Microsoft Press Windows Vista Administrator's Pocket Consultant ebook
Page 24
Click OK.
Note
Remind users that Windows Vista makes it easy to maintain service and key ring passwords. To update the key ring and the service password at the same time, use the Change feature of the Logon Information Properties dialog box. See the "Editing Key Ring Entries" section of this chapter for details.
Editing Key Ring Entries
You can edit key ring entries at any time, but keep in mind that local key ring entries are visible only on the computer on which they were created. This means that if you want to modify an entry, you must log on to the local workstation where it was created. The only exception is for users with roaming profiles. When a user has a roaming profile, key ring entries can be edited from any computer where the user is logged on.
Use the following steps to edit a user's key ring entries:
Log on as the user whose key ring entries you want to manage. In Control Panel, click User Accounts and then click User Accounts again. This displays the User Accounts page.
In the left pane, click Manage Your Network Passwords.
In the Stored User Names And Passwords dialog box, you'll see a list of current entries. Select the entry you want to modify and then click Edit.
Change the logon account name and password as necessary.
Click OK.
Tip
If you want to change your password for a service and update the logon information to use the new password, click Change. Type your current password in the Old Password field. Then specify and confirm your new password using the fields provided. Complete the process by clicking OK. If there are multiple entries for this same account in the current domain, the other entries are automatically updated as well. This means you don't have to change the password associated with these entries.
Removing Key Ring Entries
When a user no longer needs a key ring entry, you should remove it. To remove a user's key ring entry, follow these steps:
Log on as the user whose key ring entries you want to manage. In Control Panel, click User Accounts and then click User Accounts again. This displays the User Accounts page.
In the left pane, click Manage Your Network Passwords.
In the Stored User Names And Passwords dialog box, you'll see a list of current entries. Select the entry you want to delete and then click Remove. When prompted to confirm the action, click OK.
As stated previously, local key ring entries can be removed only on the computer on which they were created. When a user has a roaming profile, though, key ring entries can be deleted from any computer where the user is logged on.
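The editing and removal steps above go through the Stored User Names And Passwords dialog. The same store can be worked on from the command line with cmdkey.exe, which ships with Windows Vista. The following is an added example, not code from the book: it assumes Windows PowerShell 2.0 or later, run as the user whose key ring is being managed (the store is per user), and the server and user names in the usage section are constructed.

```powershell
# Added example, not from the book: manage the key ring (Stored User Names And
# Passwords) from the command line with cmdkey.exe. Assumes Windows PowerShell 2.0
# or later, run as the user whose key ring is being managed. Names are constructed.

function Get-KeyRingEntry {
    # Parse "cmdkey /list" into one object per stored credential. The output is a
    # sequence of blocks: a "Target:" line followed by "Type:" and "User:" lines.
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($current -ne $null) { $entries += $current }
            # Newer Windows versions prefix the target with "Domain:target=" or
            # "LegacyGeneric:target="; strip that so the value can be fed to /delete.
            $target = $matches[1].Trim() -replace '^.*?:target=', ''
            $current = New-Object PSObject -Property @{ Target = $target; Type = ''; User = '' }
        }
        elseif ($current -ne $null -and $line -match '^\s*Type:\s*(.+)$') {
            $current.Type = $matches[1].Trim()
        }
        elseif ($current -ne $null -and $line -match '^\s*User:\s*(.+)$') {
            $current.User = $matches[1].Trim()
        }
    }
    if ($current -ne $null) { $entries += $current }
    return $entries
}

function Set-KeyRingEntry {
    # Counterpart of Edit in the dialog: cmdkey /add replaces any existing entry for
    # the same target. With "/pass" given no value, cmdkey prompts for the password,
    # so it never appears on the command line or in the shell history.
    param([Parameter(Mandatory=$true)][string]$Target,
          [Parameter(Mandatory=$true)][string]$UserName)
    cmdkey "/add:$Target" "/user:$UserName" /pass
}

function Remove-KeyRingEntry {
    # Counterpart of Remove in the dialog.
    param([Parameter(Mandatory=$true)][string]$Target)
    cmdkey "/delete:$Target"
}

# Usage (constructed names): review what this user has stored, then remove the
# entry for a server that has been decommissioned, the case the text describes as
# an entry the user no longer needs.
Get-KeyRingEntry | Format-Table Target, Type, User -AutoSize
Get-KeyRingEntry |
    Where-Object { $_.Target -like '*oldfileserver.example.local*' } |
    ForEach-Object { Remove-KeyRingEntry -Target $_.Target }
```

Because the store is per user and, for local profiles, per computer, run this where the user is logged on; with a roaming profile it applies wherever that user logs on, exactly as the text states for the dialog.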
Managing Local User Accounts and Groups
Local user accounts and groups are managed much like domain accounts. You can create accounts, manage their properties, reset accounts when they are locked or disabled, and so on. These and other tasks are examined in this section.
Creating Local User Accounts Using Local Users and Groups
In addition to being able to create local user accounts with Control Panel, you can create local user accounts with Local Users And Groups. You can access this utility and create an account by completing the following steps:
Click Start, All Programs, Administrative Tools, Computer Management. Alternatively, access Control Panel, click System And Maintenance, click Administrative Tools, and finally double-click Computer Management.
Right-click the Computer Management entry in the console tree and select Connect To Another Computer on the shortcut menu. You can now select the Windows Vista workstation whose local accounts you want to manage; domain controllers do not have local users or groups.
Expand the System Tools node by clicking the plus sign (+) next to it. Then select Local Users And Groups.
Right-click Users and then select New User. This opens the New User dialog box, shown in Figure 6-6. The fields in the dialog box are used as follows:
• User Name The logon name for the user account. This name should follow the conventions for the local user name policy.
• Full Name The full name of the user, such as William R. Stanek.
• Description A description of the user. Normally you'd type the user's job title, such as Webmaster. You could also type the user's job title and department.
• Password The password for the account. This password should follow the conventions of your password policy.
• Confirm Password A field to ensure that you assign the account password correctly. Simply retype the password to confirm it.
• User Must Change Password At Next Logon If this check box is selected, the user must change the password upon logon.
• User Cannot Change Password If this check box is selected, the user can't change the password.
• Password Never Expires If this check box is selected, the password for this account never expires. This setting overrides the local account policy.
• Account Is Disabled If this check box is selected, the account is disabled and can't be used. Use this field to temporarily prevent anyone from using an account.
Figure 6-6: Configure new workstation accounts using the New User dialog box in Local Users And Groups.
Click Create when you're finished configuring the new account.
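The check boxes in the New User dialog map onto attributes of the account, which is useful to know when accounts are created in bulk or on a remote workstation. The following is an added example, not code from the book: it creates a local user with the same options the dialog offers through the WinNT ADSI provider, assumes Windows PowerShell 2.0 or later at an elevated prompt, and the account details in the usage call are constructed.

```powershell
# Added example, not from the book: create a local user with the New User dialog's
# options via the WinNT ADSI provider. Assumes Windows PowerShell 2.0 or later,
# elevated, on or with rights to the target workstation. Usage values are constructed.

# Bits of the userFlags attribute that correspond to the dialog's check boxes.
$ADS_UF_ACCOUNTDISABLE     = 0x0002   # Account Is Disabled
$ADS_UF_PASSWD_CANT_CHANGE = 0x0040   # User Cannot Change Password
$ADS_UF_DONTEXPIRE_PASSWD  = 0x10000  # Password Never Expires

function New-WorkstationUser {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # domain controllers have no local accounts
        [Parameter(Mandatory=$true)][string]$UserName,
        [string]$FullName = '',
        [string]$Description = '',
        [Parameter(Mandatory=$true)][string]$Password,
        [switch]$MustChangePassword,    # User Must Change Password At Next Logon
        [switch]$CannotChangePassword,  # User Cannot Change Password
        [switch]$PasswordNeverExpires,  # Password Never Expires
        [switch]$Disabled               # Account Is Disabled
    )
    if ($MustChangePassword -and $CannotChangePassword) {
        throw 'A user who must change the password at next logon cannot also be barred from changing it.'
    }
    $computer = [ADSI]"WinNT://$ComputerName"
    $user = $computer.Create('User', $UserName)
    $user.SetPassword($Password)   # the local password policy is enforced at this point
    $user.SetInfo()                # the account now exists; remaining attributes are set on it

    $user.Put('FullName', $FullName)
    $user.Put('Description', $Description)

    $flags = [int]$user.Get('UserFlags')
    if ($CannotChangePassword) { $flags = $flags -bor $ADS_UF_PASSWD_CANT_CHANGE }
    if ($PasswordNeverExpires) { $flags = $flags -bor $ADS_UF_DONTEXPIRE_PASSWD }
    if ($Disabled)             { $flags = $flags -bor $ADS_UF_ACCOUNTDISABLE }
    $user.Put('UserFlags', $flags)

    # "Must change at next logon" is a separate attribute, not a userFlags bit.
    if ($MustChangePassword) { $user.Put('PasswordExpired', 1) }

    $user.SetInfo()
    return $user
}

# Usage (constructed values): the webmaster account from the dialog description,
# with a first-logon password change required. The password is read at the prompt
# so it does not sit in the script or the shell history.
$pw = Read-Host 'Initial password for the new account'
New-WorkstationUser -UserName 'wstanek' -FullName 'William R. Stanek' `
    -Description 'Webmaster' -Password $pw -MustChangePassword | Out-Null
```

Passing a different ComputerName binds to another workstation's SAM, the same thing Connect To Another Computer does in Computer Management.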
Creating Local Groups for Workstations
You create local groups with Local Users And Groups. You can access this utility and create a group by completing the following steps:
Click Start, All Programs, Administrative Tools, Computer Management. Alternatively, access Control Panel, click System And Maintenance, click Administrative Tools, and finally double-click Computer Management.
Right-click the Computer Management entry in the console tree and select Connect To Another Computer. You can now select the computer whose local accounts you want to manage. Domain controllers don't have local users and groups.
Expand the System Tools node by clicking the plus sign (+) next to it. Then select Local Users And Groups.
Right-click Groups and then select New Group. This opens the New Group dialog box, shown in Figure 6-7.
Figure 6-7: The New Group dialog box enables you to add a new local group to a Windows Vista workstation.
After you type a name and description for the group, use the Add button to add names to the group. This opens the Select Users dialog box.
In the Select Users dialog box, click Locations to select the computer or domain in which the users you want to work with are located.
Type the name of a user you want to use in the Enter The Object Names To Select field and then click Check Names. If matches are found, select the account you want to use and then click OK. If no matches are found, update the name you entered and try searching again. Repeat this step as necessary and click OK when finished.
The New Group dialog box is updated to reflect your selections. If you made a mistake, select a name and remove it by clicking Remove.
Click Create when you're finished adding or removing group members.
Adding and Removing Local Group Members
You use Local Users And Groups to add or remove local group members. Complete the following steps:
Access Local Users And Groups in Computer Management and then select the Groups folder. Double-click the group with which you want to work.
Use the Add button to add user accounts to the group. This opens the Select Users dialog box. In the Select Users dialog box, type the name of a user you want to use in the Enter The Object Names To Select field and then click Check Names. If matches are found, select the account you want to use and then click OK. If no matches are found, update the name you entered and try searching again. Repeat this step as necessary and click OK when finished.
Use the Remove button to remove user accounts from the group. Simply select the user account you want to remove from the group and then click Remove.
Click OK when you are finished.
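The New Group dialog and the Add and Remove buttons also have a scriptable equivalent. The following is an added example, not code from the book: it creates a local group and manages its members through the WinNT ADSI provider, assumes Windows PowerShell 2.0 or later at an elevated prompt, and the group, domain and user names are constructed.

```powershell
# Added example, not from the book: create a local group and add, remove and list
# its members via the WinNT ADSI provider. Assumes Windows PowerShell 2.0 or later,
# elevated. Group, domain and user names are constructed.

function New-WorkstationGroup {
    param([string]$ComputerName = $env:COMPUTERNAME,
          [Parameter(Mandatory=$true)][string]$GroupName,
          [string]$Description = '')
    $computer = [ADSI]"WinNT://$ComputerName"
    $group = $computer.Create('Group', $GroupName)
    $group.SetInfo()
    $group.Put('Description', $Description)
    $group.SetInfo()
    return $group
}

function Get-MemberPath {
    # Build the ADsPath the WinNT provider expects for a member. "DOMAIN\name"
    # selects a domain account (the Locations button in the dialog); a bare name
    # is a local account on the workstation.
    param([Parameter(Mandatory=$true)][string]$Account,
          [string]$ComputerName = $env:COMPUTERNAME)
    if ($Account -match '^([^\\]+)\\(.+)$') {
        return "WinNT://$($matches[1])/$($matches[2]),user"
    }
    return "WinNT://$ComputerName/$Account,user"
}

function Add-WorkstationGroupMember {
    param([string]$ComputerName = $env:COMPUTERNAME,
          [Parameter(Mandatory=$true)][string]$GroupName,
          [Parameter(Mandatory=$true)][string]$Account)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $group.psbase.Invoke('Add', (Get-MemberPath $Account $ComputerName))
}

function Remove-WorkstationGroupMember {
    param([string]$ComputerName = $env:COMPUTERNAME,
          [Parameter(Mandatory=$true)][string]$GroupName,
          [Parameter(Mandatory=$true)][string]$Account)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $group.psbase.Invoke('Remove', (Get-MemberPath $Account $ComputerName))
}

function Get-WorkstationGroupMember {
    # Members() returns raw COM objects; read each one's ADsPath by late binding.
    param([string]$ComputerName = $env:COMPUTERNAME,
          [Parameter(Mandatory=$true)][string]$GroupName)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# Usage (constructed names): a group for web content editors with one domain
# member and one local member, then a membership review.
New-WorkstationGroup -GroupName 'WebEditors' -Description 'May edit site content' | Out-Null
Add-WorkstationGroupMember -GroupName 'WebEditors' -Account 'EXAMPLE\wstanek'
Add-WorkstationGroupMember -GroupName 'WebEditors' -Account 'localeditor'
Remove-WorkstationGroupMember -GroupName 'WebEditors' -Account 'localeditor'
Get-WorkstationGroupMember -GroupName 'WebEditors'
```

Listing members this way is also a quick way to review who holds membership in sensitive built-in groups such as Administrators on a set of workstations.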
Enabling Local User Accounts
Local user accounts can become disabled for several reasons. If a user forgets the password and tries to guess it, he or she might exceed the account policy for bad logon attempts. Another administrator could have disabled the account while a user was on vacation. When an account is disabled or locked out, you can enable it using the methods described here.
When an account is disabled, complete the following steps:
Access Local Users And Groups in Computer Management and then select the Users folder.
Double-click the user's account name and then clear the Account Is Disabled check box.
Click OK.
When an account is locked out, complete the following steps:
In Local Users And Groups, select the Users folder.
Double-click the user's account name and then clear the Account Is Locked Out check box.
Click OK.
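The two procedures above turn on which of two distinct conditions applies: a disabled account (an administrative flag) and a locked-out account (the result of the bad logon attempt policy). The following is an added example, not code from the book: it reports which condition is set and clears only that one, using the WinNT ADSI provider; it assumes Windows PowerShell 2.0 or later at an elevated prompt, and the user name in the usage call is constructed.

```powershell
# Added example, not from the book: tell a disabled account from a locked-out one
# and clear the matching condition. Assumes Windows PowerShell 2.0 or later,
# elevated, and the WinNT ADSI provider. The user name in the usage call is constructed.

$ADS_UF_ACCOUNTDISABLE = 0x0002   # the Account Is Disabled check box

function Get-WorkstationAccountState {
    param([string]$ComputerName = $env:COMPUTERNAME,
          [Parameter(Mandatory=$true)][string]$UserName)
    $user  = [ADSI]"WinNT://$ComputerName/$UserName,user"
    $flags = [int]$user.Get('UserFlags')
    New-Object PSObject -Property @{
        UserName  = $UserName
        Disabled  = (($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0)          # Account Is Disabled
        LockedOut = [bool]$user.psbase.InvokeGet('IsAccountLocked')        # Account Is Locked Out
    }
}

function Enable-WorkstationAccount {
    param([string]$ComputerName = $env:COMPUTERNAME,
          [Parameter(Mandatory=$true)][string]$UserName)
    $user  = [ADSI]"WinNT://$ComputerName/$UserName,user"
    $flags = [int]$user.Get('UserFlags')
    $user.Put('UserFlags', ($flags -band (-bnot $ADS_UF_ACCOUNTDISABLE)))  # clear the bit, keep the rest
    $user.SetInfo()
}

function Unlock-WorkstationAccount {
    param([string]$ComputerName = $env:COMPUTERNAME,
          [Parameter(Mandatory=$true)][string]$UserName)
    $user = [ADSI]"WinNT://$ComputerName/$UserName,user"
    $user.psbase.InvokeSet('IsAccountLocked', $false)
    $user.psbase.CommitChanges()
}

# Usage (constructed name): fix whichever condition applies without touching the
# other. An account deliberately disabled by another administrator stays disabled
# when all that happened was a lockout, and vice versa.
$state = Get-WorkstationAccountState -UserName 'wstanek'
$state | Format-List UserName, Disabled, LockedOut
if ($state.LockedOut) { Unlock-WorkstationAccount -UserName $state.UserName }
if ($state.Disabled)  { Enable-WorkstationAccount -UserName $state.UserName }
```

A lockout that recurs for the same account shortly after being cleared is worth checking in the Security event log before clearing it again, since it may be a guessing attempt rather than a forgotten password.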
Creating a Secure Guest Account
In some environments, you might need to set up a guest account that can be used by visitors. Most of the time, you'll want to configure the guest account for use on a specific computer or computers and carefully control how the account can be used. To create a secure guest account, I recommend that you perform the following tasks:
Enable the guest account for use. By default, the guest account is disabled. Therefore, you must first enable it to make it available. To do this, access Local Users And Groups in Computer Management and then select the Users folder. Double-click Guest and then clear the Account Is Disabled check box. Click OK.
Set a secure password on the guest account. By default, the guest account has a blank password. To improve security on the computer, you should set one. In Local Users And Groups, right-click Guest and then select Set Password. Click Proceed at the warning prompt. Type and then confirm the new password. Click OK.
Ensure that the guest account cannot be used over the network. The guest account shouldn't be accessible from other computers. If it is, users at another computer could log on over the network as a guest. To prevent this, start the Local Security Policy tool in the Administrative Tools menu, or type secpol.msc at the command prompt. Then under Local Policies\User Rights Assignment, ensure the Deny Access To This Computer From The Network policy lists Guest as a restricted account.
Prevent the guest account from shutting down the computer. When a computer is shutting down or starting up, there is a possibility that a guest user (or anyone with local access) might be able to gain unauthorized access to the computer. To help deter this, you should ensure the guest account doesn't have the Shut Down The System user right. In the Local Security Policy tool, expand Local Policies\User Rights Assignment and ensure the Shut Down The System policy doesn't list the Guest account.
Prevent the guest account from viewing event logs. To help maintain the security of the system, the guest account shouldn't be allowed to view the event logs. To ensure this is the case, start Registry Editor by typing regedit at an elevated command prompt and then access the HKLM\SYSTEM\CurrentControlSet\Services\Eventlog key. Here you'll find three subkeys: Application, Security, and System. Make sure each of these subkeys has a DWORD value named RestrictGuestAccess with a value of 1.
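The tasks above are the kind of thing that drifts over time, so it helps to be able to verify them rather than re-read the dialogs. The following is an added example, not code from the book: a read-only audit of the guest account state, the two user rights, and the RestrictGuestAccess values, using secedit.exe to export the user rights assignment and the WinNT ADSI provider to read the account. It assumes Windows PowerShell 2.0 or later at an elevated prompt (secedit requires it) and changes nothing.

```powershell
# Added example, not from the book: audit the guest-account hardening steps above.
# Assumes Windows PowerShell 2.0 or later at an elevated prompt. Reports only.

$ADS_UF_ACCOUNTDISABLE = 0x0002
$GuestsGroupSid = 'S-1-5-32-546'   # well-known SID of the built-in Guests group

function Get-GuestSid {
    # The Guest account's SID is the computer SID with RID 501; read it rather than guess it.
    $guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
    (New-Object System.Security.Principal.SecurityIdentifier($guest.Get('objectSid'), 0)).Value
}

function Get-UserRightHolders {
    # Export the local user rights assignment with secedit and return the SIDs holding
    # one right. Export lines look like:  SeDenyNetworkLogonRight = *S-1-5-21-...-501
    param([Parameter(Mandatory=$true)][string]$Right)
    $cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match "^\s*$Right\s*=" }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    return @($holders | Where-Object { $_ -ne '' })
}

function Test-GuestHardening {
    $guest    = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
    $disabled = (([int]$guest.Get('UserFlags')) -band $ADS_UF_ACCOUNTDISABLE) -ne 0
    $guestIds = @((Get-GuestSid), $GuestsGroupSid)   # either the account or its group may be listed
    $denyNet  = Get-UserRightHolders 'SeDenyNetworkLogonRight'   # Deny Access To This Computer From The Network
    $shutdown = Get-UserRightHolders 'SeShutdownPrivilege'       # Shut Down The System

    $results = @()
    $results += New-Object PSObject -Property @{
        Check = 'Guest account disabled (if enabled on purpose, confirm a password is set)'
        Pass  = $disabled
    }
    $results += New-Object PSObject -Property @{
        Check = 'Guest denied access to this computer from the network'
        Pass  = [bool]($guestIds | Where-Object { $denyNet -contains $_ })
    }
    $results += New-Object PSObject -Property @{
        Check = 'Guest does not hold Shut Down The System'
        Pass  = -not [bool]($guestIds | Where-Object { $shutdown -contains $_ })
    }
    foreach ($log in 'Application', 'Security', 'System') {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$log"
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RestrictGuestAccess
        $results += New-Object PSObject -Property @{
            Check = "RestrictGuestAccess = 1 on the $log log"
            Pass  = ($value -eq 1)
        }
    }
    return $results
}

Test-GuestHardening | Format-Table Check, Pass -AutoSize
```

A failed row points back to the corresponding task above; the script deliberately stops at reporting so that each fix is made through the tool the text describes.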
Renaming Local User Accounts and Groups
When you rename an account, you give it a new label. Because the SID for the account remains the same, the permissions and properties associated with the account don't change. To rename an account, complete the following steps:
In Local Users And Groups, select the Users or Groups folder as appropriate.
Right-click the account name and then select Rename. Type the new account name and then click a different entry.
Deleting Local User Accounts and Groups
Deleting an account permanently removes it. Once you delete an account, you can't create another account with the same name to automatically get the same permissions because the SID for the new account won't match the SID for the old account.
Because deleting built-in accounts can have far-reaching effects on the workstation, Windows Vista doesn't let you delete built-in user accounts or group accounts. You can remove other types of accounts by selecting them and pressing the Del key or by right-clicking and selecting Delete. When prompted, click Yes.
Note
When you delete a user account using Local Users And Groups, Windows Vista doesn't delete the user's profile, personal files, or home directory. If you want to delete these files and directories, you'll have to do it manually. See the "Removing Accounts and Denying Local Access to Workstations" section in this chapter.
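The point about the SID in the two sections above can be observed directly. The following is an added example, not code from the book: it creates a throwaway local account, renames it, confirms the SID is unchanged, then deletes and recreates it under the same name and confirms the SID is different. It uses the WinNT ADSI provider, assumes Windows PowerShell 2.0 or later at an elevated prompt, and the account names are constructed and removed at the end.

```powershell
# Added example, not from the book: show that a rename keeps an account's SID while
# delete-and-recreate yields a new one. Assumes Windows PowerShell 2.0 or later,
# elevated. The throwaway account names are constructed and cleaned up at the end.

function Get-LocalAccountSid {
    param([Parameter(Mandatory=$true)][string]$Name,
          [string]$Class = 'user',
          [string]$ComputerName = $env:COMPUTERNAME)
    $obj = [ADSI]"WinNT://$ComputerName/$Name,$Class"
    (New-Object System.Security.Principal.SecurityIdentifier($obj.Get('objectSid'), 0)).Value
}

function Rename-LocalAccount {
    # DirectoryEntry.Rename relabels the same object; the SID is untouched.
    param([Parameter(Mandatory=$true)][string]$Name,
          [Parameter(Mandatory=$true)][string]$NewName,
          [string]$Class = 'user',
          [string]$ComputerName = $env:COMPUTERNAME)
    $obj = [ADSI]"WinNT://$ComputerName/$Name,$Class"
    $obj.psbase.Rename($NewName)
}

function Remove-LocalAccount {
    # Built-in accounts are refused here just as they are in Local Users And Groups.
    param([Parameter(Mandatory=$true)][string]$Name,
          [string]$Class = 'user',
          [string]$ComputerName = $env:COMPUTERNAME)
    $computer = [ADSI]"WinNT://$ComputerName"
    $computer.Delete($Class, $Name)
}

function New-ThrowawayUser {
    param([string]$Name, [string]$Password)
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $u = $computer.Create('User', $Name)
    $u.SetPassword($Password)
    $u.SetInfo()
}

# Usage (constructed names): the password is prompted for and reused for both creations.
$pw = Read-Host 'Temporary password for the test accounts'
New-ThrowawayUser -Name 'sidtest01' -Password $pw
$before = Get-LocalAccountSid 'sidtest01'
Rename-LocalAccount -Name 'sidtest01' -NewName 'sidtest02'
$afterRename = Get-LocalAccountSid 'sidtest02'
"Rename keeps the SID: $($before -eq $afterRename)"          # expected: True

Remove-LocalAccount -Name 'sidtest02'
New-ThrowawayUser -Name 'sidtest02' -Password $pw
$recreated = Get-LocalAccountSid 'sidtest02'
"Recreated account has the old SID: $($recreated -eq $before)"   # expected: False
Remove-LocalAccount -Name 'sidtest02'
```

This is why permissions granted to a deleted account show up as an unresolved SID afterwards, and why a recreated account with the same name does not inherit them.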
Managing Remote Access to Workstations
Windows Vista has several remote connectivity features. With Remote Assistance, invitations can be sent to support technicians, enabling them to service a computer remotely. With Remote Desktop, users can connect remotely to a computer and access its resources. In this section, you learn how to configure Remote Assistance and Remote Desktop. By default, neither the Remote Assistance feature nor the Remote Desktop feature is enabled. You must enable these features manually.
In Windows Vista, Remote Assistance and Remote Desktop have been enhanced so that they are faster, use less bandwidth, and can function through Network Address Translation (NAT) firewalls. Remote Assistance also has built-in diagnostic tools. To allow for easier troubleshooting and escalation of support issues, two different support staff can connect to a remote computer simultaneously. When troubleshooting requires restarting the computer, Remote Assistance sessions are reestablished automatically after the computer being diagnosed reboots.
Configuring Remote Assistance
Remote Assistance is a useful feature for help desks, whether in-house or outsourced. A user can allow support personnel to both view and take control of his or her desktop. This feature can be used to walk users through a complex process or to manage system settings while they watch the progress of the changes. The key to Remote Assistance is in the access levels you grant.
By default, when enabled, Remote Assistance is configured to enable support personnel to view and control computers. Because users can send assistance invitations to internal and external resources, this could present a security concern for organizations. To reduce potential security problems, you might want to allow support staff to view but not control computers. A new restriction for Windows Vista is to allow only connections from computers running Windows Vista or later. This option is helpful to limit any possible compatibility issues and ensure any security enhancements in Windows Vista or later operating systems are available within Remote Assistance sessions.
Another key aspect of Remote Assistance you can control is the time limit for invitations. The default maximum time limit is 8 hours; the absolute maximum time limit you can assign is 30 days. Although the intent of a multiple-day invitation is to give support personnel a time window in which to respond to requests, it also means that they could use an invitation to access a computer over a period of 30 days. For instance, suppose you send an invitation with a 30-day time limit to a support person who resolves the problem the first day. That person would then still have access to the computer for another 29 days, which wouldn't be desirable for security reasons. To reduce the risk to your systems, you'll usually want to reduce the default maximum time limit considerably—say, to 1 hour. If the problem were not solved in the allotted time period, you could issue another invitation.
To configure Remote Assistance, follow these steps:
In Control Panel, click System And Maintenance and then click System.
On the System page, click Remote Settings in the left pane. This opens the System Properties dialog box to the Remote tab, as shown in Figure 6-8.
Figure 6-8: Use the Remote tab options to configure remote access to the computer.
To disable Remote Assistance, clear the Remote Assistance Invitations Can Be Sent From This Computer check box, and then click OK. Skip the remaining steps.
To enable Remote Assistance, select Remote Assistance Invitations Can Be Sent From This Computer. If you want users to be able to receive Remote Assistance offers from instant messaging contacts, select the Users On This Computer Can Be Offered Remote Assistance check box.
Click Advanced. This displays the Remote Assistance Settings dialog box, shown in Figure 6-9.
Figure 6-9: The Remote Assistance Settings dialog box is used to set limits for Remote Assistance.
The Allow This Computer To Be Controlled Remotely option sets limits for Remote Assistance. When selected, this setting allows assistants to view and control the computer. To provide view-only access to the computer, clear this check box.
The Invitations options control the maximum time window for invitations. You can set a value in minutes, hours, or days, up to a maximum of 30 days. If you set a maximum limit value of 10 days, for example, a user can create an invitation with a time limit up to but not more than 10 days. The default maximum expiration limit is 6 hours.
Click OK twice when you are finished configuring Remote Assistance options.
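The two settings the text singles out as risks, full control and a long invitation window, are easy to check across many workstations without opening the dialog. The following is an added example, not code from the book: it reads the Remote Assistance and Remote Desktop settings and flags an invitation limit longer than the 1 hour recommended above. It assumes Windows PowerShell 2.0 or later; the registry key and value names for Remote Assistance are my assumption about where the dialog stores its settings, and the fall-back values used when a value is absent are constructed.

```powershell
# Added example, not from the book: report the Remote Assistance posture the dialog
# controls. Read-only. Assumes Windows PowerShell 2.0 or later. The Remote Assistance
# key and value names are assumed; fall-back values are constructed.

$RemoteAssistanceKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'   # assumed
$TerminalServerKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RemoteAccessPosture {
    param([int]$RecommendedMaxMinutes = 60)   # the 1-hour ceiling suggested above
    $ra = Get-ItemProperty -Path $RemoteAssistanceKey -ErrorAction SilentlyContinue
    $ts = Get-ItemProperty -Path $TerminalServerKey   -ErrorAction SilentlyContinue

    $enabled = ($ra.fAllowToGetHelp -eq 1)     # Remote Assistance Invitations Can Be Sent From This Computer
    $control = ($ra.fAllowFullControl -eq 1)   # Allow This Computer To Be Controlled Remotely
    $expiry  = if ($ra.MaxTicketExpiry -ne $null) { [int]$ra.MaxTicketExpiry } else { 6 }
    $units   = if ($ra.MaxTicketExpiryUnits -ne $null) { [int]$ra.MaxTicketExpiryUnits } else { 1 }
    # Assumed unit encoding: 0 = minutes, 1 = hours, 2 = days.
    $minutes = switch ($units) {
        0       { $expiry }
        1       { $expiry * 60 }
        2       { $expiry * 1440 }
        default { $expiry * 60 }
    }

    New-Object PSObject -Property @{
        RemoteAssistanceEnabled = $enabled
        FullControlAllowed      = $control
        MaxInvitationMinutes    = $minutes
        InvitationLimitTooLong  = ($enabled -and $minutes -gt $RecommendedMaxMinutes)
        RemoteDesktopEnabled    = ($ts.fDenyTSConnections -eq 0)   # 1 means connections are denied
    }
}

Get-RemoteAccessPosture | Format-List RemoteAssistanceEnabled, FullControlAllowed, `
    MaxInvitationMinutes, InvitationLimitTooLong, RemoteDesktopEnabled
```

Where Group Policy manages Remote Assistance, the policy setting wins over what this reports from the local dialog's storage, so compare against the resulting policy as well.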
Configuring Remote Desktop Access
Unlike Remote Assistance, which provides a view of the current user's desktop, Remote Desktop provides several levels of access:
If a user is currently logged on to the desktop locally and then tries to log on remotely, the local desktop locks automatically and the user can access all of the currently running applications just as if he or she were sitting at the keyboard. This feature is useful for users who want to work from home or other locations outside the office, enabling them to continue to work on applications and documents that they might have been using prior to leaving the office.
If a user is listed on the workstation's Remote Access list and is not otherwise logged on, he or she can initiate a new Windows session. The Windows session behaves just as if the user were sitting at the keyboard. It can even be used when other users are also logged on to the computer. In this way, multiple users can share a single workstation and use its resources.