Configuring User Rights Policies

from Chapter 8, Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek.

Chapter 7 covered built-in capabilities and user rights. Although you can't change built-in capabilities for accounts, you can administer user rights for accounts. Normally, you apply user rights to users by making them members of the appropriate group or groups. You can also apply rights directly, and you do this by managing the user rights for the user's account.

Note: Any user who is a member of a group that's assigned a certain right also has that right. For example, if the Backup Operators group has the right and TJSMITH is a member of this group, TJSMITH has this right as well. Keep in mind that changes you make to user rights can have a far-reaching effect. Because of this, only experienced administrators should make changes to the user rights policy.

You assign user rights through the Local Policies node of Group Policy. As the name implies, local policies pertain to a local computer. However, you can configure local policies and then import them into Active Directory. You can also configure these local policies as part of an existing Group Policy for a site, domain, or organizational unit. When you do this, the local policies apply to computer accounts in the site, domain, or organizational unit.

To administer user rights policies, complete the following steps:

  1. Access the group policy container you want to work with, and then access the Local Policies node by working your way down the console tree. Expand Computer Configuration, Windows Settings, and then Local Policies.

  2. Expand User Rights Assignment, shown in Figure 8-5. You can now manage user rights.

  3. To configure user rights assignment, double-click a user right or right-click on it and select Security. This opens a Properties dialog box.

  4. You can now configure the user rights as described in Steps 1–4 of the section of this chapter entitled "Configuring User Rights Locally" or Steps 1–7 of the following section, "Configuring User Rights Globally."

    Figure 8-5: Use User Rights Assignment to configure user rights for the current group policy container.


Configuring User Rights Globally

For a site, domain, or organizational unit, you configure individual user rights by completing the following steps:

  1. Open the Properties dialog box for the user right, shown in Figure 8-6.

    Note: All policies are either defined or not defined. That is, they are either configured for use or not configured for use. A policy that isn't defined in the current container could be inherited from another container.

  2. Select Define These Policy Settings to define the policy.

  3. To apply the right to a user or group, click Add. Then, in the Group Name dialog box, click Browse. This opens the Select Users Or Groups dialog box shown in Figure 8-7. You can now apply the right to users and groups. The fields of this dialog box are used as follows:

    • Look In To access account names from other domains, click the Look In list box. You should now see a list that shows the current domain, trusted domains, and other resources that you can access. Select Entire Directory to view all the account names in the directory.

      Figure 8-6: Define the user right and then apply the right to users and groups.


      Note: Only domains that have been designated as trusted are available in the Look In drop-down menu. Because of the transitive trusts in Windows 2000, this usually means that all domains in the domain tree or forest are listed. A transitive trust is one that isn't established explicitly. Rather, the trust is established automatically based on the forest structure and permissions set in the forest.

    • Name The Name column shows the available accounts of the currently selected domain or resource.

    • Add Add selected names to the selection list.

    • Check Names Validate the user and group names entered into the selection list. This is useful if you type names in manually and want to ensure that they're available.

  4. After you select the account names to add to the group, click OK. The Group Name dialog box should now show the selected accounts. Click OK again.

  5. The Properties dialog box is updated to reflect your selections. If you made a mistake, select a name and remove it by clicking Remove.

  6. When you're finished granting the right to users and groups, click OK.

Configuring User Rights Locally

For local computers, you apply user rights by completing the following steps:

  1. Open the Properties dialog box for the user right, shown in Figure 8-8.

  2. The effective policy for the computer is displayed, but you can't change it. However, you can change the local policy settings. Use the fields provided to configure the local policy. Remember that site, domain, and organizational unit policies have precedence over local policies.

    Figure 8-7: Use the Select Users Or Groups dialog box to apply the user right to users and groups.


  3. The Assigned To column shows current users and groups that have been given a user right. Select or clear the related check boxes under the Local Policy Setting column to apply or remove the user right.

You can apply the user right to additional users and groups by clicking Add. This opens the Select Users Or Groups dialog box shown previously in Figure 8-7. You can now add users and groups.
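The procedure above is a GUI walk-through; the same assignments can be reviewed in bulk from the command line. The following PowerShell script is an added example, not code from the book or from Microsoft: it exports the computer's effective User Rights Assignment with secedit, parses the [Privilege Rights] section, resolves the SIDs to account names, and lists the holders of the rights a reviewer usually looks at first. The list of "sensitive" rights is the example's own choice, not a Windows constant, and the script assumes an elevated prompt on Windows 7 / Server 2008 R2 or later.

```powershell
# Added example (not from the book): export this computer's effective User Rights
# Assignment and list who holds each right, flagging the ones worth reviewing first.
# Run from an elevated PowerShell prompt.

$inf = Join-Path $env:TEMP 'user-rights.inf'
# /areas USER_RIGHTS limits the export to the [Privilege Rights] section.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Rights that most often grant more than intended when given to broad groups.
# This selection is the example author's assumption, not a Windows-defined list.
$sensitive = @(
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege',
    'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeTcbPrivilege',
    'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight', 'SeServiceLogonRight'
)

function Resolve-PrincipalName {
    param([string]$Token)
    # secedit writes SIDs with a leading '*'; plain names are returned unchanged.
    if ($Token -notlike '*S-1-*') { return $Token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Token.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Token   # unresolvable SID: deleted account or unreachable domain
    }
}

$inSection = $false
$report = foreach ($line in Get-Content $inf) {
    # Track which INF section we are in; only [Privilege Rights] carries user rights.
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^\s*(\S+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]
    $names = $Matches[2] -split ',' | ForEach-Object { Resolve-PrincipalName $_.Trim() }
    [pscustomobject]@{
        Right     = $right
        Sensitive = ($sensitive -contains $right)
        Holders   = ($names -join '; ')
    }
}

$report |
    Sort-Object @{ Expression = 'Sensitive'; Descending = $true }, Right |
    Format-Table Right, Sensitive, Holders -AutoSize

Remove-Item $inf -ErrorAction SilentlyContinue
```

Because rights flow through group membership (the TJSMITH / Backup Operators note above), the export shows who is assigned a right, not who ultimately has it; running `whoami /priv` in a session belonging to the account in question shows the privileges its token actually carries.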

Adding a User Account

You need to create a user account for each user who wants to use your network resources. You create domain user accounts with Active Directory Users And Computers. You create local user accounts with Local Users And Groups.

Creating Domain User Accounts

Generally, there are two ways to create new domain accounts:

  • Create a completely new user account Create a completely new account by right-clicking on the container in which you want to place the user account, pointing to New, and then selecting User. This opens the New Object - User Wizard shown in Figure 8-9. When you create a new account, the default system settings are used.

    Figure 8-8: Define the user right and then apply the right to users and groups.


  • Base the new account on an existing account Right-click the user account you want to copy in Active Directory Users And Computers, and then select Copy. This starts the Copy Object - User Wizard, which is essentially the same as the New User dialog box. However, when you create a copy of an account, the new account gets most of its environment settings from the existing account. For more information on copying accounts, see the section of Chapter 9 entitled "Copying Domain User Accounts."

Once either the New Object - User or the Copy Object - User Wizard is started, you can create the account by completing the following steps:

  1. As shown in Figure 8-9, the first wizard dialog box lets you configure the user display name and logon name.

  2. Type the user's first and last name in the fields provided. The first and last names are used to create the Full Name, which is the user's display name.

  3. Make changes to the Full Name field as necessary. For example, you may want to type the name in LastName FirstName MiddleInitial format or in FirstName MiddleInitial LastName format. The Full Name must be unique in the domain and must be 64 characters or less.

  4. In User Logon Name, type the user's logon name. Then use the drop-down list to select the domain the account is to be associated with. This sets the fully qualified logon name.

  5. The first 20 characters of the logon name are used to set the Windows NT version 4.0 or earlier logon name. This logon name must be unique in the domain. If necessary, change the Windows NT version 4.0 or earlier logon name.

    Figure 8-9: Configure the user display and logon names.


  6. Click Next. Then configure the user's password using the dialog box shown in Figure 8-10. The options for this dialog box are used as follows:

    • Password The password for the account. This password should follow the conventions of your password policy.

    • Confirm Password A field to ensure that you assign the account password correctly. Simply reenter the password to confirm it.

    • User Must Change Password At Next Logon If selected, the user must change the password upon logon.

    • User Cannot Change Password If checked, the user can't change the password.

    • Password Never Expires If selected, the password for this account never expires. This setting overrides the domain account policy. Generally, it's not a good idea to set a password so it doesn't expire because this defeats the purpose of having passwords in the first place.

    • Account Is Disabled If checked, the account is disabled and can't be used. Use this field to temporarily prevent anyone from using an account.

  7. Click Next, and then click Finish to create the account. If there are problems creating the account, you'll see a warning and you'll need to use the Back button to retype information in the user name and password dialog boxes, as necessary.

Once the account is created, you can set advanced properties for the account as discussed later in the chapter.
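The seven wizard steps above can be reproduced from PowerShell, which also makes the rules they enforce explicit. The script below is an added example, not code from the book or from Microsoft: it applies the book's rules (Full Name of 64 characters or fewer and unique in the domain, pre-Windows 2000 logon name equal to the first 20 characters of the logon name and unique) and then creates the account with the same password check boxes the dialog box offers. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain; the OU path and the names in the usage call are constructed samples.

```powershell
# Added example (not from the book): create a domain user the way the
# New Object - User wizard does, applying the same naming and password rules.
# Requires the ActiveDirectory module; OU path and names below are constructed.
Import-Module ActiveDirectory

function New-DomainUserLikeWizard {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$LogonName,
        [Parameter(Mandatory)][string]$OuPath,        # e.g. 'OU=Staff,DC=example,DC=test' (assumption)
        [Parameter(Mandatory)][securestring]$Password,
        [switch]$MustChangePasswordAtNextLogon,
        [switch]$CannotChangePassword,
        [switch]$PasswordNeverExpires,
        [switch]$Disabled
    )
    $domain   = Get-ADDomain
    $fullName = "$FirstName $LastName"           # Step 2: Full Name built from first and last name
    if ($fullName.Length -gt 64) { throw "Full Name '$fullName' exceeds 64 characters." }

    # Step 5: pre-Windows 2000 logon name = first 20 characters of the logon name.
    $sam = if ($LogonName.Length -gt 20) { $LogonName.Substring(0, 20) } else { $LogonName }

    # Uniqueness checks the wizard would otherwise report as a warning at Step 7.
    $q = $fullName.Replace("'", "''")            # escape apostrophes (O'Brien) for the filter
    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
        throw "Pre-Windows 2000 logon name '$sam' already exists."
    }
    if (Get-ADObject -Filter "objectClass -eq 'user' -and name -eq '$q'" -SearchBase $domain.DistinguishedName) {
        throw "Full Name '$fullName' already exists in the domain."
    }

    # Active Directory rejects "must change at next logon" together with either of
    # the other two password check boxes, just as the wizard does.
    if ($MustChangePasswordAtNextLogon -and ($CannotChangePassword -or $PasswordNeverExpires)) {
        throw "Cannot combine 'must change at next logon' with 'cannot change' or 'never expires'."
    }

    $params = @{
        Name                  = $fullName
        DisplayName           = $fullName
        GivenName             = $FirstName
        Surname               = $LastName
        SamAccountName        = $sam
        UserPrincipalName     = "$LogonName@$($domain.DNSRoot)"   # Step 4: fully qualified logon name
        Path                  = $OuPath
        AccountPassword       = $Password
        ChangePasswordAtLogon = $MustChangePasswordAtNextLogon.IsPresent
        CannotChangePassword  = $CannotChangePassword.IsPresent
        PasswordNeverExpires  = $PasswordNeverExpires.IsPresent
        Enabled               = -not $Disabled.IsPresent
        PassThru              = $true
    }
    New-ADUser @params
}

# Usage with constructed values; the password is prompted so it never sits in a script.
$pw = Read-Host -AsSecureString 'Initial password'
New-DomainUserLikeWizard -FirstName 'Tomas' -LastName 'Smith' -LogonName 'tjsmith' `
    -OuPath 'OU=Staff,DC=example,DC=test' -Password $pw -MustChangePasswordAtNextLogon
```

The function stops before calling New-ADUser whenever a rule is violated, so a failed run leaves no half-configured account behind; the wizard instead reports the problem afterwards and sends you back with the Back button.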

Figure 8-10: Configure the user's password.


Creating Local User Accounts

You create local user accounts with Local Users And Groups. You can access this utility and create an account by completing the following steps:

  1. Choose Start, then Programs, then Administrative Tools, and then Computer Management. Or select Computer Management in the Administrative Tools folder.

  2. Right-click the Computer Management entry in the console tree and select Connect To Another Computer on the shortcut menu. You can now choose the system whose local accounts you want to manage. Domain controllers don't have local users and groups.

  3. Expand the System Tools node by clicking the plus sign (+) next to it and then choose Local Users And Groups.

  4. Right-click Users and then select New User. This opens the New User dialog box shown in Figure 8-11. The fields in the dialog box are used as follows:

    • Username The logon name for the user account. This name should follow the conventions for the local user name policy.

    • Full Name The full name of the user, such as William R. Stanek.

    • Description A description of the user. Normally you'd type the user's job title, such as Webmaster. You could also type the user's job title and department.

    • Password The password for the account. This password should follow the conventions of your password policy.

    • Confirm Password A field to ensure that you assign the account password correctly. Simply reenter the password to confirm it.

      Figure 8-11: Configuring a local user account is different than configuring a domain user account.


    • User Must Change Password At Next Logon If selected, the user must change the password upon logon.

    • User Cannot Change Password If checked, the user can't change the password.

    • Password Never Expires If selected, the password for this account never expires. This setting overrides the local account policy.

    • Account Is Disabled If checked, the account is disabled and can't be used. Use this field to temporarily prevent anyone from using an account.

  5. Click Create when you're finished configuring the new account.

Adding a Group Account

You use group accounts to manage privileges for multiple users. You create global group accounts in Active Directory Users And Computers. You create local group accounts in Local Users And Groups.

As you set out to create group accounts, remember that you create group accounts for similar types of users. Following this, the types of groups you may want to create include the following:

  • Groups for departments within the organization Generally, users who work in the same department need access to similar resources. Because of this, you can create groups that are organized by department, such as Business Development, Sales, Marketing, or Engineering.

  • Groups for users of specific applications Often, users will need access to an application and resources related to the application. If you create application-specific groups, you can be sure that users get proper access to the necessary resources and application files.

  • Groups for roles within the organization Groups could also be organized by the user's role within the organization. For example, executives probably need access to different resources than supervisors and general users. Thus, by creating groups based on roles within the organization, you can ensure that proper access is given to the users that need it.

Creating a Global Group

To create a global group, complete the following steps:

  1. Start Active Directory Users And Computers. Right-click the container in which you want to place the group account. Afterward, point to New, and then select Group. This opens the New Object - Group dialog box shown in Figure 8-12.

  2. Type a name for the group. Global group account names follow the same naming rules as display names for user accounts. They aren't case sensitive and can be up to 64 characters long.

  3. The first 20 characters of the group name are used to set the Windows NT version 4.0 or earlier group name. This group name must be unique in the domain. If necessary, change the Windows NT version 4.0 or earlier group name.

    Figure 8-12: The New Object - Group dialog box allows you to add a new global group to the domain.


  4. Select a group scope, either Domain Local, Global, or Universal.

  5. Select a group type, either Security or Distribution.

  6. Click OK to create the group. Once the account is created, you can add members and set additional properties, as discussed later in the chapter.

Creating a Local Group and Assigning Members

You create local groups with Local Users And Groups. You can access this utility and create a group by completing the following steps:

  1. Choose Start, then Programs, then Administrative Tools, and then Computer Management. Or select Computer Management in the Administrative Tools folder.

  2. Right-click the Computer Management entry in the console tree and select Connect To Another Computer on the shortcut menu. You can now choose the system whose local accounts you want to manage. Domain controllers don't have local users and groups.

  3. Expand the System Tools node by clicking the plus sign (+) next to it and then choose Local Users And Groups.

  4. Right-click Groups and then select New Group. This opens the New Group dialog box shown in Figure 8-13.

  5. After you type a name and description of the group, use the Add button to add names to the group. This opens the Select Users Or Groups dialog box, which was shown previously in Figure 8-7. You can now add members to the group. You can use the fields of this dialog box as follows:

    • Look In To access account names from other computers and domains, click the Look In list box. You should now see a list that shows the current computer, trusted domains, and other resources that you can access. Select Entire Directory to view all the account names in the directory.

    • Name The Name column shows the available accounts of the currently selected domain or resource.

    • Add Add selected names to the selection list.

    • Check Names Validate the user and group names entered into the selection list. This is useful if you type names in manually and want to make sure that they're available.

  6. After you select the account names to add to the group, click OK.

  7. The New Group dialog box is updated to reflect your selections. If you made a mistake, select a name and remove it by clicking Remove.

  8. Click Create when you're finished adding or removing group members.

    Figure 8-13: The New Group dialog box allows you to add a new local group to a computer.
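Both Local Users And Groups procedures in this chapter, the New User dialog box ("Creating Local User Accounts") and the New Group dialog box with its Check Names button (this section), have command-line equivalents. The script below is an added example, not code from the book or from Microsoft: it uses the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), net.exe for the one check box the module has no parameter for, and a small Check Names stand-in that tests whether a name resolves to a SID. It assumes an elevated prompt on a workstation or member server; every account and group name in it is a constructed sample.

```powershell
# Added example (not from the book): create a local user and a local group with
# members, mirroring the New User and New Group dialog boxes. Requires the
# LocalAccounts module (Windows 10 / Server 2016+). Like the MMC snap-in, this
# does not apply to domain controllers, which have no local users and groups.
# All names below are constructed samples.

# Check Names equivalent: a name is usable only if it resolves to a SID.
function Test-PrincipalName {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $null = (New-Object System.Security.Principal.NTAccount($Name)).Translate(
                    [System.Security.Principal.SecurityIdentifier])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

$password = Read-Host -AsSecureString 'Password for the new local user'

# New User dialog box: each key corresponds to a field or check box.
$userParams = @{
    Name                     = 'webmaster1'            # Username
    FullName                 = 'William R. Stanek'     # Full Name
    Description              = 'Webmaster'             # Description
    Password                 = $password
    PasswordNeverExpires     = $false   # leave the local account policy in force
    UserMayNotChangePassword = $false   # "User Cannot Change Password" unchecked
    Disabled                 = $false   # "Account Is Disabled" unchecked
}
$user = New-LocalUser @userParams

# "User Must Change Password At Next Logon" has no New-LocalUser parameter; net.exe sets it.
net user $user.Name /logonpasswordchg:yes | Out-Null

# New Group dialog box: type a name and description, then Add members.
$group = New-LocalGroup -Name 'Web Content Editors' -Description 'May publish to the intranet site'

# Members may be local accounts or domain principals (EXAMPLE\Marketing is constructed).
$wanted = @($user.Name, 'EXAMPLE\Marketing')
$resolved, $unresolved = $wanted.Where({ Test-PrincipalName $_ }, 'Split')
if ($unresolved) { Write-Warning "Skipping names that did not resolve: $($unresolved -join ', ')" }
if ($resolved)   { Add-LocalGroupMember -Group $group -Member $resolved }

# Show what the group now contains and where each member comes from.
Get-LocalGroupMember -Group $group | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
```

Validating the names first, as Check Names does in the dialog box, matters more in a script than in the GUI: Add-LocalGroupMember stops at the first name it cannot resolve, so a typo in one domain group name would otherwise leave the remaining members unadded without an obvious sign of it.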


Handling Global Group Membership

You use Active Directory Users And Computers to configure group membership. When working with groups, keep the following points in mind:

  • All new domain users are members of the group Domain Users, and their primary group is specified as Domain Users.

  • All new domain workstations and member servers are members of Domain Computers, and their primary group is Domain Computers.

  • All new domain controllers are members of Domain Controllers, and their primary group is Domain Controllers.

Active Directory Users And Computers gives you several ways to manage group membership. You can

  • Manage individual membership

  • Manage multiple memberships

  • Set primary group membership for individual users and computers

Managing Individual Membership

You can add or remove group membership for any type of account by completing the following steps:

  1. Double-click the user, computer, or group entry in Active Directory Users And Computers. This opens the account's Properties dialog box.

  2. Select the Member Of tab.

  3. To make the account a member of a group, click Add. This opens the Select Groups dialog box, which is the same as the Select Users Or Groups dialog box discussed in previous examples. You can now choose groups that the currently selected account should be a member of.

  4. To remove the account from a group, select a group and then click Remove.

  5. Click OK.

Managing Multiple Memberships

Another way to manage group membership is to use a group's Properties dialog box to add or remove multiple accounts. To do this, follow these steps:

  1. Double-click the group entry in Active Directory Users And Computers. This opens the group's Properties dialog box.

  2. Select the Members tab.

  3. To add accounts to the group, click Add. This opens the Select Users Or Groups dialog box. You can now choose users, computers, and groups that should be members of this currently selected group.

  4. To remove members from a group, select an account and then click Remove.

  5. Click OK.

Setting the Primary Group for Users and Computers

Primary groups are used by users who access Windows 2000 through Services for Macintosh. When a Macintosh user creates files or directories on a Windows 2000 system, the primary group is assigned to these files or directories. All user and computer accounts must have a primary group regardless of whether the accounts access Windows 2000 systems through Macintosh. This group must be a group with global or universal scope, such as the global group Domain Users or the global group Domain Computers. To set the primary group, complete the following steps:

  1. Double-click the user, computer, or group entry in Active Directory Users And Computers. This opens the account's Properties dialog box.

  2. Select the Member Of tab.

  3. Select a group with global or universal scope in the Member Of list box.

  4. Click Set Primary Group.

All users must be a member of at least one primary group. You can't revoke membership in a primary group without first assigning the user to another primary group. To do this, complete the following steps:

  1. Select a different group with global or universal scope in the Member Of list box, and then click Set Primary Group.

  2. In the Member Of list box, click the former primary group and then click Remove. The group membership is now revoked.
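The domain-side group procedures in this chapter (creating a global group, the Member Of and Members tabs, and the two-step primary group change just described) map onto a handful of ActiveDirectory module cmdlets. The script below is an added example, not code from the book or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT) and an existing domain, and the OU path, group names and user names in it are constructed samples. The primary group helper enforces the scope rule from the text and performs the steps in the order the text requires, because the directory refuses to remove an account from its current primary group.

```powershell
# Added example (not from the book): create a global security group, manage its
# membership from both sides, and change a user's primary group before removing
# the old one. Requires the ActiveDirectory module; all names are constructed.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=example,DC=test'   # assumption: container for new groups

# New Object - Group: name, pre-Windows 2000 name (first 20 characters), scope, type.
$name  = 'Business Development'
$group = New-ADGroup -Name $name `
    -SamAccountName $name.Substring(0, [Math]::Min(20, $name.Length)) `
    -GroupScope Global -GroupCategory Security -Path $ou -PassThru

# Members tab of the group: add several accounts at once.
Add-ADGroupMember -Identity $group -Members 'tjsmith', 'wrstanek'

# Member Of tab of one account: add it to, then remove it from, an existing group.
Add-ADPrincipalGroupMembership -Identity 'tjsmith' -MemberOf 'Sales'
Remove-ADGroupMember -Identity 'Sales' -Members 'tjsmith' -Confirm:$false

function Set-UserPrimaryGroup {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Group
    )
    # primaryGroupToken is the RID the user's primaryGroupID attribute must point at.
    $g = Get-ADGroup -Identity $Group -Properties primaryGroupToken
    if ("$($g.GroupScope)" -notin 'Global', 'Universal') {
        throw "Primary group must have global or universal scope; '$Group' is $($g.GroupScope)."
    }
    # The account must already be a member before the group can become its primary group.
    $isMember = Get-ADGroupMember -Identity $g | Where-Object SamAccountName -eq $User
    if (-not $isMember) { Add-ADGroupMember -Identity $g -Members $User }
    Set-ADUser -Identity $User -Replace @{ primaryGroupID = $g.primaryGroupToken }
}

# Step 1: point the primary group at the new group.
Set-UserPrimaryGroup -User 'tjsmith' -Group $group.Name
# Step 2: only now can membership in the former primary group be revoked.
Remove-ADGroupMember -Identity 'Domain Users' -Members 'tjsmith' -Confirm:$false

# Verify: primaryGroupID should equal the new group's token and Domain Users should be gone.
Get-ADUser -Identity 'tjsmith' -Properties primaryGroupID, memberOf |
    Select-Object SamAccountName, primaryGroupID, memberOf
```

Running the two final steps in the opposite order fails with an error from the directory rather than silently leaving the account without a primary group, which is the same constraint the text expresses as "you can't revoke membership in a primary group without first assigning the user to another primary group".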

from Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
