Week 11: Nov 19

Discuss new room & options for Spring 2008

* History of logon rights
* Local policy
* Local user profile stuff

============================

History of logon rights:

* Under Windows 95 (and 98 and ME), there was no such thing as "user accounts", hence no such thing as permissions (though notice that certain files on a running system could be, and were, locked by that system). Software always had "full admin privileges".

* Under NT (~1993) and Win2000 Pro, there *were* user accounts. But software written for the "home" versions often assumed users had full admin privileges, so admin rights were often necessary on other machines as well. Most sole users gave themselves admin accounts. This has been a bad idea since ~1970, at least. Problems: accidental damage + viruses.

* Under XP, MS pushed for use of "limited" accounts for general use. However, some software still sometimes broke.

Exercise: what makes an account "limited"?

============================

Reinstalling Windows:

1. boot from CD, pick partition, let it copy stuff to disk
2. licensing; ~30 min of copying
3. install net drivers, activate
4. gpmc.msi, commonscenarios, DNS, AD
5. install SP2
6. set display, add a user
7. figure out how to enable local logon

What a pain!

========================

Local Computer Policy (set with gpedit.msc)

Brief digression re mmc.exe (MS Management Console) and *.msc files.

Every machine has Local Computer Policy. Group Policy can be used to *set* Local Policy.

The following site has a good summary of how to cure some "windows annoyances" using this: http://www.amset.info/windows/policy.asp

* Disable External Branding of Internet Explorer [!]: User Config -> Admin Templates -> Win Components -> IE, 3rd non-folder item
* Disable Auto Play (Auto Run??)
* Turn off Personalized Menus
* Disable Shutdown Event Tracker: Local Comp Policy, Comp Config, Admin Templates, System, "display event tracker"
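Three checks on how Local Computer Policy is actually applied to a machine, written as an added example (not from the course notes) for the exercise above and for the GroupPolicy-folder permission trick discussed further down. It assumes PowerShell 5.1 or later on a current Windows build, an elevated prompt, and that the `Machine\registry.pol` and `User\registry.pol` layout under `System32\GroupPolicy` is in use:

```powershell
# Added example, not from the course notes: three quick checks on how Local
# Computer Policy is applied on this machine. Assumes PowerShell 5.1+ on a
# current Windows build and an elevated prompt (needed to read the ACL and
# enumerate group members).

$gpDir = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# 1. What gpedit.msc writes ends up in registry.pol files under this folder,
#    one for Computer Configuration and one for User Configuration. If a file
#    is absent, nothing has been set in that half of the local policy.
foreach ($scope in 'Machine', 'User') {
    $pol = Join-Path $gpDir "$scope\registry.pol"
    $state = if (Test-Path $pol) { 'present' } else { 'absent' }
    Write-Output ("{0,-8} registry.pol: {1}" -f $scope, $state)
}

# 2. The permission trick discussed later in these notes (DENY READ on this
#    folder) works precisely because the policy engine cannot read the files.
#    A Deny ACE here is therefore worth flagging: it may be an intentional
#    exemption, or it may be someone quietly opting out of policy.
$denies = (Get-Acl -Path $gpDir).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
if ($denies) {
    foreach ($ace in $denies) {
        Write-Warning ("Deny ACE on {0}: {1} denied {2}" -f $gpDir, $ace.IdentityReference, $ace.FileSystemRights)
    }
} else {
    Write-Output "No Deny ACEs on $gpDir"
}

# 3. For the "limited account" exercise: one thing to look at is which local
#    accounts are members of Administrators and which are not.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
foreach ($u in Get-LocalUser) {
    $qualified = "$env:COMPUTERNAME\$($u.Name)"
    $role = if ($admins -contains $qualified) { 'member of Administrators' } else { 'not an administrator' }
    Write-Output ("{0,-20} enabled={1,-5} {2}" -f $u.Name, $u.Enabled, $role)
}
```

Run it once before and once after changing a setting in gpedit.msc to watch the matching registry.pol appear.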
Local Policy: proper name of a subset of "Local Computer Policy":

* Audit Policy
* User Rights
* Security Options
* Accounts

www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_sceacctpols.mspx?mfr=true

Account Policies:

* Password
* Lockout
* Kerberos

From the MS documentation: For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain policy and is enforced by the domain controllers that make up the domain. A domain controller always obtains the account policy from the Default Domain Policy Group Policy object, **even if there is a different account policy applied to the organizational unit that contains the domain controller**. By default, workstations and servers joined to a domain (such as member computers) will also receive the same account policy for their local accounts. However, local account policies can be different from the domain account policy, such as when you define an account policy specifically for the local accounts.

Problems with security through Local Computer Policy:

* It applies to everyone, including Administrators. Trick: give DENY READ permissions to c:\windows\system32\GroupPolicy. Is this a hack, or what??
* Read the "Bypass traverse checking" stuff at http://technet2.microsoft.com/windowsserver/en/library/6d1cf160-25c8-4b0f-90b5-428bf5c24eae1033.mspx?mfr=true
* Administrators and the "Take Ownership" right.

========================

Local Computer Policy v Group Policy: Group Policy is a way of *propagating* settings over the network.

========================

=============================================================

User profiles:

Unix approach: all "profile" info is installed at account-creation time.

Windows approach: everything is set up to be installed/copied at the time of first logon.

What's the difference? Basically, if things are installed only when you first log on, there's no space used if you never log on. With non-roaming profiles, this might matter a lot.
==========================================================

Problem: how do we set some default entries for a user?

MS Shared Computer Toolkit says to log into each account to make settings. There HAS to be a better way!

See http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html for good ties to registry settings.

The profile is the ENTIRE directory. All folders can be redirected, not just four.

These don't get roamed:

* Local Settings
* Temp

Local method:

1. create an account, log into it, and then copy that user's NTUSER.DAT (and maybe other parts of the profile) to C:\Documents and Settings\Default User
2. on a domain, do the same

peter/sandy demo:

1. create different profiles for each on laptop6; the respective NTUSER.DAT files are ntuser.peter and ntuser.sandy
2. create pclone and sclone accounts, never used!
3. copy ntuser.peter to NTUSER.DAT in the following folder on winserver01: d:\windows\sysvol\sysvol\csed430.cs.luc.edu\scripts\Default User

Now try logging into pclone and seeing what profile we get. Now try another machine!

With some experimenting, we can demonstrate that the profiles are not getting stored on winserver01, and hence that we're not roaming!! If you do roam, you need to redirect folders to reduce copying overhead.

=============================================================
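The peter/sandy demo settles "are we roaming?" by experiment; the machine itself records the answer in the ProfileList registry key, and the added example below (not from the course notes) reads it. It assumes PowerShell 5.1 or later and the modern profile layout, where the "Default User" template folder of the notes is C:\Users\Default and its path is stored in the ProfileList key's Default value:

```powershell
# Added example, not from the course notes: list every profile Windows knows
# about on this machine and whether it is roaming, which is what the
# peter/sandy demo establishes by trial and error. Assumes PowerShell 5.1+
# and a modern Windows layout (C:\Users\Default instead of "Default User").

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# The template copied at first logon (the notes' "Default User" folder).
# Its NTUSER.DAT is the hive a brand-new account starts from, so this is the
# file to check when the "local method" above does not take effect.
$defaultDir = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $profileList).Default)
$hive = Join-Path $defaultDir 'NTUSER.DAT'
$hiveState = if (Test-Path $hive) { 'found' } else { 'MISSING' }
Write-Output ("Default profile template: {0} (NTUSER.DAT {1})" -f $defaultDir, $hiveState)

# One subkey per SID that has logged on here. CentralProfile is only filled
# in when a roaming path was handed down from the domain; empty means the
# profile exists only on this machine, exactly what the demo observed.
$rows = foreach ($key in Get-ChildItem $profileList) {
    $sid = $key.PSChildName
    $p = Get-ItemProperty $key.PSPath
    $local = [Environment]::ExpandEnvironmentVariables([string]$p.ProfileImagePath)
    $central = [string]$p.CentralProfile
    $kind = if ($central -eq '') { 'local only' } else { "roaming from $central" }
    # Resolve the SID to an account name; fall back to the raw SID when the
    # account no longer exists (stale profile) or cannot be looked up.
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $name = $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = $sid
    }
    [pscustomobject]@{ Account = $name; LocalPath = $local; Profile = $kind }
}
$rows | Sort-Object Account | Format-Table -AutoSize
```

A pclone row showing "local only" on every machine you log into is the same conclusion the demo reaches, without needing a second laptop.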