CompTIA A+ 220-1102 Topic: Book Chapter 13 – Users, Groups, and Permissions
December 14, 2022

1. Introduction to Users and Groups

Pretend with me for a minute that this file box is actually my C drive. I have a lot of data inside this file box, which is my C drive. For example, I’ve got an operating system that kind of gets its own little special place. I’ll put it right there. And then I’m going to have, oh, I don’t know, some music. Oh, for you younger people, this is what we called a CD. We’ve got some videos. I’ve got a bunch of documents. And the thing is that I start filling up my drive with all kinds of documents, all this stuff. Well, I want to share it. Now I have to be cautious when I say share it. What I want to do is give other people access to it. For example, my music: I want people to be able to listen to my music, but I don’t want them to add to the folder that it’s in. I just want them to be able to listen to it. I might have some documents where I want them to be able to add documents.

But on these documents in this other folder, if there’s a document in there, they can add to it, but they can’t delete it. You get the idea. There are all these different things I want to do with all of these files and folders that are on my drive. And if you want to do super-granular stuff like this, Microsoft Windows, particularly when running the NT File System (NTFS), is the absolute king of this level of control. Now, the challenge you run into is that I also have some files over here. I don’t want anybody to look at these files. What’s my payroll, or something like that. So I need to have very careful control over not only who can access this drive but also who can access what folders and who can access certain documents. And I need this to be very flexible for every different folder and document that’s on this drive. And NTFS does an amazing job. So what I want to do is go over to my computer right now, and I’ve got a folder. I want you to take a look at this real quick. So I’ve made this folder called Ten A on my C drive. Now, if I right-click on this and select Properties, let’s go right into this tab called Security.

Do you see all these weird things? Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. These are called NTFS permissions, and they’re absolutely incredible. These allow us to have very granular controls. For example, I can set it up so that a person can only read the file. They can’t make any changes. They can’t delete it, but they can read it. I can set it up so that somebody can add files to a folder, but that’s all they can do. I can set it up so that they can access a folder, but they can’t read the contents of it. Why would someone do something crazy like that? Well, there are good reasons. The bottom line is, first of all, that I’ve got an entire episode where we’re going to go into these permissions in great detail. Right now, I don’t want you to worry about that. What’s important to me is that if we have all of these super-duper permissions, how do I give them to Bob or Janet? What permissions? To whom? And how is this all tied together? The bottom line is that we need users and groups. Let me show you some basic concepts of how users and groups work with NTFS permissions. So I’ve got this computer right here, and it has a folder in it called Timmy.

Now there are three users who have local user accounts on this computer. There’s Janet, there’s Bob, and there’s Pat. Janet has full control over that Timmy folder. She can do anything she wants. Bob can only read the contents of the Timmy folder, and Pat can read all the contents. And if he wants to add some files to the Timmy folder, well, he can do that. So, in this case, we’re adding permissions to the Janet account, the Bob account, and the Pat account all separately. The problem here is that this can get complicated quickly. Janet may have full control of the Timmy folder, but Janet is an important person. So we’re giving her all kinds of other permissions to other folders and such. So she might have a read-only permission here, a read-write permission there, and another full control permission there. We keep adding all these permissions to the Janet account. Well, it works fine, except for one problem. What if Janet quits all of a sudden? We now have a big problem where we have to get a new hire in and try to recreate all of those same permissions for Jane, who replaces Janet. So it’s always a bad idea to apply permissions to user accounts. Instead, what we’re going to do is create something called a “group,” which I’m going to manifest as nothing but a name tag. So Jane is in the accounting department, so we’re going to make a group called Accounting and put her account into that group.

Bob is a member of human resources, so we’ll make a Human Resources group, and Pat is part of production, so he will get a Production group. What we’re going to then do is apply those permissions not to the accounts but to Accounting itself. As a result, Timmy is completely under the control of the accounting department. The Human Resources group can read anything in the Timmy folder, and Production can read or write. The beautiful part is that if somebody quits, all we have to do is delete their account, create a new user account, and add them to that particular group. Now, a couple of things about groups. Number one: an individual user account can be a member of multiple groups. So what will happen if you’re a member of two or three different groups that all have some type of permission for a particular folder? It becomes cumulative. So you basically add all the permissions together. The other thing is that you can have groups within groups. It happens all the time, especially in more enterprise environments. So you can have a lot of complexity and fun. The secret is: how do we manage all this? How do we create users, modify and delete them, and put them in groups? Well, I’m going to have to save that for another episode.

2. Managing Users and Groups

If you’re going to be managing users and groups well, Microsoft ought to give you a place to do it, right? And man, oh man, does Microsoft do that in Windows. In fact, there are at least three different places to do this within the Windows environment. So let’s take a look at all of them, starting with the easiest and then going to where the cool kids hang out. Okay, first of all, the place we want to go is Settings. So here in Settings, we go to Accounts. Here’s me, all logged in. There’s my name. Here’s a thing that says “Total Homemachelm” and then “Administrator.” First of all, I’m logged in to what’s called a domain. So I don’t just log in locally to my computer; I’m logged into some big server. If you were just in your house, it would probably just say Michael M. And then I am in a group called Administrator. Well, because I am a cool administrator. So what I want to do here is have a little fun. First of all, let’s create an account for somebody else. Now it has two choices here, and what’s actually interesting is that you can do either of these. What they’re trying to do here is get you to log into a Windows domain, and here they’re just trying to create a local account. But to be honest, either of these will work. So let’s go ahead and add someone else to this PC. Now Microsoft just loves Microsoft accounts, so they’re trying to create an online account.

It will still be a local account here, but it allows you to turn on OneDrive and your email and all that stuff at the same time. I’m not a big fan of them personally. Some people like them. So I don’t have this person’s sign-in information, so it wants me to create a Microsoft account. I’m going to skip that. I’m just going to make a regular old local account on this computer, and I’m going to call this person Bob and give it a password. And then there are the silly security questions. All right, I have just made an account called Bob. Now, he is a local account, but that’s really all we’ve got on this. So we can click on Change account type, and we have two choices: Administrator and Standard User. Windows comes with a lot of built-in premade groups. Two of those groups are administrators and standard users. The super administrator account in Windows is any account that is a member of the Administrators group. As a result, when you look in Windows, you will always see an Administrator account. There’s really nothing special about it other than the fact that it’s in the Administrators group. That’s all there is to it.

So if I want to, I can make Bob an administrator just by doing that. And now Bob’s an administrator. Using Settings to create user accounts is pretty basic. It doesn’t have a lot of features. So we’re going to dial it up a little bit. And the next thing I’m going to show you is how to make a user account from the Control Panel. So just for fun, I went ahead and logged in as Bob. He’s a local administrator, so I should be able to do anything I want. So, let’s get started with Control Panel, and this time we’re going to find User Accounts. These are alphabetical lists. You always start at the bottom. And now I’ve logged in as Bob. You can see he’s a local administrator right there. Okay, so first of all, if you want to, this is where you can change your account name and your account type. But what I’m interested in right here, and the reason we see this is because we are administrators for this computer, is that I’ve got two accounts here. One of the things I can do is add a user account. And again, here comes Microsoft, just really wanting us to make a Microsoft account. We’re going to do a local account, and we’re going to call it Janet, and I’ve now made a Janet account. So what do we really do with this account? We can change the account name and change the password. That can be handy. Let’s change the account type. So once again, all we get are two choices here: the standard user, a regular user, or just a user, and an administrator.

So I’m just going to leave Janet as a standard user for now. The problem with the two tools I’ve shown you so far is that they’re pretty limited in scope. I mean, we could create a user; we could delete it if we wanted to; but we could only make them a member of Administrators, which is like the super account, or we can make them a standard user, or we can just say user account. Now you might say, “Mike, what about Accounting and groups like that?” You can do that. However, the challenge is that you can’t do it with these default tools. Look, Microsoft knows that most people are not going to mess with creating complicated groups and stuff like that on basic accounts. If I made this computer a member of a domain, we’d see some other features. But for right now, in order to get to the real power of users and groups, we have to go to something called Local Users and Groups. It is one of Windows’s oldest applications. It’s really old. Let’s fire it up. The best way to get to Local Users and Groups is through the Control Panel, under Administrative Tools, in Computer Management. Let’s get this over so you guys can see it. There it is: Local Users and Groups. This is a very, very powerful tool. So let’s go and create a new user. Well, first of all, take a look at this. Wait a minute. Sure, there’s Janet. Sure, there’s Mike.

Sure, there’s Bob. But what are these other accounts? Well, first of all, do you see the down arrow? These accounts are disabled. Windows automatically creates and disables certain accounts. A Guest account’s nice. For example, if you have a website or something else, you want people to be able to just get to your website. This works out pretty well. Plus, you’ll see a lot of strange guys like this WDAG utility account; I’m not sure who uses it, but it’s some kind of default account, so you’re always going to have that. Now, if you really want to see some defaults, check this out. Windows comes with a bunch of default groups. So if you take a look very carefully here, you’ll see Administrators. We know that one. You’ll see Users; that’s what the other tools call “standard users.” But there’s some other stuff here. For example, Power Users. If administrators are the super-duper accounts that can do just about everything, power users are only one click beneath them. The one thing that the administrator account can do that power users cannot do is that if somebody were to quit, for example, on this system I could log in as an administrator and take control of all of their stuff. So power users are very powerful, but they can’t take control of other users’ stuff.

So other things that are kind of interesting are Performance Log Users, Performance Monitor Users, and Backup Operators. Groups like these aren’t really for people; they’re really for programs. Remember, when you log in, any program you fire up is running under your name. So even your own computer system has an account. We have these groups so that if somebody were running something like a performance monitor, it could monitor the performance of everything, even stuff that they don’t have control over. So we need these kinds of accounts. Same with the backup. If somebody’s running a backup and we need to back up Bob and Mike’s stuff as well, then it can handle that for us. So we need these special groups to allow us to deal with other kinds of weird stuff like that. All right, so let’s go back in and go ahead and create a user. So I just right-click in a blank area here, hit “New User,” and the username is going to be Timmy. We don’t have a Timmy yet, and the full name is anything you want to write in here; give him a password. Now here are some features we didn’t see with the other tools. First and foremost, the user must change their password at their next login. So a lot of times we can throw in a temporary password and say, “Please log in, then change the password.” I’m going to uncheck that for now. Next, the user cannot change the password. It’s probably not a good idea, but we could put it in there. Then, password never expires. We can set it up so that passwords expire after 30 days or 60 days.

We’ll go ahead and leave this one up and running, and here’s a handy one: if somebody quits, we don’t want to just delete their account. Remember, when you create a user account on a computer, you’re also creating their own desktop, their own documents, and all their own personal stuff, and there might be a chance we would need access to that. So typically, if somebody quits or even goes on vacation, we disable the account, and here’s where we can do something like that. All right, let’s go ahead and create it; now here’s something cool. You’ll notice the dialog goes right back to blank, because they’re assuming you’ve got a lot of accounts to make, so we’ll just go ahead and hit Close. Now that we’ve created Timmy’s account, you’ll notice that we didn’t really make him a member of any groups, so I’m going to right-click on this and go to Properties, where we can go to Member Of and I can make him a member of whatever I want. In fact, let’s go ahead and make him a member of Administrators. Unfortunately, at this level, you better know the name of the group or you’re going to be in trouble.

So, Administrators; don’t forget the s. I can click on Check Names; it underlines everything, so it’s happy, and I’ve now made Timmy a member of Administrators. So really the place to go is Local Users and Groups for users, but it also works for groups. Let’s go back in here and make some of those cool groups. So I want to start a group called Accounting, and this is the place to do it. I’m going to type in a description for the accountants, so I’ve made the group, but it’s got to have some members, so I’m going to add Timmy in there, and again, you have to have the account names just right here. The fact that it underlined it showed that I did it right. If I had typed Tiny, I would have gotten an error, and now I’ve made Timmy a member of that group, and I’ve created the group as well. So where did it go? There’s Accounting right there. We can open that up, and we can see that Timmy is a member of Accounting. For most of us, particularly at home or in very small offices, just using Settings or User Accounts in the Control Panel will do a fine job of setting stuff up. For a lot of situations, just standard users and administrators is more than enough; however, if you really want to get into the real power of NTFS, you’ve got to go to Local Users and Groups.

3. NTFS Permissions

So you’ve got some resources you want to share with other people. Well, in order to let other people have access to it, you’re going to have to give them permission. Now, Microsoft will manifest this as sharing. However, you’ve got to be a little bit careful here because we live in a strange world. Number one, NTFS doesn’t care whether you log on locally to the same computer as the person who shared it or whether you are in Toledo, Ohio. So the network share aspect isn’t really the same as just sharing something within NTFS. When we get into the network chapters later, we’re going to talk about network shares, which are a little bit of a different animal. At this point, really all we’re talking about is sharing among different NTFS users. Okay, so are you ready to try this? It’s really easy. The best place to start is with Timmy. So I’ve got this volume called D. There’s not much in there. I have some virtual machines. What I’m going to do is create a new folder, which I’m going to call Timmy. So I’m logged in as Bob. So what I want to start off with is a quick look at the properties right now. And what we’re going to look at isn’t Sharing. Don’t go over here. Go over to Security.

Right now, these are the default NTFS permissions for this particular folder. As you can see, all users receive Read & Execute and List Folder Contents by default. So let’s go ahead and discuss each of these NTFS permissions. Now, what I’ve got to warn you about is that NTFS permissions can be applied to folders or they can be applied to files, and they’re a little bit different. So let’s go ahead and run through these real quick to make sure you’re really clear on the different types of NTFS permissions. So let’s start with a folder. First of all, we have Full Control, which basically means if you have full NTFS permissions for a folder, you can do anything you want. You can change its name, delete it, delete files within it, whatever you want. Next is Modify, which enables you to read, write, and delete both files and subfolders. If you select Read & Execute, you can see the contents of the folder and any subfolders, as well as run any executable programs or file associations.

That means files like a Word document in that folder. Next is List Folder Contents, which means you can see what is in that folder or any of its subfolders. After that is Read, which allows you to view the folder’s contents and open any file in the folder. Last but not least, Write. That enables you to write files and create new files and folders. Some of the differences between these permissions are pretty subtle. For example, with Read, I can see anything in the folder. But with Read & Execute, I can see anything within the folder, plus I can run any executables. Someone new to this might say, “Mike, who came up with this stuff?” They did decades of research to come up with the best type of permissions to give the best kind of granularity. These types of permissions are nearly 40 years old, and nobody’s changed them. You know why? Because they’re fantastic. Let’s do it again, this time for files. So if you have Full Control over a particular file, you can do anything you want with it. It is possible to delete it, edit it, add to it, and change its name.

In fact, not only can you do that, you can give other people permission to do it. Modify means you can read, write, and delete the file. Read & Execute allows you to open and run the file. You can run it if it’s an executable. Read allows you to open a file. So it’s a Word document; you can open it up in Word. And Write enables you to open and write to the file. Number one: don’t panic and try to memorize all these. Well, first of all, I think everybody should know them if you’re a tech. However, the A+ exam does not specifically go into detail, saying you need to know every one of these NTFS permissions. I’m Mike Meyers, an alpha geek and super nerd who says any good techie should know how to do NTFS. Okay, let’s keep playing with this a little bit. This time I want to go back to Timmy. So I’ve got Timmy here. And what I’m going to do with Timmy is specifically give a user permissions. Now, normally we wouldn’t do this. We just give individual groups permissions. But let’s have some fun. So we’re going to hit Edit, and I’m going to add Mike. Let me check the names to make sure I typed them in right. Yep. Hooray. So I’ve got Mike in here now. Right now Mike, because he’s a user, has the same permissions any other user might have. But I’m going to give him everything but Full Control. We leave Special Permissions alone.

That’s strange, weird, and dangerous. So we’re going to hit Apply, and OK, so now we know Mike has everything but Full Control of the Timmy folder. So let’s open that up. Nothing’s in here. Now watch this. I’m going to create another folder here. Call it Tammy. Now take a look at the permissions. Let’s just use Mike as an example. First of all, notice that these are grayed out, but Mike has the same permissions as before. What you’re looking at here is called inheritance. If you have a folder and you put a file in it, that file, by default, will have the same NTFS permissions as the folder it was put in. And subfolders play the same game. So inheritance is a big deal. So now I want you to come back in here and take one more peek. You’ll notice there’s a whole other column here called “Deny.” Right now, there’s not much I can do with it, but watch this. I’m going to go back to Timmy so we can see here in Timmy that Mike has the permissions we saw earlier. But watch this. If I click on Edit, we can actually go through something called Deny. The whole idea of “Deny” is to stop inheritance. There could be a situation where Mike gets all of these permissions, but there’s another subfolder way down here, and we don’t want Mike to have those permissions. We can go ahead and put a Deny in there, and it will stop Mike from having the same permissions he had before. In the NTFS world, and by the way, there are books this thick that go into NTFS permissions, using Deny implies that you’ve made a mistake somewhere. You didn’t organize your NTFS permissions properly, and it’s going to give you a problem.

All right. For the exam, it’s important that you’re comfortable with the concept of NTFS permissions. Number one, NTFS permissions don’t care whether you’ve jumped onto the computer locally, you’re logging in via the network, or you’re connecting from Timbuktu. It makes no difference to NTFS. It has to do with the local account that you have on that system. Number two, just because NTFS doesn’t care where you’re coming from, the fact that you have to go through something called a network share does. You can’t get to a particular resource through the network unless you go through a whole different second step that says, “I’m going to share it on the network,” and we’re going to save that for when we get into networking. So there’s a bit of a difference there. The last thing is that NTFS permissions, while a little bit complicated, actually make sense if you work with them a little bit. And keep in mind, inheritance is a very big deal. If you make a folder, remember that anything you put in it is going to get the exact same permissions.
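The three rules this chapter relies on (rights granted to a user’s groups add up, as in the Introduction; children inherit the parent folder’s entries; and a Deny entry overrides an Allow) are easier to see as an access check you can run. The following is an added example, not code from the chapter or from Microsoft: a small Python model of the order in which Windows evaluates permission entries. The folder and group names (Timmy, Tammy, Private, Accounting, HumanResources, Production) and the rights assigned to them are constructed to mirror the walkthrough above; the right names are simplified stand-ins for the real NTFS rights.

```python
"""Added example, not code from the chapter or from Microsoft: a small
Python model of how Windows decides what a user may do to a folder.
It reproduces the three rules the chapter describes: rights granted to a
user's groups accumulate, a child folder inherits its parent's entries, and
a Deny entry beats an Allow for the same right at the same level.
Names (Timmy, Tammy, Private, Accounting, ...) are constructed for the demo."""
from dataclasses import dataclass, field
from typing import Optional

# Atomic rights; the chapter's named permissions are bundles of these.
READ, WRITE, EXECUTE, LIST, DELETE, CHANGE_PERMS = (
    "read", "write", "execute", "list", "delete", "change_perms")
FULL_CONTROL = frozenset({READ, WRITE, EXECUTE, LIST, DELETE, CHANGE_PERMS})
MODIFY = FULL_CONTROL - {CHANGE_PERMS}        # "everything but full control"
READ_EXECUTE = frozenset({READ, LIST, EXECUTE})
READ_ONLY = frozenset({READ, LIST})
WRITE_ONLY = frozenset({WRITE})


@dataclass(frozen=True)
class Ace:
    """One line in the Security tab: a principal, Allow or Deny, some rights."""
    principal: str
    kind: str                 # "allow" or "deny"
    rights: frozenset


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    aces: list = field(default_factory=list)   # entries set directly here
    inherits: bool = True                       # False = inheritance disabled


def canonical_aces(obj):
    """Entries in the order Windows evaluates them: explicit Deny, explicit
    Allow, then the same pair inherited from each ancestor, nearest first."""
    ordered, node = [], obj
    while node is not None:
        ordered += [a for a in node.aces if a.kind == "deny"]
        ordered += [a for a in node.aces if a.kind == "allow"]
        if not node.inherits:          # stop walking up: nothing is inherited
            break
        node = node.parent
    return ordered


def effective_rights(user, groups, obj):
    """For each atomic right, the first entry in canonical order that names
    the user or one of their groups and mentions that right decides it.
    Rights from several groups therefore add up, and Deny beats Allow."""
    principals = {user} | set(groups.get(user, ()))
    granted = set()
    for right in FULL_CONTROL:
        for ace in canonical_aces(obj):
            if ace.principal in principals and right in ace.rights:
                if ace.kind == "allow":
                    granted.add(right)
                break                   # first match decides; a deny grants nothing
    return frozenset(granted)


# Constructed scenario mirroring the chapter's Timmy folder.
GROUPS = {
    "Janet": ["Accounting"],
    "Bob": ["HumanResources"],
    "Pat": ["Production", "HumanResources"],   # member of two groups
    "Mike": ["Users"],
}
timmy = Folder("Timmy", aces=[
    Ace("Accounting", "allow", FULL_CONTROL),
    Ace("HumanResources", "allow", READ_ONLY),
    Ace("Production", "allow", WRITE_ONLY),     # Pat's Read comes from HumanResources
    Ace("Mike", "allow", MODIFY),               # permission placed on a user directly
])
tammy = Folder("Tammy", parent=timmy)           # gets everything by inheritance
private = Folder("Private", parent=tammy, aces=[
    Ace("Mike", "deny", frozenset({WRITE, DELETE})),   # explicit Deny stops inheritance
])


def report(user):
    """Effective rights per folder, as sorted lists for readability."""
    return {f.name: sorted(effective_rights(user, GROUPS, f))
            for f in (timmy, tammy, private)}


if __name__ == "__main__":
    for name in GROUPS:
        print(name, report(name))
```

Running it shows Pat ending up with read, list and write on Timmy even though no single group grants all three, Mike keeping his Modify rights on Tammy without any entry on Tammy itself, and Mike losing only write and delete on Private while the inherited read, list and execute survive. A folder built with `inherits=False` receives nothing from above, which is the “disable inheritance” switch in the Advanced dialog.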

4. Linux and macOS Permissions

Microsoft’s NTFS pretty much has a lock on very granular control of file permissions. However, it’s not the only game in town. Both Linux and macOS also have this feature. However, theirs is a bit simpler, based on the attitude that you don’t really need that much granularity. To understand how these work, we must first comprehend the concept of owner, group, and everyone. Let me show you. I have an account on my Linux machine called Mike. I’ve actually very creatively made my own group called Mike because I don’t really share it with anybody. So when I log in, I log in as Mike, and I’m in the group called Mike. I’m also in some other groups, but that’ll get me started. So I’m working away on my Linux box, and I’m using a program called LibreOffice, which is a wonderful word processing program, and I create a file called Timmy.odt. Now that I have saved this file to my computer, I have read, write, and execute privileges. Read means I can actually read the file and take a look at it. Write means I can modify the file; it means I can append to the file; I can do anything.

I could delete the file, actually, and X stands for execute. Let me explain that for a minute. The Linux world is filled with script files. A script file is basically just a text file that has the ability to actually run like an executable program. Of course, Linux has plenty of executable programs as well. By placing the execute permission on that file, I can run it like an actual program. So if I have a script file and I want to really run it, I have to have the permission to execute it. Got the idea? Let’s keep going. The second set of permissions is for my group, so anybody who’s a member of my group can have this set to read, write, and execute as well. Now keep in mind that if I wanted to, I could set this up so it’s not executable for people within my group, but I like everybody in my group, so I’m going to go ahead and keep it executable. And the last one is for everyone. Everyone is exactly who it sounds like: everybody. I don’t want anybody messing with this, so I’m going to just give read permission; I’m not going to give write permission, and I’m not going to give execute permission. When you’re messing with these types of files, you have nine different permissions to set. Luckily, it’s usually pretty straightforward within a graphical user interface. I’ve got a couple of files here on Ubuntu Linux that I’ve gone ahead and created. So what I want to do is show you the permissions as they’re currently configured. So I’m going to go down to Properties and look at Permissions.

As you can see, I have read and write permission as the owner. Now that makes sense if you think about it. This is a word processing document. It’s not truly an executable file, and it’s not even a script. So I definitely would not want to have execute privileges here. If I wanted to change that, I could go to read-only. For the group Mike, I have read and write; and then for everybody else, I have read-only. Or I could just say they have no permission at all. This thing has a checkbox to allow files to be executed as programs; this is a bad idea. So I’m going to uncheck that. You might be thinking to yourself, “Well, Mike, that’s great for Linux, but you’ve been talking about Linux and macOS in this entire episode.” Hey, how about a little macOS here? Well, buddy, you got it. So what I’m going to do is put up a little screen. Take a look at this. So what we’re looking at right here are the permissions for one example file on macOS. Notice that we’ve got the creator owner, we’ve got the group, and we’ve got everyone, and you’ll notice it’s read, write, and read permissions. How easy is that? So whether you’re using Linux or macOS, you’ve always got read, write, execute; read, write, execute; read, write, execute for the owner, for the group, and for everyone. I want you to keep that in mind, because later, when we get into working with the command line, you’re going to see this again.
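The nine checkboxes in that Properties dialog are nine bits, and the command line you will meet later works with them as a number. The following is an added example, not code from the chapter: a short Python script that turns the three rwx strings (owner, group, everyone) into the numeric mode `chmod` takes, shows what unticking “allow executing file as program” does to that number, and applies a mode to a constructed temporary file and reads it back from the operating system. The Timmy.odt values (owner and group read/write, everyone read) are taken from the walkthrough; the temporary file is created and deleted by the script itself.

```python
"""Added example, not code from the chapter: the nine owner/group/everyone
permission bits that Linux and macOS use, built from the rwx strings the
Properties dialog shows, applied to a constructed temporary file with
os.chmod, and read back with os.stat. No real document is touched."""
import os
import stat
import tempfile


def bits_from_rwx(triplet):
    """'rw-' -> 6, 'r-x' -> 5, '---' -> 0 (read=4, write=2, execute=1)."""
    if len(triplet) != 3:
        raise ValueError(f"expected three characters, got {triplet!r}")
    value = 0
    for ch, expected, weight in zip(triplet, "rwx", (4, 2, 1)):
        if ch == expected:
            value |= weight
        elif ch != "-":
            raise ValueError(f"bad permission character {ch!r} in {triplet!r}")
    return value


def mode_from_rwx(owner, group, everyone):
    """Three rwx strings -> the numeric mode chmod takes, e.g. 0o664."""
    return ((bits_from_rwx(owner) << 6)
            | (bits_from_rwx(group) << 3)
            | bits_from_rwx(everyone))


def describe(mode):
    """Numeric mode -> the three rwx groups, e.g. {'owner': 'rw-', ...}."""
    text = stat.filemode(stat.S_IFREG | (mode & 0o777))[1:]   # drop the type char
    return {"owner": text[0:3], "group": text[3:6], "everyone": text[6:9]}


def strip_execute(mode):
    """What unticking 'allow executing file as program' does for a document:
    clear the execute bit for owner, group and everyone alike."""
    return mode & ~(stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)


def apply_and_read_back(owner, group, everyone):
    """Create a constructed temp file, chmod it, and return what the OS
    reports, e.g. 'rw-rw-r--'. Needs a POSIX filesystem; chmod is not
    affected by the umask, so the result is exactly what was requested."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode_from_rwx(owner, group, everyone))
        return stat.filemode(os.stat(path).st_mode)[1:]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # The chapter's Timmy.odt: owner read/write, group read/write, everyone read.
    doc = mode_from_rwx("rw-", "rw-", "r--")
    print(oct(doc), describe(doc))                       # 0o664
    script = mode_from_rwx("rwx", "r-x", "r--")          # a script the owner runs
    print(oct(script), oct(strip_execute(script)))       # 0o754 -> 0o644
    print(apply_and_read_back("rw-", "rw-", "r--"))      # rw-rw-r--
```

The same 0o664 the script computes is what `chmod 664 Timmy.odt` sets from a terminal, and `ls -l` prints it back as `rw-rw-r--`, which is the string `apply_and_read_back` returns.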

5. File Explorer


6. Sharing Resources

It drives me crazy to talk about users, groups, and NTFS permissions without giving you a little tease about the concept of network shares. The thing is, every Windows system carries the long, long history of a very, very old network protocol called Microsoft LAN Manager. LAN Manager predates Windows: back when your forefathers ran operating systems like DOS, you had to install this other thing just to be able to look at other people’s hard drives. And that LAN Manager heritage lives on (as SMB file sharing) in the most modern Windows system there is. So we end up with two very different things: NTFS permissions, and network shares. Let me show you how this breaks down. Here is a Windows system, and it has two local users, Joe and Janet. Joe and Janet have set up all kinds of NTFS permissions. There’s a particular folder they use, C:\Fred, that Joe and Janet would both like to access.

However, sometimes Janet isn’t sitting at that machine. Janet is on her own machine over here on the network, and she wants access to this folder. You cannot do this with NTFS. NTFS doesn’t care about networking; it has no networking function built into it. What we use is a feature called network shares. The problem is that when Janet is over here, she can’t see any of the folders she has NTFS access to over there. So we light up network shares, which basically advertise on the network that this particular folder is available. Janet first connects to the share, and then, because of her NTFS permissions, she can do whatever those permissions allow: read, write, modify, whatever it is. So there are two things going on. The network share advertises the folder out on the network, and once you get to that individual system, NTFS takes over. Network shares are absolutely fabulous, and you don’t even need NTFS for them. If you want to, you can format a drive with exFAT or, if it’s small enough, FAT32, and you can still share the folders and files on it over the network. The trick is, how do you go about sharing?

Now, I’m going to go into a lot more detail on this in the networking episodes, but I want to make sure we’re comfortable with the concept called the Universal Naming Convention, or UNC. So let’s put it right here. I’ve got this folder, C:\Fred, and I want to present it to the network and say, “You may use this. I am offering this as a resource.” What we’ll create is a universal naming convention path, and it looks like this: two backslashes, then the name of the machine serving it. We’ll say this computer is MikesPC, so that’s \\MikesPC. Then you have to name whatever you’re sharing. So for C:\Fred, we’ll call it something really creative, like FredC: put another backslash and you get \\MikesPC\FredC. You get the idea. This is a UNC path, and to access shared resources we have to be able to connect to these. Again, we’re just touching on it here, but the episodes in my networking section really go into detail. Make sure you recognise UNC when you see it. So let’s go ahead and start doing some sharing. You ready? I’ve got this folder on my D drive called Timmy, and I want to share it on the network. I’m going to right-click on it, click “Give access to,” and then say whom I want to share it with. First of all, Janet is here. Let’s type in Janet. Because I’ve already created the user Janet, you’ll see that she now has Read access to this folder.

Network shares don’t have nearly the power of NTFS. They predate NTFS; this is old stuff. However, it’s quick and dirty, and it doesn’t care what kind of file system you have. So when I share like this, I basically have two choices: Read or Read/Write. “Read” means I can only read. I can’t copy anything into the folder, I can’t change the file I’m reading; I can’t do anything other than read. Read/Write basically means you can do anything you want. In the old days, we used to call that “Modify,” but I’m old, and those are old versions of Windows. So either you have Read or you have Read/Write. But take one more peek here. Do you see Owner? Owner simply means Bob created this folder. That’s really all it boils down to: Bob can do anything he wants. And here’s me. Yep, that’s my email address too; say hi sometime. I can also do anything I want because I have Read/Write. We can change this if we want. For example, if I want to give Janet Read/Write, I just click on there, and she’s got it. That’s really all it takes.

So you’ll notice we have a number of different people who have access to this particular folder. Now, I’ve already clicked Share once, but take a look right here. What you’re actually looking at is the UNC for that share: two backslashes, this computer’s name, a backslash, and the share name. The share name isn’t simply Timmy, because when Bob set this up he already had a share named Timmy on here. I could change that name to anything I want. It doesn’t have to be Timmy just because the folder is called Timmy. I could type in “I love bananas,” and that’s a legitimate share name. So let’s go ahead and hit Done. Now there’s one more way to share, and I’m going to do this one really quickly. Watch this: Everyone. Basically, anyone who can connect to my system over the network can access whatever is in there at whatever level you set. Now you’d say to yourself, “Well, Mike, that sounds like a terrible idea, because I don’t want just anybody in there.” Well, the answer is something called Microsoft best practices. According to Microsoft best practices, NTFS is king. If you want to share a folder, go ahead and share it, but make the share itself wide open to everybody. Don’t impose restrictions at the share level, don’t limit it to Read or anything like that; instead, use NTFS permissions to control exactly what people can do.
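Here’s how that recipe looks from an elevated PowerShell prompt instead of the Explorer dialog: the share itself is wide open to Everyone, and NTFS does the actual access control. This is an added example and not code from the original video; it assumes D:\Timmy already exists, that local users Bob and Janet exist, an English-language Windows (for the group name Administrators), and Windows 8 / Server 2012 or later for the SmbShare cmdlets.

```powershell
# Added example, not from the original lesson. Run from an elevated PowerShell prompt.
# Assumptions: D:\Timmy exists, local users Bob and Janet exist, English Windows
# (group name "Administrators"), Windows 8 / Server 2012 or later (SmbShare module).
$folder    = 'D:\Timmy'
$shareName = 'Timmy'

# Share layer: wide open. Everyone gets Full Control on the share itself,
# so the share never clips what NTFS allows.
New-SmbShare -Name $shareName -Path $folder -FullAccess 'Everyone' | Out-Null

# NTFS layer: this is where the real access control lives.
# /inheritance:r removes the inherited entries so only the grants below apply.
# (OI)(CI) make each grant flow down to files and subfolders.
icacls $folder /inheritance:r
icacls $folder /grant 'Administrators:(OI)(CI)F'            # admins: Full Control
icacls $folder /grant "${env:USERNAME}:(OI)(CI)F"           # me, the owner: Full Control
icacls $folder /grant 'Bob:(OI)(CI)F'                       # Bob created it: Full Control
icacls $folder /grant 'Janet:(OI)(CI)M'                     # Janet: Modify (read, write, delete)

# Show both layers and the UNC path clients will use.
Get-SmbShareAccess -Name $shareName
icacls $folder
"UNC path: \\$env:COMPUTERNAME\$shareName"
```

Effective access over the network is the more restrictive of the two layers, which is exactly why the share is left at Full Control: if the share were set to Read, Janet’s NTFS Modify would be clipped to Read for anyone coming in over the network, while still applying in full when she logs on locally. One common tightening of the “Everyone” advice is to grant the share to Authenticated Users instead, which keeps anonymous and guest connections out without getting in NTFS’s way.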

So, while the share offers Read and Read/Write, keep in mind that Microsoft recommends that if you’re going to share something, make the share wide open and then use good NTFS permission control to limit what people can do. That’s a good idea. All right, so I’m going to let everybody in there, and we’ve all got a hold of Timmy. What I want to do now is actually access other people’s shares. That’s pretty simple to accomplish. I’m just going to go out on my network and pick an arbitrary system. Here’s one called TotalFS3, and here are all the shares on that computer. This is a big server system, okay? It works with individual computers too, but it’s not uncommon for one computer to have lots of different shares out there. So now I can pick a particular share and double-click on it, and I can see all kinds of fun stuff in here. I can do whatever I need to do; I don’t have to do anything special. If there’s a Word document in there, I just click, click, click, boom, boom, boom, and assuming I have the right NTFS permissions, I can open it up and do whatever I want. But there are some situations where I don’t just want to use a UNC to get something done. Sometimes I need something more permanent, and in that case we go through a process called mapping. So let me show you what mapping means. I go into this Users folder all the time, so I’ll map it as a network drive. I right-click, and it says, “Great, here’s the UNC; what drive letter do you want it to have?” I’m going to leave it at Z. That’s fine. And did you notice this checkbox right here? It says “Reconnect at sign-in.” So the next time I log off this computer and log back in, it’s going to reconnect and recreate this Z drive.

That only works if this checkbox is checked. If I turn it off, like I did right there, the mapping is good only until I log off. The next day, or whenever I come back, that Z drive won’t be there, and I’ll have to remap it. So this is a matter of personal choice. A lot of times I’m like, “I only need it for the day,” so I’ll uncheck that. Here I’m going to keep it checked, because I like having it every morning. You can also connect with different credentials. If I check that, when the Z drive is accessed, a little popup will ask me to log in under a different name. You’ve got to remember that when you’re using workgroups, each computer has its own usernames and passwords. Just because you’ve logged in here as Bob with a password doesn’t mean you’ll have any access to somebody else’s share unless you have a local account on that machine. Because I do have access, I’m just going to hit Finish. And look right there: there’s my Z drive, all properly mapped and ready to go. Look, this is just a quick overview. Because we’ve done all this with NTFS, I just want to make sure you can see the difference between NTFS permissions and network shares. Check out my networking chapter to get a lot more detail on how all this works.
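The same mapping from the command line, as an added example that is not part of the original lesson. It assumes a machine named TotalFS3 sharing a folder called Users, and that Janet has a local account on TotalFS3 (it’s a workgroup, so accounts aren’t shared between machines).

```powershell
# Added example, not from the original lesson.
# Assumptions: a machine TotalFS3 shares a folder named Users, and Janet has a local account there.
$unc = '\\TotalFS3\Users'

# Ad hoc access: just use the UNC path directly; no mapping needed.
Get-ChildItem -Path $unc

# Persistent mapping with different credentials. In a workgroup each machine has its own
# accounts, so we authenticate as TotalFS3's Janet, not as whoever is logged on here.
$cred = Get-Credential -UserName 'TotalFS3\Janet' -Message 'Account on TotalFS3'
New-PSDrive -Name 'Z' -PSProvider FileSystem -Root $unc -Credential $cred -Persist -Scope Global

# -Persist is the "Reconnect at sign-in" checkbox: the mapping survives logoff.
# Leave it off and the Z: drive is gone at the end of the session.
Get-PSDrive -Name 'Z' | Select-Object Name, Root, DisplayRoot

# Classic equivalent of the mapping above:
#   net use Z: \\TotalFS3\Users /user:TotalFS3\Janet /persistent:yes
# Remove it with:  Remove-PSDrive -Name 'Z'   (or  net use Z: /delete)
```

Whether you browse the UNC or map a letter, the NTFS permissions on TotalFS3 still decide what you can actually do once you’re connected; the mapping only saves you typing the path.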

7. Security Policies

NTFS provides fantastic security for your files and folders. But there’s a lot of other stuff that happens on your computer where you’d like a little security. For example, what if you want everybody to have passwords that are at least ten characters long? Or what if you have Bob, who’s way out in Denver, and we don’t want him walking up to this machine when he’s in town and logging in, but from Denver we want him to be able to log in? So he can log on remotely but not locally. There’s lots of little security stuff like this that Windows takes care of via what we call security policies. Here we’re going to set up policies for just this one computer, so we call it Local Security Policy. Let me show you how this all works. Local Security Policy is an application that we run. Let me center it, because I like it in the center. What you have here is a whole big pile of things you can set up for your system. So let’s start with Account Policies.

You have two options in this section: Password Policy and Account Lockout Policy. The reason they’re at the top is that people love to use them. So let’s take a look at some of these and make sure you understand them, because they’re going to be on the exam. Number one: Maximum password age. That is, how long can a password remain in place before it must be changed? I’ve set it to 42 days for the time being. Minimum password length is zero characters right now. If I wanted to, I could come in here and change a few things. Watch this. I’m going to make it require eight characters. The moment I do that, it sets this for me, and now passwords have to be eight characters. Password must meet complexity requirements: I enable this by clicking on it. So I’m not going to be able to use a password of eight ones anymore. Complexity means the password can’t contain my account name and has to use at least three of the four character types: upper-case letters, lower-case letters, numbers, and symbols. It’s built into Windows solely for the purpose of forcing more complex passwords.

Now let’s look at a few more of these. First, Enforce password history is set to zero, meaning Windows doesn’t remember any of your old passwords; let’s just set it to three for fun. So look at what we’ve just done: you’re going to have to change your password every 42 days, and when you change it, you can’t reuse any of your last three passwords. That’s how we control that particular issue. So we’re all set, except for one more thing I want to talk about, and that is Store passwords using reversible encryption. Normally, when Windows stores a password, it stores a hash, which can’t be reversed back into the password; we’ll talk about hashes in other episodes. If you enable this setting, Windows instead stores the password in a form it can decrypt, which is far less secure. It exists only for a few legacy authentication protocols that need the actual password, and an attacker who gets hold of that store has everybody’s passwords. I always keep it disabled. So that sets up the password side. But what if people are unable to log in? What if they keep using the wrong password?

I mean, there’s a certain point where somebody keeps using the wrong password and I want to stop them. I want to lock them out, because they might be bad guys. And that’s where we go to the next tab, Account Lockout Policy. First of all, we have Account lockout threshold. Right now it’s set to zero invalid attempts, but I can set this to five. Now it needs to set a couple of other things, which I’ll explain in just a few sentences. What’s going to happen is that after five invalid logon attempts, you’re locked out for a certain amount of time. By default, that’s set to 30 minutes. I can change that. Maybe if I want to be a nice person, I’ll set it to ten minutes. So after five attempts, you’re locked out for ten minutes. Now it has to deal with this last one, which we’re going to talk about right now, and that is Reset account lockout counter after a certain amount of time.

OK, so you’re logging in and you type your password wrong once; that’s one try. You type it wrong again; oops, that’s two tries. Do it five times and you’re locked out, right? Well, this other setting says, “How long do I keep you at two before I set you back to zero?” Get the idea? That’s what Reset account lockout counter after means. Usually we set these two to the same value (Windows requires the reset time to be no longer than the lockout duration), but again, that’s a matter of personal choice. Okay, so passwords are important and logins are important, but there are a few others I want to show you here, or at least give you a quick touch on. Take a look under Local Policies. We cover Audit Policy in other episodes when we talk about auditing, but just to get an idea, here is some of the built-in stuff under User Rights Assignment. Allow log on locally: here’s where we say yes or no to that.
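The password and lockout settings from the last few paragraphs, applied from an elevated PowerShell prompt rather than the snap-in. This is an added example, not from the original video. It uses secedit to export the current local policy, edit the values in the [System Access] section, and import them back; the key names are the ones secedit uses in its template files, and the .cfg file under %TEMP% is just a scratch file.

```powershell
# Added example, not from the original lesson. Run from an elevated PowerShell prompt.
# Sets the same values the lesson sets in Local Security Policy: password policy,
# reversible encryption off, and account lockout. This is local policy only.
$cfg = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $cfg /quiet | Out-Null

# Keys in the [System Access] section of the exported template.
# Password age is in days; lockout times are in minutes.
$wanted = [ordered]@{
    'MaximumPasswordAge'    = 42   # change every 42 days
    'MinimumPasswordLength' = 8    # at least 8 characters
    'PasswordComplexity'    = 1    # "must meet complexity requirements"
    'PasswordHistorySize'   = 3    # can't reuse the last 3 passwords
    'ClearTextPassword'     = 0    # reversible encryption stays disabled
    'LockoutBadCount'       = 5    # 5 bad attempts...
    'LockoutDuration'       = 10   # ...locks you out for 10 minutes
    'ResetLockoutCount'     = 10   # bad-attempt counter resets after 10 minutes
}
# Windows rejects a reset window longer than the lockout duration; catch it before importing.
if ($wanted.ResetLockoutCount -gt $wanted.LockoutDuration) {
    throw 'ResetLockoutCount must not exceed LockoutDuration.'
}

$text = Get-Content -Path $cfg -Raw
foreach ($key in $wanted.Keys) {
    $line    = "$key = $($wanted[$key])"
    $pattern = '(?m)^' + $key + '\s*=.*$'
    if ($text -match $pattern) {
        $text = [regex]::Replace($text, $pattern, $line)
    } else {
        # The lockout duration/reset keys are absent while the threshold is 0,
        # so add any missing key right under the section header.
        $text = $text -replace '(?m)^\[System Access\]', "[System Access]`r`n$line"
    }
}
Set-Content -Path $cfg -Value $text -Encoding Unicode

# Apply only the security-policy area; user rights and audit settings are left alone.
secedit /configure /db "$env:windir\security\local.sdb" /cfg $cfg /areas SECURITYPOLICY /quiet
Remove-Item -Path $cfg

# Confirm: net accounts prints the password and lockout values now in force.
net accounts
```

On a domain-joined machine the import will appear to succeed, but the domain’s values come back at the next Group Policy refresh; gpresult /r shows which policies are winning.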

I can go in here and make sure that Bob isn’t a member of one of those groups, and he won’t be able to log on locally unless he’s a member of, say, the Users group. So there are all kinds of little options in here that really depend on you and your needs. And then, even more complex, are the Security Options. I can do things like, here’s a fun one, rename the administrator account. How would you like to change the Administrator account to Timmy? This is where it’s done. I wouldn’t recommend doing that, folks; I’m just saying that this is the type of policy you can configure with your Local Security Policy. So this works great. But now I’m going to switch to another computer and we’ll go over this again. This other computer is a member of a domain, and we’re going to see something very different. Watch this. So here I am on my domain computer, and I’m going to fire up Local Security Policy. This time when I fire it up, it looks just the same. However, let’s take a look at something. Hey, wait a minute. Notice how these settings look different. That means something’s been set up for us. Yeah, it has: Enforce password history shows one password remembered. Well, let’s change that.

Wait, I can’t change it. There’s a very good reason why, and that’s because we have domain policies on my Windows Server system. The domain controller not only has all of those local policies, it has, like, a bazillion more, even more complicated ones, and domain policy overrides my local policy. In Group Policy processing, local policy is applied first and domain policy last, so whatever the domain sets wins. Anytime you’re working with Local Security Policy on your own machine, you’re a member of a domain, and suddenly there are things you can’t change, it’s because your domain administrators have set up Group Policy that overrides your settings. So be aware of that, because I’m pretty sure you’re going to see it on the exam.
