Windows 2000 Server, Part 4


Chapter 4: Managing Users and Groups

Adding Active Directory Organization Information

The Organization tab, shown in Figure 4.20, allows you to provide information about the user’s role in your organization. You can enter the user’s title, department, company, and manager. You can also specify to whom the user directly reports.

FIGURE 4.20 The Organization tab of the Active Directory user Properties dialog box

Managing Active Directory User Group Membership

The Member Of tab displays the groups that the user belongs to, as shown in Figure 4.21. You can add the user to an existing group by clicking the Add button. To remove the user from a group listed on this tab, highlight the group and click the Remove button.

Copyright ©2000 SYBEX, Inc., Alameda, CA www.sybex.com

FIGURE 4.21 The Member Of tab of the Active Directory user Properties dialog box

Configuring Dial-in Properties

Through the Dial-in tab, shown in Figure 4.22, you configure the user’s remote-access permissions for dial-in or VPN connections. Remote-access permissions are covered in Chapter 13.

FIGURE 4.22 The Dial-in tab of the Active Directory user Properties dialog box

Configuring Terminal Services Properties

Four of the tabs in the Active Directory user Properties dialog box contain properties that relate to Terminal Services: Environment, Sessions, Remote Control, and Terminal Services Profile. Terminal Services is covered in Chapter 12, “Administering Terminal Services.”

Working with Local and Active Directory Group Accounts

Groups are an important part of network management. Efficient administrators are able to accomplish the majority of their management tasks through the use of groups; they rarely assign permissions to individual users. As explained earlier in the chapter, a Windows 2000 member server can have local groups.
A Windows 2000 domain controller in the Active Directory can have security groups and distribution groups, and the groups can be assigned a scope of domain local, global, or universal.

Managing Local Groups

To set up and manage local groups, you use the Local Users and Groups utility. With Local Users and Groups, you can create, assign members to, rename, and delete groups.

Creating New Local Groups

In order to create a group, you must be logged on as a member of the Administrators group or the Power Users group. The Administrators group has full permissions to manage users and groups. The members of the Power Users group can manage only the groups that they create.

Microsoft Exam Objective: Implement, configure, manage, and troubleshoot local accounts.

If possible, you should add users to the built-in local groups rather than creating new groups from scratch. This makes your job easier, because the built-in groups already have the appropriate permissions. All you need to do is add the users you want to be members of the group.

When you create a local group, you should use the following guidelines:

• The group name should be descriptive (for example, Accounting Data Users).
• The group name must be unique to the computer, different from all of the other group names and usernames that exist on that computer.
• Group names can be up to 256 characters. It is best to use alphanumeric characters for ease of administration. The backslash (\) character is not allowed.

As when you choose usernames, you should consider your naming conventions when assigning names to groups.

Creating groups is similar to creating users, and it is a fairly easy process. After you’ve added the Local Users and Groups snap-in to the MMC, you expand it to see the Users and Groups folders. Right-click the Groups folder and select New Group from the pop-up menu.
This brings up the New Group dialog box, as shown in Figure 4.23.

FIGURE 4.23 The New Group dialog box

The only required entry in the New Group dialog box is the group name. Optionally, you can enter a description for the group and add (or remove) group members. When you’re ready to create the new group, click the Create button.

In Exercise 4.11, you will create two new local groups. This exercise assumes that you have completed all of the exercises in the chapter. This exercise should be completed from your member server.

EXERCISE 4.11 Creating Local Groups

1. Open the MMC and expand the Local Users and Groups snap-in.
2. Right-click the Groups folder and select New Group.
3. In the New Group dialog box, type Data Users in the Group Name text box. Click the Create button.
4. In the New Group dialog box, type Application Users in the Group Name text box. Click the Create button. Click the Close button.

Managing Local Group Properties

After you’ve created a group, you can add members to it. A user can belong to multiple groups. You can easily add and remove users through the group Properties dialog box, shown in Figure 4.24. To access this dialog box, from the Groups folder in the Local Users and Groups utility, double-click the group you want to manage.

FIGURE 4.24 The local group Properties dialog box

From the group Properties dialog box, you can change the group’s description and add or remove group members. When you click the Add button to add members, the Select Users or Groups dialog box appears, as shown in Figure 4.25. In this dialog box, you select the user accounts you wish to add and click the Add button. Click the OK button to add the users to the group.
FIGURE 4.25 The Select Users or Groups dialog box

To remove a member from the group, select the member in the group Properties dialog box Members list and click the Remove button.

You can select multiple contiguous users to add to or remove from a group by Shift+clicking the first and last ones. To select multiple noncontiguous users, Ctrl+click each one.

In Exercise 4.12, you will create new user accounts and then add these users to one of the groups you created in Exercise 4.11. This exercise should be completed from your member server.

EXERCISE 4.12 Adding Users to Local Groups

1. Open the MMC and expand the Local Users and Groups snap-in.
2. Create four new users: Bent, Claire, Patrick, and Trina. Deselect the User Must Change Password at Next Logon option for each user.
3. Expand the Groups folder.
4. Double-click the Data Users group (created in Exercise 4.11).
5. In the group Properties dialog box, click the Add button.
6. In the Select Users or Groups dialog box, select Bent, Claire, Patrick, and Trina (hold down the Ctrl key as you click each member).
7. Click the Add button. Then click the OK button.
8. In the group Properties dialog box, you will see that the users have all been added to the group. Click OK to close the group Properties dialog box.

Renaming Groups

Windows 2000 provides an easy-to-use mechanism for changing a group’s name (a capability that was never offered in any versions of Windows NT). For example, you might want to rename a group because its current name does not conform to existing naming conventions.

As when you rename a user account, a renamed group keeps all of its properties, including its members and permissions.

To rename a group, right-click the group and choose the Rename option from the pop-up menu. Rename the group and press Enter.
In Exercise 4.13, you will rename one of the groups you created in Exercise 4.11. This exercise should be completed from your member server.

EXERCISE 4.13 Renaming a Local Group

1. Open the MMC and expand the Local Users and Groups snap-in.
2. Expand the Groups folder.
3. Right-click the Application Users group (created in Exercise 4.11) and select Rename.
4. Rename the group to App Users and press Enter.

Deleting Groups

If you are sure that you will never want to use a group again, you can delete it. Once a group is deleted, you lose all permissions assignments that have been specified for the group.

To delete a group, right-click the group and choose Delete from the pop-up menu. You will see the dialog box shown in Figure 4.26, which warns you that once a group is deleted, it cannot be restored. Click the Yes button to delete the group.

If you delete a group and give another group the same name, it won’t be created with the same properties as the deleted group.

FIGURE 4.26 Confirming group deletion

In Exercise 4.14, you will delete one of the groups that you created in Exercise 4.11 and renamed in Exercise 4.13. This exercise should be completed from your member server.

EXERCISE 4.14 Deleting a Local Group

1. Open the MMC and expand the Local Users and Groups snap-in.
2. Expand the Groups folder.
3. Right-click the App Users group and choose Delete.
4. In the dialog box that appears, click Yes to confirm that you want to delete the group.

Managing Active Directory Groups

You create and manage Active Directory groups through the Active Directory Users and Computers utility. When you create a new Active Directory group, you specify its scope and type, which were discussed in the “An Overview of Groups” section earlier in this chapter.

Creating New Active Directory Groups

To create a group on a domain controller, take the following steps:

1. Select Start → Programs → Administrative Tools → Active Directory Users and Computers to open the Active Directory Users and Computers utility.
2. Right-click the Users folder, select New from the pop-up menu, and then select Group.
3. The New Object - Group dialog box appears, as shown in Figure 4.27. Type in the group name for Windows 2000. The pre-Windows 2000 group name will be filled in automatically, but you can change it if desired.

FIGURE 4.27 The New Object - Group dialog box

4. In the Group Scope section, select the scope for the group:
   • Choose the Domain Local option if you want to use the group to assign permissions to resources.
   • Choose the Global option if you want to use this group for users who require similar network access.
   • Choose the Universal option if you want to assign permissions related to resources in multiple domains.
5. In the Group Type section, select the type of group that you want to create:
   • Choose the Security option if this group is for users who need access to specific resources.
   • Choose the Distribution option if this group is for users who have common characteristics (for example, users who may need to receive the same e-mail messages).
6. Click OK to close the dialog box and create the new group.

[...]

Review Questions

1. Which computers are able to store Windows 2000 local users in their local accounts database? Choose two answers.
   A. Windows NT 4 Workstation
   B. Windows 2000 Professional
   C. Windows 2000 member servers
   D. Windows 2000 domain controllers

2. Which utility is used to create user accounts that are stored on Windows 2000 domain...
[...]

... administer user and group accounts?
   A. Domain Operators
   B. Server Operators
   C. Account Operators
   D. Administrators

Answers to Review Questions

1. B, C. Windows 2000 Professional computers and Windows 2000 member servers are able to store local user accounts.
2. D. On Windows 2000 domain controllers, you use the Active Directory...

[...]

... in Windows 2000 Server to authenticate users and network services. This is called dual verification, or mutual authentication. When a Windows 2000 Server is installed as a domain controller, it automatically becomes a key distribution center (KDC). The KDC is responsible for holding all of the client passwords and account information. Kerberos services are also installed on each Windows 2000 client and server...

[...]

... Configuration, Windows Settings, Security Settings, and Account Policies. Figure 5.1 shows the Account Policies folders.

FIGURE 5.1 Accessing the Account Policies folders

If you are on a Windows 2000 member server, you will see two folders: Password Policy and Account Lockout Policy. If you are on a Windows 2000 Server computer...

[...]

... Admins

17. Which of the following utilities can an administrator use on a Windows 2000 member server to change a user’s password?
   A. Password Manager
   B. Password Administrator
   C. The Setpass utility
   D. Local Users and Groups

18. When you initially create a user with Local Users and Groups on a Windows 2000 member server, what is the...

[...]

... following options is not a valid group scope for Windows 2000 domain controllers?
   A. Domain local
   B. Global
   C. Distribution
   D. Universal

8. Which Windows 2000 built-in account is used by the Key Distribution Center service?
   A. KDC_User
   B. Key_User
   C. Kdc_Anonymous_User
   D. Krbtgt

9. Which Windows 2000 built-in account is used by Terminal Services?...

[...]

... auditing, user rights, and security options. In Windows NT 4, you were able to control users’ Desktops through system policies. This functionality is included in Windows 2000 for backward compatibility, but it is recommended that you use group policies instead of system policies to manage these options. The Security and Analysis Configuration tool is a new Windows 2000 Server utility that you can use to analyze...

[...]

... character

4. You have just created a local user on a Windows 2000 member server. You want to specify that the user account can only log on during specified hours. Which user Properties dialog box tab should you use to configure logon hours?
   A. The General tab
   B. The Account tab
   C. The Profile tab
   D. You cannot restrict logon hours for a local user account

[...]

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER

Implement, configure, manage, and troubleshoot policies in a Windows 2000 environment
Implement, configure, manage, and troubleshoot Local Policy in a Windows 2000 environment
Implement, configure, manage, and troubleshoot System Policy in a Windows 2000 environment
Implement, configure, manage, and troubleshoot auditing
Implement, configure, manage, and...

[...]

Chapter 5: Managing Security

... after logging on, you use local policies. With local policies, you can implement auditing, specify user rights, and set security options.

Microsoft Exam Objective:
Implement, configure, manage, and troubleshoot policies in a Windows 2000 environment
Implement, configure, manage, and troubleshoot Local Policy in a Windows 2000...

Date posted: 07/08/2014, 02:21
