Networking: A Beginner’s Guide Fifth Edition- P55 ppsx

Chapter 17: Administering Windows Server 2008: The Basics

Installing and setting up Windows Server 2008 is only the tip of the iceberg. Far
more important and time-consuming is the process of administering the server. This
process includes regular and common duties such as adding new users, deleting old
users, assigning permissions to users, performing backups, and so forth. These topics
are covered in this chapter. Good administration habits will ensure that the network
and the server remain productive and secure.

Thinking About Network Security

Before delving into the administrative activities discussed in this chapter, you should
spend some time thinking about network security and how it relates to your specific
company. Administering a server must be predicated on maintaining appropriate
security for your network.

The key here is to remember that every network has an appropriate level of security.
The security requirements for a Department of Defense (DoD) contractor that designs
military equipment will be different from the security requirements for a company that
operates restaurants.

Many beginning network administrators think they need to set up their networks
to follow the strongest security measures available. The problem with this approach
is that these measures almost always reduce the productivity of people using the
network. You need to strike a balance between productivity and security in accordance
with the needs of your company.

For example, Windows Server 2008 enables you to set various security policies that
apply to users. These include forcing password changes at specified intervals, requiring
that passwords be a certain minimum length, disallowing reuse of old passwords, and
so on. For example, you could set up policies to require passwords that are at least
20 characters long and that must be changed weekly. In theory, these settings should be
more secure than shorter, less-frequently changed passwords. A 20-character password
is virtually impossible to crack using standard methods, and weekly password changes
reduce the chance that someone else will discover a user’s password and be free to use
it for an extended period of time.

One problem with such strict policies is that users may resort to writing down
their passwords so they can remember them from week to week. A written password
is far less secure than one that is remembered, because someone else can find the
written password and bypass security easily after doing so. Another problem is that
users might frequently forget their passwords, which will lead to them being locked
out of the system for periods of time. This means they will require a lot of help from
the network administrator (you!) to clear up these problems each time they occur. For
a DoD contractor, these trade-offs might be worthwhile. For the restaurant operator,
however, they would be inappropriate and would end up hurting the company more
than they help.

The primary reason you should pay attention to this subject before learning about
administration is that you should determine the appropriate network security early,
so that you can allow for it as you administer the network on a daily basis. Network
security doesn’t need to take up much of your time, provided you set up your
administrative procedures so they presuppose the level of security you require. For
example, if you know what your password policies will be on the network, it takes
only a few seconds to ensure that new users have those policies set for their account.
If you know that you maintain a paper-based log of changes to security groups in the
network, then it takes only a second to follow this procedure as you change group
membership occasionally. Failing to determine these security practices and policies
early on will result in needing to undertake much larger projects as part of a security
review or audit. Security is an area where you’re much better off doing things right the
first time!

Working with User Accounts

For anyone—including the administrator—to gain access to a server running Windows
Server 2008, the user must have an account established on the server or in the domain.
(A domain is essentially a collection of security information shared among Windows
servers.) The account defines the user name (the name by which the user is known to
the system) and the user’s password, along with a host of other information specific
to each user. Creating, maintaining, and deleting user accounts is easy with Windows
Server 2008.

NOTE Every account created for a Windows Server 2008 domain is assigned a special number,
called a security ID (SID). The server actually recognizes the user by this number. SIDs are said
to be “unique across space and time.” This means that no two users will ever have the same SID,
even if they have the same user name and even the same password. This is because the SID is
made up of a unique number assigned to the domain and then a sequential number assigned to
each created account (with billions of unique user-specific numbers available). If you have a user
called Frank, delete that account, and then create another account called Frank, the accounts
will have different SIDs. This ensures that no user account will accidentally receive permissions
originally assigned to another user of the same name.
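
The behavior described in the NOTE above, as an added PowerShell example that is not from the book: two accounts named Frank share the domain part of their SIDs but not the account number, so a permission entry written for the first Frank does not apply to the second. The domain identifier, the account numbers 1105 and 1132, the folder permission list, and the helper names `Get-SidParts` and `Get-GrantedRights` are all constructed for illustration; 513 is the standard account number of the Domain Users group.

```powershell
# Constructed sample values: this domain identifier and these account numbers are made up.
$domainSid = 'S-1-5-21-1004336348-1177238915-682003330'

# Hypothetical helper: split an account SID into its domain part and per-account number.
function Get-SidParts {
    param([string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier $SidString
    New-Object PSObject -Property @{
        Sid       = $sid.Value
        DomainSid = $sid.AccountDomainSid.Value            # same for every account in the domain
        Rid       = [uint32](($sid.Value -split '-')[-1])  # number assigned to this account
    }
}

# Hypothetical helper: return the rights a permission list grants to a set of SIDs.
# Matching is on the SID only; the user name never enters into it.
function Get-GrantedRights {
    param($Entries, [string[]]$Sids)
    foreach ($entry in $Entries) {
        if ($Sids -contains $entry.Sid) { $entry.Rights }
    }
}

# The first Frank (since deleted) and a second account later created with the same name.
$oldFrank = Get-SidParts "${domainSid}-1105"
$newFrank = Get-SidParts "${domainSid}-1132"

# Constructed permission list for a shared folder, written while the first Frank existed.
$folderAcl = @(
    @{ Sid = $oldFrank.Sid;      Rights = 'Modify' }  # granted to the first Frank
    @{ Sid = "${domainSid}-513"; Rights = 'Read'   }  # granted to the Domain Users group
)

"Domain part shared: {0}" -f ($oldFrank.DomainSid -eq $newFrank.DomainSid)
"Account numbers:    {0} vs {1}" -f $oldFrank.Rid, $newFrank.Rid

# At logon the new Frank presents his own SID plus the SIDs of his groups.
$newFrankSids = @($newFrank.Sid, "${domainSid}-513")
$rights = @(Get-GrantedRights -Entries $folderAcl -Sids $newFrankSids)
"Rights for new Frank: {0}" -f ($rights -join ', ')
"Receives old Frank's Modify right: {0}" -f ($rights -contains 'Modify')
```

The entry for the deleted account stays in the permission list as an unresolved SID, which is why removing such orphaned entries is a routine cleanup task after accounts are deleted.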

To maintain user accounts, you use the Active Directory Users and Computers
console. You can open this console by clicking the Start menu, choosing Programs, and
then selecting Administrative Tools. To accomplish activities in the console, you first
select either a container in the left pane or an object in the right pane, and then either
right-click the container or object or open the Action pull-down menu and choose
from the available options. Because the available options change based on the selected
container or object, first selecting an object with which to work is important.

Adding a User

To add a user with the Active Directory Users and Computers console, start by
selecting the Users container in the left pane (with the tree open to the domain you
are administering), as shown in Figure 17-1. Then right-click the Users container,
choose New from the pop-up menu, and choose User from the submenu. You see the
New Object – User dialog box, as shown in Figure 17-2. Fill in the First Name, Last
Name, and User Logon Name fields. Then click the Next button to move to the next
dialog box.

TIP You should establish standards by which you assign logon names on your network. Small
networks (those with fewer than 50 users) often just use people’s first names, followed by the first
initial of their last names when conflicts arise. A more commonly used convention is to use the
user’s last name followed by the first initial of their first name. This latter standard allows far more
combinations before conflicts arise, and you can then resolve any conflicts that arise by adding the
person’s middle initial, a number, or some other change so that all user names at any given time on
the system are unique.

Figure 17-1. The Active Directory Users and Computers console allows you to manage user
accounts.