Security policy windows 2000 server sharing

If you are using Windows Server , set local access permissions as follows. Next, enable the guest account. Proceed to Step . Use single-byte alphanumeric characters for the folder name.

Display the [Sharing] page. Select [Share this folder]. Click [Permissions]. Back up the registry before you modify it; then you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows XP. In the right pane, double-click enablesecuritysignature, type 1 in the Value data box, and then click OK. Double-click requiresecuritysignature, type 1 in the Value data box, and then click OK. Double-click requiresecuritysignature, type 0 in the Value data box, and then click OK.

Step 2 - Restart the Server service and the Workstation service. After you change the registry values, restart the Server service and the Workstation service. Do not restart the domain controller, because this action may cause Group Policy to change the registry values back to the earlier values. Click Start, point to Administrative Tools, and then click Services. After you connect to the Sysvol share on each domain controller, open the Domain Controller Security Policy snap-in, and then set up the SMB signing policy settings.

To do this, follow these steps. In the left pane, expand Local Policies, and then click Security Options. In the right pane, double-click Microsoft network server: Digitally sign communications (always). In Windows Server, the equivalent policy setting is Digitally sign server communication (always). If you have client computers on the network that do not support SMB signing, you must not enable the Microsoft network server: Digitally sign communications (always) policy setting.

If you enable this setting, SMB signing is required for all client communication, and client computers that do not support SMB signing will not be able to connect to other computers. If your network includes clients that do not support SMB signing, set this policy to Disabled. Click to select the Define this policy setting check box, click Enabled, and then click OK. Double-click Microsoft network server: Digitally sign communications (if client agrees).
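The registry values and policy settings above are easier to audit than to read off a dialog. The following added example (not from the original article) parses an exported .reg fragment holding the LanmanServer and LanmanWorkstation signing values and maps them to the Security Options policy names; the .reg text is constructed, not a real export.

```python
# Added example (not from the original article): parse a .reg fragment holding the
# SMB signing values and map them to the policy names. The .reg text is constructed.
import re

SERVER_KEY = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
WORKSTATION_KEY = r"hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\parameters"

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000000
"""

def parse_reg(text):
    """Return {key_path_lowercase: {value_name_lowercase: int}} for dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1).lower()
            keys[current] = {}
            continue
        val = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if val and current is not None:
            keys[current][val.group(1).lower()] = int(val.group(2), 16)
    return keys

def signing_posture(values):
    """Map the two registry values to a policy setting; an unset value acts as 0."""
    if values.get("requiresecuritysignature", 0) == 1:
        return "always"          # Digitally sign communications (always)
    if values.get("enablesecuritysignature", 0) == 1:
        return "if peer agrees"  # Digitally sign communications (if client agrees)
    return "disabled"

def audit(text):
    keys = parse_reg(text)
    server = signing_posture(keys.get(SERVER_KEY, {}))
    workstation = signing_posture(keys.get(WORKSTATION_KEY, {}))
    # Caveat from the procedure: a server set to "always" rejects clients that cannot sign.
    return {"server": server, "workstation": workstation,
            "blocks_unsigned_clients": server == "always"}
```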

In any case, it is very informative to review the default security templates. The security templates incrementally modify default Windows security settings that exist on a clean install.

The security templates are as follows. The procedure to retrofit Windows security when upgrading from Windows NT is also given. The basic templates can be considered as back-outs for changes made by applying one of the more stringent templates: you can reapply the basic template to return to default security settings. User rights and group membership are unaffected by templates. If you upgrade from NT to W2K, one should be applied to get the built-in Users group appropriately restricted.

The upgraded PC, after the basic template is applied, would have Windows default security settings. The Compatible configuration liberalizes the default permissions for the Users group so that older apps such as Office 97 are more likely to run.

If you do not want to change the default permissions for Users, you will have to use the default Power Users group to achieve equivalent ability to run old apps. One template is needed to allow older programs to run under Terminal Services on a W2K server; it grants additional permissions to Terminal Services users. The user or group name is just a user-friendly "face" on that process. Therefore, when you rename an account, the account's SID remains the same, so the account retains all its group memberships, permissions, and privileges.

Two situations mandate renaming an account. The first occurs when one user stops using a system and a new user requires the same access as the first. Rather than create a new local user account for the new user, you can simply rename the old user account. The account's SID remains the same, so its group memberships, privileges, and permissions are retained. You should also specify a new password in the account's properties sheet and select the User Must Change Password at Next Logon option.

The easiest way to "replace" a user is to rename the account. Therefore, when one user leaves and another requires the same group memberships, rights, and resource access permissions as the first, you can simply rename the former user's account. You should not forget to reset the account's password because the new user won't otherwise know the old user's password. The second situation that warrants renaming a user account is the security practice of renaming the built-in Administrator and Guest accounts.

You cannot delete these accounts, nor can you disable or remove the Administrator account from the Local Administrators group, so renaming the accounts is a recommended practice for hindering malicious access to a system. To disable or enable a user account, you open its properties sheet and select or clear the Account Is Disabled check box.

If an account is disabled, a user cannot log on to the system by using that account. The Administrator account cannot be disabled, and only administrators can enable the Guest account. You can delete a local user or group account (but not a built-in account such as Administrator, Guest, or Backup Operators) by right-clicking the account and choosing Delete. When you delete a group, you delete the group account only, not the accounts of its members. A group is a membership list, not a container.

When you delete an account, you are deleting its SID. For that reason, and to facilitate auditing, it is recommended that you disable, not delete, any user who leaves an organization. A different tool for administering local user accounts is the Users and Passwords applet in the Control Panel. This utility allows you to create and remove user accounts as well as specify group membership for those users.
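The rename, disable and delete discussion above comes down to one fact: group memberships and ACL entries reference SIDs, not names. The following added example (not from the original chapter) models that indirection in a small in-memory security database: a renamed account keeps its access, while deleting and recreating an account with the same name yields a new SID and leaves the old ACL entry orphaned. The domain SID, share name and account names are constructed; `S-1-5-32-551` is the well-known Backup Operators SID.

```python
# Added example (not from the original chapter): toy model of the name/SID
# indirection. ACLs and group memberships hold SIDs, so a renamed account keeps
# its access while a deleted-and-recreated one does not. Values are constructed.
import itertools

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
BACKUP_OPERATORS = "S-1-5-32-551"  # well-known BUILTIN\Backup Operators SID
_rid = itertools.count(1001)       # next relative ID to hand out

class LocalSecurityDatabase:
    def __init__(self):
        self.accounts = {}  # sid -> account name
        self.groups = {}    # group sid -> set of member sids
        self.acls = {}      # resource -> {sid: set of rights}

    def create_account(self, name):
        sid = f"{DOMAIN_SID}-{next(_rid)}"  # every creation gets a fresh SID
        self.accounts[sid] = name
        return sid

    def sid_for(self, name):
        return next((s for s, n in self.accounts.items() if n == name), None)
    def rename_account(self, old, new):
        self.accounts[self.sid_for(old)] = new  # SID is untouched
    def delete_account(self, name):
        del self.accounts[self.sid_for(name)]  # ACEs still hold the dead SID

    def orphaned_sids(self):
        known = set(self.accounts) | set(self.groups)  # SIDs that still resolve
        return {s for aces in self.acls.values() for s in aces} - known

    def effective_rights(self, name, resource):
        sid = self.sid_for(name)
        if sid is None:
            return set()
        principals = {sid} | {g for g, m in self.groups.items() if sid in m}
        aces = self.acls.get(resource, {})
        return set().union(*(aces.get(p, set()) for p in principals))

def handover_scenario():
    db = LocalSecurityDatabase()
    share, alice = r"\\srv\share", db.create_account("alice")
    db.groups[BACKUP_OPERATORS] = {alice}
    db.acls[share] = {alice: {"read"}, BACKUP_OPERATORS: {"backup"}}
    db.rename_account("alice", "bob")              # handover: same SID, same access
    after_rename = db.effective_rights("bob", share)
    db.delete_account("bob")
    db.create_account("bob")                       # same name, but a new SID
    after_recreate = db.effective_rights("bob", share)
    return after_rename, after_recreate, db.orphaned_sids()
```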

The Users and Passwords applet is wizard driven and is useful for novice administrators and home users. You double-click the Users and Passwords icon in the Control Panel to run this utility. The Users and Passwords applet provides an opportunity to override the logon requirement for a system.

This feature is discussed later in this chapter, in the "Authentication" section. You manage domain user accounts with the Active Directory Users and Computers snap-in. Note that unlike in Windows NT 4, in Windows all domain controllers can make changes to the Active Directory database.

When you open the Active Directory Users and Computers snap-in, you connect to an available domain controller. If you want to specify which domain controller or which domain you want to connect to, you right-click the Active Directory Users and Computers node and choose Connect to Domain or Connect to Domain Controller.

Unlike the local security database, which is a flat list of users and groups, Active Directory has containers such as domains and organizational units (OUs), which collect database objects such as users that are administered similarly to one another.

OUs are simply containers that allow administrators to logically group Active Directory objects, such as users, groups, and computers. All the objects that are contained within an OU can be administered together. Administration tasks may also be delegated to other administrators for each OU. Therefore, when you manage domain user accounts in Windows , you need to start in the container or OU where the objects reside that you want to work with.

You create a domain user account by right-clicking the OU or container in which you want the user account and then choosing New User. A wizard prompts you for basic account properties, including the following. Windows user accounts have two logon names. Each user must have a unique UPN in the domain. Each user's pre-Windows logon name must be unique in the domain and by default is the same as the logon name portion of the UPN.

After an account is created, Active Directory provides dozens of attributes to further define that user. You can right-click a user and choose Properties to open a tabbed dialog box full of attributes that can be defined for that user. The only properties you can specify when creating the user are those on the Account tab. You must set the remainder of the properties after the account has been instantiated.

A user object in Active Directory may have numerous attributes defined, including work location, group membership, and superiors within the organization. Often, a new user object shares many of its attributes with one or more other user objects. In that case, it is faster to copy an existing user object than to create a new object and define each and every property for the object.

To copy a user, you right-click the object and choose Copy. You are asked to enter some of the basic account properties, such as name and password. When you expect to create multiple user objects with highly similar properties, you can create a "template" account that, when copied, initiates the new accounts with its defined attributes. The only trick to working with templates is to disable the template account. Then, when you copy the account to create a new user with predefined attributes, you need to make sure to enable the new account.

However, the new copy does not have access to resources for which permissions are assigned directly to the original user account. The process for disabling and deleting domain user accounts is the same as for local user accounts, except that you use the Active Directory Users and Computers snap-in to perform the tasks. The check box for disabling an account is on the user's Account properties sheet.

In Windows you can add a user to a group with either the group's Members properties sheet or the user's Member Of properties sheet, except when adding domain user accounts to local groups, in which case you must use the group's Members properties sheet. A domain user's Member Of properties sheet displays only memberships in global, domain local, and universal groups. When a user wants to access resources on a machine, that user's identity must first be verified through a process called authentication.

For example, when a user logs on, the security subsystem evaluates the user's username and password. If there is a match, the user is authenticated. The process of logging on to a machine where you are physically sitting is called interactive logon.


