Make your own free website on

Workstation Admin
Home Up MCSE,MCP, Certification training resources







Admin Basics

   Managing Resources

   You will be required to manage the resources of your companies computer systems. This includes creating and deleting users and groups. You should know how to set permissions on resources and to insure a proper security model is in place.

User Accounts

   Creating user accounts and groups are accomplished through the User Manager for Domains. There are several built in accounts you should be familiar with. There are two types of groups local and global. groups. Local groups are only pertinent on the local domain while global groups can span multiple domains. A user can belong to multiple groups at the same time

Built in Groups on Domain Controllers

Group Name Group Type Function
Administrators Local Full administrative rights over the local machine
Backup Operators Local Has permissions to back up and restore resources on domain controllers in the domain.
Guests Local Has no permissions assigned. Default is disabled.
Replicator Local Has permissions to replicate the user database to other domain controllers
Users Local This group has no default permissions. You must assign permissions
Account Operators Local Manage user accounts
Printer operators Local Manage Printers
Server Operators Local All permissions of back up operators plus can create shares.
Domain Admins Global Is by default placed in the local admin group and contains the Built in Administrator  User Account
Domain Users Global Default placed in Local Users
Domain Guests Global No Permissions

Passwords - You can specify that a  user's password follow certain rules including how old it can be, a minimum length, and uniqueness ( so a user can't just use the same password over and over). You can also set an account lockout after a user enters the incorrect password a certain number of times. This will help you keep hackers out of your system attempting to use brut force methods.

Auditing - Auditing is enabled through User Manager for Domains. You can then view it in the Event Viewer. The default for all accounts is do not audit. the events you can audit are included below:

Event Function
Logon/ Logoff Records when a user logon, logoff, or access over the network.   
File Access Access to a file or folder.
Use of User Rights When an assigned user right is performed.
User and Group Management When an account or group is changed or deleted, or a user account is disabled/enabled or a password is changed.
Security Policy Changes When the security policies, audit features, or trust relationships are changed.
Shutdown or Restart When a user re-boots or shutdown a system.
Process Tracking When a program is activated or tries to access an object.

User Policies

   You may want to implement a user domain wide policy. You do this by creating the profile and then placing it in the WinNT\System32\Repl\Export\Scripts\default user directory on the PDC

You can also create roaming profiles by specifying the location of the profile on a Domain Controller and configuring the user account(Through User Manager for Domains) to access it when they log on.

To create a mandatory profile, create the profile and assign it to the user just like roaming. And change the name from NTuser.dat to

Policies are applied to users in a predetermined manner and you should be familiar with it for the exam. The order is Individual User Policy => Group Policy => Default User Policy. 


Security Levels

  1. Full Control - Is assigned by default. User has permission to manage all attributes of folder.

  2. Change - User has rights to change, modify, create or delete files, and all rights assigned by the read level.

  3. Read - User can read, open files, and execute programs.

  4. No access - User can see files and folders in directory but can not access the files. If a no access is assigned to a user then that takes precedence over any other permissions that may be assigned to that user from other groups. No Access means No Access.

Permissions - are cumulative, but when accessing locally the least restrictive takes precedence and when accessing remotely the most restrictive takes precedence. No Access is the only exception.

Levels of share security

  1.     File Level Security - Can only be implemented on an NTFS partition. All folders inherit the permissions from the parent folder unless an individual file permission is set. This is enabled by right clicking the file-> selecting sharing -> and specifying the permission on the security tab of the properties.

  2.     Share Level security - Is enabled on the sharing tab of the properties. Only works to restrict access over the network. Any local access has full control.

Moving and Copying in partitions

    I had a lot of trouble understanding the difference between moving across a partition and copying.

    If you move within a partition you just update the pointers to the file so the file will retain it's original permissions.

    If you copy within a partition then you create a new file so the file inherits the permissions of the target folder.

    Moving to another partition creates a new file, so the file inherits the permissions from the target folder.