User and Group Accounts
- Authentication is the process of verifying a user’s identity by using a User ID and Password.
- Domain user accounts are centrally stored on a Domain Controller and provide access control for domain resources such as network file storage and printing.
- Local user accounts are stored locally on the computer for which they provide access control for.
- Windows NT4 user accounts were stored in the Security Accounts Manager (SAM) database.
- The Administrator account has full control over either the local system or the domain and has the special privilege to take ownership of security objects (files, etc.).
- The Guest account is used to grant access to resources to users without an account in the computer or domain where the resource resides.
- Attributes of user accounts –
- User ID
- Password
- Description (or Full Name)
- Windows user account names -
- must be unique to the machine (for local accounts) or unique to the domain (for domain accounts)
- can not be the same as a group name
- can be a maximum of 20 characters, upper or lower case or a combination thereof
- may not include the "special" characters " / \ [ ] : ; | = , + * ? < >
- may include spaces and periods, but not be completely made up of spaces or periods (avoid spaces if possible)
- Security access is controlled by a Security Identifier (SID), not the user’s User Name
- Each user, group and computer account has a SID
- Microsoft calls the username@domainname format a User Principle Name (UPN)
- Group scope determines where the group object resides and what, if any, resources it controls access to.
- Group scopes -
- Local groups:
- may only contain local machine users
- may only be granted access to local machine resources
- Domain local groups:
- may contain members from any domain in the AD forest
- may only grant access to resources in their own domain
- Global groups:
- may only contain members from their own domain
- may grant access to resources in any domain in the AD forest
- may grant access to resources in other AD forests if a trust relationship has established between the forests
- Universal groups:
- may contain members from any domain in the AD forest
- may grant access to any resource in the AD forest
- Making a group a member of another group is called group nesting.
- Two types of groups in Active Directory –
- Distribution groups – used for email distribution lists, have no SID
- Security groups – used to control access to resources, have a SID
Disk Storage
- Fault tolerance is the ability to encounter an error or hardware malfunction and continue to operate.
- A Spanned volume contains disk space from 2 or more disks.
- A Mirror set contains two equal size volumes with identical copies of data.
- RAID stands for Redundant Array of Independent Disks.
- RAID 0 is not fault tolerant, while RAID 3 is fault tolerant.
- In Windows, Disk 0 is a physical disk, Drive C: is a logical drive.
- Basic disks and Dynamic disks use different partitioning schemes.
- Disk quotas limit the amount of disk space a user can use.
- A Physical disk can be divided into Partitions, a volume contains disk space from 1 or more partitions, and a logical drive exists within a volume.
- RAID 5 is the most efficient from an efficiency of data storage standpoint.
- Mounted drives show up as folders on a logical drive.
- You must delete a volume and re-create it to make it smaller.
- Only volumes on dynamic disks can be mirrored.
File Folder Permissions
- Hidden shares are created when Windows is installed, do not show up when a user browses the shared resources on a computer, and are for administrative purposes.
- The ADMIN$ share is mapped to the system root folder, usually C:\Windows.
- Child objects normally get whatever permissions their parent objects are assigned, this is called inheritance, and any rights gained this way are called inherited rights.
- You can create a share with eitherWindows Explorer or the Computer ManagementConsole.
- Share permissions can be set to Full Control, Change, or Read.
- To prevent a file from being deleted, the folder where the file resides must be set to prevent files from being deleted. Making the file Read-only is not enough by itself.
- Publishing a share makes it appear in Active Directory.
- Folder/File Permissions –
- Read
- Write
- Read and Execute
- Modify = Read and Execute + Write
- Full Control
- List Folder Contents
- File permissions usually override folder permissions.
- Less restrictive rights normally override more restrictive rights.
- Effective Permissions = Explicit Permissions + Inherited Permissions
Printing
- A print queue is a list of documents waiting to be sent to a printer, and the queued documents are stored in a printer spool file.
- Each printer installed on a Windows computer has its own spool file.
- The Print Processor de-spools the job from the spool file.
- Microsoft calls a physical printer a Print Device.
- The GDI renders visual output for both the screen and a printer.
- Print spooler components –
- print router
- local print provider
- remote print provider
- print processors
- print monitor
- The advantage of using a print server rather than connecting the client directly to a printer is that the print server can usually queue more documents and it is able to automatically send the client the appropriate print drivers for the printer that the client is trying to use.
Thin Client
- Windows Terminal Service provides a Windows based thin client architecture.
- Terminal Services can be run in one of two modes -
- Remote Administration mode
- Application Server mode
- Remote Admin mode only allows 2 simultaneous connections
- Application Server mode allows as many connections as you have licenses for.
- Thin client takes advantage of centralized processing capacity (like a mainframe).
- The first thin client architecture for Windows was developed by Citrix.
- Many applications require you to run a terminal server compatibility script to make the application work in a multi-user environment.
Backup
- A media rotation schedule is a plan for knowing which backup media to use when.
- Microsoft’s “Normal” backup is the same thing as a “Full” backup, it backs up everything.
- A file’s archive bit tells you whether or not the file has been modified since the last time it was backed up.
- An Emergency Repair Disk (ERD)can help with server boot problems.
- Some data backups should be stored offsite in case of fire/flood/etc.
- The most commonly used media rotation schedule is called Grandfather/Father/Son.
- Backup types –
- Normal(Full) – copies all selected files and then resets the archive bit
- Incremental – copies all selected files with the archive bit set and resets the archive bit
- Differential – copies all selected files with the archive bit set but does not reset the bit
- Daily – copies all files that were edited the day the backup was performed
- Copy – copies all selected files but does not reset the archive bit
- Options in windows backup wizard –
- Back up everything
- Back up selected files
- Only back up SystemState data
Internet
- A web cache is a centralized repository for web pages that have already been downloaded from the Internet. It is intended to improve page loading times and conserve bandwidth on the Internet connection.
- IIS stands for Internet Information Server
- Components of IIS-
- WWW – IIS includes a web server for setting up a web site or intranet site
- FTP – an FTP server is included to handle remote file transfers
- NNTP – IIS includes a network news (Usenet) server. NNTP allows users to browse through a threaded conversation database. Messages are linked based on their conversation thread.
- SMTP – Some simple mail services are provided, but not enough of a mail server implementation to use as an email server. SMTP is provided simply to support HTTP (mail to: links, etc.) and NNTP services.
- There are several things you need to know before setting up a web site using IIS. You should have the following information before starting to set up your site:
- what IP address is the web server live on (important when the server is configured with more than one IP address)
- what port number should the server listen on for requests on (default for HTTP is port 80, don’t change this unless you have a good reason)
- what port number should the server listen on for secure communications (default is port 443)
- what “host header name” the web server should respond to if multiple sites are configured for a single IP address ( is a host header name)
- what directory on the server contains the web site content (where are the HTML files for the site)