Introduction to Microsoft Management Console (MMC)
- MMC is a common console framework for management applications
- MMC provides a common environment for snap-ins, the tools that support management functionality
- MMC allows you to perform a number of tasks

The MMC Window

MMC Consoles

Introduction to Snap-Ins

Stand-Alone Snap-Ins
- Stand-alone snap-ins are usually referred to simply as snap-ins
- Each snap-in provides one function or a related set of functions

Extension Snap-Ins
- Extension snap-ins are usually referred to as extensions
- An extension provides additional administrative functionality to another snap-in
- Extensions are designed to work with one or more stand-alone snap-ins
- Some snap-ins can act as stand-alone snap-ins or as extensions

Console Options

Create a Custom Console
- Run MMC
- Author mode
- User mode
- Full Access
- Limited Access, Multiple Windows
- No access to console tree
- Can't open new windows
- Limited Access, Single Window

Windows 2000 User Accounts
- Domain user accounts
- Local user accounts
- Built-in user accounts

Domain User Accounts
- Allow users to log on to the domain and gain access to resources anywhere on the network
- Created in an OU in the Active Directory store
- Replicated to all domain controllers

Local User Accounts
- Allow users to log on to and gain access to resources on the computer where they log in
- Created in the computer's security database
- Not replicated to domain controllers

Built-In User Accounts
- Administrator
  - Rename
  - Create new account with administrator privileges
  - runas /user:domain_name\username prog
- Guest
  - Disabled by default

Naming Conventions
- The naming convention establishes how users are identified in the domain
- Several considerations

User account
- Naming
- Password requirements
- Account options
- Logon hours
- Computer restrictions

Logon Name
- Must be unique within the OU
- 20 characters max
- invalid
- Not case sensitive
- How will you deal with duplicates?
- Services may require an account name to run

Password Requirements
- Always assign a password for the Administrator account
- Determine whether the administrator or the users will control passwords
- Use passwords that are hard to guess
- Passwords can be up to 128 characters; a minimum length of eight characters is recommended
- Use both uppercase and lowercase letters, numerals, and valid non-alphanumeric characters

Account Options
- Logon hours
- Computer from which users can log on
- Account expiration

Creating Domain User Accounts

Creating Local User Accounts

Overview of Modifying Properties
- A set of default properties is associated with each user account
- Properties defined for a domain user account can be used to search for users in the Active Directory store
- Several properties should be configured for each domain user account
- You can use the Active Directory Users And Computers snap-in to modify a domain user account
- You can use the Local Users And Groups snap-in to modify a local user account

The Properties Dialog Box
- Personal properties tabs
- Account tab
- Profile tab
  - Desktop settings
  - Home Directories
- Published Certificates tab
- Member Of tab
- Dial-In tab
- Object tab
  - FQDN of Object
  - USN
- Security tab
- Terminal Services tabs

Administering User Accounts
- Managing user profiles
- Modifying user accounts
- Creating home folders

Managing User Profiles
- A user profile is a collection of folders and data that stores your current desktop environment and application settings as well as personal data
- Microsoft Windows 2000 creates a local user profile the first time you log on at a computer
- User profiles operate in a specific manner
- Stored in %systemdrive%\Documents and Settings\logon name
- %systemdrive%\profiles

Profiles
- Customizable: ntuser.dat
- Mandatory: ntuser.man
- Local: stored on the local machine
- Roaming: stored in a shared folder on a server

Assigning a Customized Roaming User Profile

Creating Home Folders

Introduction to Groups
- A group is a collection of user accounts
- Groups simplify administration of user permissions
- Users can be members of more than one group
- When you assign permissions, you give users the capability to gain access to specific resources
- You can add user accounts, contacts, computers, and other groups to groups

Types of Groups
- Security groups
- Distribution groups

Group Scopes

Introduction to Group Membership
- The group scope determines the membership of the group
- Membership rules define which members a group can contain
- Domain local groups and global groups can be converted to universal groups

Group Nesting
- You can add groups to other groups to reduce the number of times permissions need to be assigned
- You should create a hierarchy of groups based on business needs
- Try to minimize the levels of nesting
- Nesting reduces the number of times you assign permissions; however, tracking permissions becomes more complex
- Document group membership to keep track of permission assignments
- Effective nesting in a multiple-domain environment will reduce network traffic between domains and simplify administration
- Consider the domain operation mode when nesting groups

Group Strategies

Introduction to Groups
- Determine the required group scope based on how you want to use the group
- Avoid adding users to universal groups
- Determine whether you have the necessary permissions to create a group in the appropriate domain
- Determine the name of the group

Group Scope
- Domain Local
  - Users from any domain
  - Access to Domain resources only
- Global
  - User from same domain
  - Access to all domains resources
- Universal
  - Open membership
  - Open access

Administering Groups

Overview of Group Implementation
- A local group can contain user accounts on a computer and can be assigned to resources on that computer
- There are two types of local groups
  - Local
  - Domain local
- Try to follow specific guidelines when using local groups
- Non-domain local groups can contain local user accounts from the computer on which you create the local groups

Creating Local Groups

Built-In Global Groups
- Windows 2000 creates built-in global groups to group common types of user accounts
- The groups are created in the Active Directory store
- The Users OU contains the built-in global groups
- Windows 2000 includes a number of commonly used built-in global groups

Built-In Domain Local Groups
- Built-in domain local groups provide users with user rights and permissions to perform tasks on domain controllers and in the Active Directory store
- Built-in domain local groups give predefined rights to user accounts when you add user accounts or global groups as members
- Windows 2000 includes a number of commonly used built-in domain local groups

Built