Local vs. Domain Accounts
In this chapter, our focus is on local accounts—user accounts and security groups that are stored in your computer's SAM. A stand-alone computer or a computer in a workgroup uses only local accounts. Each computer in the workgroup maintains its own SAM with local accounts for that computer only. Local accounts allow users to log on only to the computer on which the accounts are stored and allow access only to resources on that computer. Other users on your network can access resources on your computer only if they authenticate themselves using a local account. (In many cases, the Guest account is used for this purpose. For more information about sharing resources over a network in a workgroup configuration, see Chapter 14, "Network Security 101.")
By contrast, domain accounts are stored on a central computer called a domain controller. If your computer is joined to a domain—a network that has at least one computer running Windows .NET Server or Windows 2000 Server and serving as a domain controller—you ordinarily log on using a domain account. (Windows NT Server can also act as a domain controller, but it does not use Active Directory or the Kerberos V5 authentication protocol, two features that define most current domains.) In the Log On To box in the Log On To Windows dialog box, you specify either your computer name (to log on using a local account) or the name of a domain (to log on using a domain account).
With a domain account, you can log on to any computer in the domain (subject to your privileges set at the domain level and on individual computers), and you can gain access to permitted resources anywhere on the network. The logon dialog box shown here displays the extra information used to log on to a domain. Notice that the user name is followed by an @ sign and the domain name.
NOTE: Users running Windows XP Home Edition can connect to shared resources on a Windows domain by entering an authorized user name and password, but they cannot join the domain, save a roaming user profile on the domain, or save the user name and password for a domain account locally.
Domains are unnecessary for small networks, but they add security and make administration easier as networks grow. On a four-computer network, for instance, where each computer has a single user, it's not particularly difficult to create matching user accounts on each computer and coordinate file sharing. On a network with 20 or 200 or 2,000 computers, however, the task of synchronizing identical sets of user accounts on each of those computers would be overwhelming. Adding a domain controller allows a network administrator to centralize security settings.
Domain user accounts, each with its own unique SID, are stored in the domain's directory, which is managed by the domain controller. Every member of the domain can connect to this database and use its list of accounts for security purposes. Thus, an individual computer user can grant access to a shared resource using the name of a domain security group. When the network administrator adds a new user to the network and assigns that user to the group in question, the new user automatically has access to the shared resource without requiring the local computer user to take any action.
Even in a domain environment, the local computer's SAM plays a role. Accessing resources on the local computer requires a local user account or membership in a local group. For that reason, when you join your computer to a domain, Windows adds the Domain Admins group (a domain-based security group for administrators) to the local Administrators group and adds the Domain Users group to the local Users group.
Domain-based accounts and groups are also known as global accounts and global groups.
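The nesting described above (Domain Admins in the local Administrators group, Domain Users in the local Users group) can be verified from the member computer's side. The following PowerShell script is an added example, not code from the book; it assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Windows Server 2016 and later, Windows PowerShell 5.1), so it does not run on the Windows XP systems the book covers, and the table of expected domain groups is an assumption to adjust for your own domain.

```powershell
# Added example (not from the book): list the members of the two local groups that
# Windows populates from the domain at join time, and mark any domain principal that
# is not one of the expected defaults so an administrator can review it.
# Requires the Microsoft.PowerShell.LocalAccounts module; run from an elevated prompt.

function Get-DomainNestingReport {
    param(
        # Assumption: these are the defaults the book describes; adjust for your domain.
        [hashtable]$Expected = @{
            'Administrators' = @('Domain Admins')
            'Users'          = @('Domain Users')
        }
    )

    foreach ($groupName in $Expected.Keys) {
        # Each entry is a LocalPrincipal with Name, SID, ObjectClass and PrincipalSource.
        $members = Get-LocalGroupMember -Group $groupName

        foreach ($m in $members) {
            # PrincipalSource tells you whether the SID resolves against the local SAM
            # or against Active Directory (the domain controller's directory).
            $isDomain = ($m.PrincipalSource -eq 'ActiveDirectory')

            # Name comes back as DOMAIN\account or COMPUTER\account; keep the account part.
            $shortName = ($m.Name -split '\\')[-1]

            $status = if (-not $isDomain) { 'local' }
                      elseif ($Expected[$groupName] -contains $shortName) { 'expected-domain' }
                      else { 'REVIEW-domain' }

            [pscustomobject]@{
                LocalGroup = $groupName
                Member     = $m.Name
                Class      = $m.ObjectClass
                SID        = $m.SID.Value
                Source     = $m.PrincipalSource
                Status     = $status
            }
        }
    }
}

# Rows marked REVIEW-domain are domain users or groups nested into a local group
# beyond the defaults; rows marked local are accounts from this computer's SAM.
Get-DomainNestingReport | Sort-Object LocalGroup, Status | Format-Table -AutoSize
```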
For more details about using Windows XP and Windows 2000 as part of a domain, see "Workgroups vs. Domains."