Chapter2 - Account Management

The document discusses local user and group accounts on a computer system. It describes how local user accounts are used to authenticate users and grant them access privileges to system resources. It also discusses default user accounts like Administrator and Guest, as well as application-specific accounts. The document further explains how local group accounts can be used to simplify assigning privileges to multiple users. It notes some common local groups like Administrators and Users. Finally, the document briefly mentions that computer accounts in Active Directory are used to represent each computer in the domain.

Uploaded by

Dương Hoàng
Slide 1/44: Title

THE UNIVERSITY OF SCIENCE, VNU-HCM
FACULTY OF ELECTRONICS AND TELECOMMUNICATIONS
DEPARTMENT OF TELECOMMUNICATIONS AND NETWORKS

COURSE: NETWORK TECHNOLOGY
Chapter 02: ACCOUNT MANAGEMENT
September 20, 2022
Nguyen Viet Ha, Ph.D. Email: [email protected]

Slide 2/44: 1 Local Users and Groups

Slide 3/44: Local USERS Account

❖ To interact with the operating system, you first must authenticate your identity, which is the user name and password associated with a local user account on the system.
❖ If successful, you will receive the rights assigned to that local user account.
  ➢ Ex: Change the system time or shut down the system.
❖ And you will have the permissions listed within an Access Control List (ACL).
  ➢ Ex: Access resources on the system (e.g., files, directories, and printers).

Slide 4/44: Local USERS Account

❖ Rights vs. Permissions:
  ➢ Rights are assigned to an account to determine what it can do.
  ➢ Permissions are specific capabilities granted to the account for the shared resource.
    o Determine who can access the resource and the level of access.
  ➢ Privileges are the union of permissions and rights.
  (Figure: Rights and Permissions together form Privileges.)
Slide 5/44: Local USERS Account

❖ Default local user accounts: built-in accounts that are created automatically when you install the OS.
  ➢ Don't provide access to network resources.
  ➢ Used to manage access to the local server's resources based on the rights and permissions that are assigned to the account.
❖ Administrator: assigned administrative rights as well as permissions to most resources on the system.
❖ Guest: assigned a minimal set of rights and permissions to resources on the system (disabled by default).

Slide 6/44: Local USERS Account

❖ Additional local user accounts that are used by applications on the system:
  ➢ DefaultAccount: also known as the Default System Managed Account (DSMA), used by applications that provide a separate authentication mechanism to users.
  ➢ WDAGUtilityAccount: used by the Application Guard feature of Windows Defender.
  ➢ HelpAssistant: enabled when a Remote Assistance session is run.

Slide 7/44: Local USERS Account

❖ Additional local user accounts that are used by applications on the system:
  ➢ SYSTEM: used by the operating system and by services running under Windows.
  ➢ NETWORK SERVICE: a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers.
  ➢ LOCAL SERVICE: a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network.
  ➢ And more …

Slide 8/44: Local USERS Account

❖ Symbols that cannot be used in an account name:
  ➢ [ ] ; : , . 5 , 1 / \ |
❖ Each account name must be unique so that there are no duplicates.
❖ When you specify a password, it needs to meet the password policy requirements on the local computer.
Slide 9/44: Local USERS Account

❖ Computers that are part of a workgroup (peer-to-peer networking) maintain their own database of local users and groups.
❖ When connecting to a shared resource on another computer, you must prove your identity to that computer before it allows you access to the resources based on your permissions within the ACL.
  ➢ Log into that computer using a local user account that has rights and permissions to the resource.

Slide 10/44: Local GROUP Account

❖ Local group accounts can be used to simplify assigning rights and permissions to multiple local user accounts.
  ➢ When you assign rights or permissions to a local group account, each member of the group receives those rights and permissions.
  (Figure: one local group whose "rights and permissions 1" to "rights and permissions 4" are inherited by every member.)

Slide 11/44: Local GROUP Account

❖ Administrators: includes the local Administrator user account by default.
❖ Guests: includes the local Guest user account by default.
❖ Users: all additional local user accounts are added in by default.
  ➢ Allows you to log into the system and perform most non-administrative tasks.
❖ Additional local group accounts often used by applications or to provide specific rights and permissions:
  ➢ Print Operators: allows those users the ability to create and manage printers on the system.

Slide 12/44: 2 Domain OU, Users, and Groups
Slide 13/44: Computer account

❖ Every computer joined to Active Directory (AD) has an associated computer account in AD.
❖ A computer account in AD is a security principal (same as user accounts and security groups).
❖ Has a number of attributes:
  o Security IDentifier (SID),
  o memberOf,
  o lastlogondate,
  o passwordlastset,
  o etc.

Slide 14/44: Computer account

❖ Computer accounts can belong to security groups.
  ➢ Certain group policies only apply to specific groups of computers.
❖ The computer account password is initially set when the computer joins the domain and is used for authentication in much the same way as a user's password is.
  ➢ The difference is that a computer's password doesn't have to be changed on a regular basis in order for the computer to authenticate to the domain.
    o Ex: No need to change the computer account password about every 30 days.
❖ Computer accounts are members of the "Domain Computers" AD group by default.

Slide 15/44: Active Directory Users and Computers

❖ The most common utility used to create and manage OUs, Users, and Groups within an Active Directory domain.

Slide 16/44: Active Directory Users and Computers

❖ By default, a new domain only has one OU, called Domain Controllers, that contains the computer accounts for the domain controllers within the domain.
❖ Other folders exist to organize the default objects within the domain:
  ➢ Builtin contains domain local security groups that were previously local groups within the SAM database on the computer that was promoted to become the first domain controller in the domain (e.g., Administrators, Users, and Guests).
  ➢ Computers contains computer accounts for computers that join the Active Directory domain. Normally, these accounts are moved to the appropriate OU afterward.
Slide 17/44: Active Directory Users and Computers

  ➢ ForeignSecurityPrincipals contains users, groups, and computers from other domains that are members of groups within the local domain.
  ➢ Managed Service Accounts contains user accounts within Active Directory that represent one or more services on a computer.
  ➢ Users contains the default Administrator and Guest domain user accounts (Guest is disabled by default as a security measure), as well as the default security groups within the domain (e.g., Domain Admins, Domain Users, and Domain Guests).
    o For the forest root domain, this folder also contains the Schema Admins and Enterprise Admins groups.

Slide 18/44: Domain User Accounts

❖ A local user is one whose username and encrypted password are stored on the computer itself.
❖ A domain user is one whose username and password are stored on a domain controller.
  ➢ When you log in as a domain user, the computer asks the domain controller what privileges are assigned to you.
  ➢ When the computer receives an appropriate response from the domain controller, it logs you in with the proper rights and permissions.
❖ Must create a domain user account object for them in the appropriate OU.

Slide 19/44: Domain User Accounts

❖ User attributes:
  ➢ General: personal information about the account holder that includes the first name, last name, and name as it is displayed in the console, description of the user or account, office location, telephone number, email address, and webpage.
  ➢ Address: account holder's street address, post office box, city, state or province, postal code, and country or region.
  ➢ Account: logon name, domain name, and account options.
    o Ex: requiring the user to change her or his password at next logon, and account expiration date, if one applies.
    o Ex: set up an account that only signs in to the domain at designated times, such as only from 8:00am to 7:00pm Monday through Friday.

Slide 20/44: Domain User Accounts

❖ User attributes:
  ➢ Profile:
    o Provides options for legacy clients that do not support Group Policy.
      ▪ Allows you to associate a particular legacy Windows Registry profile with a user or set of users, to provide options such as a common desktop.
    o Associate a logon script and a home folder (directory) with an account.
      ▪ A logon script is a file of commands that are executed at logon, and a
      ▪ home folder is disk space on a particular server given to a user to store his or her files.
Slide 21/44: Domain User Accounts

❖ User attributes:
  ➢ Telephones: telephone contact numbers for an account holder (home, pager, mobile, fax, and IP phones).
  ➢ Organization: account holder's title, department, company name, and the name of the manager.
  ➢ Remote Control: remote control parameters for a client who uses Remote Desktop Services.
  ➢ Remote Desktop Services Profile: user profile for a client who uses Remote Desktop Services.
  ➢ COM1: specifies the COM1 partition set of which the user is a member.

Slide 22/44: Domain User Accounts

❖ User attributes:
  ➢ Member Of: the groups the user belongs to.
  ➢ Dial-In: allows you to control remote access from dial-in modems or from virtual private networks (VPNs).
  ➢ Environment: startup environment for clients who access one or more servers using Remote Desktop Services (for running programs on the server).
  ➢ Sessions: session parameters for a client using Remote Desktop Services (session time limit, a limit on how long a session can be idle, what to do when a connection is broken, and how to reconnect).

Slide 23/44: Domain Group Accounts

❖ Groups are used to collect user accounts, computer accounts, and other groups into manageable units.
  ➢ Helps simplify network maintenance and administration.
❖ There are two types of groups in Active Directory:
  ➢ Distribution groups: used to create email distribution lists.
  ➢ Security groups: used to assign permissions to shared resources.

Slide 24/44: Domain Group Accounts

❖ Distribution groups
  ➢ Can be used only with email applications (such as Exchange Server) to send email to collections of users.
  ➢ Are not security enabled.
    o Don't have a Security Identifier (SID).
    o Cannot be listed in Access Control Lists (ACLs).
Slide 25/44: Domain Group Accounts

❖ Security groups
  ➢ Provide an efficient way to assign access to resources on your network.
    o Each group has a unique SID.
    o Assign user rights to security groups in Active Directory.
      ▪ User rights are assigned to a security group to determine what members of that group can do within the scope of a domain or forest.
    o Assign permissions to security groups for resources.
      ▪ Permissions are assigned to the security group for the shared resource. Permissions determine who can access the resource and the level of access.

Slide 26/44: Domain Group Accounts

❖ Security groups
  ➢ Listed in ACLs that define permissions on resources and objects.
  ➢ When assigning permissions for resources (file shares, printers, and so on), you should assign them to a security group rather than to individual users.
  ➢ Security groups can also be used as an email entity.
  ➢ Store their list of members within the global catalog.

Slide 27/44: Domain Group Accounts

❖ Security groups
  ➢ Group nesting is recommended.
    o Adding a group to the membership list of another group.
    o The member group receives the rights and permissions of the container group.

Slide 28/44: Group scope

❖ The scope of the group defines where the group can be granted permissions.
  ➢ Three group scopes are defined by Active Directory:
    o Universal
    o Global
    o Domain Local
  o Local
Slide 29/44: Group scope

❖ Local (Machine Local) group
  ➢ Are specific to and available only on the computer they were created on.
  ➢ Stored in the local SAM (local computer); used for security settings that apply just to this one machine.

Slide 30/44: Group scope

❖ Universal group
  ➢ Possible members:
    o Accounts from any domain in the same forest.
    o Global groups from any domain in the same forest.
    o Other Universal groups from any domain in the same forest.
  ➢ Can grant permissions to resources on any domain in the same forest or trusting forests.

Slide 31/44: Group scope

❖ Global group
  ➢ Possible members:
    o Accounts from the same domain.
    o Other Global groups from the same domain.
  ➢ Can grant permissions to resources on any domain in the same forest, or trusting domains or forests.

Slide 32/44: Group scope

❖ Domain Local group
  ➢ Possible members:
    o Accounts from any domain or any trusted domain.
    o Global groups from any domain or any trusted domain.
    o Universal groups from any domain in the same forest.
    o Other Domain Local groups from the same domain.
    o Accounts, Global groups, and Universal groups from other forests and from external domains.
  ➢ Can grant permissions to resources within the same domain.
Slide 33/44: Group scope

❖ Using a combination of global, universal, and domain local security groups within a forest is recommended to organize the assignment of permissions in a way that is easy to modify and document.
❖ Default Active Directory security groups:
  ➢ https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#account-operators

Slide 34/44: 3 Account creating

Slide 35/44: Account creating (image only; no text on this slide)

Slide 36/44: 4 Account policies
Slide 37/44: Account Policies

❖ Contains:
  ➢ Password Policy: allows you to set password requirements.
  ➢ Account Lockout Policy: defines when an account will be locked out and for how long it will be locked.
  ➢ Kerberos Policy: allows you to define the lifetime for the different ticket types.

Slide 38/44: Password Policy

Setting: Description
Enforce password history: Sets the number of passwords (between 0 and 24) that have to be unique before a user can reuse an old password.
Maximum password age: Sets the maximum number of days that a password can be used before the user is required to change it. A value of 0 ensures that passwords do not expire.
Minimum password age: Sets the number of days that a password must be used before a user is allowed to change it.
Minimum password length: Sets the minimum number of characters required in a password (from 0 to 14).

Slide 39/44: Password Policy

Setting: Description
Password must meet complexity requirements: If enabled, requires that passwords be at least six characters in length and have three different character types from the following list: uppercase letters, lowercase letters, numbers, and special characters (e.g., *, %, #).
Store password using reversible encryption: Allows passwords to be stored as text in the Active Directory database and weakly protected using a simple encryption algorithm that can be decrypted by anyone. This setting should only be enabled to support applications that use legacy authentication protocols.

Slide 40/44: Account Lockout Policy

Setting: Description
Account lockout threshold: Determines the number of failed login attempts that can occur before a user account is locked.
Account lockout duration: Determines the number of minutes that a locked account remains locked before it is automatically unlocked. Specifying a value of 0 ensures that a locked account remains locked until an administrator manually unlocks it.
Reset account lockout counter after: Determines the number of minutes after a failed login attempt before the bad logon counter is reset to zero.
Slide 41/44: Kerberos Policy

Setting: Description
Enforce user logon restrictions: If this setting is enabled (the default), the KDC (Key Distribution Center) validates every request for service tickets against the rights granted to the requesting account.
Maximum lifetime for service ticket: Specifies in minutes how long a service ticket can be used before a new ticket must be requested to access the resource the ticket was granted for. The default is 600 minutes or 10 hours. The minimum allowed value is 10 minutes, and the maximum value is equal to the "Maximum lifetime for user ticket" setting.

Slide 42/44: Kerberos Policy

Setting: Description
Maximum lifetime for user ticket: Maximum amount of time in hours a TGT (Ticket-Granting Ticket) can be used before it must be renewed or a new one must be requested. The default value is 10 hours.
Maximum lifetime for user ticket renewal: Maximum period during which a TGT can be renewed. The default setting is 7 days. In this period, a TGT can be renewed without having to go through the full authentication process. After this period has expired (or the account logs off), a new TGT must be requested.

Slide 43/44: Kerberos Policy

Setting: Description
Maximum tolerance for computer clock synchronization: Maximum time difference allowed between a Kerberos message timestamp and the receiving computer's current time. If the time difference falls outside this limit, the message is considered invalid. The default is 5 minutes. Timestamp messages are corrected for time zone, so it's important to have the correct time zone set on all computers in the domain and have the domain controller clocks synchronized with a reliable source. By default, member computers are synchronized with the DC's clock.

Slide 44/44: THANK YOU FOR YOUR ATTENTION

Nguyen Viet Ha, Ph.D.
Department of Telecommunications and Networks
Faculty of Electronics and Communications
The University of Science, Vietnam National University, Ho Chi Minh City
Email: [email protected]
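The Kerberos Policy settings on slides 41 to 43 interact: a TGT is usable for its lifetime, renewable until the renewal period ends, and every message must fall within the clock-skew tolerance after time-zone correction. The added example below (my own code, not from the course material) applies those three rules with the slides' default values; all timestamps in it are constructed.

```python
# Added example (not from the course slides): applying the Kerberos Policy
# defaults from the slides to a TGT, to a proposed service-ticket lifetime
# and to a message timestamp. All times are constructed sample values.
from datetime import datetime, timedelta, timezone

KERBEROS_POLICY = {
    "max_user_ticket": timedelta(hours=10),        # Maximum lifetime for user ticket
    "max_user_ticket_renewal": timedelta(days=7),  # Maximum lifetime for user ticket renewal
    "max_clock_skew": timedelta(minutes=5),        # Maximum tolerance for clock sync
}

def tgt_state(issued_at, last_renewed_at, now, policy=KERBEROS_POLICY):
    """'valid' while the current lifetime lasts, 'renewable' once it is over
    but the renewal period is not, else 'reauthenticate' (full authentication
    exchange needed for a new TGT). A renewal never extends past renew_until."""
    renew_until = issued_at + policy["max_user_ticket_renewal"]
    expires = min(last_renewed_at + policy["max_user_ticket"], renew_until)
    if now < expires:
        return "valid"
    if now < renew_until:
        return "renewable"
    return "reauthenticate"

def service_ticket_lifetime_ok(value_minutes, policy=KERBEROS_POLICY):
    """Validate a proposed 'Maximum lifetime for service ticket' value: at
    least 10 minutes and no more than the user-ticket lifetime."""
    value = timedelta(minutes=value_minutes)
    return timedelta(minutes=10) <= value <= policy["max_user_ticket"]

def timestamp_acceptable(message_ts, receiver_now, policy=KERBEROS_POLICY):
    """Clock-skew check. Both timezone-aware times are normalised to UTC first,
    so a correctly configured time zone does not count as skew."""
    diff = abs(message_ts.astimezone(timezone.utc) - receiver_now.astimezone(timezone.utc))
    return diff <= policy["max_clock_skew"]

if __name__ == "__main__":
    issued = datetime(2022, 9, 20, 8, 0, tzinfo=timezone.utc)
    print(tgt_state(issued, issued, issued + timedelta(hours=11)))      # renewable
    hcm = timezone(timedelta(hours=7))                                   # UTC+7
    print(timestamp_acceptable(datetime(2022, 9, 20, 8, 0, tzinfo=hcm),
                               datetime(2022, 9, 20, 1, 3, tzinfo=timezone.utc)))
```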
