W5-User_Group_Directories
In this module we explore the following
Managing a user account
Group management policies
Windows account admin
Workgroups
Domains
Member servers
Domain controllers
Manage User Accounts
A user consists of:
username
user ID (uid) - used by the OS internally
Each user must belong to at least one group
Groups have:
group name
group ID (gid)
User management policies
Organisations have policies for user accounts, e.g.
How uids are allocated
What groups a user may belong to
How usernames will be generated
Security features (e.g. password aging) to be enforced
Whether accounting or resource limiting will be enforced
Unix user data file
The original UNIX user data file is /etc/passwd
Readable by everybody, writable only by root
-rw-r--r-- 1 root root 2955 Aug 16 08:20 /etc/passwd
Only place where username and uid are linked
Use vipw command if editing manually (does locking)
/etc/shadow
/etc/passwd must be world readable
– Encryption algorithm is known
– Users sometimes choose bad passwords, so cracking is easy
/etc/shadow is only readable by root user
– Shadow entries must match users in /etc/passwd
If /etc/shadow is present and has a password, the password field in /etc/passwd contains 'x'
/etc/group
/etc/group defines available groups
– -rw-r--r-- 1 root root 1122 Aug 16 08:20 /etc/group
– Users have one default group, but can be in many groups
• Default group is in /etc/passwd
– Users can switch groups with the newgrp command
newgrp developers # Attempts to log in to the group developers; the current working environment remains unchanged
newgrp - developers # If successful, the user environment is re-initialized as though he or she had just logged in
but setgid bits on directories are more common
– Sample /etc/group entries:
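An added example (not part of the original notes): a consistency audit of the rules stated above for /etc/passwd, /etc/shadow and /etc/group. The file contents, user names and the audit() helper are constructed for illustration; the script reads only the embedded strings.

```python
# Constructed sample file contents (not from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:HASH-PLACEHOLDER:1002:1001:Bob:/home/bob:/bin/bash
carol:x:1003:2000:Carol:/home/carol:/bin/bash
toor:x:0:0:Second root:/root:/bin/sh
"""
SHADOW = """\
root:HASH-PLACEHOLDER:19000:0:99999:7:::
alice:HASH-PLACEHOLDER:19000:0:99999:7:::
carol:HASH-PLACEHOLDER:19000:0:99999:7:::
toor:HASH-PLACEHOLDER:19000:0:99999:7:::
dave:HASH-PLACEHOLDER:19000:0:99999:7:::
"""
GROUP = """\
root:x:0:
developers:x:1001:alice,bob,erin
"""

def parse(text):
    return [ln.split(":") for ln in text.splitlines() if ln.strip()]

def audit(passwd_text, shadow_text, group_text):
    """Return (subject, issue) findings for the invariants in the notes."""
    users, groups = parse(passwd_text), parse(group_text)
    shadow_names = {rec[0] for rec in parse(shadow_text)}
    names, gids = {u[0] for u in users}, {g[2] for g in groups}
    findings, uid_owner = [], {}
    for name, pw, uid, gid, *_ in users:
        if pw != "x":  # hash sits in the world-readable file
            findings.append((name, "password field in passwd is not 'x'"))
        elif name not in shadow_names:
            findings.append((name, "no matching shadow entry"))
        if gid not in gids:  # every user needs a valid default group
            findings.append((name, f"default gid {gid} not in group file"))
        if uid in uid_owner:  # the OS identifies users by uid, not name
            findings.append((name, f"shares uid {uid} with {uid_owner[uid]}"))
        uid_owner.setdefault(uid, name)
    for name in sorted(shadow_names - names):
        findings.append((name, "shadow entry without passwd user"))
    for g in groups:
        for member in filter(None, g[3].split(",")):
            if member not in names:
                findings.append((member, f"listed in group {g[0]} but not in passwd"))
    return findings

if __name__ == "__main__":
    print(*audit(PASSWD, SHADOW, GROUP), sep="\n")
```

A second account with uid 0 (toor in the sample) is worth flagging in particular, because the OS treats it as root regardless of its username.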
Member Servers
Contain an account in a domain
Not configured as a domain controller
Typically used for file, print, application, and host network services
Domain Controllers
Set up with the Active Directory Domain Services role
– Serves user authentication requests
– Serves queries about domain objects
• Often set up to be the master DNS server and LDAP (directory) server
Manage accounts
Use GUI:
– Start > Control Panel > User accounts
– Server Manager > Tools > Computer Management > Local Users and Groups
– You can view an object's (user/group) properties
Use command line:
– net user command, e.g.: net user /add chris
– wmic useraccount command
You manage group policies via the gpedit command
– You can edit computer or user configuration/properties