Logging On to Windows NT - Press CTRL+ALT+DELETE at the same time.

Then put in the Username, Password, and Domain.

 A user cannot log on to either the domain or the local computer from any computer running Windows NT Server, unless that user has been assigned the Log on locally user right by an administrator or has administrative privileges for the server.

Using CTRL+ALT+DELETE to prevent Trojan Horse Attacks

By requiring the user to press CTRL+ALT+DELETE to display the begin log in dialog box, Windows NT provides an important safeguard against Trojan horse programs, which are MS-DOS based programs that try to trick users into typing their user ID and password. The program then captures and saves the username and password, giving the Trojan horse programmer access to the network. Because most operating systems use CTRL+ALT+DELETE to restart a computer, it is difficult for programs to stay resident which assures that information is only given to the operating system itself.

Using Windows NT Server Client-based Tools - You can install the windows NT Server client-based tools on any computer running Microsoft Windows 95, 98, or NT Workstation. This gives an administrator the ability to perform domain administration from a client. This is useful in networks where the server is locked in a room and is not easily accessible.

Types of User Accounts

Accounts that you create - A user account enables the user to log on to the local computer or domain and, with the appropriate permissions, allows access to network resources.

Guest - The built-in Guest account is used to give occasional users the ability to log on and gain access to resources on the local computer. The Guest account is disabled by default.

Administrator - The built-in account used to manage the overall computer and domain configuration and resources. Used for administrative tasks, such as creating or modifying user and group accounts, managing security policies, creating printers, and assigning permissions and rights to user accounts to access resources.

Domain User Account

 A domain user account contains information that defines a user to the domain. With a domain user account, a user can log on to the domain and gain access to domain resources from any computer on the network using a single user account and password.

A domain user account is always created in User Manager for Domains. Although it can be created from any computer running User Manager for Domains, the account is always created in the master directory database on the primary domain controller (PDC).

A copy of the master directory database is stored on all backup domain controllers (BDCs). The copy is automatically synchronized every five minutes with the master directory database on the PDC.

Elements to Consider in Planning New User Accounts

  Unique user names should be given, up to 20 characters possible.

  Enforce Password change, number of characters, expire

  Logon hours - avoid 24/7 logon ability

  Workstation restrictions should be set for a high-security network

  Home Folder Location.

When creating a user, username is the only required option.

A user who is connected to a network resource on the domain is not disconnected when the user's logon hours run out. However, the user will be unable to make any new connections.

Dialin Information

No Call Back - When selected, the RAS server will not call back the user, and the user will incur the telephone charges for the session. This is the default.

Set By Caller - Lets the user specify a phone number so that the RAS server can call the user back. This means that the organization that owns the RAS server will incur the telephone charges for the session.

Preset To - Lets you specify a telephone number that the RAS server will use to call back the user. This reduces risk of an unauthorized person using the user's account, because the user must be at the specified phone number in order to connect to the RAS server. Recommended for high security networks.

Deleting and Renaming User Accounts

Every account is assigned a unique security identifier (SID) when the account is first created. Deleting an account permanently removes the account and the permissions and rights associated with it.

Rename an account when you want to retain all rights, permissions,and group memberships for the account for a different user.

Delete an account when the account is no longer needed. The Administrator and Guest accounts cannot be deleted.

Roaming User Profiles

Roaming personal user profile. Profile that a user can change (NTUSER.DAT)

Roaming mandatory user profile. Preconfigured user profile that users cannot change. One mandatory profile can be assigned to many users. (NTUSER.MAN)

Permission and User Rights

Permissions are rules that regulate which users can use a resource, such as a folder, file, or printer. Because maintaining permissions for a group is easier than maintaining permissions for many user accounts, you generally want to use groups to manage access to resources.

User rights are rules that regulate which users can perform certain tasks on the system, such as creating a user account, logging on to the local PC, or shutting down a server

Local and Global Groups

Local Groups - are used to provide users with permission to access a network resource on the local computer. You assign resource permissions to a local group and then add user accounts or global groups to the local group from one or more domains.

Global Groups - are used to organize domain user accounts, typically by function or geographical location. Global goups can contain only user accounts from the domain where the global group is created. They cannot contain local groups or other global groups.

  Windows NT includes several built-in global groups - for example, the Domain Users group. By default, all domain user accounts are added to the Domain Users group. Unlike built-in local groups, built-in global groups do not have any inherent user rights.

• Built-in groups cannot be deleted or renamed.
• If you add a user account to the Administrator group on a PDC, the user will have administrative privileges on all domain controllers in the domain.
• You can give members of an Administrators group in one domain the ability to administer resources in another domain. You can do this by using the built-in global goup domain Admins.

The account policy sets the requirements for:

• Password minimum and maximum ages
• Password minimum length
• Password uniqueness
• Account lockout options

* If the PDC goes offline, users can still log on with BDC, but you can no longer administer accounts.

Server Manager promotes BDC to PDC and demotes PDC to BDC.

Share Permissions

Full Control - Least restrictive. Modify file permissions.

Change - Create folders and add files. Change, delete data to files, Attributes.

Read - Display folder name and file names, run program files, access other folers within that folder.

No Access - Most restrictive. No Access permission overrides other permissions