WINDOWS NT NETWORK ADMINISTRATION

 

NT Workstation - is optimized for use as a high performance, secure network client and corporate desktop operating system. It can be used alone as a desktop, networked in a peer-to-peer workgroup environment, or used as a workstation in a Windows NT Server domain environment.

NT Server - is optimized for use as a file, print, and application server that can handle tasks for organizations ranging from small workgroups to enterprise networks.

Domain Model - has at least one computer running Windows NT Server configured as a domain controller. A domain is a logical grouping of computers that share common security and user account information. This information is stored in the domain controller's master directory database.
A workgroup doesn't require a domain controller. Only a domain requires a domain controller.

 

Logging On to Windows NT - Press CTRL+ALT+DELETE at the same time.

Then put in the Username, Password, and Domain.

  •  A user cannot log on to either the domain or the local computer from any computer running Windows NT Server, unless that user has been assigned the Log on locally user right by an administrator or has administrative privileges for the server.
  • Using CTRL+ALT+DELETE to prevent Trojan Horse Attacks

    By requiring the user to press CTRL+ALT+DELETE to display the logon dialog box, Windows NT provides an important safeguard against Trojan horse programs, which are MS-DOS based programs that try to trick users into typing their user ID and password. The program then captures and saves the username and password, giving the Trojan horse programmer access to the network. Because most operating systems use CTRL+ALT+DELETE to restart a computer, it is difficult for programs to stay resident, which assures that information is only given to the operating system itself.

    Using Windows NT Server Client-based Tools - You can install the Windows NT Server client-based tools on any computer running Microsoft Windows 95, 98, or NT Workstation. This gives an administrator the ability to perform domain administration from a client. This is useful in networks where the server is locked in a room and is not easily accessible.

     

    Types of User Accounts

    Accounts that you create - A user account enables the user to log on to the local computer or domain and, with the appropriate permissions, allows access to network resources.

    Guest - The built-in Guest account is used to give occasional users the ability to log on and gain access to resources on the local computer. The Guest account is disabled by default.

    Administrator - The built-in account used to manage the overall computer and domain configuration and resources. Used for administrative tasks, such as creating or modifying user and group accounts, managing security policies, creating printers, and assigning permissions and rights to user accounts to access resources.

     

    Domain User Account

     A domain user account contains information that defines a user to the domain. With a domain user account, a user can log on to the domain and gain access to domain resources from any computer on the network using a single user account and password.

    A domain user account is always created in User Manager for Domains. Although it can be created from any computer running User Manager for Domains, the account is always created in the master directory database on the primary domain controller (PDC).

    A copy of the master directory database is stored on all backup domain controllers (BDCs). The copy is automatically synchronized every five minutes with the master directory database on the PDC.

     

    Elements to Consider in Planning New User Accounts

  • Unique user names should be given, up to 20 characters possible.
  • Passwords: enforce password change, number of characters, expiration.
  • Logon hours - avoid 24/7 logon ability.
  • Workstation restrictions should be set for a high-security network.
  • Home folder location.
  • When creating a user, username is the only required option.

    A user who is connected to a network resource on the domain is not disconnected when the user's logon hours run out. However, the user will be unable to make any new connections.

     

    Dialin Information

    No Call Back - When selected, the RAS server will not call back the user, and the user will incur the telephone charges for the session. This is the default.

    Set By Caller - Lets the user specify a phone number so that the RAS server can call the user back. This means that the organization that owns the RAS server will incur the telephone charges for the session.

    Preset To - Lets you specify a telephone number that the RAS server will use to call back the user. This reduces risk of an unauthorized person using the user's account, because the user must be at the specified phone number in order to connect to the RAS server. Recommended for high security networks.

     

    Deleting and Renaming User Accounts

    Every account is assigned a unique security identifier (SID) when the account is first created. Deleting an account permanently removes the account and the permissions and rights associated with it.

    Rename an account when you want to retain all rights, permissions, and group memberships for the account for a different user.

    Delete an account when the account is no longer needed. The Administrator and Guest accounts cannot be deleted.

     

    Roaming User Profiles

    Roaming personal user profile. Profile that a user can change (NTUSER.DAT)

    Roaming mandatory user profile. Preconfigured user profile that users cannot change. One mandatory profile can be assigned to many users. (NTUSER.MAN)

    Permissions and User Rights

    Permissions are rules that regulate which users can use a resource, such as a folder, file, or printer. Because maintaining permissions for a group is easier than maintaining permissions for many user accounts, you generally want to use groups to manage access to resources.

    User rights are rules that regulate which users can perform certain tasks on the system, such as creating a user account, logging on to the local PC, or shutting down a server.

     

    Local and Global Groups

    Local Groups - are used to provide users with permission to access a network resource on the local computer. You assign resource permissions to a local group and then add user accounts or global groups to the local group from one or more domains.

    Global Groups - are used to organize domain user accounts, typically by function or geographical location. Global groups can contain only user accounts from the domain where the global group is created. They cannot contain local groups or other global groups.

  •   Windows NT includes several built-in global groups - for example, the Domain Users group. By default, all domain user accounts are added to the Domain Users group. Unlike built-in local groups, built-in global groups do not have any inherent user rights.

    Setting an Account Policy

    The account policy sets the requirements for:

     

    * If the PDC goes offline, users can still log on through a BDC, but you can no longer administer accounts.

    Server Manager promotes BDC to PDC and demotes PDC to BDC.

    Share Permissions

    Full Control - Least restrictive. Modify file permissions.

    Change - Create folders and add files; change and delete data in files; change file attributes.

    Read - Display folder names and file names, run program files, access other folders within that folder.

    No Access - Most restrictive. The No Access permission overrides other permissions.
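
The group and share-permission rules above can be checked with a small model. This is an added example, not part of the original notes: all user, group and share names are constructed, and it assumes the standard NT behaviour that share permissions granted through several groups are cumulative (the notes themselves state only the No Access override).

```python
# Constructed model of the group and share-permission rules in these notes.
LEVELS = {"Read": 1, "Change": 2, "Full Control": 3}

def validate_global_groups(global_groups, users):
    """Global groups may contain only user accounts (no local or global groups)."""
    for name, members in global_groups.items():
        bad = sorted(m for m in members if m not in users)
        if bad:
            raise ValueError(f"global group {name!r} has non-user members: {bad}")

def local_groups_for(user, global_groups, local_groups):
    """Local groups the user belongs to, directly or through a global group."""
    via = {g for g, members in global_groups.items() if user in members}
    return {lg for lg, members in local_groups.items()
            if user in members or via & set(members)}

def effective_share_permission(user, share_acl, global_groups, local_groups):
    """Combine the share permissions granted to the user's local groups.

    Assumption: grants are cumulative (highest level wins), except that
    No Access on any matching group overrides everything else.
    Returns None when no entry on the share matches the user.
    """
    groups = local_groups_for(user, global_groups, local_groups)
    granted = [perm for grp, perm in share_acl.items() if grp in groups]
    if "No Access" in granted:
        return "No Access"
    return max(granted, key=LEVELS.get, default=None)

# Constructed sample domain: users go into global groups, global groups
# (or users) go into local groups, and the share lists local groups only.
USERS = {"alice", "bob", "carol"}
GLOBAL_GROUPS = {"Sales": {"alice", "bob"}, "Contractors": {"bob"}}
LOCAL_GROUPS = {"Report Readers": {"Sales"},
                "Report Editors": {"alice"},
                "Blocked": {"Contractors"}}
SHARE_ACL = {"Report Readers": "Read",
             "Report Editors": "Change",
             "Blocked": "No Access"}

if __name__ == "__main__":
    validate_global_groups(GLOBAL_GROUPS, USERS)
    for u in sorted(USERS):
        perm = effective_share_permission(u, SHARE_ACL, GLOBAL_GROUPS, LOCAL_GROUPS)
        print(f"{u}: {perm}")
```
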

    1. Workgroup model must have at least one PDC.
    FALSE

    2. Which of the following is something that you can do if the PDC is not online?
    LOGIN with help of BDC (you cannot administer user accounts when PDC is down.)

    3. Which of the following is not a share level permission?
    Write (share permissions include Full Control, Change, Read, and No Access)

    4. Which one would you assign to a local group to allow them to read a document and edit it if needed?
    CHANGE (it allows you to create folders and add files, change data in files, append data to files, change file attributes, and delete folders)

    5. Which of the following built in accounts is disabled by default?
    Guest

    6. Which one is a task that you cannot perform from User Manager (NT Workstation)?
    modify a domain user account

    7. ***

    8. Which of the following cannot be done by Server Manager?
    promote a member server (with Server Manager, you can promote BDC to PDC, demote PDC to BDC, and join a new machine into the domain)

    9. You can install the Windows NT Server client-based tools on all of the following machines except a machine running which of the following OS?
    Windows for Workgroups (you can install it on Windows NT, Workstation, 95, and 98)

    10. Which of the following would you use to ensure that a user will get their profile regardless of the machine they login to?
    roaming personal user profile

    11. The account policy sets the requirements for all of the following except:
    username uniqueness requirements (account policy sets