Managing Local Users & Groups
Managing Local Users & Groups
OVERVIEW
• Configure and manage user accounts
• Manage user account properties
• Manage user and group rights
• Configure user account policy
Managing Local Users & Groups
USER ACCOUNTS
• Identify users to the system and to each other
• All processes in Windows run under the guise of
a user account
• System and service processes even run as users
• Used to grant access to resources
• Associate SID with DACLs belonging to objects
• Collect information about users
• Active Directory user properties – phone/fax
numbers, etc…
Managing Local Users & Groups
Local user account
•Exists on a single computer
•Cannot be used to gain domain access of any
kind
•Stores details about Security & Preferences
Domain user account
•Exists in a domain or in any trusting domain by
virtue of being created on a domain controller
Managing Local Users & Groups
GROUPS
• Collections of user accounts
• Simplify access to resources
• Can be used for security and messaging (Active
Directory)
• Local Groups exist only on the computer on
which they were created
Managing Local Users & Groups
BUILT-IN USER ACCOUNTS
• Configured during setup
• Administrator
• Guest
• Used for administration or guest access
• Can be renamed but not deleted
Managing Local Users & Groups
BUILT-IN USER ACCOUNTS
• Administrator account (most powerful in XP)
• Retains its distinctive SID even if renamed
• Cannot be locked out
• Can have a blank password
• Can be disabled
Managing Local Users & Groups
BUILT-IN USER ACCOUNTS
• Guest (least privileged user)
• Disabled by default - should be left disabled
• Cannot be deleted
• Can be disabled
• Can be locked out
• Can have a blank password
• Cannot be identified in security audit
Managing Local Users & Groups
BUILT-IN GROUPS
• Created during setup
• Administrators
• Backup Operators
• Power Users
• Remote Desktop Users
• Users
• Guests
Managing Local Users & Groups
BUILT-IN GROUPS
• Designed for specific use or administrative roles
• User accounts can be added as members
• Built-in groups cannot be removed
• Local user can be a member of multiple groups
Managing Local Users & Groups
DEFAULT GROUPS
• Administrators
• Backup Operators
• Guests
• Network Configuration Operators
• Power Users
• Remote Desktop Users
Managing Local Users & Groups
DOMAIN ACCOUNTS AND GROUPS
• Give domain users rights and permissions on
local system
• Include built-in and user-defined accounts and
groups
• Provide logon and resource access to local
system
• Can be placed into local groups
Managing Local Users & Groups
LOCAL USERS AND GROUPS
Managing Local Users & Groups
CONTROL PANEL USER ACCOUNTS
Managing Local Users & Groups
ACTIVE DIRECTORY USER ACCOUNTS
Managing Local Users & Groups
Managing Local Users & Groups
TROUBLESHOOTING USER ACCOUNTS
• Most common problem associated with user
accounts is password issues
• Another issue might be mis-configuration of user
account details or group membership
• Provide logon and resource access to local
system
• Can be placed into local groups