
198 Chapter 4

Managing Users and Groups
Adding Active Directory Organization Information
The Organization tab, shown in Figure 4.20, allows you to provide informa-
tion about the user’s role in your organization. You can enter the user’s title,
department, company, and manager. You can also specify to whom the user
directly reports.
FIGURE 4.20 The Organization tab of the Active Directory user Properties dialog box
Managing Active Directory User Group Membership
The Member Of tab displays the groups that the user belongs to, as shown
in Figure 4.21. You can add the user to an existing group by clicking the Add
button. To remove the user from a group listed on this tab, highlight the
group and click the Remove button.
Copyright ©2000 SYBEX , Inc., Alameda, CA
www.sybex.com
Working with Active Directory User Accounts 199
FIGURE 4.21 The Member Of tab of the Active Directory user Properties dialog box
Configuring Dial-in Properties
Through the Dial-in tab, shown in Figure 4.22, you configure the user’s
remote-access permissions for dial-in or VPN connections. Remote-access
permissions are covered in Chapter 13.
FIGURE 4.22 The Dial-in tab of the Active Directory user Properties dialog box
Configuring Terminal Services Properties
Four of the tabs in the Active Directory user Properties dialog box contain
properties that relate to Terminal Services: Environment, Sessions, Remote
Control, and Terminal Services Profile. Terminal Services is covered in
Chapter 12, “Administering Terminal Services.”
Working with Local and Active Directory Group Accounts
Groups are an important part of network management. Efficient
administrators are able to accomplish the majority of their management tasks
through the use of groups; they rarely assign permissions to individual users.
As explained earlier in the chapter, a Windows 2000 member server can
have local groups. A Windows 2000 domain controller in the Active Directory
can have security groups and distribution groups, and the groups can be
assigned a scope of domain local, global, or universal.
Managing Local Groups
To set up and manage local groups, you use the Local Users and Groups utility.
With Local Users and Groups, you can create, assign members to, rename, and
delete groups.
Creating New Local Groups
In order to create a group, you must be logged on as a member of the Admin-
istrators group or the Power Users group. The Administrators group has full
permissions to manage users and groups. The members of the Power Users
group can manage only the groups that they create.
Microsoft Exam Objective: Implement, configure, manage, and troubleshoot local
accounts.
If possible, you should add users to the built-in local groups rather than creating
new groups from scratch. This makes your job easier, because the built-in groups
already have the appropriate permissions. All you need to do is add the users you
want to be members of the group. Check what a built-in group can do before you
reuse it, though: Power Users and Backup Operators, for example, carry user rights
that reach well beyond access to a particular folder, and a user placed in them
for convenience receives those rights too.
When you create a local group, you should use the following guidelines:
- The group name should be descriptive (for example, Accounting Data Users).
- The group name must be unique to the computer, different from all of the other group names and usernames that exist on that computer.
- Group names can be up to 256 characters. It is best to use alphanumeric characters for ease of administration. The backslash (\) character is not allowed.
As when you choose usernames, you should consider your naming conventions
when assigning names to groups.
Creating groups is similar to creating users, and it is a fairly easy process.
After you’ve added the Local Users and Groups snap-in to the MMC, you
expand it to see the Users and Groups folders. Right-click the Groups folder
and select New Group from the pop-up menu. This brings up the New
Group dialog box, as shown in Figure 4.23.
FIGURE 4.23 The New Group dialog box
The only required entry in the New Group dialog box is the group name.
Optionally, you can enter a description for the group and add (or remove) group
members. When you’re ready to create the new group, click the Create button.
In Exercise 4.11, you will create two new local groups. This exercise
assumes that you have completed all of the exercises in the chapter. This
exercise should be completed from your member server.
Managing Local Group Properties
After you’ve created a group, you can add members to it. A user can belong
to multiple groups.
You can easily add and remove users through the group Properties dialog box,
shown in Figure 4.24. To access this dialog box, from the Groups folder in the
Local Users and Groups utility, double-click the group you want to manage.
FIGURE 4.24 The local group Properties dialog box
EXERCISE 4.11
Creating Local Groups
1. Open the MMC and expand the Local Users and Groups snap-in.
2. Right-click the Groups folder and select New Group.
3. In the New Group dialog box, type Data Users in the Group Name
text box. Click the Create button.
4. In the New Group dialog box, type Application Users in the Group
Name text box. Click the Create button. Click the Close button.
From the group Properties dialog box, you can change the group’s description
and add or remove group members. When you click the Add button to add mem-
bers, the Select Users or Groups dialog box appears, as shown in Figure 4.25. In
this dialog box, you select the user accounts you wish to add and click the Add
button. Click the OK button to add the users to the group.
FIGURE 4.25 The Select Users or Groups dialog box
To remove a member from the group, select the member in the group
Properties dialog box Members list and click the Remove button.
You can select multiple contiguous users to add to or remove from a group by
Shift+clicking the first and last ones. To select multiple noncontiguous
users, Ctrl+click each one.
In Exercise 4.12, you will create new user accounts and then add these
users to one of the groups you created in Exercise 4.11. This exercise should
be completed from your member server.
Renaming Groups
Windows 2000 provides an easy-to-use mechanism for changing a group’s
name (a capability that was not offered in any version of Windows NT).
For example, you might want to rename a group because its current name
does not conform to existing naming conventions.
As when you rename a user account, a renamed group keeps all of its
properties, including its members and permissions, because the group’s
security identifier (SID) does not change; only the name attached to it does.
To rename a group, right-click the group and choose the Rename option
from the pop-up menu. Type the new name and press Enter.
EXERCISE 4.12
Adding Users to Local Groups
1. Open the MMC and expand the Local Users and Groups snap-in.
2. Create four new users: Bent, Claire, Patrick, and Trina. Deselect the
User Must Change Password at Next Logon option for each user.
3. Expand the Groups folder.
4. Double-click the Data Users group (created in Exercise 4.11).
5. In the group Properties dialog box, click the Add button.
6. In the Select Users or Groups dialog box, select Bent, Claire, Patrick,
and Trina (hold down the Ctrl key as you click each member).
7. Click the Add button. Then click the OK button.

8. In the group Properties dialog box, you will see that the users have
all been added to the group. Click OK to close the group Properties
dialog box.
In Exercise 4.13, you will rename one of the groups you created in
Exercise 4.11. This exercise should be completed from your member
server.
Deleting Groups
If you are sure that you will never want to use a group again, you can delete
it. Once a group is deleted, you lose all permission assignments that have
been specified for the group.
To delete a group, right-click the group and choose Delete from the pop-
up menu. You will see the dialog box shown in Figure 4.26, which warns you
that once a group is deleted, it cannot be restored. Click the Yes button to
delete the group.
If you delete a group and then give another group the same name, the new group
does not inherit the properties of the deleted one. Permissions are tied to the
group’s SID, not its name, and the new group receives a new SID; the old SID
stays behind in any ACL that referenced it as an unresolvable entry that no
longer grants anything to anyone.
FIGURE 4.26 Confirming group deletion
EXERCISE 4.13
Renaming a Local Group
1. Open the MMC and expand the Local Users and Groups snap-in.
2. Expand the Groups folder.
3. Right-click the Application Users group (created in Exercise 4.11)
and select Rename.
4. Rename the group to App Users and press Enter.
In Exercise 4.14, you will delete one of the groups that you created in
Exercise 4.11 and renamed in Exercise 4.13. This exercise should be com-
pleted from your member server.
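The procedures in Exercises 4.11 through 4.14 can also be driven from the command line. The following PowerShell script is an added example, not part of the Sybex text; it uses the WinNT ADSI provider, which performs the same SAM operations as the Local Users and Groups snap-in, so it can be run against a Windows 2000 member server from any host that has PowerShell. The folder C:\Data, the password pattern and the account names are assumptions for the demonstration. The last function shows what the warning about deleted groups means in practice: after the group is gone, its SID is still sitting in the folder's ACL as an orphaned entry.

```powershell
# Added example (not from the Sybex text). Run from an elevated PowerShell prompt on
# the member server. $Computer, C:\Data, the user names and the password are assumptions.
$Computer = $env:COMPUTERNAME
$Sam      = [ADSI]"WinNT://$Computer"
$DataDir  = 'C:\Data'

function New-LocalSamUser([string]$Name, [string]$Password) {
    # Equivalent of the New User dialog with "User must change password at next logon" cleared
    $u = $Sam.Create('User', $Name)
    $u.SetPassword($Password)
    $u.SetInfo()
    $u.Put('PasswordExpired', 0)   # 1 would force a password change at next logon
    $u.SetInfo()
}

function New-LocalSamGroup([string]$Name, [string]$Description) {
    # Exercise 4.11: only the name is required; the description is optional
    $g = $Sam.Create('Group', $Name)
    $g.SetInfo()
    if ($Description) { $g.Put('Description', $Description); $g.SetInfo() }
}

function Add-LocalSamGroupMember([string]$Group, [string[]]$Members) {
    # Exercise 4.12: the Add button in the group Properties dialog box
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in $Members) { $g.Add("WinNT://$Computer/$m,user") }
}

function Rename-LocalSamGroup([string]$Name, [string]$NewName) {
    # Exercise 4.13: MoveHere into the same container under a new name renames the object;
    # the SID, and therefore every permission granted to it, is preserved.
    $null = $Sam.MoveHere("WinNT://$Computer/$Name,group", $NewName)
}

function Get-LocalSamGroupSid([string]$Name) {
    $g = [ADSI]"WinNT://$Computer/$Name,group"
    (New-Object System.Security.Principal.SecurityIdentifier($g.objectSid.Value, 0)).Value
}

function Grant-FolderModify([string]$Path, [string]$Group) {
    # Give the group Modify on the folder so we can watch what deletion does to the ACL
    if (-not (Test-Path $Path)) { $null = New-Item -ItemType Directory -Path $Path }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Computer\$Group", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Find-OrphanedAces([string]$Path) {
    # An IdentityReference that still prints as a raw SID could not be resolved to an
    # account: the principal was deleted. Recreating a group with the same name does
    # not reclaim the entry, because the new group receives a new SID.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -match '^S-1-\d+(-\d+)+$' }
}

# Exercises 4.11 and 4.12: users, groups, membership
'Bent', 'Claire', 'Patrick', 'Trina' | ForEach-Object { New-LocalSamUser $_ ('Tmp!Passw0rd-' + $_) }
New-LocalSamGroup 'Data Users' 'Users of the data share'
New-LocalSamGroup 'Application Users'
Add-LocalSamGroupMember 'Data Users' @('Bent', 'Claire', 'Patrick', 'Trina')

# Exercise 4.13: rename keeps the SID
Rename-LocalSamGroup 'Application Users' 'App Users'

# Grant the group a permission, then delete it as in Exercise 4.14 and look at the ACL
Grant-FolderModify $DataDir 'Data Users'
"Data Users SID before deletion: $(Get-LocalSamGroupSid 'Data Users')"
$Sam.Delete('Group', 'App Users')
$Sam.Delete('Group', 'Data Users')
Find-OrphanedAces $DataDir | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

The final Format-Table shows the Modify entry still present, keyed by the deleted group's SID. Auditing shares and folders for such entries after group clean-ups is the practical counterpart of the warning in the text: the orphaned ACE grants nothing today, but it is noise that hides real permission problems and should be removed.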
Managing Active Directory Groups
You create and manage Active Directory groups through the Active Directory
Users and Computers utility. When you create a new Active Directory group,
you specify its scope and type, which were discussed in the “An Overview of
Groups” section earlier in this chapter.
Creating New Active Directory Groups
To create a group on a domain controller, take the following steps:
1. Select Start → Programs → Administrative Tools → Active Directory Users
and Computers to open the Active Directory Users and Computers utility.
2. Right-click the Users folder, select New from the pop-up menu, and
then select Group.
3. The New Object - Group dialog box appears, as shown in Figure 4.27.
Type in the group name for Windows 2000. The pre-Windows 2000 group
name will be filled in automatically, but you can change it if desired.
EXERCISE 4.14
Deleting a Local Group
1. Open the MMC and expand the Local Users and Groups snap-in.
2. Expand the Groups folder.
3. Right-click the App Users group and choose Delete.
4. In the dialog box that appears, click Yes to confirm that you want to
delete the group.
FIGURE 4.27 The New Object - Group dialog box
4. In the Group Scope section, select the scope for the group:
- Choose the Domain Local option if you want to use the group to assign permissions to resources.
- Choose the Global option if you want to use this group for users who require similar network access.
- Choose the Universal option if you want to assign permissions related to resources in multiple domains.
5. In the Group Type section, select the type of group that you want to create:
- Choose the Security option if this group is for users who need access to specific resources.
- Choose the Distribution option if this group is for users who have common characteristics (for example, users who you may need to receive the same e-mail messages).
6. Click OK to close the dialog box and create the new group.
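The scope and type chosen in steps 4 and 5 are stored together in a single attribute, groupType, as a bitmask. The following PowerShell script is an added example, not part of the Sybex text. It creates the group through the LDAP ADSI provider with the same attributes the New Object - Group dialog box sets, decodes groupType back into scope and type (useful when auditing groups created by someone else), and expands nested membership, which the Members tab shows only one level at a time. The group name and the Users container are the ones used in the chapter; the account running it must be allowed to create objects in CN=Users, and the script assumes no distinguished name contains a forward slash.

```powershell
# Added example (not from the Sybex text). Run on a domain controller or any domain
# member as a user allowed to create objects in the Users container.
$RootDse = [ADSI]'LDAP://RootDSE'
$UsersDn = "CN=Users,$($RootDse.defaultNamingContext)"

# groupType flag bits (ADS_GROUP_TYPE_ENUM)
$GT_GLOBAL       = 0x2
$GT_DOMAIN_LOCAL = 0x4
$GT_UNIVERSAL    = 0x8
$GT_SECURITY     = [int]::MinValue   # 0x80000000 in the signed 32-bit field AD uses

function Get-GroupTypeValue([string]$Scope, [string]$Type) {
    $bits = switch ($Scope) {
        'DomainLocal' { $GT_DOMAIN_LOCAL }
        'Global'      { $GT_GLOBAL }
        'Universal'   { $GT_UNIVERSAL }
        default       { throw "Unknown scope '$Scope'" }
    }
    if ($Type -eq 'Security') { $bits = $bits -bor $GT_SECURITY }
    return [int]$bits
}

function ConvertFrom-GroupType([int]$GroupType) {
    # Reverse mapping: the scope bits are mutually exclusive, the security bit is separate
    $scope = switch ($GroupType -band 0xE) {
        2 { 'Global' }
        4 { 'DomainLocal' }
        8 { 'Universal' }
    }
    $type = if ($GroupType -band $GT_SECURITY) { 'Security' } else { 'Distribution' }
    [pscustomobject]@{ Scope = $scope; Type = $type; Raw = $GroupType }
}

function New-AdsiGroup([string]$Name, [string]$Scope, [string]$Type) {
    $container = [ADSI]"LDAP://$UsersDn"
    $g = $container.Create('group', "CN=$Name")
    $g.Put('sAMAccountName', $Name)    # the pre-Windows 2000 name the dialog fills in for you
    $g.Put('groupType', (Get-GroupTypeValue $Scope $Type))   # must be set before SetInfo
    $g.SetInfo()
    return $g
}

function Get-EffectiveMembers([string]$GroupDn, [hashtable]$Seen = @{}) {
    # Recursive expansion of the member attribute. $Seen stops circular nesting from
    # looping. Primary-group membership (primaryGroupID) is not in 'member' and is not shown.
    foreach ($dn in ([ADSI]"LDAP://$GroupDn").member) {
        if ($Seen.ContainsKey($dn)) { continue }
        $Seen[$dn] = $true
        $obj = [ADSI]"LDAP://$dn"
        if ($obj.objectClass -contains 'group') { Get-EffectiveMembers $dn $Seen }
        else { $dn }
    }
}

# Exercise 4.15: a domain local security group in the Users container
$grp = New-AdsiGroup 'Test Group' 'DomainLocal' 'Security'
ConvertFrom-GroupType $grp.groupType.Value     # Scope=DomainLocal Type=Security Raw=-2147483644

# Security versus distribution differ only in the high bit; only a security group is
# placed in a user's access token, so only a security group can usefully appear in an ACL.
Get-GroupTypeValue 'Global' 'Distribution'     # 2
Get-GroupTypeValue 'Global' 'Security'         # -2147483646

# Every user reachable through nesting, which the Members tab does not show
Get-EffectiveMembers "CN=Test Group,$UsersDn"
```

When reviewing who can actually reach a resource, run the recursive expansion against the group named in the ACL rather than reading the Members tab: a domain local group that contains a global group that contains a universal group grants access to every user at the bottom of that chain.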
Managing Active Directory Group Properties
You can manage an Active Directory group through the group Properties dialog
box, shown in Figure 4.28. To access this dialog box, right-click the group in the
Active Directory Users and Computers utility and select Properties from the
pop-up menu.
FIGURE 4.28 The Active Directory group Properties dialog box
This dialog box has four tabs with options for managing the group:
- The General tab (see Figure 4.28) allows you to view and change the pre-Windows 2000 group name, description, and e-mail address. You can view the group scope and type, but while the domain runs in mixed mode you can’t change these entries. You can also add notes for the group.
- The Members tab, shown in Figure 4.29, allows you to view and change group membership.
FIGURE 4.29 The Members tab of the Active Directory group Properties dialog box
- The Member Of tab, shown in Figure 4.30, allows you to view, add groups to, or remove groups from other groups, if the group scope and the domain mode allow group nesting (one group contained within another group).
FIGURE 4.30 The Member Of tab of the Active Directory group Properties dialog box
- The Managed By tab, shown in Figure 4.31, allows you to view and change the user who manages the group.
FIGURE 4.31 The Managed By tab of the Active Directory group Properties dialog box
In Exercise 4.15, you will create and manage an Active Directory group.
This exercise assumes that you have completed the other exercises in this
chapter. This exercise should be completed from your domain controller.

EXERCISE 4.15
Creating and Managing an Active Directory Group
1. Select Start  Programs  Administrative Tools  Active Directory
Users and Computers.
2. In the Active Directory Users and Computers utility, right-click the
Users folder, select New, and then select Group.
3. In the New Object - Group dialog box, enter Test Group as the
group name. Choose the Domain Local option for the group scope
and the Security option for the group type. Click the OK button.
4. In the Active Directory Users and Computers utility, right-click Test Group
and select Properties.
EXERCISE 4.15 (continued)
5. In the Test Group Properties dialog box, click the Members tab and
then click the Add button. Select user Ginnie B. Donald and click the
Add button. Click the OK button. In the Test Group Properties dialog
box, click the OK button.
6. Close the Active Directory Users and Computers utility.

Summary
In this chapter, you learned about user and group management features
in Windows 2000 Server. We covered the following topics:
- An overview of local and Active Directory user and group accounts, including the built-in user and group accounts
- How to use the Local Users and Groups utility to create and manage local user accounts
- How to use the Active Directory Users and Computers utility to create and manage Active Directory user accounts
- How to create and manage local group accounts with the Local Users and Groups utility and Active Directory group accounts with the Active Directory Users and Computers utility
Key Terms
Before you take the exam, be sure you’re familiar with the following key terms:
Active Directory user
Active Directory Users and Computers
Administrator
distribution group
domain local group
global group
Guest
home folder
ILS_Anonymous_User
IUSR_computername
IWAM_computername
Krbtgt
local group
local user
Local Users and Groups
logon script
security group

TSInternetUser
universal group
user profile
Review Questions
1. Which computers are able to store Windows 2000 local users in their
local accounts database? Choose two answers.
A. Windows NT 4 Workstation
B. Windows 2000 Professional
C. Windows 2000 member servers
D. Windows 2000 domain controllers
2. Which utility is used to create user accounts that are stored on
Windows 2000 domain controllers?
A. Domain Users and Groups
B. Active Directory Users and Groups
C. Domain Users and Computers
D. Active Directory Users and Computers
3. Which of the following statements regarding local user accounts is not true?
A. User account names are case-sensitive.
B. User passwords are case-sensitive.
C. A user account name can be up to 20 characters in length.
D. A username cannot contain a = or : character.
4. You have just created a local user on a Windows 2000 member server.
You want to specify that the user account can only log on during spec-
ified hours. Which user Properties dialog box tab should you use to
configure logon hours?
A. The General tab
B. The Account tab
C. The Profile tab
D. You cannot restrict logon hours for a local user account
5. You have just created an Active Directory user on a Windows 2000
domain controller. You want to specify that the user account can only
log on during specified hours. Which user Properties dialog box tab
should you use to configure logon hours?
A. The General tab
B. The Account tab
C. The Profile tab
D. You cannot restrict logon hours for an Active Directory user account
6. Which folder is used to store user profiles by default?
A. Boot partition:\WINNT\User Profiles
B. Boot partition:\User Profiles
C. Boot partition:\WINNT\Documents and Settings
D. Boot partition:\Documents and Settings
7. Which one of the following options is not a valid group scope for
Windows 2000 domain controllers?
A. Domain local
B. Global
C. Distribution
D. Universal
8. Which Windows 2000 built-in account is used by the Key Distribution
Center service?
A. KDC_User
B. Key_User
C. Kdc_Anonymous_User
D. Krbtgt
9. Which Windows 2000 built-in account is used by Terminal Services?
A. TSInternetUser
B. TS_User
C. TS_Anonymous_User
D. TSbtgt
10. Which of the following properties can be configured for an Active
Directory group?
A. Logon hours
B. Logon computers
C. Logon scripts
D. Whom the group is managed by
11. Which default user account is used by the ILS service?
A. ILS_Anonymous_User
B. ILS_computername
C. ILS_User
D. ILS_Default_User
12. Which default user account is used for IIS anonymous access?
A. IIS_Anonymous
B. IIS_Anonymous_User
C. IUSR_Anonymous
D. IUSR_computername
13. Which of the following options would be stored within a user profile?
Choose all that apply.
A. The mouse driver that the user will use
B. The mouse pointer that the user will use
C. The keyboard layout that the user will use
D. The screen saver that the user will use
14. You want to allow Scott to back up and restore the file system, but you
do not want him to be able to access the file system. To which of the
following groups should you assign Scott?
A. Server Operators
B. Backup Operators
C. Administrators
D. Replicator
15. Which of the following rights are not granted to members of the
Power Users group on Windows 2000 member servers?
A. Create any users and groups
B. Delete any users and groups
C. Create network shares
D. Create network printers
16. Which of the following groups has the highest level of permissions
within the Active Directory?
A. Administrators
B. Domain Admins
C. Enterprise Admins
D. Active Directory Admins
17. Which of the following utilities can an administrator use on a
Windows 2000 member server to change a user’s password?
A. Password Manager
B. Password Administrator
C. The Setpass utility
D. Local Users and Groups
18. When you initially create a user with Local Users and Groups on a
Windows 2000 member server, what is the maximum password
length that can be assigned?
A. 12
B. 14
C. 16
D. 20
19. You do not want your domain users to be able to log on between
2:00 A.M. and 4:00 A.M., because this is when you perform backups.
What tab in the Active Directory Users and Computers utility should
you use to set logon hours?
A. General
B. Account
C. Logon Hours
D. Profile
20. Which default group is created on Windows 2000 domain controllers
to allow members to administer domain controllers, but does not
allow members to administer user and group accounts?
A. Domain Operators
B. Server Operators
C. Account Operators
D. Administrators
Answers to Review Questions
1. B, C. Windows 2000 Professional computers and Windows 2000
member servers are able to store local user accounts.
2. D. On Windows 2000 domain controllers, you use the Active Directory
Users and Computers utility to create Active Directory users and groups.
3. A. User account names are not case-sensitive. Passwords are case-sensitive.
4. D. The Local Users and Groups snap-in offers no option to restrict logon hours for local user accounts. (The limitation is in the tool, not in the account database: net user <name> /times:... sets logon hours on a local account from the command line.)
5. B. If you create an Active Directory account, you can limit logon hours
by clicking the Logon Hours button in the Account tab of the user
Properties dialog box.
6. D. When a user logs on for the first time, a user profile folder is automati-
cally created in the boot partition:\Documents and Settings folder.
7. C. Group scope can be domain local, global, or universal. Group types
can be security or distribution.
8. D. The Krbtgt user is created by default on Windows 2000 domain
controllers to be used by the Key Distribution Center service.
9. A. The TSInternetUser user is created by default on Windows 2000
domain controllers to be used by Terminal Services.
10. D. Logon hours, logon computers, and logon scripts can be managed
only on a per-user basis. You can configure who a group is managed
by for an Active Directory group.
11. A. The ILS_Anonymous_User account is used to support the ILS service.
ILS supports telephony applications that use features such as caller ID,
video conferencing, conference calling, and faxing. In order to use ILS,
Internet Information Services (IIS) and Site Server must be installed.
12. D. The IUSR_computername account is used for anonymous access for
Internet Information Services (IIS) on a computer that has IIS installed.
13. B, C, D. User profiles generally contain user preference items, which
include mouse pointers, keyboard layout, and screen saver settings.
User profiles do not contain computer configuration settings such as
mouse drivers.
14. B. The members of the Backup Operators group have rights to back
up and restore the file system, even if the file system is NTFS and they
have not been assigned permissions to the file system. The Backup utility
is the intended way to exercise these rights, but the rights themselves (the
Back Up Files and Directories and Restore Files and Directories user rights)
let any program that opens files for backup read or overwrite them regardless
of NTFS permissions, so membership in Backup Operators should be granted as
carefully as administrative access. By default, there are no members of the
Backup Operators local group.
15. B. Members of the Power Users group can create users and groups;
however, they can only manage or delete the users and groups that
they have created.
16. C. The Enterprise Admins group has complete administrative rights
over the enterprise. This group has the highest level of permissions of
all groups.
17. D. To set up and manage local users, you use the Local Users and
Groups utility. With Local Users and Groups, you can create, delete,
and rename user accounts, as well as change passwords.
18. B. Windows 2000 passwords can be a maximum of 14 characters and
are case-sensitive.
19. B. The Account tab of the user Properties dialog box in Active Direc-
tory Users and Computers allows you to configure options such as
logon hours, logon computers, and other account options.
20. B. Members of the Server Operators group have special permissions to
administer domain controllers.
Chapter 5

Managing Security

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER
- Implement, configure, manage, and troubleshoot policies in a Windows 2000 environment.
- Implement, configure, manage, and troubleshoot Local Policy in a Windows 2000 environment.
- Implement, configure, manage, and troubleshoot System Policy in a Windows 2000 environment.
- Implement, configure, manage, and troubleshoot auditing.
- Implement, configure, manage, and troubleshoot Account Policy.
- Implement, configure, manage, and troubleshoot security by using the Security Configuration Tool Set.
With Windows 2000 Server, you can manage security at the
local level or at the domain level. At the domain level, you manage domain
security policies. At the local level, you manage local security policies.
Security settings are configured through Group Policy. Account policies
are used to control the logon process, such as password and account lockout
configurations. Local policies are used to define security policies for the com-
puter, such as auditing, user rights, and security options.
In Windows NT 4, you were able to control users’ Desktops through system
policies. This functionality is included in Windows 2000 for backward compati-
bility, but it is recommended that you use group policies instead of system policies
to manage these options.
The Security Configuration and Analysis tool is a new Windows 2000
Server utility that you can use to analyze your security configuration. Using
a security template, this utility compares your actual security configuration
to your desired configuration and reports every setting that differs.
In this chapter, you will learn how to manage security in a Windows 2000
Server environment. You will first install an MMC console to manage security
settings, and then learn how to configure account policies, local policies, and
security policies. The final section of this chapter describes how to use the
Security Configuration and Analysis utility to analyze your security configuration.
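The comparison that Security Configuration and Analysis performs against a template can be reproduced from the command line with secedit.exe, which ships with Windows 2000 as the command-line part of the Security Configuration Tool Set. The following PowerShell script is an added example, not part of the Sybex text: it exports the computer's effective account policy to a template file, parses the INI-style template, and compares the [System Access] values against a baseline. The baseline values, the sample template text and the temporary file names are constructed for the demonstration; the final commented line shows the equivalent secedit /analyze invocation against one of the templates installed with Windows 2000.

```powershell
# Added example (not from the Sybex text). $Baseline and $SampleInf are constructed
# for the demonstration; secedit.exe is the real tool and must run elevated.
$Baseline = @{
    # [System Access] setting = required value, and which direction is stricter
    MinimumPasswordLength = @{ Want = 8;  Stricter = 'Higher' }
    PasswordHistorySize   = @{ Want = 24; Stricter = 'Higher' }
    MaximumPasswordAge    = @{ Want = 90; Stricter = 'Lower'  }   # -1 means never expires
    LockoutBadCount       = @{ Want = 5;  Stricter = 'Higher' }   # 0 means no lockout
    PasswordComplexity    = @{ Want = 1;  Stricter = 'Higher' }
}

function Export-LocalSecurityPolicy([string]$OutFile) {
    # Dump the effective account and local policies of this computer to a template file
    secedit.exe /export /cfg $OutFile /areas SECURITYPOLICY | Out-Null
    return $OutFile
}

function Read-SecurityTemplate([string[]]$Lines) {
    # Templates are INI-style: [Section] headers followed by name = value pairs
    $settings = @{}
    $section  = ''
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $matches[1]; continue }
        if ($line -match '^\s*([^=;]+?)\s*=\s*(.*?)\s*$') {
            $settings["$section/$($matches[1])"] = $matches[2]
        }
    }
    return $settings
}

function Compare-AccountPolicy([hashtable]$Settings, [hashtable]$Desired) {
    foreach ($name in ($Desired.Keys | Sort-Object)) {
        $rule   = $Desired[$name]
        $actual = $Settings["System Access/$name"]
        $status = if ($null -eq $actual) { 'NOT CONFIGURED' }
                  elseif ([int]$actual -le 0 -and $name -in 'MaximumPasswordAge', 'LockoutBadCount') { 'WEAK (disabled)' }
                  elseif ($rule.Stricter -eq 'Higher' -and [int]$actual -ge $rule.Want) { 'OK' }
                  elseif ($rule.Stricter -eq 'Lower'  -and [int]$actual -le $rule.Want) { 'OK' }
                  else { 'WEAK' }
        [pscustomobject]@{ Setting = $name; Actual = $actual; Desired = $rule.Want; Status = $status }
    }
}

# Constructed sample of what secedit writes for a server still on default policy
$SampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Compare-AccountPolicy (Read-SecurityTemplate $SampleInf) $Baseline | Format-Table -AutoSize

# Against the live machine: export, parse, compare (secedit writes the file as Unicode,
# which Get-Content detects from the byte-order mark)
# $live = Get-Content (Export-LocalSecurityPolicy "$env:TEMP\local-policy.inf")
# Compare-AccountPolicy (Read-SecurityTemplate $live) $Baseline | Format-Table -AutoSize

# The snap-in's own analysis from the command line; the log lists every mismatch
# secedit.exe /analyze /db "$env:TEMP\analysis.sdb" /cfg "$env:SystemRoot\security\templates\securews.inf" /log "$env:TEMP\analysis.log"
```

On the constructed sample every setting except MaximumPasswordAge comes back WEAK, which is the picture a freshly installed server presents. The script only covers the [System Access] section; the same parser reads [Event Audit] and [Privilege Rights], so the baseline can be extended to the auditing and user-rights settings discussed later in this chapter.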
Managing Security Settings
Windows 2000 Server allows you to manage security settings at the
local level, for a particular computer, or on a domain-wide level. Any
domain security policies you define override the local policies of a computer.
You manage policies with Group Policy and the appropriate object:
- To manage local policies, you use Group Policy with the Local Computer Group Policy object.
- To manage domain policies, you use Group Policy with the Domain Controllers Group Policy object.
To facilitate your policy management tasks, you can add the Local Computer
Policy and Domain Controller Security Policy snap-ins to the Microsoft
Management Console (MMC). You can also access the account policies and
local policies by selecting Start → Programs → Administrative Tools → Domain
Security Policy or Local Security Policy.
In Exercise 5.1, you will add the Group Policy and Event Viewer snap-ins on
your member server.
All of the exercises in this chapter, except Exercise 5.7, should be completed
from the member server.

EXERCISE 5.1
Creating a Management Console for Security Settings
1. Select Start → Run, type MMC in the Run dialog box, and click the OK
button to open the MMC.
2. From the main menu, select Console → Add/Remove Snap-in.
3. In the Add/Remove Snap-in dialog box, click the Add button.
4. Highlight the Group Policy option and click the Add button.
5. The Group Policy object specifies Local Computer by default. Click
the Finish button.
6. In the Add/Remove Snap-in dialog box, click the OK button.
7. From the main menu, select Console → Add/Remove Snap-in.
8. In the Add/Remove Snap-in dialog box, click the Add button.
9. Highlight the Event Viewer option and click the Add button.
10. The Select Computer dialog box appears with Local Computer selected
by default. Click the Finish button. Then click the Close button.
11. In the Add/Remove Snap-in dialog box, click the OK button.