Exam 70-215: Installing, Configuring, and Administering Microsoft Windows 2000 Server
Installing Windows 2000 Server
If you choose to reformat the partition as NTFS, only Windows 2000 and Windows NT 4.0 with Service Pack 4 or later (the service pack that adds the ability to read NTFS 5) will have access to that partition. Servers are installed as member servers by default. To promote a machine to a domain controller, run dcpromo.
If Windows 2000 is being integrated into an existing Windows NT 4.0 domain, the domain must run in mixed mode. If all domain controllers will be running Windows 2000, the domain should use native mode. Once every domain controller in a domain has been upgraded, the domain can be switched from mixed mode to native mode; the switch is one-way and cannot be reversed. In native mode all clients make use of Windows 2000 transitive trusts, so a user can connect to any resource in the enterprise to which they have been granted access, and native mode allows group nesting.
Upgrading from a Windows NT Domain
1. Plan the Windows NT domain upgrade.
2. Prepare for the Windows NT domain upgrade.
3. Upgrade the PDC.
4. Upgrade the BDCs.
5. Upgrade member servers.
Upgrading from Microsoft Windows NT 4.0
Run WINNT32 /CHECKUPGRADEONLY to check for compatible hardware and software. This generates a report indicating which system components are Windows 2000 compatible.
Run WINNT32.EXE to upgrade from a previous version of Windows.
Upgrade installations from a network file share are not supported in Windows 2000. Do a CD-based upgrade or perform a clean installation of Windows 2000 and re-install needed applications.
Upgrade paths are not available for Windows NT 3.51 with Citrix or Microsoft BackOffice Small Business Server.
Upgrading Windows NT Server retains most system settings, preferences, and application installations. If you need a dual-boot configuration, choose the Install Windows 2000 Server option instead of upgrade. Windows 2000 Server will upgrade and preserve settings from Windows NT 3.51 and 4.0 Server, Windows NT 4.0 Terminal Server, and Windows NT 4.0 Enterprise Edition.
A Windows NT 4.0 member server cannot become a domain controller until it is upgraded to Windows 2000 (and then promoted with dcpromo).
Install and Configure Local and Network Printers
The Availability option on a printer's Advanced tab lets an administrator specify the hours during which the printer is available.
Internet Printing allows you to enter the URL where your printer is located. The print server must be a Windows 2000 Server running Internet Information Server. All shared printers can be viewed at: http://servername/printers.
Print Pooling allows two or more identical printers to be installed as one logical printer.
Print Priority is set by creating multiple logical printers for one physical printer and assigning different priorities to each.
Print services can only be provided for Windows, UNIX, Apple, and Novell clients.
The FIXPRNSV.EXE command-line utility resolves printer driver incompatibility issues. UNIX print interoperability is provided by Services for UNIX 2.0.
To remedy a stalled spooler, you will need to stop and restart the spooler services in the Services applet in Administrative Tools in the Control Panel.
Windows 2000 can store and execute the printer drivers for clients running Win2000, WinNT 4, WinNT 3.51 and Windows 95/98/ME. Additional drivers can be added under sharing options for the printer.
Windows 2000 Server supports parallel (LPT), serial (COM), USB, IEEE 1394 and network-attached print devices.
The spool folder location can be changed on the Advanced tab of the print server's properties (Printers folder, File menu, Server Properties); the setting applies to all printers on the server.
Distributed File System (Dfs)
Dfs is a single, logical, hierarchical file system. It organizes shared folders on different computers in a network to provide a logical tree structure for file system resources.
Computers running Windows 98, Windows NT 4 and Windows 2000 have a Dfs client built-in. Computers running Windows 95 will need to download and install a Dfs client to have access to Dfs resources.
Logon scripts are stored in the SYSVOL folder on Windows 2000 domain controllers and are replicated by the File Replication Service (FRS). Windows NT 4.0 replicated logon scripts with the Directory Replicator service instead, which creates a hidden share called REPL$ on the export server when it sends a replication pulse to the import servers; Windows 2000 does not include that service.
Standalone Dfs: Only single-level hierarchies are allowed when using standalone Dfs.
Stand-alone Dfs roots have no replication or backup.
Domain-based Dfs A domain Dfs root must be hosted on either a member server or a domain controller in the domain. Changes to a Dfs tree are automatically synchronized through AD.
Directories from multiple different computers can be shown as one single file and folder hierarchy.
Fault-tolerance is implemented by assigning replicas to a Dfs link. If one replica goes offline, AD directs the Dfs clients to mirrored information that exist in a replica.
In a domain Dfs root, multiple servers hand out referrals for the Dfs namespace. Fault tolerant Dfs roots use Active Directory services to store Dfs tree topology and remove the root as a single point of failure.
User Security
UGLR - Users are placed in Global groups, Global groups are placed in Local groups, and Local groups are granted permissions on resources. An administrator can take ownership of a file in order to change its permissions or attributes, or to delete or move it, even with no existing permissions on it; after taking ownership, the administrator grants himself the permissions he needs.
Local Security on Files and Folders - Anytime a new file is created, the file will inherit permissions from the target folder.
- NTFS 5 stores each unique ACL only once, regardless of the number of objects that share it, and can scan a whole volume for files owned by a given SID (SID searching).
- NTFS partitions can be defragmented in Windows 2000 (as can FAT and FAT32 partitions).
- Permissions are cumulative, except for Deny, which overrides anything.
- Sparse file support lets files with large runs of zeros be stored without allocating physical disk space for those runs, which saves space and reduces I/O.
- Volume mount points allow new volumes to be added to the file system as folders without assigning a drive letter. Because they are implemented with reparse points, the folder hosting the mount point must be on an NTFS 5 volume; the mounted volume itself can be basic or dynamic.
NTFS File and Folder Permissions
Permissions and attributes when files are copied or moved within or between partitions:
- Copying a file, within or between NTFS partitions, creates a new file that inherits the permissions of the target folder.
- Moving a file within the same NTFS partition keeps its existing permissions.
- Moving a file to a different NTFS partition is a copy followed by a delete, so the file inherits the permissions of the target folder.
- Files moved or copied from an NTFS partition to a FAT partition lose their NTFS permissions and attributes but retain their long filenames.
The CACLS.EXE utility is used to view and modify NTFS file and folder permissions from the command line.
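The UGLR model, cumulative permissions, Deny overriding Allow, inheritance from the target folder and an administrator taking ownership, as an added runnable model written for these notes (it is not exam material and not Windows code). The users, groups and ACL are constructed; the mapping from standard permissions to individual rights is simplified from the Windows 2000 special permissions. The model keeps to the exam rule above; real NTFS evaluates entries in canonical order, so an explicit Allow set directly on a file can beat a Deny inherited from its folder, and "Deny overrides anything" holds among entries at the same level.

```python
"""Added example: Windows 2000 NTFS permission evaluation as the exam describes it.
All principals, groups and ACEs below are constructed for illustration."""
from dataclasses import dataclass, field

# Standard permissions expanded to the rights they contain (simplified mapping, an assumption).
STANDARD = {
    "Read": {"Read"},
    "Read & Execute": {"Read", "Execute"},
    "Write": {"Write"},
    "Modify": {"Read", "Execute", "Write", "Delete"},
    "Full Control": {"Read", "Execute", "Write", "Delete",
                     "Change Permissions", "Take Ownership"},
}


@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group name
    kind: str           # "Allow" or "Deny"
    permission: str     # key of STANDARD
    inherited: bool = False


@dataclass
class Acl:
    owner: str
    aces: list = field(default_factory=list)


def tokens_for(principal, membership):
    """Expand a user's access token: the user, every group it belongs to (transitively,
    so a global group nested in a local group is resolved) and Everyone."""
    tokens, pending = {principal, "Everyone"}, [principal]
    while pending:
        for group in membership.get(pending.pop(), ()):
            if group not in tokens:
                tokens.add(group)
                pending.append(group)
    return tokens


def effective_rights(acl, user, membership):
    """Allow ACEs matching any token accumulate; a Deny ACE matching any token
    removes those rights no matter how many Allow ACEs also match."""
    tokens = tokens_for(user, membership)
    allowed, denied = set(), set()
    for ace in acl.aces:
        if ace.trustee in tokens:
            (allowed if ace.kind == "Allow" else denied).update(STANDARD[ace.permission])
    return frozenset(allowed - denied)


def inherit_from(folder_acl, creator):
    """A newly created file takes the folder's ACEs as inherited entries; the creator is owner."""
    return Acl(owner=creator,
               aces=[Ace(a.trustee, a.kind, a.permission, inherited=True) for a in folder_acl.aces])


def take_ownership(acl, admin):
    """An administrator can always take ownership and then grant himself permissions."""
    return Acl(owner=admin, aces=acl.aces + [Ace(admin, "Allow", "Full Control")])


# Constructed UGLR membership: users -> global groups -> local group on the resource.
MEMBERSHIP = {
    "alice": {"Sales-GG"},
    "bob": {"Sales-GG", "Temps-GG"},
    "Sales-GG": {"SalesData-LG"},
    "Temps-GG": {"SalesData-LG"},
}

SALES_FOLDER = Acl(owner="Administrator", aces=[
    Ace("SalesData-LG", "Allow", "Modify"),   # local group granted Modify on the folder
    Ace("Temps-GG", "Deny", "Write"),          # temps may read but never change anything
    Ace("Everyone", "Allow", "Read"),
])

if __name__ == "__main__":
    report = inherit_from(SALES_FOLDER, "alice")       # new file created by alice
    for user in ("alice", "bob", "carol"):
        print(user, sorted(effective_rights(report, user, MEMBERSHIP)))
    owned = take_ownership(report, "Administrator")
    print("Administrator after taking ownership:",
          sorted(effective_rights(owned, "Administrator", MEMBERSHIP)))
```

bob is in the same local group as alice, so the Modify grant reaches him, but the Deny on his global group strips Write; carol, who is only in Everyone, gets Read.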
Hardware Devices and Drivers
Add and remove hardware by using the "Add/Remove Hardware" applet in the Control Panel.
The Device Manager snap-in manages all currently installed hardware.
Use Hardware Resources to view Conflicts/Sharing, DMAs, IRQs, Forced Hardware, I/O and Memory.
Use the System Information snap-in to view configuration information about your computer.
Use the system BIOS to configure which IRQs are reserved for legacy ISA devices and which are available to Plug and Play devices.
If the operating system is on a SCSI disk attached to an adapter whose BIOS is disabled, a low-level SCSI driver must be loaded by NTLDR before Windows 2000 itself starts. This is the adapter manufacturer's miniport driver, copied to the root of the system partition and renamed NTBOOTDD.SYS; boot.ini then references the disk with scsi() rather than multi() ARC paths.
Disk Devices
Removable media are managed through the Removable Storage snap-in.
To Manage disk devices, use Control Panel, Administrative Tools, Computer Management or by creating a custom console and adding the Disk Management snap-in. The Computer Management snap-in enables Disk Management, Disk Defragmenter, Logical Drives and Removable Storage. There is a separate snap-in for each of these tools except for Logical Drives.
Use Disk Management to create, delete and format partitions as FAT, FAT32 or NTFS, to change volume labels, reassign drive letters and check drives for errors. Backups are made with the Backup utility, not with Disk Management.
Display Devices
Desktop display properties are managed through the Display applet in Control Panel.
Monitors are installed, removed, and drivers are updated through Monitors under the Device Manager.
Use Display Adapters under the Device Manager to install, remove and update drivers.
Windows System File Verification
Running SIGVERIF launches File Signature Verification. Checks system files by default, but non-system files can also be checked. Saves search results to SIGVERIF.TXT.
Windows update will use the internet to download newer versions of your system files. You must be logged in with administrative privilege on the server.
System Performance, Reliability and Availability
Performance Console
Windows 2000 provides the System Monitor snap-in and the Performance Logs and Alerts snap-in for monitoring resource usage. The System Monitor snap-in allows you to track resource use and network throughput. The Performance Logs And Alerts snap-in allows you to collect performance data from local or remote computers.
System Monitor Snap-In
Allows you to measure the performance of your own computer or other computers on a network. It performs the following tasks:
- Collect and view real-time performance data on a local computer or from remote computers.
- Create HTML pages from performance views.
- Create reusable monitoring configurations that can be installed on other computers that use MMC.
- Incorporate System Monitor functionality into Microsoft Word or other applications in the Microsoft Office suite by means of Automation.
- Present data in a printable graph, histogram, or report view.
- View data collected either currently or previously in a counter log.
Objects include:
Cache-File system cache used to buffer physical device data.
Logicaldisk-Logical drives, stripe sets and spanned volumes.
Memory-Physical and virtual/paged memory on system.
Physicaldisk-Monitors hard disk as a whole.
Processor-Monitors CPU load.
Performance Logs and Alerts Snap-In
Allows you to collect performance data automatically from local or remote computers. Data can be viewed by using System Monitor, or exported to a spreadsheet program or database for analysis and report generation. The Performance Logs and Alerts snap-in performs the following:
Collect data in a comma-delimited or tab-separated format for easy import to spreadsheet programs. A binary log-file format is also provided for circular logging or for logging instances such as threads or processes that might begin after the log starts collecting data.
Define start and stop times, file names, file sizes, and other parameters for automatic log generation.
Manage multiple logging sessions from a single console window.
Set an alert on a counter, thereby stipulating that a message be sent, a program be run, or a log be started when the selected counter's value exceeds or falls below a specified setting.
View counter data during collection and after collection has stopped.
Administering Applications
Task Manager can be used to stop programs that stop responding. Be sure to kill all child processes of a program to ensure that all its processes have ended; do this by ending the process tree.
The Kernel controls all access to hardware. DOS based applications that attempt to access hardware directly will be shut down.
16-bit programs share memory space, and can cause other 16-bit programs to fail. To run 16-bit programs in a separate memory space, use the start /separate command, or create a shortcut to the program, and specify in the PIF to run in a separate memory space.
Optimize Disk Performance
Defragmenting your hard disks regularly will improve read performance.
Mirrored volumes and spanned volumes slow down system performance.
Page files are fastest when spread across several disks, but not the boot or system disks.
Striping a disk set causes greatest performance increase.
System State Data
Comprised of the registry, the COM+ class registration database and the system startup files. Can also include the Certificate Services database if Certificate Services is installed. If the machine is a domain controller, the Active Directory database and the SYSVOL directory are included. For machines running Cluster Service, resource registry checkpoints and the quorum resource recovery log are included.
Can be backed up from the command line by typing: ntbackup backup systemstate /m normal /f d:\sysstate.bkf /j "System State Data Backup"
Where /m = backup type (normal or copy for System State), /f = target file name and /j = job name.
On a domain controller, an Authoritative Restore (performed with NTDSUTIL in Directory Services Restore Mode) may need to be performed to force restored Active Directory data to replicate to the other domain controllers; otherwise the restored objects are overwritten by normal replication.
Recovering System State Data
Emergency Repair Disk
Use the Backup utility to create an emergency repair disk. To create an ERD, from the Start menu select Programs, Accessories, System Tools, Backup. Click Emergency Repair Disk. Insert a blank formatted floppy into the A: drive. Select the Also Backup the Registry to the Repair Directory (%systemroot%\repair\regback) check box. The ERD contains AUTOEXEC.NT, CONFIG.NT and SETUP.LOG.
Windows Backup
Launched from Start, Programs, Accessories, System Tools, Backup, or by running ntbackup. Users can back up their own files and files for which they have Read, Execute, Modify or Full Control permission. Users can restore files for which they have Write, Modify or Full Control permission. Administrators and Backup Operators can back up and restore all files regardless of permissions. To restore System State data, start Backup, click the Restore tab and check the box next to System State to restore it along with any other data you have selected. If you do not specify an alternate location, the restore overwrites your current System State data.
Safe Mode
Enter safe mode by pressing F8 during the operating system selection phase.
Safe mode loads basic files/drivers, VGA monitor, keyboard, mouse, mass storage and default system services. Networking is not started in safe mode.
Modes:
Boot Normally - Normal boot.
Debugging Mode - Only in Server.
Directory Services Restore Mode - Boots a domain controller without starting Active Directory, so the directory database can be restored from backup without replication conflicts with other domain controllers. Use NTDSUTIL in this mode to mark restored objects authoritative so that they replicate out instead of being overwritten.
Enable Boot Logging - Logs loading of drivers and services to ntbtlog.txt in the windir Folder.
Enable VGA Mode - Boots Windows with a generic VGA driver
Last Known Good Configuration - Uses the registry control set saved at the last successful logon. Used to recover from unsuccessful driver installs and registry changes; it does not help once you have logged on after the bad change, because that logon saves the bad configuration as the last known good one.
Recovery Console - Only appears if it was installed using winnt32 /cmdcons or specified in the unattended setup file.
Running the Recovery Console
To install the Recovery Console, run WINNT32 /CMDCONS from the i386 folder of the Windows 2000 CD.
Allows you to boot to a command prompt with access to NTFS volumes when the operating system itself will not start.
Can be used to disable services that prevent Windows from booting properly.
When starting Recovery Console, you must log on as Administrator.
Dynamic Volumes
Only Windows 2000 supports dynamic storage. A dynamic disk is divided into volumes rather than partitions; a volume can consist of a portion of one disk or of portions of many disks, and a single volume can occupy the entire disk. You do not need to restart the operating system after creating or resizing volumes.
Volume Type-Characteristics
Mirrored volume - A mirrored volume consists of two identical copies of a simple volume, each on a separate hard disk. Mirrored volumes provide fault tolerance in the event of hard disk failure.
RAID-5 volume - A RAID-5 volume is a fault-tolerant striped volume. Windows 2000 adds a parity-information stripe to each disk partition in the volume. Windows 2000 uses the parity-information stripe to reconstruct data when a physical disk fails. A minimum of three hard disks is required in a RAID-5 volume.
Simple volume - Contains space from a single disk
Spanned volume - Contains space from multiple disks (maximum of 32). Fills one volume before going to the next. If a volume in a spanned set fails, all data in the spanned volume set is lost.
Striped volume - Contains free space from multiple disks (maximum of 32) in one logical drive. Increases performance by reading and writing data to all disks at the same time. If one disk fails, all data in the volume is lost.
Dynamic Volume Limitations
A boot disk that has been converted from basic to dynamic cannot be converted back to basic.
Cannot be directly accessed by DOS, Win95/98 or any versions of Windows NT if you are dual-booting.
Dynamic volumes which were upgraded from basic disk partitions cannot be extended. Volumes created after the disk was upgraded to dynamic can be extended.
Not supported on portable computers or removable media.
Dynamic Volume States
Failed - Volume cannot be automatically restarted and needs to be repaired.
Healthy-Is accessible and has no known problems
Healthy (at risk) -Accessible, but I/O errors have been detected. Drive is displayed as Online (Errors).
Initializing-Volume is being initialized and will be displayed as healthy when process is complete.
Foreign Disks
Disks that have been removed from another computer will appear labeled as Foreign. Choose "Import Foreign Disks" and a wizard appears to provide instructions.
Disk Quotas
By default, only members of the Administrators group can view and change quota settings; users can be allowed to view their own quota. Volume usage is monitored on a per-user basis and is charged to the owner of each file and folder, so taking ownership of a file transfers its charge. Quotas count the uncompressed size of files. Applications see the user's remaining quota as the free space on the volume. Quotas can be applied only to volumes formatted with NTFS 5 under Windows 2000. A quota warning level should be set so that an event is logged when a user nears the limit, and an event should also be logged when a user exceeds the limit.
Windows 2000 Network Connections
Using Shared Resources
The Administrators and Power Users groups can create shared folders on a Windows 2000 computer. The system folder (Admin$), the location of the printer drivers (Print$) and the root of each volume (C$, D$, etc.) are all hidden shared folders.
Shared folder permissions apply only when the folder is accessed via the network. By default, the Everyone group is assigned Full Control for all new shared folders. Share level permissions can be applied to FAT, FAT32 and NTFS file systems.
TCP/IP Protocol
Can be used to connect dissimilar systems.
Installed by default in Windows 2000.
IP addresses can be entered manually or provided automatically by a DHCP server.
It is routable and works over most network topologies.
TCP/IP protocol is required for communicating with UNIX hosts.
Uses Microsoft Windows Sockets interface.
Configuring DHCP to Allow Dynamic Updates
You must configure the DHCP server to perform dynamic updates. To do so, on the DNS tab of the Properties dialog box for a DHCP server, select Automatically Update DHCP Client Information In DNS. You must also specify either Update DNS Only If DHCP Client Requests or Always Update DNS. Additional options include Discard Forward Lookups When Lease Expires, and Enable Updates For DNS Clients That Do Not Support Dynamic Update.
Automatic Private IP Addressing
When "Obtain an IP Address Automatically" is enabled but no DHCP server is available, a Windows 2000 client will use Automatic Private IP Addressing. The IP address is generated in the form 169.254.x.x (x.x is the computer's identifier) with a 16-bit subnet mask (255.255.0.0).
Services for UNIX
FTP support has been added to Windows Explorer and to Internet Explorer 5.0.
Install SNMP for Network Management (HP, OpenView, Tivoli and SMS).
Print Services for UNIX allows connectivity to UNIX controlled Printers (LPR). A 2000 server would set up a local printer that prints to an LPR port that is directed to the UNIX LPD print queue.
Troubleshooting
Common TCP/IP problems are caused by incorrect subnet masks and gateways.
Check DNS settings if an IP address works but a hostname won't.
Use IPConfig /flushdns to clear the DNS cache
The Ping command tests connections and verifies configurations.
The Tracert command checks a route to a remote system.
Use IPConfig and IPConfig /all to display current TCP/IP configuration.
Use NetStat to display statistics and connections for TCP/IP protocol.
Use NBTStat to display statistics for connections using NetBIOS over TCP/IP.
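The APIPA fallback and the two most common TCP/IP faults above (a wrong subnet mask or gateway, and a host that answers by address but not by name) as an added example written for these notes, not a Microsoft tool: it parses the text of ipconfig /all and flags adapters that fell back to 169.254.0.0/16, a default gateway that is not on the adapter's own subnet, and adapters with no DNS server. The ipconfig output is constructed for the example; the field layout follows the Windows 2000 format but the parser is this example's own.

```python
"""Added example: sanity checks over the output of ipconfig /all on Windows 2000."""
import ipaddress
import re

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")
# 'Field Name . . . . : value'; the name stops at the first run of spaces/dots before the colon
FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]*:(.*)$")

# Constructed sample: one adapter that got no DHCP answer, one with a misconfigured gateway.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : SRV01
        Primary DNS Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Intel(R) PRO/100
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 169.254.37.102
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Backbone:

        Description . . . . . . . . . . . : 3Com EtherLink XL
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.1.2.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.3.1
        DNS Servers . . . . . . . . . . . : 10.1.2.10
                                            10.1.2.11
"""


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}}. Adapter headers are unindented lines
    ending in ':'; a continuation line (indented, no field name) extends the previous field."""
    adapters, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            current = adapters.setdefault(line[:-1], {})
            last_key = None
            continue
        if current is None:          # global section before the first adapter
            continue
        m = FIELD.match(line)
        if m:
            last_key, value = m.group(1).strip(), m.group(2).strip()
            current.setdefault(last_key, [])
            if value:
                current[last_key].append(value)
        elif last_key is not None:
            current[last_key].append(line.strip())
    return adapters


def check_adapter(fields):
    """Apply the three checks to one adapter and return a list of findings."""
    findings = []
    ips, masks = fields.get("IP Address", []), fields.get("Subnet Mask", [])
    if not ips:
        return ["no IP address bound to this adapter"]
    iface = ipaddress.ip_interface(f"{ips[0]}/{masks[0] if masks else '255.255.255.255'}")
    if iface.ip in APIPA_NET:
        findings.append("APIPA address in use: no DHCP server answered "
                        "(check the DHCP server, its scope and any relay agent)")
    for gw in fields.get("Default Gateway", []):
        if ipaddress.ip_address(gw) not in iface.network:
            findings.append(f"default gateway {gw} is not on subnet {iface.network}: "
                            "wrong subnet mask or gateway")
    if not fields.get("DNS Servers"):
        findings.append("no DNS servers configured: IP addresses will work "
                        "but host names will not resolve")
    return findings


def diagnose(text):
    return {name: check_adapter(fields) for name, fields in parse_ipconfig(text).items()}


if __name__ == "__main__":
    for adapter, findings in diagnose(SAMPLE_IPCONFIG).items():
        print(adapter, "->", findings or ["no problems found"])
```

On a real server, feed the function the captured output of ipconfig /all; the gateway check is the one that catches the mask/gateway mismatch the troubleshooting note warns about, because a gateway outside the computed subnet is unreachable even though the address looks valid.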
NWLink (IPX/SPX) and NetWare Interoperability
The frame type configured for NWLink must match the one used by the computer the Windows 2000 system is trying to reach; mismatched frame types cause connectivity problems between the two systems. When NWLink is set to auto-detect the frame type, it detects only one type, trying in this order: 802.2, 802.3, Ethernet II and 802.5 (Token Ring).
NetWare 3 servers uses Bindery Emulation (Preferred Server in CSNW). NetWare 4.x and higher servers use NDS (Default Tree and Context.)
In a NetWare 5 environment, the Microsoft client does not support connection to a NetWare Server over TCP/IP. You will have to use IPX/SPX or install the Novell NetWare client.
Other Protocols
AppleTalk must be installed to allow Windows 2000 Professional to communicate with Apple printers. File and Print Services for Macintosh allows Apple clients to use resources on a Microsoft network.
DLC is a special-purpose, non-routable protocol used by Windows 2000 to talk with IBM mainframes, AS400s and Hewlett Packard printers.
NetBEUI is used solely by Microsoft operating systems and is non-routable.
Remote Access Services (RAS)
RADIUS - Remote Authentication Dial-in User Service. Provides authentication and accounting services for distributed dial-up networking.
Dial-up networking entries can be created for modem connections, LAN connections, direct cable connections and Infrared connections. PPP is generally preferred because it supports multiple protocols, encryption, and dynamic assignment of IP addresses.
Remote Access Policies
A static IP address can be assigned to a user when their connection is made.
Callback options let you specify, no callback, set by caller, and always callback to.
The Control Access Through Remote Access Policy option on a user's Dial-in tab is not available while the domain is in mixed mode; in mixed mode access must be explicitly allowed or denied per account.
Default remote access policy denies all connection attempts unless user account is set to Allow.
On a stand-alone server, policies are configured through Local Users and Groups, Dial-in, Properties. On an AD-based server, they are configured through Active Directory Users and Computers, Dial-in, Properties.
Remote Access policies are stored on the server, not in Active Directory.
Multilink-Configure to use multiple dial-up connections. Can be set to require BAP
Internet Information Server
Provides for sharing of resources over HTTP, FTP, SMTP and NNTP on the Internet or an intranet.
Use the All Tasks option in the IIS snap-in to configure Front Page extensions, which allows users access to update individual web sites through MS Front Page software.
Terminal Services
Terminal Services running on a Windows 2000 Server enables all client application execution, data processing and data storage to occur on the server. It provides remote access to a server desktop through terminal emulation software. The terminal emulation software can run on a number of client hardware devices, such as a personal computer, a Windows CE-based Handheld PC (H/PC), or a terminal.
TS Manager-Used to manage and monitor sessions and processes on the server running TS.
TS Licensing-Manages Client Access Licenses.
TS Configuration-Used to manage TS protocol and server configuration.
TS Client Creator - Creates floppy disks for installing the TS client.
Added through Control Panel, Add/Remove Programs, Windows Components.
Terminal Services uses RDP or RDP-TCP (Remote Desktop Protocol over TCP/IP). This is a presentation protocol and it sends input from the terminal to the server and returns video from the server back to the terminal. It has been optimized for low-speed (modem) connections and is suitable for deployment in a dial-up environment. Administrators must have rights under RDP to control users’ sessions.
Terminal Services Administration Mode
Not suited for tasks that require a reboot.
Remote Administration Mode allows a maximum of 2 concurrent connections to be made per server by an Administrator. There are no licensing requirements for using the Remote Administration Mode.
Configuring TS for Application Sharing
A Temp folder is created for each user by default. Use the FLATTEMP.EXE tool or the Terminal Services Configuration tool to change the location of the temp folders, or disable per-user folders and force one shared Temp folder (flattemp /disable).
Automatic printer redirection is supported for all 32-bit Windows clients. TS detects printers attached locally to the client and creates corresponding print queues in the user's session. When the user disconnects, the redirected queues are removed and any pending print jobs on them are deleted. Printers must be manually redirected for 16-bit Windows clients and Windows-based terminals.
Sessions will disconnect when the connection is broken but will continue executing a user's processes by default, and can be set to reset on broken connections.
TS cannot be clustered, but it can be load-balanced using Network Load Balancing. This causes a group of servers to appear as a single virtual IP address. Alternately you can use round-robin DNS resolution to load balance your TS servers.
Users can be assigned a specific Terminal Services profile. If one is not available TS will then try to load a user's Roaming Profile. If the two previous are not available TS will load the standard Windows 2000 Profile.
Configuring Applications for Use with TS
Security Configuration
The Security Configuration and Analysis snap-in can be used to directly configure local system security. You can import security templates created with the Security Templates snap-in and apply these templates to the group policy object (GPO) for the local computer.
A security template is a representation of a security configuration; it is a file where a group of security settings may be stored. Windows 2000 includes a set of security templates, each based on the role of a computer. The templates range from security settings for low security domain clients to highly secure domain controllers. They can be used as provided, modified, or for creating custom templates.
Security Configuration Tool Set
The Security Configuration and Analysis snap-in is used to troubleshoot security in Windows 2000.
The security database is compared to an incremental template such as HISECSV.INF and the results displayed. The log of the analysis will be placed in %systemroot%\security\logs\mysecure.log
The text-based version is run from the command line using SECEDIT.EXE.
Encrypting File System (EFS)
Compressed files can't be encrypted and vice versa.
Designated Recovery Agents can recover encrypted data for the domain using AD and Certificate Server.
EFS resides in the Windows OS kernel and uses the non-paged memory pool to store file encryption keys.
Encrypted files are decrypted if you copy or move them to a FAT volume.
Encrypted files can be backed up and restored using the Backup Utility.
Encryption is transparent to the user.
Only works on Windows 2000 NTFS partitions (NTFS v5).
The EFSINFO.EXE utility in the Windows 2000 Resource Kit displays information about encrypted files, including which users and recovery agents are able to decrypt them.
Use the Cipher command to work with encrypted files from the command line.
You can't share encrypted files.
Local and System Policy
System Policies are a collection of user environment settings that are enforced by the operating system and cannot be modified by the user. System Policy Editor (POLEDIT.EXE) - Windows NT 4, Windows 95 and Windows 98 all use the System Policy Editor (POLEDIT.EXE) to specify user and computer configuration that is stored in the registry.
Settings are imported/exported using .ADM templates. Windows 2000 comes with SYSTEM.ADM (system settings), INETRES.ADM (Internet Explorer settings) and CONF.ADM (NetMeeting settings).
Group Policy snap-in (GPEDIT.MSC)
Exclusive to Windows 2000 and supersedes the System Policy Editor. Security settings are applied through incremental security templates, and Group Policy is more flexible than System Policies because it can be linked to sites, domains and OUs and filtered by security group in Active Directory.
Settings are imported/exported using .INF files. The Group Policy snap-in can be focused on a local or remote system. Settings can be stored locally or in AD, and are considered secure and can be changed only by Administrators.
On NTFS computers that were upgraded from Windows NT 4.0 or earlier, the default Windows 2000 security settings have not been applied, so the Basic security templates must be applied first; only then can the incremental templates (Secure, High Secure) be layered on top.
Auditing
Auditing in Microsoft Windows 2000 is the process of tracking both user activities and Windows 2000 events. You can specify that Windows 2000 writes a record of an event to the security log. The security log maintains a record of valid and invalid logon attempts and of events related to creating, opening or deleting files and other objects. Auditing is enabled by clicking Start, Programs, Administrative Tools, Local Security Policy. In the Local Security Settings window, expand Local Policies and then click Audit Policy. Double-click the event category you want to audit and select Success, Failure or both. For object access and directory service access, auditing entries must also be set on the individual files, folders, printers or Active Directory objects. The new settings take effect at the next security policy refresh or restart.
Auditable Events
System - Restart or shutdown of the computer, or an event occurred that affects security or the system log.
Process tracking-A program performed an action, usually used by programmers.
Privilege use-A user exercised a right, such as changing the system time.
Object access - A user gained access to a file, folder or printer. Configure the specific files, folders or printers for auditing (Security tab, Advanced, Auditing) to log this type of event.
Logon events-A user logged on or logged off, or a user made or canceled a network connection to the computer.
Policy change-A change was made to the user security options, user rights, or audit policies.
Account logon events-A domain controller received a request to validate a user account
Account management-An administrator created, changed, or deleted a user account or group. A user account was renamed, disabled, or enabled, or a password was set or changed.
Directory service access-A user gained access to an Active Directory object. Configure specific Active Directory objects for auditing to log this type of event.
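What an administrator does with the records these categories produce, as an added example written for these notes (not a Microsoft tool): triage of Windows 2000 Security log events for a failed-logon burst from one workstation, for someone clearing the audit log or changing the audit policy, and for an account created outside business hours. The event records are constructed; the event IDs are the Windows 2000 ones (528 successful logon, 529 logon failure with a bad user name or password, 517 audit log cleared, 612 audit policy changed, 624 user account created). The thresholds and business hours are assumptions.

```python
"""Added example: first-pass detection over Windows 2000 Security log records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (time, event id, category, user or target account, workstation/source)
SAMPLE_EVENTS = [
    ("2001-03-05 08:59:10", 528, "Logon/Logoff", "jsmith", "WKS-12"),
    ("2001-03-05 09:00:01", 529, "Logon/Logoff", "administrator", "WKS-7"),
    ("2001-03-05 09:00:04", 529, "Logon/Logoff", "administrator", "WKS-7"),
    ("2001-03-05 09:00:09", 529, "Logon/Logoff", "administrator", "WKS-7"),
    ("2001-03-05 09:00:15", 529, "Logon/Logoff", "administrator", "WKS-7"),
    ("2001-03-05 09:00:22", 529, "Logon/Logoff", "administrator", "WKS-7"),
    ("2001-03-05 09:03:40", 529, "Logon/Logoff", "mjones", "WKS-3"),
    ("2001-03-05 09:05:12", 528, "Logon/Logoff", "mjones", "WKS-3"),
    ("2001-03-05 11:20:00", 612, "Policy Change", "administrator", "SRV01"),
    ("2001-03-05 11:21:30", 517, "System Event", "administrator", "SRV01"),
    ("2001-03-05 23:45:00", 624, "Account Management", "svc-backup2", "SRV01"),
]

FAILED_LOGON_THRESHOLD = 5                  # assumption: five failures ...
FAILED_LOGON_WINDOW = timedelta(minutes=2)  # ... within two minutes from one source
BUSINESS_HOURS = range(7, 20)               # assumption: 07:00 to 19:59


def parse(events):
    """Convert the time strings to datetimes and sort chronologically."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), eid, cat, user, src)
                  for t, eid, cat, user, src in events)


def failed_logon_bursts(events, threshold=FAILED_LOGON_THRESHOLD, window=FAILED_LOGON_WINDOW):
    """One alert per workstation, the first time it reaches `threshold` event 529
    failures inside a sliding `window`; a lone typo never fires."""
    recent = defaultdict(list)
    alerted, alerts = set(), []
    for when, eid, _, user, src in parse(events):
        if eid != 529 or src in alerted:
            continue
        recent[src] = [t for t in recent[src] if when - t <= window] + [when]
        if len(recent[src]) >= threshold:
            alerted.add(src)
            alerts.append(f"{when}: {len(recent[src])} failed logons from {src} "
                          f"within {window} (last target: {user})")
    return alerts


def audit_integrity_alerts(events):
    """517 and 612 always deserve a look: the log was cleared or what gets audited changed."""
    labels = {517: "audit log cleared", 612: "audit policy changed"}
    return [f"{when}: {labels[eid]} by {user} on {src}"
            for when, eid, _, user, src in parse(events) if eid in labels]


def after_hours_account_creation(events, hours=BUSINESS_HOURS):
    """Account management events outside business hours, a common sign of an unplanned account."""
    return [f"{when}: account {user} created outside business hours on {src}"
            for when, eid, _, user, src in parse(events)
            if eid == 624 and when.hour not in hours]


def triage(events):
    return (failed_logon_bursts(events) + audit_integrity_alerts(events)
            + after_hours_account_creation(events))


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The burst detector is deliberately keyed on the workstation rather than the account, because a password-guessing tool usually cycles through account names from one place; the lone failure from WKS-3 followed by a successful logon is the ordinary mistyped password and stays silent.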
Local Accounts
Built-in user accounts are Administrator and Guest.
Creating and duplicating accounts requires username and password. Disabling an account is typically used when someone else will take the user's place or when the user might return.
Delete an account only when absolutely necessary for space or organization purposes.
Domain user accounts reside in AD on domain controllers and can access all resources on a network that they have been accorded privileges for.
Local user accounts reside only in the local security database of the computer where they were created. If the computer is part of a peer-to-peer workgroup, an account for the user must be created on each additional machine they wish to log on to locally. Local accounts cannot be granted access to Windows 2000 domain resources and should not be created on computers that are part of a domain.
User accounts are added and configured through the Computer Management snap-in.
User logon names are not case sensitive; passwords are. Use mixed alphanumeric passwords to increase security.
When copying a user account, the new user is a member of the same groups as the old user and keeps all rights that were granted through those groups, but loses any rights and permissions that were granted individually to the original user.
Account Policy
Accessed through Administrative Tools, Local Security Policy, Account Policies. There are two choices: Password Policy and Account Lockout Policy.