same is true of trusting the account for delegation or prohibiting the account from being delegated. Other options that can be selected here (not shown in the figure, but available by scrolling up the list) include:
• Requirement that the user change the password at next logon
• Prohibition on the user’s changing the password
• Specification that the password is never to expire
• Specification that the password is to be stored using reversible encryption Some of the settings in the user account properties sheet (such as password expiration properties and logon hours) could be set in NT through the User Manager for Domains. Others are new to Windows 2000.
Managing Security via Group Memberships
In most cases, in a Windows domain, access to resources is assigned to groups, and then user accounts are placed into those groups. This makes access permissions much easier to handle, especially in a large and constantly changing network.
Assigning and maintaining group memberships is another important aspect of user account management, and Active Directory makes this easy as well. Group memberships are managed through another tab on the property sheet, the Member of tab (see Figure 4.5).
Figure 4.5 Security can be managed through group membership assignments.
As the figure shows, you can add or remove the groups associated with this user’s account with the click of a mouse.
Previous Table of Contents Next
Products | Contact Us | About Us | Privacy | Ad Info | Home
Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc. All rights
reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited. Read EarthWeb's privacy statement.
http://corpitk.earthweb.com/reference/pro/1928994024/ch04/04-02.html (3 of 3) [8/3/2000 6:52:18 AM]
Configuring Windows 2000 Server Security:Secure Networking Using Windows 2000 Distributed Security Services




Configuring Windows 2000 Server Security
by Thomas W. Shinder, M.D., MCSE, MCP+I, MCT, Debra Littlejohn Shinder, MCSE, MCP+I, MCT, D. Lynn White, MCSE, MCPS, MCP+I, MCT
Syngress Publishing, Inc.


ISBN: 1928994024 Pub Date: 06/01/99

Search this book:
Search Tips
Advanced Search

Previous Table of Contents Next


Title

Active Directory Object Permissions
Permissions can be applied to any object in Active Directory, but the majority of permissions should be granted to groups, rather than to individual users. This eases the task of managing permissions on objects.
-----------