Managing Users and Groups I f you are passionate about being a network or domain administrator, then managing users and groups will give you a lot of satisfaction . . . it can be a very powerful position in a company. On the other hand, unless you understand the fundamentals, manage the processes sensibly, and learn the tools and resources, it can become an extremely frustrating responsibility. Our administration mantra is: Use your common sense and learn to do it right before you take up the task. This chapter helps you to get the best out of the Windows 2000 user and group management philosophy and tools. Despite Microsoft’s Zero Administration Windows (ZAW) initiative, user and group management has become a lot more complex in Windows 2000. The complexity has a lot to do with the improved User and Group objects and the new support in Active Directory, such as Group Policy. Combined with the burden of integrating Windows NT 4.0 and earlier networks, the administrative task will not be easy in the short-term. This might improve over the years because many companies and, especially, administrators are certain to develop tools for the Active Directory that automate the repetitive stuff and enhance the experience of working with Active Directory (and we touch on that in here). In that the directory is open and supports a widely available API (ADSI) and access proto- col (LDAP), we have to give credit where credit is due. For example, you can extend the User and Group objects to suit your enterprise requirements or custom applications. What you will learn in this chapter will put you on the road to such advanced administration. In this chapter, we will study User and Group objects and understand their function. We will entertain user management practice and policy with respect to user, groups, and computers. We will also discuss the process of integrating legacy Windows NT accounts with Windows 2000 domains and how to sensibly manage users and groups on Windows 2000 mixed and native mode networks. 10 10 CHAPTER ✦✦✦✦ In This Chapter Understanding Groups Creating User Accounts Creating Groups Managing Users and Groups ✦✦✦✦ 4667-8 ch10.f.qc 5/15/00 2:01 PM Page 319 320 Part III ✦ Active Directory Services This chapter does not discuss management of the user workspace. Advanced items such as Group Policy, user profiles and logon scripts, workspace management, and so on, are discussed in Chapter 11. The Windows 2000 Account: A User’s Resource No one can work in a company, use any computer, or attach to any network without access to a user account. A user account is like the key to your car. Without the key, you cannot drive anywhere. What Is a User? This question may seem patronizing at first, but in a Windows network domain (and also the local computer), the definition of user relates to autonomous processes, network objects (devices and computers), and humans. Human users exploit the networks or machines to get work done, meet deadlines, and get paid. But any process, machine, or technology that needs to exploit another object on the network or machine is treated as a user by the Windows operating systems. In a nutshell, the Windows 2000 security subsystem does not differentiate between a human and a device using its resources. All users are viewed as “security principals,” which at first are trusted. When you install Windows 2000 (not upgrade) or create a new Active Directory domain, the operating system and its elements are completely exposed. The governing policy on a new domain is that everyone can access everything. This makes sense: Keep the doors open until the jewels have been delivered. As soon as you begin adding users to the system, and they begin adding resources that need protection, you should begin using the tools described in this chapter and in several others to lock down the elements and secure the network. User objects are derived from a single user class in Active Directory, which in turn derives from several parents. Machine accounts are thus derived from the User object. To obtain access to the User object, you need to reference its distinguished name (DN) in program or script code. This is handled automatically by the various GUI objects, but if you plan to write scripts that access the object, you should be referencing the object’s GUID. What Are Contacts? Contacts are new objects in Windows 2000 networks. They are derived from the same class hierarchy as the User object; however, the Contact object does not inherit security attributes from its parent. A contact is thus only used for communication purposes: for e-mail, faxing, phoning, and so on. Windows 2000 distribution lists are made up of contacts. Note 4667-8 ch10.f.qc 5/15/00 2:01 PM Page 320 321 Chapter 10 ✦ Managing Users and Groups You can access active directory contacts from the likes of Outlook and Outlook Express and any other LDAP-compliant client software. The Contact object is almost identical to the object in the Windows Address Book (WAB). Later, we show you how to force Outlook and Outlook Express to default to Active Directory as its contact repository. Local Users and “Local Users” The term local user is often used to describe two types of users: users local to machines that log on locally to the workstation service, and users that are local to a network or domain. Using the term interchangeably can cause confusion among your technical staff . . . and you have enough confusing things to deal with. We believe it makes sense to refer to local users as users who log on locally to a workstation or PC or a server. In other words, the local user can log on to the machine he or she is actually sitting at, where accounts have been created, or into a remote machine that has granted the user the “right” to log on locally, such as an application server that is accessed by a terminal session on a remote client. When referring to generic users on the domain or users collectively, it makes more sense to refer to these users as domain users or domain members. However, as we will discuss later, a user can also be a member of a local domain, and such an account is often referred to as a local user. On legacy NT domains, this was further confused by the ability to create a “local account,” which was meant for users from non-trusted domains. This is no longer the case with Windows 2000 domains. Whether you agree or not, we suggest you decide what the term local user means to your environment and then stick to that definition. Domain controllers (DCs) are not supposed to provide local logon services other than to administrators, and it is documented that there is no way to log on locally (also known as interactive logon) to a DC from another machine. However, we have found that not to be true because Group Policy can be changed to allow local logon. See Chapter 25 for information on how to log on locally to a domain controller. What Is a Group? Groups are collections of users, contacts, computers, and other groups (a process known as nesting). Groups are supported in Active Directory (much to the horror of directory purists) and in the local computer’s security subsystem. How Windows 2000 works with groups is discussed later in this chapter. Figure 10-1 illustrates the group container philosophy. You would be right to wonder why Microsoft gives us both groups and organizational units (OUs) to manage. Groups, however, are a throwback to the Windows NT era. Remember, Windows 2000 is built on NT, and groups were thus inherited from the earlier technology and enhanced for Windows 2000. Although groups may appear to be a redundant object next to OUs, they are a fact of Windows 2000 and are here to stay. They are also extremely powerful management objects. Note 4667-8 ch10.f.qc 5/15/00 2:01 PM Page 321 322 Part III ✦ Active Directory Services Figure 10-1: Groups are collections or concentrations of users, computers, and other groups. The difference between groups and OUs is explained in Chapters 2 and 7, and later in this chapter. Specifically, we create and use groups to contain the access rights of User objects and other groups within a security boundary. We also use groups to contain User objects that share the same access rights to network objects, such as shares, folders, files, printers, and so on. Groups thus provide a security filter against which users and other groups are given access to resources. This critical role of the groups is illustrated in Figure 10-2. It is not good practice to stick user accounts into every nook and cranny of a Windows domain. If you start that practice, you will soon have a domain that resembles a bowl of rice noodles at your local dim sum. It is a wonder that Microsoft engineers still allow us to stick a user account anywhere, because that practice is very rare on a well-run network. We believe the only place you should put a user is into a group . . . even if the group never sees more than one member. Make this your number one user management rule: “Users live in groups. Period.” Note Cross- Reference 4667-8 ch10.f.qc 5/15/00 2:01 PM Page 322 323 Chapter 10 ✦ Managing Users and Groups Figure 10-2: Groups provide a security “filter” against which users and other groups are given access to resources. We can also use groups to create distribution lists (a new type of group). For example, we can create a group, and every user in the group will receive any e-mail sent to it. This is a boon for e-mail administrators. Groups versus organizational units Many now feel that the Group object has been rendered redundant by the OU. That might be the case if OUs were recognized by the security subsystem and the access control mechanisms; that is, if they were security principals. But the Group object is a sophisticated management container that is able to bestow all manner of control over the user accounts and other groups it contains. What we believe is good about the group is that it can be used to contain a mem- bership across organizational and multiple domain boundaries. An organizational unit, on the other hand, belongs to a domain. Complex mergers and acquisitions, and companies that are so dispersed that their only “geographical” boundary is between the earth and the moon, are excellent candidates that could use groups to contain memberships from the organizational units of their acquisitions or member companies and departments. Figure 10-3 illustrates how one group called Accounting can contain the department heads and key people from several Accounting departments throughout the enterprise. object(objectname) 1. Read 2. Execute 3. Write 4667-8 ch10.f.qc 5/15/00 2:01 PM Page 323 324 Part III ✦ Active Directory Services Figure 10-3: The Accounting group is a universal container that allows its members to access resources in the departments of several corporate domains in a forest. Microsoft could have given the same power to the OU, but it did not, at least in the first version of Windows 2000. Instead, it is hoping we will see how groups and OUs fit into the overall management philosophy. Our guess is that it would have caused a serious delay in the release of Windows 2000 had Microsoft made OU security principals behave like groups. We look at the differences a little later; suffice it to say now that the Group object is certainly not redundant; it is a very powerful management tool. What is a network from the viewpoint of users and groups? There are several definitions of a network. From the perspective of users and containers of users, a network is a collection of resources (collection of network objects as opposed to device) that can be accessed for services. Users exploit network objects to assist them with their work. Network resources include messaging, printers, telecommunications, information retrieval, collaboration services, and more. Administrators new to Windows 2000 should get familiar with the meaning of network object, for it is used to reference or “obtain a handle” on any network component, both hard and soft. Exploring the Users and Computers Management Tools Windows 2000 ships with tools to manage local logon accounts and Active Directory accounts. These tools are Users and Passwords, Local Users and Groups on standalone machines (including workstations running Windows 2000 Professional) and member servers, and Active Directory Users and Computers on domain controllers. 4667-8 ch10.f.qc 5/15/00 2:01 PM Page 324 325 Chapter 10 ✦ Managing Users and Groups The Active Directory Users and Computers MMC snap-in is the primary tool used to create and manage users in network domains. It is launched from the Administrative Tools menu. Figure 10-4 illustrates the Users and Computers snap-in. This snap-in will almost certainly become more sophisticated as the use of Active Directory increases. Figure 10-4: The Active Directory Users and Computers snap-in Run the snap-in. First, let’s put the snap-in into advanced mode so that we can see all the menu options in the Users and Computers MMC library. Select any node in the tree and right-click. Select View ➪ Advanced Features from the pop-up list that appears. A check mark will appear, meaning the entire snap-in is in advanced mode and you can access all menu options. You will notice that you can also check the item above Advanced Features, the “Users, Groups, and Computers as Containers” menu item. But this may give you too much information to deal with in the learning phase. Select this feature when you know your way around this snap-in. In the left pane, the snap-in loads the tree that represents the domain you are managing. Note that you can select a number of built-in folders: ✦ The Built-in folder contains the built-in or default groups created when you install the Active Directory and promote the server to a domain controller. ✦ The Computer folder contains any computers that are added to the domain you are managing. It will be empty if you have not added any computers to the domain at this stage. ✦ The Domain Controllers folder will always contain at least one computer . . . the domain controller you are currently working on. 4667-8 ch10.f.qc 5/15/00 2:01 PM Page 325 326 Part III ✦ Active Directory Services ✦ The ForeignSecurityPrincipals folder is the default container for security identifiers (SIDs) associated with objects from other trusted domains. ✦ The Users folder contains built-in user and group accounts. When you upgrade Windows NT to Windows 2000, all the user accounts from the old NT domain are placed into this folder. This folder is not an OU, and no OU group policy can be linked to it. For all intents and purposes, this folder should be blank or at least should not contain any accounts when you first do a clean install of Windows 2000 and promote it to Active Directory. Instead, the built-in accounts should have been placed in the built-in folder, period. We guess it is one of those things that Microsoft did without very much forethought. But they did give us the ability to move items from folder to folder, and it may make more sense for you to move all the built-in objects to the built-in folder . . . especially since you cannot delete them. ✦ The LostAndFound folder contains objects that have been orphaned. ✦ The System folder contains built-in system settings. Now, before we proceed, know that there are two levels to understanding how user accounts work. You can cover the basics of user accounts by poking around in the Active Directory User and Computers snap-in MMC panels, or you can make an effort to learn about the most important attributes (compulsory and optional) of user accounts at a lower level. If you are a serious network and Windows administrator, then we suggest the latter. Why? Firstly, as an administrator, knowing the stuff of which user accounts are made will take your management knowledge and skills to a higher level. You will be able to contribute much more to the overall management of your enterprise network if you know how to perform advanced searches for users, scientifically manage passwords, better protect resources, troubleshoot, and so forth. If you think administrators do not need to know how to program, then think again; it could make a $20K difference, positively, on your salary package. Secondly, senior administrators and corporate developers may need to circumvent the basic MMC panels and code directly to the Active Directory Service Interfaces (ADSI). On Windows NT 4.0, senior administrators often created scripts that would block manipulate the accounts in the SAM, or security accounts database. User Manager for Domains was often too dumb to be of use in major domain operations. Top Windows 2000 administrators will need to know how to code to the Active Directory, and write scripts (which will require basic programming knowledge) that make life easier and lessen the administrative burden. Knowing everything about User objects will make your services that much more in demand. We suggest you first read Chapters 2 and 7 before you tackle the following text. 4667-8 ch10.f.qc 5/15/00 2:01 PM Page 326 327 Chapter 10 ✦ Managing Users and Groups Windows 2000 User Accounts A Windows 2000 user account can be a domain account or a local account. When you first install any version of Windows 2000 or promote a server to a domain controller, a number of domain and local accounts are automatically created. When you install Active Directory on a server, that is, when you promote it to a domain controller, the local accounts are disabled. Domain accounts Domain accounts or network accounts are User account objects that are stored in Active Directory and that are exposed to the distributed Windows networking and security environment. Domain accounts are enterprise-wide. Humans, machines, and processes use domain accounts to log on to a network and gain access to its resources. Each logon attempt goes through a “security clearance” whereby the system compares the password provided by the user against the password stored in the password attribute field in the Active Directory. (Refer to Chapters 2 and 7 for conceptual discussions on attributes.) If the password matches the record, then the user is cleared to proceed and use network resources, perform activities on computers, and communicate. Remember, Active Directory is a “multi-master” directory service. This means that changes to users and groups are replicated to other member DCs (but not to a local account database). You can manage users on any DC on the network and not worry about locating a primary DC, as was the case with Windows NT 4.0 and earlier. User objects also contain certain attributes that are not replicated to other DCs. These attributes can be considered of interest only to the local domain controller. For example, the attribute LastLogon is of interest only to the local network’s domain controller; it is of no importance to the other domain controllers in the domain or the forest. You can also create a user account in any part of the AD . . . as long as you have rights to create or manage that User object. While container objects such as OUs and groups serve to assist in the management of collections of users, there is no mechanism other than having admin rights to prevent a user account from being created anywhere in a forest. Local accounts Local accounts (users) are identical to network accounts in every way, but they are not stored in Active Directory. Local accounts are machine-specific objects. In other words, a local user account can only be validated against a local security database — the SAM or Security Account Manager. Secondly, local accounts only provide access to resources within the “boundaries” of the machine “domain” and no further. An analogy might be that the key to your house only lets you enter your house. All other houses in your neighborhood are off limits. Note 4667-8 ch10.f.qc 5/15/00 2:01 PM Page 327 328 Part III ✦ Active Directory Services If you are new to Windows networking, you may be wondering why machines on a Windows 2000 network would have local accounts. As you know, you can create a network of machines and not manage it with Active Directory at all, which would certainly send your cost of ownership soaring. But there are also good reasons why these accounts are better off on the local machine rather than sitting in Active Directory; you will discover these reasons in this chapter. Active Directory users can “connect” to local machines from remote services (such as to the local FTP account), which is achieved by virtue of having the “right” to log on locally at the target machine. Local user accounts can also exist on machines that are part of Active Directory domains, and which are not the domain controllers. You can also make a domain controller an application server for a small business, and allow a number or users to log on locally to the DC by way of terminal sessions. This is discussed in detail in Chapter 25. Local user accounts are restricted to the Access Control List of the local computer. The local domain itself does not replicate this information off the local machine because it only matters to the local account system, which is not distributed. The tools to manage the local, machine native domains can be accessed through the Users and Passwords and Administrative Tools applications in Control Panel. Predefined accounts When you install Windows 2000, either as a standalone or member server, or as a domain controller supporting Active Directory, the operating system establishes default accounts. On a standalone machine (server or workstation), the default accounts are local to the machine native domain and established in the SAM. On a domain controller—in Active Directory — the default accounts are network accounts. Built-in accounts cannot be deleted, but they can be renamed or moved from one container to another. The default accounts include administration accounts that enable you to log on and manage the network or the local machine. Windows 2000 also installs built-in machine or Guest accounts and anonymous Internet user accounts. You will notice that these so-called accounts are disabled by default and must be implicitly enabled. It is a good idea as soon as feasible to rename the Administrator account to hide its purpose and thus its access and security level (hiding was not possible on Windows NT). If you have security fears, you can audit the activity of the Administrator to determine who or what is using the account and when. When you demote a domain controller (DC) to a standalone server, and especially if it is the last DC on the network, the OS prompts you for the password you will use for the local Administrator account. In the process of stripping away AD and its administrator accounts, the OS ensures that you will be able to log on locally and gain access to the machine after the conversion. When AD departs from the server, it hands control of the machine back to the machine-specific domain and Security Account Manager (SAM). Note 4667-8 ch10.f.qc 5/15/00 2:01 PM Page 328 [...]... Group Policy (which we will discuss in Chapter 10) Groups are used for granting and denying users access to computer and network resources Global groups also 4667-8 ch10.f.qc 5/15/00 2:01 PM Page 351 Chapter 10 ✦ Managing Users and Groups traverse domain boundaries A group can contain users and global groups from other domains, both on a single domain tree and across a forest of domains OUs are only valid... has rights and access to resources no one else has Even the Administrator account, of which there is only one, is placed into several groups to gain access to sensitive resources and information 4667-8 ch10.f.qc 5/15/00 2:01 PM Page 349 Chapter 10 ✦ Managing Users and Groups Windows 2000 groups come in two flavors: security groups and distribution groups ✦ Security group: This is the standard Windows... 2000 Do not confuse this with the Users folder into which the Anonymous and Guest accounts are placed ✦ Account Operators: This group gives wide administrative power to its members Operators can create users and groups and can edit and delete most users and groups from the domain (permissions permitting) Account operators can also log on to servers, shut down servers, and add computers to the domain... resources Members of universal groups can be given access and permissions for any resource in any domain in the forest ✦ Global groups: These groups can include members only from the originating domain These members can be other global groups and contact groups Global groups can be given access to resources in any domain in the forest, and the members can be members of any of the groups in the forest You... serve to help you understand Windows 2000 groups On legacy NT domains, we create and work with two types of groups, domain local and global groups Domain local, or just local, groups are restricted to the domains in which they are created; they cannot be given entry into other legacy NT domains Global groups, on the other hand, can be given entry into other legacy domains, and even Windows 2000 domains... you add the user to a group on this domain or in groups in other domains in the forest ✦ Member of: Enter the names of groups the user is required to be a member of This is done by clicking the Add button and selecting the groups from a domain that appears in the Select Groups list 4667-8 ch10.f.qc 5/15/00 2:01 PM Page 347 Chapter 10 ✦ Managing Users and Groups Dial-in tab properties This tab lets you... come from the owner domain Can host other global groups and users from the owner domain Cannot host universal groups Can be granted on any domain in the forest Can be a member of any group in the forest Local Group Can come from any domain in the forest Can host global groups and users and contacts from any domain in the forest Can also host other local groups from the owner domain Can only be granted... to contain members and nest groups from other domains and forests across the enterprise and even on an intra-enterprise relationship basis The three scope types are: Universal, Global, and Domain Local Windows NT supported only Global and Local group types ✦ Universal groups: These groups can include members from any Windows NT or Windows 2000 domain in a forest The members can be groups of any of the... policy, focused management, and delegated responsibility Here’s how to move the Administrator account: 1 Open Active Directory Users and Computers Double-click the Users folder 2 Select the Administrator account in the right-hand pane and right-click your mouse Now select the move option The list of folders and OUs appears 3 Drill down to a different OU of your choice Select that OU and click OK The Administrator... e-mail, access to printers and devices, and so on You can also create several Visitor accounts for accounting and auditing purposes and to keep track of the objects each visitor accesses Using logon scripts and profiles, you can track activity between each logon and logoff period and use that to generate reports From these reports, you can run invoices, statements, bills, and so on If you run a service . Managing Users and Groups I f you are passionate about being a network or domain administrator, then managing users and groups will give. are Users and Passwords, Local Users and Groups on standalone machines (including workstations running Windows 2000 Professional) and member servers, and