Administration and Security

A system administrator has to make sure that people who are authorized to use a network resource can get to it quickly and easily, while people who are not authorized cannot gain access, no matter how hard they try. This balancing act is made a little easier by the Active Directory structure that Windows 2000 introduces.

Managing Users and Groups

The Microsoft Management Console (MMC), also discussed in Part I, is the primary tool for managing accounts and resources in Windows 2000. The MMC itself is only a framework; the actual functionality comes from components called snap-ins, which between them cover almost any administrative task. A console can be customized to hold exactly the snap-ins an administrator needs, and a console saved (as an .msc file) with a restricted set of snap-ins is a convenient way to hand a narrow set of tasks to a junior administrator.

User profiles

There are three types of user profiles supported in Windows 2000: local, roaming, and mandatory. A local user profile is established automatically the first time a user logs in to a Windows 2000 computer. Whatever changes the user makes are stored in the local profile, so the next time they log in to that computer, the configuration will be the same as when they last logged out.

Roaming user profiles (RUP) allow a user to log in to any computer in the domain and be presented with their personal settings. An administrator stores the profile on a server share (the path is recorded in the user account) rather than on a local machine, so when the user logs in, the profile is copied down to that computer. If the user makes changes to their profile, those changes are copied back to the server at logoff so that the server copy stays synchronized.

There may be cases when you don't want a user to be able to change their profile. Because the profile holds the user portion of the registry along with the desktop and application settings, locking it down is a useful administrative tool. A mandatory profile is a roaming user profile that the user cannot permanently modify: changes made during a session are discarded at logoff because the server copy is never updated. You designate a roaming user profile as mandatory by renaming the Ntuser.dat file in the server copy of the profile to Ntuser.man.

Groups

Although you can manage individual users with user profiles, it is often easier to take a wider view and put users who have similar requirements into groups. Groups let you make a change, especially a security change such as granting a permission on a resource, that applies to all members of the group at once.

The two main types of groups in Windows 2000 are distribution groups and security groups. Distribution groups cannot be assigned permissions, so Windows 2000 itself does not use them; they exist for applications that support Active Directory, such as email systems, which use these informal groups as an easy way to deliver a message or memo to a set of users at once.

A security group can do everything a distribution group can and, in addition, can be listed in access control lists and assigned permissions. The three scopes of security groups, domain local, global, and universal, are described in Table 8-7.

Table 8-7. Windows 2000 Security Groups

Type           Function                                      Members
Domain Local   Can be granted permissions only on            Accounts and global groups from any trusted
               resources in the domain where the group       domain; in native mode also universal groups
               was created                                   and other domain local groups of its own domain
Global         Can be granted permissions on resources in    Accounts from its own domain only; in native
               any trusted domain                            mode also other global groups of its own domain
Universal      Can be granted permissions on resources in    Accounts, global groups and universal groups
(native mode   any domain in the forest                      from any domain in the forest
only)

Group nesting

In some cases it is possible to make one group a member of another group. This is referred to as group nesting. Whatever permissions are granted to the containing (parent) group reach every member of the nested (child) groups, so once groups are nested several levels deep it is no longer obvious from any single membership list who actually has access to a resource. This can quickly become an administration nightmare: remove one group from another to tidy things up, and users who previously had access to a resource can no longer connect, leaving you to untangle the nesting to see why. In Windows 2000, full nesting of security groups is only available in native mode; in mixed mode the only nesting allowed is a global group inside a domain local group. The usual recommendation is to keep nesting shallow and predictable: put accounts in global groups, put global groups in domain local groups, and assign permissions to the domain local groups.
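The untangling described above is a graph walk, and it is worth seeing how little code it takes. The following is an added example, not code from the book: the directory is constructed, "name@domain" stands in for a real distinguished name so that scope rules can be checked, and the group and user names are made up.

```python
"""Resolve effective group membership through nested Windows 2000 style
groups.  Added illustration, not code from the book: the directory below
is constructed and "name@domain" is a stand-in for a distinguished name."""
from collections import deque

# Constructed directory: group -> scope and direct members (users or groups).
DIRECTORY = {
    "FinanceShare-Readers@corp": {"scope": "domain_local",
                                  "members": ["Finance-Staff@corp", "Auditors@partner"]},
    "Finance-Staff@corp": {"scope": "global",
                           "members": ["alice@corp", "Finance-Leads@corp"]},
    "Finance-Leads@corp": {"scope": "global",
                           "members": ["bob@corp", "dave@partner"]},  # dave: scope violation
    "Auditors@partner": {"scope": "global", "members": ["carol@partner"]},
}

def is_group(name, directory=DIRECTORY):
    return name in directory

def effective_members(group, directory=DIRECTORY):
    """All user accounts that end up with whatever permissions are granted
    to `group`, following nested groups to any depth.  A cycle (a group
    that indirectly contains itself) is tolerated instead of looping."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        for member in directory[queue.popleft()]["members"]:
            if is_group(member, directory):
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users

def membership_chains(user, group, directory=DIRECTORY, _path=None):
    """Every chain user -> group -> ... -> `group` through which `user`
    receives the permissions of `group`: what you must untangle when
    someone unexpectedly has, or has lost, access."""
    path = [group] + (_path or [])
    chains = []
    for member in directory[group]["members"]:
        if member == user:
            chains.append([user] + path)
        elif is_group(member, directory) and member not in path:  # skip cycles
            chains.extend(membership_chains(user, member, directory, path))
    return chains

def who_loses_access(resource_group, parent, child, directory=DIRECTORY):
    """Users who hold `resource_group`'s permissions only because `child`
    is nested in `parent`: the people who will call the helpdesk if that
    nesting is removed."""
    before = effective_members(resource_group, directory)
    pruned = {g: {"scope": v["scope"], "members": list(v["members"])}
              for g, v in directory.items()}
    pruned[parent]["members"].remove(child)
    return before - effective_members(resource_group, pruned)

def scope_violations(directory=DIRECTORY):
    """Global groups may only contain accounts and groups from their own
    domain.  Active Directory enforces this itself; the check is useful on
    exported or hand-maintained copies of the membership data like this one."""
    return [(g, m) for g, v in directory.items() if v["scope"] == "global"
            for m in v["members"] if m.split("@")[1] != g.split("@")[1]]

if __name__ == "__main__":
    share = "FinanceShare-Readers@corp"
    print("effective readers:", sorted(effective_members(share)))
    for chain in membership_chains("bob@corp", share):
        print("bob's path:", " -> ".join(chain))
    print("removing Finance-Leads from Finance-Staff would cut off:",
          sorted(who_loses_access(share, "Finance-Staff@corp", "Finance-Leads@corp")))
    print("scope violations:", scope_violations())
```

`effective_members` answers "who can read this share right now", `membership_chains` answers "why does bob have access", and `who_loses_access` is the check to run before deleting a nesting relationship.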

Managing Group Policies

Active Directory provides a hierarchical structure for managing all aspects of the network, and that structure also applies to policies. Windows NT system policies, which were made up of user and computer policies, have been superseded by a new approach called Group Policy, whose settings are stored in Group Policy Objects (GPOs).

Group Policy can be used to manage settings for the users and computers in a site, a domain, or a particular OU; a GPO is linked to one of these containers, and membership in a security group is then used only to filter which of that container's users and computers the GPO actually applies to. The settings include providing shortcuts, adding programs to the Start menu, redirecting a folder's path, and running logon scripts. Because containers are nested and each can have its own GPOs linked to it, a single user may be affected by several GPOs at once. There are a few Group Policy terms you should be familiar with:

Group Policy Object (GPO)

The actual collection of settings, linked to a site, domain, or OU. A GPO is stored in two parts, the GPC and the GPT described next.

Group Policy Container (GPC)

The Active Directory object that represents the GPO. It records the GPO's state (enabled or disabled), a version number that is incremented on every edit so that clients and replication partners can detect changes, and a few further attributes about the user and computer portions of the policy.

Group Policy Template (GPT)

A GPT is created in the SYSVOL share on the domain controllers whenever a GPO is created. It holds the bulk of the settings: Administrative Template (registry) settings, security settings, software installation information, and the logon, logoff, startup, and shutdown scripts. The GPT carries the same version number as the GPC, and a mismatch between the two is the usual sign of a replication problem.
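When several GPOs reach the same user, the order in which they are applied decides which setting wins. The following added example (not code from the book) models the Windows 2000 rules: GPOs linked to the site, then the domain, then each OU from the top of the tree down are applied in that order and a later setting overrides an earlier one; a GPO whose GPC state is disabled is skipped; Block Policy Inheritance on a container discards GPOs linked above it; a link marked No Override cannot be blocked and wins over lower links, and among No Override links the one higher in the tree wins. The GPO, OU, and setting names are made up.

```python
"""Resultant Group Policy for one user under Windows 2000 precedence rules.
Added illustration, not code from the book; all names are constructed."""
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict          # what the GPT holds, simplified to a flat dict
    enabled: bool = True    # the state recorded in the GPC
    version: int = 1        # GPC version counter, bumped on every edit

@dataclass
class Container:            # a site, the domain, or an OU
    name: str
    links: list = field(default_factory=list)   # as listed in the GUI: first = highest precedence
    block_inheritance: bool = False             # "Block Policy Inheritance" on this container
    no_override: set = field(default_factory=set)  # names of links marked "No Override"

def resultant_policy(chain):
    """`chain` runs from the site down to the OU that holds the user.
    Returns (settings, source) where source[setting] names the winning GPO."""
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            normal.clear()          # everything inherited from above goes, except No Override links
        # The GUI lists the highest-precedence link first, so it must be applied last.
        for gpo in reversed(container.links):
            if not gpo.enabled:
                continue
            (enforced if gpo.name in container.no_override else normal).append(gpo)
    # Ordinary links: the one applied later (closer to the user) wins.  No Override
    # links are applied after all of them, and an enforced link higher in the tree
    # beats an enforced link lower down, so they are applied in reverse order.
    settings, source = {}, {}
    for gpo in normal + list(reversed(enforced)):
        for key, value in gpo.settings.items():
            settings[key], source[key] = value, gpo.name
    return settings, source

if __name__ == "__main__":
    site = Container("Default-First-Site", [GPO("Site-Wallpaper", {"wallpaper": "blue"})])
    domain = Container("corp.example.com",
                       [GPO("Domain-Security", {"min_password_len": 8, "logon_script": "domain.bat"}),
                        GPO("Domain-Desktop", {"wallpaper": "red"})],
                       no_override={"Domain-Security"})
    finance = Container("OU=Finance",
                        [GPO("Finance-Apps", {"start_menu": "Payroll Client", "logon_script": "finance.bat"}),
                         GPO("Old-Finance", {"wallpaper": "black"}, enabled=False)],
                        block_inheritance=True)
    settings, source = resultant_policy([site, domain, finance])
    for key in sorted(settings):
        print(f"{key:18} = {settings[key]!s:16} (from {source[key]})")
```

Running it shows the two things administrators most often get wrong: the Finance OU's logon script is overridden by the domain's because the domain link is marked No Override, and the blocked site and domain wallpaper settings leave the user with no wallpaper setting at all, since the only OU-level GPO that sets one is disabled.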

Print Server Administration

Although more and more information is being passed electronically through web sites and email, managing printed material is still a priority for network administrators. There are a couple of Windows 2000 printing terms that you’ll have to be familiar with:

Printer

A logical object that can include one or more print devices

Print device

The actual piece of hardware that prints documents

Print server

The computer that controls the print spool

Print spool

The list of the items, called print jobs, that are waiting to get printed

Network printers

If a print device is attached to a computer directly and that computer stores the print jobs locally, the print device is called a local printer . If a print device can accept print jobs that were sent over a network, the print device is called a network printer . You can add both a local and a network printer using the Add Printer wizard in the Control Panel.

Managing print jobs

When you plan how to set up printing on your network, you'll have to figure out how many print devices you'll need to meet the printing demand. You can then create logical printers and configure them to use one or more print devices. If several print devices use the same driver (ideally they are the exact same model), you can distribute jobs among them in a structure called a printer pool. The user sees only one printer, but the actual print device that performs a given job varies.

You can also make one print device serve several logical printers. You can then give one of those printers a higher priority (1 to 99, with 99 the highest) and grant only a particular group permission to print to it, so that group's jobs go ahead of everyone else's even though only one print device is available.

Printers are protected by permissions (Print, Manage Documents, and Manage Printers) and, when Internet Information Services is installed on the print server, can also be managed remotely through a web browser. An administrator can prioritize, cancel, pause, or resume print jobs. Bear in mind that web-based printer management means the print server is also a web server, so it needs the same patching and access control as any other IIS host.

Device Drivers

Device drivers are software that lets Windows communicate with a particular piece of hardware, such as a video card or a modem. You can check which drivers are in use for a particular device with the Device Manager snap-in. Because drivers run in kernel mode, a faulty (or malicious) driver can do far more damage than an ordinary program: at best Windows cannot use the device, and in the worst case the system crashes. The odds of a faulty driver making its way into a Windows 2000 system have been greatly reduced by a driver certification process called driver signing.

Driver signing

Microsoft tests drivers submitted for certification in various hardware configurations running under Windows 2000. If a driver passes all of Microsoft's tests, Microsoft signs a catalog file (.cat) containing a hash of each of the driver's files; the digital signature lets Windows verify both that the driver was tested and that its files have not been altered since. By default, Windows 2000 warns you when you install an unsigned device driver. You can also configure it to stop warning you, or to block the installation of unsigned drivers altogether, using the Driver Signing button on the Hardware tab of System in Control Panel or the "Unsigned driver installation behavior" Security Option in Group Policy. Note that a signature says nothing about whether the driver is free of bugs; it only tells you who vouches for it and that it is intact.

Auditing

If you need to maintain a secure network, you should keep track of attempted accesses to network resources. Auditing is the process of keeping a record of events that happened on your network. Suppose you need to make sure a certain file isn’t being viewed by any unauthorized users. You can audit file access by monitoring who tried to access a file, when the attempt was made, and whether it was successful or not.

You set up auditing as part of an audit policy. If the computer you want to monitor is a domain controller, the audit policy is set in the domain controllers' Group Policy and therefore applies to all the domain controllers; otherwise the audit policy applies only to the local computer. Audit policies are configured with the Group Policy snap-in, under Security Settings, Local Policies, Audit Policy. Turning on "Audit object access" alone records nothing: you must also add auditing entries (the object's system access control list, or SACL) on each file, folder, or other object you care about, naming the users or groups and the accesses to record. The resulting events are written to the Security log, which you read with Event Viewer.
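The audit trail is only useful if someone reads it, and the questions the paragraph above poses (who tried, when, and did it succeed) are easy to automate. The following is an added example, not code from the book. The records are constructed and flattened to one line each (real entries live in the Security log in Event Viewer, not in a text file); event ID 560 is Windows 2000's "Object Open" audit event and 529 its "Logon Failure: unknown user name or bad password" event. The file path, user names, and times are made up.

```python
"""Review constructed Windows 2000 Security-log style records for a
sensitive file.  Added illustration, not code from the book."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PAYROLL_FILE = r"\\FS1\Payroll\salaries.xls"

# Constructed sample: time|event id|result|user|object|access requested
SAMPLE_LOG = r"""
2000-05-12 09:01:07|560|Success|alice|\\FS1\Payroll\salaries.xls|ReadData
2000-05-12 09:02:41|560|Failure|mallory|\\FS1\Payroll\salaries.xls|ReadData
2000-05-12 09:03:02|560|Failure|mallory|\\FS1\Payroll\salaries.xls|ReadData
2000-05-12 09:05:19|560|Failure|mallory|\\FS1\Payroll\salaries.xls|WriteData
2000-05-12 09:10:00|529|Failure|mallory|-|-
2000-05-12 11:30:45|560|Success|bob|\\FS1\Payroll\salaries.xls|ReadData
2000-05-12 17:48:12|560|Success|mallory|\\FS1\Payroll\salaries.xls|ReadData
"""

OBJECT_OPEN, LOGON_FAILURE = 560, 529

def parse_audit_lines(text):
    """One dict per record: who, when, what, and whether it succeeded."""
    records = []
    for line in text.strip().splitlines():
        ts, event_id, result, user, obj, access = line.split("|")
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "event": int(event_id), "success": result == "Success",
                        "user": user, "object": obj, "access": access})
    return records

def unauthorized_readers(records, path, allowed):
    """Users who actually opened `path` but are not on the allowed list.
    A success here means the DACL let them in: fix the permissions, the
    audit only told you about it."""
    return {r["user"] for r in records
            if r["event"] == OBJECT_OPEN and r["success"]
            and r["object"] == path and r["user"] not in allowed}

def repeated_failures(records, threshold=3, window=timedelta(minutes=5)):
    """(user, object, count, first, last) for every user/object pair with at
    least `threshold` failed opens inside one `window`: someone probing."""
    by_key = defaultdict(list)
    for r in records:
        if r["event"] == OBJECT_OPEN and not r["success"]:
            by_key[(r["user"], r["object"])].append(r["time"])
    hits = []
    for (user, obj), times in by_key.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                hits.append((user, obj, j - i + 1, times[i], times[j]))
                break
    return hits

def failed_logons(records):
    """Bad-password / unknown-user logon failures per account."""
    return Counter(r["user"] for r in records if r["event"] == LOGON_FAILURE)

def access_timeline(records, user, path):
    """The three questions the audit answers, for one user and one object."""
    return [(r["time"].strftime("%H:%M:%S"), r["access"], "ok" if r["success"] else "DENIED")
            for r in records if r["user"] == user and r["object"] == path]

if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_LOG)
    print("unauthorized readers:", unauthorized_readers(recs, PAYROLL_FILE, {"alice", "bob"}))
    for user, obj, n, first, last in repeated_failures(recs):
        print(f"{user}: {n} denied opens of {obj} between {first:%H:%M:%S} and {last:%H:%M:%S}")
    print("failed logons:", dict(failed_logons(recs)))
    print("mallory's timeline:", access_timeline(recs, "mallory", PAYROLL_FILE))
```

The sample is constructed so that mallory's three denials in the morning are followed by a successful open in the evening: the pattern worth alerting on, because it usually means a permission was changed (or a group membership added) in between.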

Security Configuration and Analysis

There are three security-related snap-ins available for the MMC: the Group Policy snap-in, covered earlier in this chapter; the Security Configuration and Analysis snap-in; and the Security Templates snap-in. Each provides tools that handle specific security needs.

The Security Configuration and Analysis snap-in lets you import a security template (a text file describing account and audit policy, registry and file system permissions, service startup settings, and so on), compare the computer's current settings against it in detail, and, if you choose, apply the template to the computer. The analysis lists every setting that differs from the template, so rather than suggesting changes of its own it reports where the machine has drifted from the baseline you chose; what to do about each difference is your decision. Templates created with the Security Templates snap-in can also be imported into the Security Settings of a GPO, which is how you roll a baseline out to many machines at once. The same analysis and configuration operations are available from the command line with secedit.exe, which is convenient for scripting.

Kerberos

Windows 2000 upgrades logon security by using the Kerberos version 5 authentication protocol by default. With the Windows NT protocol (NTLM), only the user was authenticated. With Kerberos, both the user and the server the user is connecting to are authenticated, with the help of the Kerberos Key Distribution Center (KDC) service that runs on every Windows 2000 domain controller. Kerberos brings a lot of new terminology with it:

Authenticator

A small message (the client's name and the current time, encrypted with the session key) that accompanies a ticket and proves that the sender actually holds the session key, and is therefore the principal the ticket was issued to. Because it carries a timestamp, a server can reject authenticators that are too old or that it has already seen, which limits replay.

Principals

The parties Kerberos authenticates: the user who is trying to log in and the service or server that may allow the connection. Each has an entry in the KDC's database and its own long-term key.

Secret key

The long-term key derived from a principal's password and shared only between that principal and the KDC. It is never sent across the network; instead, the KDC uses it to encrypt material that only the holder of the same key can read.

Session key

A temporary key generated by the KDC and handed to both principals (to the user directly, and to the server inside the ticket). It is valid only for the current session between those two principals and is used to encrypt the authenticator and any data they protect afterwards.

Kerberos realm

The complete set of principals that one KDC database provides authentication for. In Windows 2000, a realm corresponds to a domain, and the realm name is the domain's DNS name in uppercase.
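The terms above fit together into one exchange, and the mutual authentication the section opens with is easiest to see with both sides' messages in front of you. The following is an added example, not code from the book. It is a toy model: the cipher is a stand-in (a SHA-256 keystream plus an HMAC tag) for the real Kerberos encryption types, the ticket-granting-ticket step that sits between obtaining credentials and contacting the server is collapsed into a single exchange, and the principals and passwords are made up. The 5-minute clock-skew limit is the Kerberos default.

```python
"""Toy model of the Kerberos v5 logon exchange Windows 2000 uses: the user
obtains a ticket and session key from the KDC, presents the ticket with an
authenticator to a server, and the server answers with an AP-REP that
authenticates it back to the user.  Added illustration; the cipher is a
stand-in and the TGT step is collapsed (see the lead-in)."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"
MAX_SKEW = 300              # seconds of clock difference a server will accept
TICKET_LIFE = 8 * 3600

def string_to_key(password):
    """Long-term secret key: derived from the password and shared only by the
    principal and the KDC.  It never crosses the network."""
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, length):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]

def encrypt(key, obj):
    """Stand-in etype: confidentiality plus an integrity tag, so that decrypting
    with the wrong key is detected instead of yielding garbage."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Runs on every Windows 2000 domain controller; holds every principal's key."""
    def __init__(self, passwords):
        self.keys = {name: string_to_key(pw) for name, pw in passwords.items()}

    def as_exchange(self, cname, sname, now=None):
        now = time.time() if now is None else now
        session_key = os.urandom(32).hex()          # fresh per logon; hex so it survives JSON
        expires = now + TICKET_LIFE
        ticket = encrypt(self.keys[sname],          # only the server can open this
                         {"cname": cname, "realm": REALM, "key": session_key, "expires": expires})
        enc_part = encrypt(self.keys[cname],        # only the real user can open this
                           {"key": session_key, "sname": sname, "expires": expires})
        return {"ticket": ticket.hex(), "enc_part": enc_part.hex()}

class Client:
    def __init__(self, name, password):
        self.name, self.key = name, string_to_key(password)

    def logon(self, kdc, sname, now=None):
        rep = kdc.as_exchange(self.name, sname, now)
        enc = decrypt(self.key, bytes.fromhex(rep["enc_part"]))   # wrong password -> ValueError
        self.session_key, self.ticket = bytes.fromhex(enc["key"]), rep["ticket"]

    def ap_req(self, now=None):
        """Ticket plus authenticator: proof that we hold the session key right now."""
        self.last_ts = int(time.time() if now is None else now)
        auth = encrypt(self.session_key, {"cname": self.name, "ts": self.last_ts})
        return {"ticket": self.ticket, "authenticator": auth.hex()}

    def server_authenticated(self, ap_rep):
        """Mutual authentication: only a server that could open the ticket
        (and so holds the session key) can echo our timestamp."""
        return decrypt(self.session_key, bytes.fromhex(ap_rep))["ts"] == self.last_ts

class Server:
    def __init__(self, name, password):
        self.name, self.key = name, string_to_key(password)
        self.replay_cache = set()

    def accept(self, req, now=None):
        now = time.time() if now is None else now
        ticket = decrypt(self.key, bytes.fromhex(req["ticket"]))  # impostor server fails here
        if ticket["expires"] < now:
            raise ValueError("ticket expired")
        session_key = bytes.fromhex(ticket["key"])
        auth = decrypt(session_key, bytes.fromhex(req["authenticator"]))
        if auth["cname"] != ticket["cname"]:
            raise ValueError("authenticator does not match ticket")
        if abs(auth["ts"] - now) > MAX_SKEW:
            raise ValueError("clock skew too large")
        if req["authenticator"] in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add(req["authenticator"])
        return ticket["cname"], encrypt(session_key, {"ts": auth["ts"]}).hex()

if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse battery", "host/fs1.example.com": "machine-account-secret"})
    alice = Client("alice", "correct horse battery")
    fs1 = Server("host/fs1.example.com", "machine-account-secret")
    alice.logon(kdc, "host/fs1.example.com")
    cname, ap_rep = fs1.accept(alice.ap_req())
    print("server accepted", cname, "- server authenticated to user:", alice.server_authenticated(ap_rep))
```

Notice what never appears on the wire: neither password, nor either long-term key. The user proves herself by being able to decrypt the KDC's reply and then use the session key; the server proves itself by being able to open the ticket and echo the authenticator's timestamp. The clock-skew check is why Windows 2000 domain members must keep their clocks synchronized with the domain controllers.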
