Administering Windows NT Accounts

In the following sections, you'll see how to create and manage user and group accounts. Accounts don't just provide basic security by requiring users to identify themselves before logging on with a user name and password. They also provide the basis for securing access to just about everything on the network, including files, printers, and other shared resources. The central tool for performing account management tasks is the User Manager for Domains utility.

Introducing User Manager for Domains

User Manager for Domains is a graphical utility used to view, create, modify, and delete user accounts, local groups, and global groups. In addition, you can administer system-wide policies dealing with how accounts behave, what events are audited, and what rights each user and group has. Think of User Manager for Domains as your interface to the Security Account Manager database of your domain and other domains on your network.

Windows NT Workstation includes a similar utility called User Manager. It enables you to manage user and group accounts on a single workstation. User Manager for Domains has some significant differences, but if you're already familiar with User Manager, you should be comfortable with much of the NT Server version.
Figure: User Manager for Domains provides you with a window on the SAM database in your domain and in other domains.
The Guest account, automatically created by NT during installation, allows users with no formal account or password to access resources on the network. Users in untrusted domains can gain access to your domain. This can be a big security hole. The good news is that by default, the Guest account is disabled. Leaving it that way is recommended. Unfortunately, you can't delete the Guest account.

By default, you're looking at the accounts in your own domain. User Manager for Domains can administer accounts in other domains as well. To attach this utility to another domain, click Select Domain on the User menu. In the Select Domain dialog box, type or click the domain that you want to administer and click OK.
Figure: You can manage account policies that define the behavior of all user accounts.
Password Uniqueness: Some users swap between two standard passwords whenever their password expires. Although this is easy for them, it provides little password security. You can direct NT to save a history of previous passwords, then use this information to force a user into changing his or her password to something brand new. The default keeps no history.

Password Aging: You can allow passwords to change any time, or prevent changes for a certain number of days. The default allows changes immediately, with no minimum waiting period.
You need to consider how password uniqueness and password aging interact with each other. For password uniqueness to be effective, you must not allow immediate changes to passwords. If you allow immediate changes, users who like to cycle between two standard passwords can immediately change passwords several times to get back to their old standard ones.

By default, NT allows a user to log on once after his or her password has expired. It then forces the user to change the password. If you click to select the Users must log on in order to change password check box at the bottom of the dialog box, NT won't extend this courtesy. If a user's password expires, an administrator will have to intervene.
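The interaction between password uniqueness and password aging described above can be checked with a small model. This is an added Python example, not NT's own logic or part of the original text; the class and function names are hypothetical, and the history rule (the last N previous passwords are refused) is a simplifying assumption.

```python
from dataclasses import dataclass, field

@dataclass
class AccountPolicy:
    history_length: int  # previous passwords remembered (0 = none, the default)
    min_age_days: int    # days before another change is allowed (0 = immediately)

@dataclass
class Account:
    policy: AccountPolicy
    current: str = "original"
    history: list = field(default_factory=list)  # oldest first
    last_change_day: int = 0                     # password was set on day 0

    def change_password(self, new: str, today: int) -> bool:
        """Return True if the policy accepts the change on the given day."""
        if today - self.last_change_day < self.policy.min_age_days:
            return False                         # minimum age not reached
        n = self.policy.history_length
        remembered = self.history[-n:] if n else []
        if new == self.current or new in remembered:
            return False                         # uniqueness rule
        self.history.append(self.current)
        self.current, self.last_change_day = new, today
        return True

def days_until_reuse(policy: AccountPolicy, limit_days: int = 3650):
    """Earliest day the original password is accepted again (None if never)."""
    acct, changes = Account(policy), 0
    for day in range(limit_days + 1):
        while True:
            # Prefer going back to the original; otherwise use a one-off value.
            if changes and acct.change_password("original", day):
                return day
            if not acct.change_password(f"one-off-{changes}", day):
                break
            changes += 1
    return None

def audit(policy: AccountPolicy) -> list:
    """Flag the two weak combinations described in the text."""
    if policy.history_length == 0:
        return ["no history: a previous password can be reused at once"]
    if policy.min_age_days == 0:
        return ["history without minimum age: history can be cycled in one day"]
    return []

if __name__ == "__main__":
    for p in (AccountPolicy(0, 0), AccountPolicy(5, 0), AccountPolicy(5, 1), AccountPolicy(8, 3)):
        print(p, days_until_reuse(p), audit(p))
```

In this model the reuse delay grows with the product of history length and minimum age, so a history setting adds nothing until the minimum age is above zero.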
Figure: In the New User dialog box, you can add a new user account by specifying its name, password, and other information.
8. Click to select the User Must Change Password at Next Logon check box. This check box is selected by default. Forcing your users to change their passwords to something unknown to administrators provides maximum security.

:. If you don't want the user to be able to change the account password, click to select the User Cannot Change Password check box. If more than one user will share this account, you may want to prevent the users from changing passwords on each other. However, it is recommended not to let users share accounts.
Figure: In the Group Memberships dialog box, you can make this account a member of existing groups.