Using Workgroups and Domains
In a workgroup, every computer has its own directory database of user accounts and security policies. Each computer in a workgroup manages the accounts on that computer for other users and computers that want to access information on it. If you are a member of a workgroup and want to allow a user on another PC to access files on your PC, you must establish an account for that user.
A workgroup can be made up of computers that use either NT Workstation or Windows NT Server. However, PCs that have Windows NT Server installed must be configured as extendable units. A workstation does not require a Windows NT server to be present. Workgroups have no centralized account management or security. Workgroups are generally used for small groups of workstations, and the PC support person is likely to be responsible for managing each user account on each PC in the workgroup. A domain is used for a large number of workstations, and security for the domain shifts to a business-wide or enterprise function of a network administrator controlling security from a single console.
In a Windows NT domain, a network administrator manages access to the network through a centralized database. Every domain has a primary domain controller (PDC), which stores and controls a database of (1) user accounts, (2) group accounts, and (3) computer accounts. This database is called the directory database or the security accounts manager (SAM) database.
The directory database can be updated by an administrator logged on to any workstation or server on the domain by accessing the PDC, but there can be only one PDC on the domain. One or more read-only backup copies of the directory database can be kept on other computers. Each computer with a backup of the directory database is called a backup domain controller (BDC).
A system can be set up so that whenever the database on the PDC is updated, copies are written to each BDC, a process called replication or automation duplication.
BDCs use their copy of the SAM database to authenticate users as they log on, thereby relieving the PDC of the burden of the authentication function.
This sharing of functions improves performance in domains with many (more than 1000) workstations. Workstations on the domain are in the lower part. A Windows NT network can contain these OSs functioning in these ways: Windows NT Server functioning as a PDC, a BDC, or a stand-alone server (a server on the network that has no domain controller functions); Windows NT Workstation functioning as a workstation or as a stand-alone server; and Windows 9x.
User accounts are used on PCs to control who has access to what programs, files, and other resources on a PC or network. When using DOS and Windows 9x, the only all-encompassing security is a power-on password, which is a function of the ROM BIOS rather than the OS.
Windows NT, however, provides an all-encompassing security feature to the PC. In order for a user to gain access to a computer, the user must have a user account on that computer, which, in a workgroup, must be set up on each computer or, in a domain, can be set up from the centralized domain server. During the Windows NT installation, an administrator account is always created.
An administrator has rights and permissions for all computer software and hardware resources.
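The workgroup and domain roles described above can be checked on a live host. The following script is an added example, not part of the original text; it assumes a current Windows system with PowerShell 5.1 or later rather than Windows NT 4.0 itself. It reports the machine's role and, where the machine keeps its own account database, lists those accounts and flags the ones with administrator rights.

```powershell
# Added example. Assumes PowerShell 5.1+ on a current Windows host (not NT 4.0).
# DomainRole values are those documented for the Win32_ComputerSystem WMI class.
$roleNames = @{
    0 = 'Stand-alone workstation (workgroup)'
    1 = 'Member workstation (domain)'
    2 = 'Stand-alone server (workgroup)'
    3 = 'Member server (domain)'
    4 = 'Backup domain controller'
    5 = 'Primary domain controller'
}

$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$role = [int]$cs.DomainRole   # cast so the lookup matches the Int32 keys above

[pscustomobject]@{
    Computer          = $cs.Name
    Role              = $roleNames[$role]
    PartOfDomain      = $cs.PartOfDomain
    DomainOrWorkgroup = $cs.Domain   # holds the workgroup name when not in a domain
} | Format-List

if ($role -ge 4) {
    # Domain controllers have no separate local account database to list.
    Write-Output 'Domain controller: accounts are held in the domain directory database.'
}
else {
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
    # used instead of the group name so the check works on localized systems.
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { $_.SID.Value })

    # Every account listed here exists only in this machine's own database.
    Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Account          = $_.Name
            Enabled          = $_.Enabled
            IsAdministrator  = $adminSids -contains $_.SID.Value
            PasswordRequired = $_.PasswordRequired
            LastLogon        = $_.LastLogon
        }
    } | Sort-Object -Property IsAdministrator, Enabled -Descending |
        Format-Table -AutoSize
}
```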
When Windows NT first boots, someone must log on before the OS can be used. The logon screen is displayed when you press the Ctrl, Alt, and Del keys together.
(Remember that these keystrokes in the DOS and Windows 9x environment are used to soft boot.)
To log on, enter a username and password and click OK. Windows NT tracks which user is logged on to the system and grants rights and permissions according to the user’s group or to specific permissions granted to this user by the administrator.
Administering a Network
Besides access to the network, permissions granted to a user and the OS environment that the user has are also controlled by the administrator.
An administrator can create user groups and assign restrictions and rights to the entire group that apply to all users. Or, an administrator can assign individual restrictions and rights to a single user.
A user profile is a special file with a .usr file extension that contains information about the desktop configuration, sound, color, and resources that should be made available to a particular user.
The administrator can modify a user profile or group profile to control the types of changes a user can make to his or her environment, including the ability to install or configure software or hardware.
In a typical office environment, a single administrator is responsible for maintaining and supporting the hardware and software of many PCs. An administrator usually controls what users can do through user profiles, most commonly giving users just enough rights and permissions to perform their jobs, but not enough to alter hardware or software settings.
Thus, users may be denied the ability to set an environmental variable, install a printer, install software, or do any other chores that change the PC software or hardware environment. In many office environments, gone are the days when employees could bring that favorite screensaver or game to work and install it on their PC.
Using Windows NT Server, an administrator can set profiles for an entire network of workstations from his or her PC and can allow users to move from PC to PC with their profiles following them.
Creating a User Account
User accounts are created and managed by the User Manager portion of Windows NT. Follow these directions to set up a new account.
1. Click on Start, Programs, Administrative Tools, and then select User Manager. The User Manager screen is displayed. The default user accounts, those that NT sets