W5-User_Group_Directories

In this module we explore the following:

  • Managing a user account

  • Group management policies

  • Windows account admin

  • Workgroups

  • Domains

  • Member servers

  • Domain controllers

Manage User Accounts

A user account consists of:

  1. username

  2. user ID (uid) - used by the OS internally

  3. Each user must belong to at least one group


Groups have:

  1. group name

  2. group ID (gid)

User management policies

Organisations have policies for user accounts, e.g.

  • How uid's are allocated

  • What groups a user may belong to

  • How usernames will be generated

  • Security features (e.g. password aging) to be enforced

  • Whether accounting or resource limiting will be enforced

Unix user data file

Original UNIX user data file is /etc/passwd

Readable by everybody, writable only by root

-rw-r--r-- 1 root root 2955 Aug 16 08:20 /etc/passwd

Only place where username and uid are linked

Use vipw command if editing manually (does locking)

/etc/shadow


/etc/passwd must be world readable

– Encryption algorithm is known

– Users sometimes choose bad passwords, so cracking is easy


/etc/shadow is only readable by the root user

– Shadow entries must match users in /etc/passwd

If /etc/shadow is present and has a password, the password field in /etc/passwd contains 'x'



/etc/group


/etc/group defines available groups

– -rw-r--r-- 1 root root 1122 Aug 16 08:20 /etc/group

– Users have one default group, but can be in many groups

• Default group is in /etc/passwd

– Users can switch groups with the newgrp command

  • newgrp developers # Attempts to log in to the group developers; the current working environment remains unchanged

  • newgrp - developers # if successful, the user environment is re-initialized as though he or she had just logged in

  • but setgid bits on directories are more common

– Sample /etc/group entries:
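The three files above are only consistent when they agree with each other: every shadow entry must match a passwd user, a passwd entry that has a shadow entry should carry 'x' in its password field, a user's default gid must resolve to a group in /etc/group, and uids should not be shared. The following is an added example, not part of the original slides; the file contents it parses are constructed for the demonstration, and the function names are hypothetical. It cross-checks the three files and reports every inconsistency it finds, then resolves a user's effective groups (default group from /etc/passwd plus supplementary groups from /etc/group).

```python
"""Cross-check constructed /etc/passwd, /etc/shadow and /etc/group data.

Hypothetical example. The file contents below are constructed for the
demonstration and are not taken from any real system.
"""

# Constructed sample files. Field layout follows the real formats:
#   passwd: name:pw:uid:gid:gecos:home:shell
#   shadow: name:hash:lastchg:min:max:warn:inactive:expire:reserved
#   group:  name:pw:gid:member,member,...
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:0:0:Backup job:/root:/bin/bash
chris:x:1001:1001:Chris:/home/chris:/bin/bash
dana:x:1002:1002:Dana:/home/dana:/bin/bash
legacy:$6$constructedsalt$constructedhash:1003:1003::/home/legacy:/bin/sh
"""

SHADOW = """\
root:$6$constructedsalt$constructedhash:19500:0:99999:7:::
backup:!:19500:0:99999:7:::
chris:$6$constructedsalt$constructedhash:19500:0:99999:7:::
dana:!:19500:0:99999:7:::
legacy:$6$constructedsalt$constructedhash:19500:0:99999:7:::
ghost:$6$constructedsalt$constructedhash:19500:0:99999:7:::
"""

GROUP = """\
root:x:0:
chris:x:1001:
legacy:x:1003:
developers:x:2000:chris,legacy
"""


def parse_colon_file(text, nfields):
    """Split a colon-separated account file into rows keyed by the first field."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed line (expected {nfields} fields): {line!r}")
        rows[fields[0]] = fields
    return rows


def check_account_files(passwd_text=PASSWD, shadow_text=SHADOW, group_text=GROUP):
    """Return a sorted list of inconsistency findings across the three files."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    groups = parse_colon_file(group_text, 4)
    gid_to_group = {int(g[2]): name for name, g in groups.items()}
    findings = []

    # /etc/passwd is the only place username and uid are linked, so a
    # duplicated uid (two names for uid 0 here) means two logins share one identity.
    uid_owners = {}
    for name, p in passwd.items():
        uid_owners.setdefault(int(p[2]), []).append(name)
    for uid, names in uid_owners.items():
        if len(names) > 1:
            findings.append(f"uid {uid} shared by {', '.join(sorted(names))}")

    for name, p in passwd.items():
        # With a shadow entry present, the passwd password field should be 'x'.
        if name in shadow and p[1] != "x":
            findings.append(f"{name}: password field in passwd is not 'x'")
        if name not in shadow:
            findings.append(f"{name}: no /etc/shadow entry")
        # The default group in passwd must resolve to a group in /etc/group.
        if int(p[3]) not in gid_to_group:
            findings.append(f"{name}: default gid {p[3]} not in /etc/group")

    # Shadow entries must match users in /etc/passwd.
    for name in shadow:
        if name not in passwd:
            findings.append(f"{name}: shadow entry without passwd entry")

    return sorted(findings)


def groups_for(user, passwd_text=PASSWD, group_text=GROUP):
    """Effective group names for a user: default group plus supplementary groups."""
    passwd = parse_colon_file(passwd_text, 7)
    groups = parse_colon_file(group_text, 4)
    gid = int(passwd[user][3])
    result = set()
    for name, g in groups.items():
        members = [m for m in g[3].split(",") if m]
        if int(g[2]) == gid or user in members:
            result.add(name)
    return result


if __name__ == "__main__":
    for finding in check_account_files():
        print("FINDING:", finding)
    print("chris is in:", sorted(groups_for("chris")))
```

On the constructed data this reports four findings: dana's default gid has no group, ghost exists only in the shadow file, legacy still carries a hash in /etc/passwd instead of 'x', and uid 0 is shared by root and backup. The same checks run unchanged against real files read with vipw-style care (read-only, as root for /etc/shadow).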



Member Servers

Have a computer account in a domain

Not configured as a domain controller

Typically used for file, print, application and host network services

Domain Controllers

Configured with the Active Directory Domain Services role

– Serve user authentication requests

– Serve queries about domain objects

• Often set up to be the master DNS server and LDAP (directory) server


Manage accounts


Use GUI:

– Start > Control Panel > User Accounts

– Server Manager > Tools > Computer Management > Local Users and Groups

– You can view an object's (user/group) properties

• Use the command line:

– net user command, e.g. net user /add chris

– wmic useraccount command

• You manage group policies via the gpedit command

– You can edit computer or user configuration/properties