Users, Groups, and Offline Files

From Proprofs


Users, Groups, and Offline Files in Windows XP

Microsoft has been criticized in the past for not making security a key feature in Windows, especially for the consumer versions that it has released. In response, Windows XP was released with security features in mind. One key element of Windows XP is that it is based on the Windows NT architecture, meaning that local security is a main priority and that access to different operating system functions is dictated by the level of security afforded to particular users and groups.


The Local Security Database

Every Windows XP computer is equipped with a complex data structure known as the local security database. The database stores all of the user accounts and security groups in Windows XP for use in login and access functions. The database may be accessed upon signing into Windows, for example, or attempting to access a file on an NTFS partition.


Users

The functional unit for security and access control in Windows XP, as in many other operating systems, is the individual user account. A user relates to a single account that is given specific parameters and means of access. A user may correspond to a person – for example, JShin may correspond to the account for “Justin Shin.” Alternatively, a user account may correspond to a logical user, such as TS_Internet_User to describe the user who accesses a PC over the Internet. Local users are stored in the local security database. However, domain users are stored on the domain controller or the server designated to store security accounts on the domain. For the 70-270 exam, you will not be expected to know much on the subject of domain accounts, but simply understand that in order to log on to a Windows XP computer using a domain account, you must be a member of the domain and have a “mirror” local account tied to the domain. For instance, if a user BSmith logged onto the domain Sales, his local login may be \\Sales\BSmith.


User Properties

Through the Local Users and Groups management console found on the Computer Management MMC snap-in, an administrator can configure user properties and even create new users. The properties for users are as follows:


  • Full Name and Description: Gives you an opportunity to input a more descriptive name and function of an account. For example, PDoe may point to “Patrick Doe.”
  • User must change password at next login: The next time the user logs on, he must change his password to one of his choice that meets the password policy
  • User cannot change password: The user cannot change his/her own password
  • Password never expires: Bypasses the password policy to allow for the password to exist indefinitely
  • Account is disabled: The account exists, but is inactive
  • Account is locked out: After a certain number of failed attempts to log in, Windows XP will lock out the user for a specified duration of time as mandated in the password policy. Use this to forcibly lock an account out or to unlock a locked account


User Password Policy

Password policy falls under the umbrella of account policy, which shall be discussed more extensively in our lesson on security. Basically, Windows XP allows administrators to set guidelines as to how passwords may be created and how long they may exist. Here are some policy options available to the budding administrator:


  • Minimum password age/Maximum password age: Dictate how long (in days) a password must exist before a user can change it, and the maximum number of days that a password may exist
  • Minimum password length: Enforce a minimum string length for passwords
  • Password must meet complexity requirements: Windows XP defines “complexity” as follows:
    • User’s account name cannot be in password
    • Minimum of 6 characters
    • Must contain uppercase, lowercase, numeric, and symbolic characters (all)
  • Enforce password history: If this option is not set to 1, the password history options (age options) will not be in effect
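
The age, length, history and lockout settings above can be read back on a machine with the `net accounts` command. The following Python example is added here and is not part of the original article: it parses a constructed sample of that command's English output and reports which controls are switched off (the sample values and the function names are assumptions). Password complexity is not part of that output, so it is not checked.

```python
import re

# Constructed sample modelled on English `net accounts` output; values are made up.
SAMPLE = """\
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

OFF_WORDS = {"never", "none", "unlimited"}  # printed when a limit is not set

# Settings from the policy list above, and what it means when each is off.
CHECKS = [
    ("Minimum password length", "blank passwords are accepted"),
    ("Maximum password age (days)", "passwords never expire"),
    ("Minimum password age (days)", "a password can be changed again at once"),
    ("Length of password history maintained", "old passwords can be reused"),
    ("Lockout threshold", "failed logons never lock the account"),
]

def parse_net_accounts(text):
    """Map each 'label:   value' line to an int, or None when the limit is off."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s{2,}(\S.*)$", line)
        if not m:
            continue  # status line such as "The command completed successfully."
        label, value = m.group(1), m.group(2).strip()
        if value.isdigit():
            settings[label] = int(value)
        elif value.lower() in OFF_WORDS:
            settings[label] = None
    return settings

def audit(text):
    """Return (label, finding) pairs for controls that are off or not reported."""
    settings = parse_net_accounts(text)
    findings = []
    for label, meaning in CHECKS:
        if label not in settings:
            findings.append((label, "not reported in this output"))
        elif not settings[label]:  # None or 0 both mean "not enforced"
            findings.append((label, meaning))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```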


Groups

As you can imagine, there is sometimes a need to configure security policy for certain groupings of users. To this end, Windows XP allows Groups to be created and configured in the local security database. Groups make administration easier and security policy more convenient to adjust. Although you can add your own groups, XP includes these built-in groups:

  • Administrators: This group has total administrative control over the PC and can make system-wide changes without reservation
  • Power Users: Are able to create new accounts, but cannot change or delete accounts. In addition, Power Users can remove users from the Users and Power Users groups
  • Users: Are restricted in access and generally cannot make system-wide changes, create new accounts, or delete existing ones. However, users can create new groups.
  • Guests: By default, have the same permissions as Users. This group is disabled by default
  • Remote Desktop Users: Can log on remotely and use the desktop
  • Backup Operators: Are permitted to log on only to back up files without regard to file permissions; an emergency group


Identities

Identities are similar to groups in that they consist of several users, but unlike groups, users are not assigned to identities. Identities are fundamental ideas of accounts, such as:


  • Everyone: Every account, including Guests, attempting to access
  • Interactive: Connected via remote desktop (interactive remote logon)
  • Network: Connected via Windows networking
  • Authenticated: Users with accounts that have been authenticated (have logged on)
  • Anonymous Logon: Connected without logon


Offline Files

Again, we shift gears to a different area of Windows XP: Offline Files. We will briefly look at the concept of offline files and how they work in XP. An offline file is a file normally available over the network that is made available offline by caching network share contents. To make a file available offline, open the properties dialogue for the shared folder and enable the “Allow caching of files in this shared folder” option. Then, select from the three choices in the dialogue box:


  • Manual caching of documents: Allows the user to manually configure and select which files and folders are cached as offline files
  • Automatic caching of documents: Every opened file will be cached
  • Automatic caching of programs and documents: Read-only program files as well as documents will be cached


Offline File Configuration

To configure the way that offline files actually work, go to Folder Options and click on the Offline Files tab. From this menu, you can choose to enable offline files and configure the various options, including:

  • Enable offline files: Controls whether offline files can be used at all
  • Synchronize before logging on/off: Windows XP will synchronize your offline file cache to match the latest version before logon/logoff
  • Encrypt offline files: Use NTFS encryption to ensure data integrity
  • Disk space: XP allows you to configure the amount of disk space that the offline files feature will utilize; the recommended setting is usually adequate.


Moving Forward

In our next lesson, we will take a look at performance monitoring and optimization in Windows XP. For now, however, let’s take a moment to review what we have learned about users, groups, and offline files in Windows XP.


Quick Review

1. Which of the following is true concerning domain user accounts?


a. To log in to a domain user account, a corresponding local account is required

b. Domain user accounts are stored in the local security database

c. Domain user accounts require domain-level groups

d. Local NTFS permissions do not apply to domain users

e. Domain user accounts require more permissions for use than local user accounts


2. Which of the following groups may create new user accounts and add them to the Power Users, Users, and Guests groups?


a. Administrators only

b. Power users only

c. Administrators and power users

d. Power users and Users

e. Users only


3. You cannot synchronize offline files for some reason. You notice that the error reads that there is not enough space to synchronize. Your hard disk has 200 GB of free space. Which of the following solutions would be best applied?


a. Go to folder options, choose the offline files tab, and increase disk space for offline files

b. Place the offline files folder on a separate volume with a variable-length size

c. Enable RAID and disk mirroring so that two local copies are kept

d. Go to properties for the folder and enable NTFS compression on the offline file folder

e. Go to properties for the folder and enable NTFS encryption on the offline file folder

Answers

1. Even if you choose to log on to a domain, you still need a local account that corresponds to the domain account. The answer is A.

2. Obviously, administrators can do anything. The question is if power users can perform the tasks as well. Power users are able to create new accounts but cannot modify or delete existing ones. Furthermore, power users can add users to groups that are at or below their permission level. Since they can create accounts, the answer is C.

3. Since you have a lot of free space available, the best idea would be to increase the quota reserved for offline files on the drive. Note that although D would help, A makes more sense here as there is a large amount of available free space. The answer is A.

Copyright © 2005-2010 ProProfs.com