Saturday, July 11, 2009

understanding local groups

a local group is a collection of user accounts on a computer. use local groups to assign permissions to resources residing on the computer on which the local group is created. windows xp professional creates local groups in the local security database.

preparing to use local groups

guidelines for using local groups include the following:
  • use local groups on computers that do not belong to a domain
you can use local groups only on the computer on which you create them. although local groups are available on member servers and domain computers running windows 2000 server, do not use local groups on computers that are part of a domain. using local groups on domain computers prevents you from centralizing group administration. local groups do not appear in the active directory service, and you must administer them separately for each computer.
  • you can assign permissions to local groups to access only the resources on the computer on which you create the local groups.
note - you cannot create local groups on domain controllers because domain controllers cannot have a security database that is independent of the database in active directory.

membership rules for local groups include the following:
  • local groups can contain local user accounts from the computer on which you create the local groups.
  • local groups cannot belong to any other group.

understanding groups

a group is a collection of user accounts. groups simplify administration by allowing you to assign permissions and rights to a group of users rather than to each user account individually.
  • groups are collections of user accounts
  • members receive permissions given to groups
  • users can be members of multiple groups
  • groups can be members of other groups
permissions control what users can do with a resource such as a folder, file or printer. when you assign permissions, you allow users to gain access to a resource and you define the type of access that they have. for example, if several users need to read the same file, you can add their user accounts to a group and then give the group permission to read the file. rights allow users to perform system tasks, such as changing the time on a computer and backing up or restoring files.

password requirements

to protect access to the computer, every user account should have a password. consider the following guidelines for passwords.
  • always assign a password to the administrator account to prevent unauthorized access to the account.
  • determine whether the administrator or the users will control passwords. you can assign unique passwords to user accounts and prevent users from changing them, or you can allow users to enter their own passwords the first time they log on. in most cases users should control their passwords.
  • use passwords that are hard to guess. for example, avoid using passwords with an obvious association, such as a family member's name.
  • passwords can contain up to 128 characters; a minimum length of 8 characters is recommended.
  • include both uppercase and lowercase letters (unlike user names, user passwords are case sensitive), numerals, and the valid non-alphanumeric characters.
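
the guidelines above can be checked when a password is set. the following is an added example, not part of the original post; the function name and the `associated_words` parameter are hypothetical, and `string.punctuation` is assumed to stand in for "the valid non-alphanumeric characters", which the post does not list.

```python
import string

MIN_LENGTH = 8     # minimum length the post recommends
MAX_LENGTH = 128   # maximum length the post states


def check_password(password, associated_words=()):
    """Return the guidelines from the post that this password does not meet.

    associated_words holds strings with an obvious link to the user
    (logon name, family members' names); they are matched case-insensitively
    anywhere inside the password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(password) > MAX_LENGTH:
        problems.append("longer than 128 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    # Assumption: ASCII punctuation approximates the valid symbol set.
    if not any(c in string.punctuation for c in password):
        problems.append("no non-alphanumeric character")
    lowered = password.casefold()
    for word in associated_words:
        if word and word.casefold() in lowered:
            problems.append("contains an associated word: " + word)
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, words in [("evans2009", ["Evans"]), ("Tr1cky!pass", ["Evans"])]:
        print(repr(pw), check_password(pw, words))
```
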

naming conventions

a naming convention is an organization's established standard for identifying users in the domain. following a consistent naming convention helps administrators and users remember logon names. it also makes it easier for administrators to locate specific user accounts to add them to groups or perform account administration.

naming convention guidelines
  • create unique user logon names - local user account names must be unique on the computer on which you create the local account. user logon names for domain user accounts must be unique to the directory.
  • use a maximum of 20 characters - user account names can contain up to 20 uppercase or lowercase characters. the field accepts more than 20 characters, but windows xp professional recognizes only the first 20.
  • remember that user logon names are not case sensitive - you can use a combination of special and alphanumeric characters to establish unique user accounts. user logon names are not case sensitive, but windows xp professional preserves the case for display purposes.
  • avoid characters that are not valid - the following characters are not valid: " / \ [ ] : ; | - , + * ? < >
  • accommodate employees with duplicate names - if two users have the same name, you could create a user logon name consisting of the first name, the last initial and additional letters from the last name to differentiate the users. for example, if two users are named john evans, you could create one user account logon as johne and the other as johnev. you could also number each user logon name, for example, johne 1 and johne 2.
  • identify the type of employee - some organizations prefer to identify temporary employees in their user accounts. you could add a T and a dash in front of the user's logon name (T-johne) or use parentheses at the end, for example, johne(temp).
  • rename the administrator and guest built-in user accounts - you should rename the administrator and guest accounts to provide greater security.
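
two of the guidelines above interact: because only the first 20 characters are recognized and case is ignored, names that look different can resolve to the same account name, and a number appended after character 20 does not differentiate anything. the following is an added example, not part of the original post; the function names and sample names are constructed, and the comparison is modelled as "first 20 characters, case-folded".

```python
from collections import defaultdict

MAX_SIGNIFICANT = 20  # per the post, only the first 20 characters count


def effective_name(logon_name):
    """Model of the name actually compared: first 20 chars, case ignored."""
    return logon_name[:MAX_SIGNIFICANT].casefold()


def find_collisions(proposed):
    """Map each effective name to the proposed names that collapse onto it."""
    groups = defaultdict(list)
    for name in proposed:
        groups[effective_name(name)].append(name)
    return {eff: names for eff, names in groups.items() if len(names) > 1}


def next_free_name(base, taken):
    """Number a duplicate name (johne1, johne2, ...) as the post suggests.

    The base is shortened first so the number always lands inside the
    20 significant characters instead of being silently ignored.
    """
    taken_eff = {effective_name(t) for t in taken}
    if effective_name(base) not in taken_eff:
        return base
    n = 1
    while True:
        suffix = str(n)
        candidate = base[:MAX_SIGNIFICANT - len(suffix)] + suffix
        if effective_name(candidate) not in taken_eff:
            return candidate
        n += 1


# Constructed sample list of proposed logon names.
SAMPLE = ["johne", "JohnE", "johnev",
          "christopher.montgomery.a", "christopher.montgomery.b"]

if __name__ == "__main__":
    for eff, names in find_collisions(SAMPLE).items():
        print(eff, "<-", names)
    print(next_free_name("christopher.montgomery", SAMPLE))
```
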

domain user accounts

domain user accounts allow you to log on to the domain and access resources anywhere on the network. when you log on, you provide your logon information: your user name and password. microsoft windows 2000 server uses this logon information to authenticate your identity and build an access token that contains your user information and security settings. the access token identifies you to the computers in the domain on which you try to access resources. the access token is valid throughout the logon session.

characteristics of domain user accounts
  • provide access to network resources
  • provide access token for authentication
  • created in active directory of domain controller