Notes on Account Management

Account permissions can be defined for groups (or for individual accounts).

Local Groups are created on workstations and only apply to the workstation.

Global Groups are created on Domain Controllers and apply to all computers in the domain.

Changing permissions of a group changes the permissions of everybody in the group.

Share permissions determine who can access a shared directory and how.

File permissions determine who can access files and how. NTFS only.

Administrators always have full access to all resources.

A user has the combined permissions of all groups the user belongs to.

No Access Permission overrides all others.

NT chooses the most restrictive permission in a conflict.
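
The three rules above, worked through as an added example (not part of the original notes). It assumes the "conflict" is between the share permission and the NTFS file permission, and it simplifies permissions to four ordered levels; the group names and ACLs are constructed sample data.

```python
# Added example: effective access under the rules in these notes.
# Simplification: four ordered levels, so "combined" means the highest grant.
NO_ACCESS, READ, CHANGE, FULL = "No Access", "Read", "Change", "Full Control"
RANK = {READ: 1, CHANGE: 2, FULL: 3}

def combine(acl, principals):
    """Combine all ACL entries that name the user or one of the user's groups."""
    granted = [level for name, level in acl.items() if name in principals]
    # Rule: No Access overrides every other entry, whichever group carries it.
    if NO_ACCESS in granted or not granted:
        return NO_ACCESS  # no matching entry at all is treated as no access
    # Rule: the user has the combined permissions of all groups.
    return max(granted, key=RANK.get)

def effective(user, groups, share_acl, file_acl):
    """Effective access to a file reached through a share."""
    principals = {user, *groups}
    share = combine(share_acl, principals)
    ntfs = combine(file_acl, principals)
    if NO_ACCESS in (share, ntfs):
        return NO_ACCESS
    # Rule: in a conflict (share vs. file, by assumption) the most
    # restrictive permission applies.
    return min(share, ntfs, key=RANK.get)

# Constructed sample ACLs and memberships (hypothetical names).
SHARE_ACL = {"Sales": CHANGE, "Staff": READ}
FILE_ACL = {"Sales": FULL, "Staff": READ, "Contractors": NO_ACCESS}
MEMBERS = {
    "alice": ["Sales", "Staff"],        # Change on share, Full Control on file
    "bob": ["Staff", "Contractors"],    # No Access entry on the file
    "carol": ["Staff"],                 # Read on both
    "dave": [],                         # named in no ACL entry
}

def audit(members=MEMBERS):
    """Return each user's effective permission for review."""
    return {u: effective(u, g, SHARE_ACL, FILE_ACL) for u, g in members.items()}

if __name__ == "__main__":
    for user, level in audit().items():
        print(f"{user:6} {level}")
```

Running an audit like this before changing a group's permissions shows which users gain or lose access, since one group edit affects every member.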

Account Policies

Control universal security settings for the account (password changing, etc.).

User Rights

Control the activities users can engage in (shut down the system, log on, change the time, etc.).

System Policies

Set through the System Policy Editor. Control various security settings.

Accounts can be disabled, which denies access to that user. A disabled account can be reinstated.

Deleting accounts removes all permissions.

Home Directories can be created.

Profiles control the desktop, menus, and network connections.

Auditing controls what events are recorded. Alerts notify someone when an event occurs.

Distributed File System (Dfs)

Allows directories on multiple servers to appear as sub-directories of a single directory.

Advantageous for growing systems to avoid changing the share names.

Dfs is an addition to Windows NT, available as a download or service pack.