Even if you are leveraging Active Directory, you still need to understand how local users and groups work. Local users and groups provide a key role not only for maintenance but also for central administration.
In this section, you will see how to manage local users and groups on both Windows Server 2008 R2 full server installations and Server Core installations. You will also learn the default local users/groups and the default settings on these servers and how those settings impact your infrastructure.
1. Learn Default Local Users and Groups
Whether you are working with a Windows Server 2008 R2 full installation or with Server Core, managing local groups offers some great similarities. Starting with the default installations, both systems have the same default users and groups installed.
On your Windows Server 2008 R2 server, by default you have two user accounts that are created, Administrator and Guest.
Administrator is the default built-in account for administering the local machine. The Administrator account is by default the only account that is enabled.
Guest is the default built-in account for guest access to the system; however, the account is disabled by default.
Table 1 describes several other groups installed by default that you need to know.
Table 1. Default Local Groups
| Group | Definition and Usage |
|---|---|
| Administrators | This group has unrestricted access to the local computer. This account is the main account to accomplish any task on a server. By default, the Administrator account is the only member of this group. |
| Backup Operators | This group, as the name suggests, is designed for the backup and restoration of files on the server. |
| Certificate Service DCOM Access | This group is allowed to connect to certificate authorities for enrollment in your preferred Public Key Infrastructure. |
| Cryptographic Operators | This group is allowed and authorized to perform cryptography operations on your server. These settings include the crypto settings in the IPsec policy of the Windows Firewall, among other settings. |
| Distributed COM Users | This group can activate and launch DCOM objects on the server. DCOM objects are used for communication between applications. |
| Event Log Readers | This group can work with and read the local event logs on the server. |
| Guests | Users of this group by default have the same access as the Users group, except for the Guest account, which is further restricted. By default, the only account in this group is the disabled Guest account. |
| IIS_IUSRS | This is the default group account for use with Internet Information Services. |
| Network Configuration Operators | Users in this group have some administrative privileges over managing the configuration of networking features on the server. |
| Performance Log Users | This group allows its users to schedule the logging of performance counters, enable trace providers, and collect event traces for the local server. The tasks can be performed locally or remotely. |
| Performance Monitor Users | This group can access the local performance counter data either locally or through remote administration. |
| Power Users | This group has limited administrative capabilities on the system and is primarily included for backward compatibility with previous operating systems. |
| Print Operators | These users can work with and administer printers on the local server system. |
| Remote Desktop Users | Users in this group are given the right to log on remotely to the server. |
| Replicator | This group is designed for file replication. |
| Users | Members have limited administrative access to the system, which prevents them from inadvertently making system-wide changes; however, users in this group can run and access most applications. |
Placing user accounts in these local groups will grant those users access to the proper permissions and responsibilities for the groups. The basic concept behind using groups allows you to assign permissions just once to the group, thus granting permissions to all the members in the group. This offers an easy way for you to delegate administration for your server. For example, if you want to have a user perform a daily backup of your server, you would simply need to add them to the Backup Operators group, and they would be granted the necessary rights to perform backup and restore operations.
2. Administer Local Users and Groups
Managing local users and groups on your server is just a matter of loading the correct snap-in for the Microsoft Management Console (MMC). You can manage either a Windows Server 2008 R2 full server installation or a Server Core installation. However, if you want to manage the local users and groups on your Server Core installation with the MMC, you will need to do that remotely. There are system commands allowing you to manage Server Core locally, and you will see those commands later in this section. You can manage accounts from the Control Panel, but the snap-in gives you a more thorough look at the users. You will see the local users and group management tools for both a full server and Server Core installation in the following steps.
1. Select Start => Run, type in MMC, and hit Enter. This loads a blank MMC, as shown in Figure 1.
2. To perform work in any blank MMC, you need to load the appropriate snap-in. To load snap-ins, select File => Add/Remove Snap-In. This will load the Add Or Remove Snap-Ins dialog box, as pictured in Figure 2.
3. To manage your local users and groups, select the Local Users And Groups snap-in, and click the Add button. This will open the Choose Target Machine dialog box, as pictured in Figure 3.
4. In the Choose Target Machine dialog box, you can either select the local computer to manage the users on the machine you're running the console from or select the Another Computer radio button and enter either the IP address or the name of the computer you want to manage. This option will allow you to manage the local users and groups on a remote server such as Server Core, if you have the appropriate permissions. After you make your selection, click Finish to return to the Add Or Remove Snap-Ins dialog box.
5. In the Add Or Remove Snap-Ins dialog box, click OK to load the snap-in into your MMC. Figure 4 shows a Local Users And Groups MMC.
6. After you have loaded your snap-ins into the MMC, you can save your customized MMC for future use. To do so, select File => Save.
After you have loaded the MMC to manage local users and groups, you can easily work with your users and groups. Creating user IDs and groups, changing passwords, or other properties can all be easily done with the interface.
2.1. Create a Local User Account
When you create a local user account, you are granting the account access to the local server, which is a straightforward process:
1. Inside the Local Users And Groups MMC you created in the previous procedure, right-click the Users container.
2. Select New User, which will display the New User dialog box, as shown in Figure 5.
3. Type in the username, full name, and optional description, as well as the password. The password by default must follow the password complexity requirements listed in the "Default Password Requirements" sidebar. Additionally, you can mark the account disabled, if you know the account will not be in use for a period of time. You also have the following options regarding the setting of the initial password:
   User Must Change Password At Next Log On: This is the default setting, and you should consider keeping this check box enabled when you create a new user account. The only time you should clear this check box is when the account you are creating will be a service account for an application. This setting allows the user to set their own personal password when they log on to the system the first time. All you need to do as the administrator is set an initial temporary password for the user. You may want to know the passwords for your users in case a user leaves the company or is on vacation. In reality, as long as you know the administrator password, you have the administrative right to reset a password temporarily and gain access into an account. Although it is good to have this ability, you should exercise it with caution and only when the situation warrants it.
   User Cannot Change Password: By default this setting is grayed out and becomes available only when you clear the User Must Change Password At Next Log On setting, mentioned previously. This allows you to make sure the password for the account does not change. This is also good for service accounts for applications loaded on your server. This setting will also bypass any local machine password account policy.
   Password Never Expires: By default this setting is also grayed out, and like the previous setting, it becomes available only when the User Must Change Password At Next Log On setting is cleared. The setting, as the name implies, locks down the password. This setting also will bypass any local machine password policy.
4. After you fill out the form, click Create to create the account. If your password does not meet the requirements for password complexity, you will see the screen in Figure 6.
Default Password Requirements
The default password requirements are the same for both the local user accounts and the Active Directory user accounts. The default password requirements for a Windows Server 2008 R2 server are as follows:
- Cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Must be at least six characters in length
- Must contain characters from three of the following four categories:
  - English uppercase characters (A–Z)
  - English lowercase characters (a–z)
  - Base 10 digits (0–9)
  - Nonalphabetic characters (for example !, $, #, %)
5. If you have no more local user accounts to create, click Close. Otherwise, repeat steps 3 and 4 to continue creating local accounts on your server.
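As an added example (not the book's code), the following PowerShell function checks a candidate password against the three rules quoted in the "Default Password Requirements" sidebar before the password is typed into the New User dialog or a net user command; the function name and the delimiter set used to split the full name into fragments are my own assumptions.

```powershell
# Added example, not from the book: apply the sidebar's default password rules.
function Test-DefaultPasswordRequirements {
    param(
        [Parameter(Mandatory=$true)][string]$Password,
        [Parameter(Mandatory=$true)][string]$AccountName,
        [string]$FullName = ''
    )
    $failures = @()
    $lower = $Password.ToLower()

    # Rule 1: no account name, and no fragment of the full name longer than
    # two characters. Assumption: fragments are split on space, comma,
    # period, dash, underscore, # and tab; comparison is case-insensitive.
    if ($lower.Contains($AccountName.ToLower())) {
        $failures += 'contains the account name'
    }
    foreach ($part in ($FullName -split '[ ,.\-_#\t]+')) {
        if ($part.Length -gt 2 -and $lower.Contains($part.ToLower())) {
            $failures += "contains part of the full name ('$part')"
        }
    }

    # Rule 2: at least six characters (the minimum the sidebar states).
    if ($Password.Length -lt 6) { $failures += 'shorter than six characters' }

    # Rule 3: characters from at least three of the four categories.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }  # English uppercase
    if ($Password -cmatch '[a-z]')        { $categories++ }  # English lowercase
    if ($Password -match  '[0-9]')        { $categories++ }  # base 10 digits
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }  # nonalphabetic
    if ($categories -lt 3) { $failures += "only $categories of 4 character categories" }

    New-Object PSObject -Property @{
        Password  = $Password
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures
    }
}

# Constructed sample inputs: the first passes, the others fail.
Test-DefaultPasswordRequirements -Password 'pass@word1' -AccountName 'Harold' -FullName 'Harold Finch'
Test-DefaultPasswordRequirements -Password 'finch99'    -AccountName 'Harold' -FullName 'Harold Finch'
Test-DefaultPasswordRequirements -Password 'abc'        -AccountName 'Harold' -FullName 'Harold Finch'
```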
2.2. Create a Local Group
After you create your user accounts, you will most likely want to create groups to add your users to. Groups, as you may know, are used to grant permissions generally to files or printers located on the Windows Server 2008 R2 server. These local groups can be granted rights and permissions to resources only on the local server.
1. Inside the Local Users And Groups MMC you created earlier, right-click the Groups container.
2. Select New Group, which will display the New Group dialog box, as shown in Figure 7.
3. Type in the name of the new group and a description. To immediately add members to your group, click the Add button on the bottom of the screen. Clicking the Add button displays the Select Users dialog box, as shown in Figure 8.
4. To add users, you can type them in the name text box. To verify the spelling of the user names you want to add, you can click Check Names, which will verify the usernames for you. You can also click the Advanced button, which will expand the dialog box to allow you to list all the user accounts on the system. This dialog box has a Find Now option to allow you to quickly list all the users on the system. If you click Find Now, you will see a screen similar to Figure 9.
5. After you click Find Now, you will see a list of users on the system, as well as local system user and group accounts. Select the user or users you want to be in your group. To select multiple users, you can hold down the Ctrl key on your keyboard as you click. You could also select a list by using the Shift key. If you click the top item of your list, hold down the Shift key, and click the bottom item on your list, you will select all the items between and including your top and bottom selection.
You may notice that when you were adding users to your group, you had several more accounts and groups that you did not create. These are special identity groups, and you cannot control the membership of these groups. Your users become members of these groups through the course of actions they perform on your servers or how they access servers, and the membership to these groups is temporary and normally changes given how the user will work with the system. System groups can be used to help set permissions based on how users access or interact with the server. Table 2 lists a few of the system groups you may encounter as you work with the server.
The groups that are not listed in the table are normally system groups that are reserved for the use of the operating system and the services running on your Windows Server 2008 R2 server. In particular, you need to pay close attention to one special identity account, the SYSTEM account. The SYSTEM account represents the Windows Server 2008 R2 operating system. As you work with the files on your server and the user rights, you may encounter the SYSTEM account, and you should leave this account unmodified. If you make a change to the permissions or rights the SYSTEM account has on your server, you could disable your server, which may result in you reinstalling the operating system.
Table 2. Special Identity Groups
| Group | Description |
|---|---|
| Anonymous Logon | This represents users who access the system without using credentials of any kind. |
| Authenticated Users | Users are automatically placed in this group when they log on locally to the system. Leveraging this group is a great way to make sure only valid, authenticated users can gain access to resources. |
| Creator Owner | When a user creates an object, such as a file or folder on the server, they are put into the Creator Owner group for that object. Generally speaking, the Creator Owner user has full control over the created object. |
| Dialup | When a user connects to the server via a dial-up connection, such as a remote VPN connection, they are added to this group. |
| Everyone | Everyone is a member of this group regardless of how they access the server. |
| Interactive | When a user logs on locally to the server (in other words, they have physical access to the server and log on physically to the server), users are placed in this group. |
| Network | When a user accesses the server remotely over a network connection, such as when they connect to a file share, they are placed in this group. |
| Remote Interactive Logon | When a user accesses the server remotely with a local user ID and actively logs on to the system to perform remote tasks, such as when an administrator logs on to the server from a remote workstation, they are placed in this group. |
| System | This is the account group ID used by the Windows Server 2008 R2 operating system. |
| Terminal Server User | When users access the server using Remote Desktop Services, they are automatically placed in this group. |
2.3. Manage Your Local Users and Groups
After you are done creating your user groups, you will need to maintain and manage the local accounts. To begin managing local groups, just right-click the user or group you want to manage. They share some common tasks. When you right-click a user or group, you can delete, rename, open help, or view the unique properties for the object.
When you right-click the user, you can set a new password for the user. The only time you should set the password for an existing account is if the user has forgotten or lost their password. The user will lose access to information such as encrypted files, stored Internet passwords (although the user can re-create these with the new password), email that is encrypted with the user's public key, and any stored certificates (again, new certificates can be issued to still grant access). The potential risk here is losing data in files that have been encrypted by the Encrypting File System (EFS). If you have backed up your recovery keys, you will be able to retrieve data; however, if there is no backup of the keys, you will not be able to access the data.
When you right-click a user account, you are presented with the choice to set the password. When you select the option, you will receive the warning shown in Figure 10.
When you right-click a group and select Add to Group, this will start the same process to add members to your group as used in the previous procedure when you created the group. Additionally, when you select the Properties option after you right-click the group, it will take you to the properties where you can use the Add Members dialog box.
Selecting the Properties option after you right-click a user account opens a list of properties you can modify for the user account, as shown in Figure 11.
The properties listed here are part documentation and part account configuration. The tabs listed will allow you to configure basic username and description information and group membership. You can also set properties for Remote Desktop Services connections information, user profiles, home directory information, and dial-in access.
2.4. Manage Local Users and Groups on Server Core
You may not have access to a Microsoft Management Console, and you may need to make modifications to the local users and groups on a Windows Server 2008 R2 Server Core installation. You can add, delete, and modify all aspects of the local users and groups via the command prompt. Specifically, the net command is how you work with users and groups directly on Server Core. The net command will also work on a Windows Server 2008 R2 full server installation.
The net command has many functions, including starting and stopping services and configuring the IP address on the server. You will see in this section how to use the net command to work with your local users and groups.
All of the net commands begin with net; for users this will be followed by user, and for local groups this will be followed by localgroup. For example, to see the current list of your local users or local groups, type one of the following straightforward commands and hit Enter:
net user
net localgroup
To add a user or local group to the system, the commands follow similar syntax. The commands will include the /add switch. For example, to add a user named Harold with a password of pass@word1 to your system, you would use the following command:
net user Harold pass@word1 /add
To add a local group called Writers to your server, you would use the following command:
net localgroup Writers /add
To add Harold to the Writers group, you would use the following command:
net localgroup Writers Harold /add
To see the current membership for the local group Writers, you would use the following command:
net localgroup Writers
The commands are straightforward and fairly intuitive to learn how to use. To learn more about commands to work with local users and groups, just use the built-in help system:
net help user
net help localgroup
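As an added example (not the book's code), the PowerShell script below audits the sensitive default groups from Table 1 by parsing the output of the same net localgroup and net user commands this section describes; it assumes PowerShell is installed (an optional feature on 2008 R2 Server Core), that the command output is in English, and the group list and function name are my own choices.

```powershell
# Added example, not from the book: audit sensitive local group membership.
$SensitiveGroups = @('Administrators', 'Backup Operators', 'Remote Desktop Users',
                     'Power Users', 'Cryptographic Operators')

function Get-NetLocalGroupMember {
    param([string]$Group)
    # "net localgroup <name>" prints a header, a dashed separator line,
    # one member per line, then "The command completed successfully."
    $lines = & net.exe localgroup $Group 2>&1
    if ($LASTEXITCODE -ne 0) { return }          # group does not exist
    $inList = $false
    foreach ($line in $lines) {
        $text = [string]$line
        if ($text -match '^-{5,}\s*$') { $inList = $true; continue }
        if ($text -match '^The command completed') { break }
        if ($inList -and $text.Trim()) { $text.Trim() }   # emit one member
    }
}

foreach ($g in $SensitiveGroups) {
    $members = @(Get-NetLocalGroupMember $g)
    if ($members.Count -eq 0) { "$g : <no members>" }
    else { "$g : " + ($members -join ', ') }
}

# Table 1 says Administrator is the only default member of Administrators,
# so any other member deserves a review.
$extra = @(Get-NetLocalGroupMember 'Administrators' | Where-Object { $_ -ne 'Administrator' })
if ($extra.Count -gt 0) {
    Write-Warning ('Extra Administrators members: ' + ($extra -join ', '))
}

# Guest should remain disabled (Table 1); "net user Guest" reports
# "Account active   No" for a disabled account.
$guestInfo = & net.exe user Guest 2>&1 | ForEach-Object { [string]$_ }
if ($guestInfo -match '^Account active\s+Yes') {
    Write-Warning 'The Guest account is enabled'
}
```

When creating accounts from the command line, net user Harold * /add prompts for the password instead of leaving it in the command line and the console history.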