Networking: A Beginner’s Guide Fifth Edition- P57
I have run into many people over the years who have gained good, even impressive, working knowledge of PCs, operating systems, applications, and common problems and solutions. Many of these people are wizards with desktop computers.
restriction. (Note that the Log On To feature works only if the network uses the NetBIOS or NetBEUI protocols; it will not work with TCP/IP-only networks unless the Windows Internet Naming Service is set up on the network.)

NOTE Allowing a user to log on to another user’s computer does not mean that user can log on with the other user’s permissions or access anything that only the other user can access. This simply means the user can use the listed physical computer to log on to his own account from that computer.

The Account Options section of the Account tab enables you to select various binary (on/off) account options. You set some of the options, such as requiring a user to change the password at the next logon, as you add the account. Some options listed are unique to the user’s Properties dialog box. The two most important of these additional options are Account Is Disabled and Account Is Trusted for Delegation.

Account Is Disabled, if selected, disables the user account while leaving it set up within Active Directory. This option is useful if you need to deny this user account access to the network, but might need to reenable the account in the future. (Account Is Disabled is handled as a high-priority change within the domain, and it takes effect immediately, even across large numbers of domain controllers.) Because deleting an account also deletes any permissions the user might have, you should always disable an account instead if you might need to grant access to the network again to that user. For example, if someone is on vacation, you could disable the user’s account while she is gone, and then clear the Account Is Disabled checkbox when she returns.

You must select the Account Is Trusted for Delegation option if you want to designate the user account to administer some part of the domain. Windows Server 2008 enables you to grant administrative rights to portions of the Active Directory tree without needing to give administrative rights to the entire domain.

The last option on the Account tab of the user Properties dialog box is the expiration date setting, Account Expires. By default, it is set to Never. If you wish to define an expiration date, you may do so in the End Of field. When the date indicated is reached, the account is automatically disabled (but not deleted, so you can reenable it if you wish).

Another tab that you will use often in the user’s Properties dialog box is the Member Of tab, in which you define the security groups for a user, as shown in Figure 17-8. Security groups are discussed after the description of deleting or disabling a user account.

Deleting or Disabling a User Account

Deleting a user account is easy using the Active Directory Users and Groups console. In the left pane, select the Users folder, and then select the user in the right pane. Either right-click the user and choose Delete or open the Action pull-down menu and choose Delete.

Disabling an account is just as easy. Select the user account, right-click it, and choose Disable Account (or open the Action pull-down menu and choose Disable Account).
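
The disable-rather-than-delete practice described above can also be scripted and reviewed. This is an added example, not from the book: it assumes the ActiveDirectory PowerShell module (part of the Remote Server Administration Tools, which this chapter does not cover) is available, and the account names and dates are constructed sample values.

```powershell
# Added example: disable or expire accounts instead of deleting them,
# then review what the disabled accounts still hold.
# Assumes the ActiveDirectory module; 'jsmith' and 'contractor1' are constructed names.
Import-Module ActiveDirectory

$onVacation = 'jsmith'        # hypothetical sAMAccountName of a user who will return
$contractor = 'contractor1'   # hypothetical account that should stop working on a known date

# Same effect as selecting "Account Is Disabled": the object, its SID and its
# group memberships stay in Active Directory, so nothing has to be rebuilt later.
Disable-ADAccount -Identity $onVacation

# Same setting as "Account Expires" on the Account tab (default is Never).
Set-ADAccountExpiration -Identity $contractor -DateTime (Get-Date).AddDays(90)

# Review 1: disabled user accounts and the groups they still belong to.
# These memberships become live again the moment the account is reenabled.
Search-ADAccount -AccountDisabled -UsersOnly |
    Select-Object SamAccountName,
        @{ Name       = 'RetainedGroups'
           Expression = {
               (Get-ADPrincipalGroupMembership -Identity $_.DistinguishedName |
                   Select-Object -ExpandProperty Name) -join ', '
           } }

# Review 2: accounts whose expiration date falls within the next 14 days.
Search-ADAccount -AccountExpiring -TimeSpan 14.00:00:00 -UsersOnly |
    Select-Object SamAccountName, AccountExpirationDate

# When the user returns: same as clearing the "Account Is Disabled" checkbox.
Enable-ADAccount -Identity $onVacation

# To set an expiring account back to Never:
Clear-ADAccountExpiration -Identity $contractor
```

Running the first review periodically shows which dormant accounts would regain broad access if reenabled, which is worth checking before clearing the checkbox.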
Chapter 17: Administering Windows Server 2008: The Basics

Figure 17-8. Controlling a user’s membership in groups

TIP If you need to delete a large number of accounts, you can save time by selecting them all before choosing the Delete or Disable Account commands. Just be sure you haven’t selected accounts that you don’t want to delete or disable!

Working with Active Directory Security Groups

On any network, you usually need to administer permissions to many different folders and files. If you were able to grant access only by user account, you would quickly go crazy trying to keep track of all the necessary information.
For example, suppose that a group of people, such as an accounting department, has specific permissions to access 20 different folders on the server. When a new accountant is hired, do you need to remember or look up all those 20 folders so you can give the accountant the same permissions as the rest of the department? Or suppose that a user who has many different permissions changes departments. Do you need to find each permission so you can make sure he has only the appropriate permissions for his new department?

To address such problems, network operating systems support the concept of security groups (or just groups). You first create the group, and then assign all the appropriate users to it so you can administer their permissions more easily. When you grant permission to a folder on the server, you do so by giving the group the network permission. All the members of the group automatically inherit those permissions. This inheritance makes maintaining network permissions over time much easier. In fact, you shouldn’t try to manage network permissions without using groups. Otherwise, you might quickly become overwhelmed trying to keep track of everything, and you’re almost certain to make mistakes over time.

Not only can users be members of groups, but groups can be members of other groups. For instance, suppose that you define a group for each department in your company. Half those departments are part of a larger division called Research and Development (R&D) and half are part of Sales, General, and Administration (SG&A). On your network, some folders are specific to each department, some are specific to all of R&D or SG&A, and some can be accessed by every user on the network. In such a situation, you would first create the departmental groups, and then create the R&D and SG&A groups. Each departmental group would then become a member in either R&D or SG&A. Finally, you would use the built-in Domain Users group, or another one you created that represents everyone, and then assign R&D and SG&A to that top-level group for every user.

Once you’ve set up your groups, you can grant permissions in the most logical way. If a resource is just for a specific department, you assign that departmental group to the resource. If a resource is for R&D or SG&A, you assign those divisions to the resource; then all the individual departmental groups within that division will inherit permission to access the resource. If a resource is for everyone, you assign the master, top-level group to the resource. Using such hierarchical group levels makes administering permissions even easier, and this approach is practically necessary for larger networks with hundreds of users.

Creating Groups

You create groups using the Active Directory Users and Computers console. Groups appear in two of the domain’s containers: Builtin and Users. The built-in groups, shown in Figure 17-9, are fixed. They cannot be deleted or made members of other groups. The built-in groups have certain important permissions already assigned to them, and other groups you create can be given membership in the built-in groups. Similarly, if you want to disable a particular built-in group, you would do so simply by removing all its member groups.
Figure 17-9. Viewing the list of built-in groups

CAUTION Be careful changing the membership of the built-in groups. For most networks, while it’s important to understand what these groups are and how they work, you generally want to leave them alone.

Generally, you work only with groups defined in the Users container. Figure 17-10 shows the default groups in the Users container, which you can distinguish from user accounts by both the two-person icon and the type designation.

To add a new group, select the Users container in the left pane. Then open the Action pull-down menu, choose New, and choose Group. You see the New Object – Group dialog box, as shown in Figure 17-10. Enter the name of the group in the first field. You’ll see the name you enter echoed in the second field. This field enables you to specify a different group name for Windows NT (pre-Windows 2000) computers. However, using different group names is usually not a good idea, because it can quickly make your system confusing.
Figure 17-10. Creating a new group

After naming the group, you can select from the available option buttons in the lower half of the dialog box. The Group Scope section refers to how widely the group is populated throughout a domain:

Domain local groups exist only within a single domain and can contain members only from that domain.

Global groups can contain members only from the domain in which they exist. However, you can assign global group permissions to any domain within the network, even across multiple domains.

Universal groups exist throughout an organization, even when the organization’s network is made up of many individual domains. Universal groups can also contain members from any domain in an organization’s network.
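
The department, division and top-level hierarchy described under Working with Active Directory Security Groups, created with the Global scope described above and then audited, as an added example that is not from the book. It assumes the ActiveDirectory PowerShell module is available; every group name and the OU path are constructed for illustration.

```powershell
# Added example: build the department -> division -> everyone hierarchy,
# then audit who actually receives access through the nesting.
# Assumes the ActiveDirectory module; all names and the OU path are constructed.
Import-Module ActiveDirectory

$ou       = 'OU=Groups,DC=example,DC=com'   # hypothetical container for the new groups
$everyone = 'AllStaff'                      # a created "everyone" group (instead of Domain Users)

# Division -> departmental groups, following the R&D / SG&A example in the text.
$divisions = @{
    'RnD'  = 'Engineering', 'QA'
    'SGnA' = 'Accounting', 'Sales'
}

function New-SecurityGroup([string]$Name) {
    # Global scope: members come from this domain only, but the group can be
    # granted permissions in any domain. Security (not Distribution) category.
    New-ADGroup -Name $Name -SamAccountName $Name `
        -GroupCategory Security -GroupScope Global -Path $ou
}

New-SecurityGroup $everyone
foreach ($division in $divisions.Keys) {
    New-SecurityGroup $division
    Add-ADGroupMember -Identity $everyone -Members $division    # division joins the top-level group
    foreach ($dept in $divisions[$division]) {
        New-SecurityGroup $dept
        Add-ADGroupMember -Identity $division -Members $dept    # department joins its division
    }
}

# Audit 1: a permission granted to a division reaches every user in its
# departmental groups. -Recursive flattens the nesting to the leaf accounts.
foreach ($division in $divisions.Keys) {
    Get-ADGroupMember -Identity $division -Recursive |
        Select-Object @{ Name = 'GrantedVia'; Expression = { $division } },
                      SamAccountName, objectClass
}

# Audit 2: the same check for a built-in group. Groups you add to a built-in
# group pass its pre-assigned permissions on to all of their own members.
Get-ADGroupMember -Identity 'Administrators' -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName
```

Comparing the recursive output with the direct membership shown on the Member Of tab makes indirectly granted access visible.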