Chapter 10: Rights, User, and Group Administration

Upload: charla-jones

Post on 04-Jan-2016


Rights

• A right is the ability to perform an action.

• Rights include the ability to log on to a computer, print to a printer, open a file, or create a user account.

• Default rights: Automatically assigned by the operating system. Include ability to log on and run certain programs.

• A policy is a collection of rights assigned to a user or computer.

• Through policies, administrators can control the allocation of rights.


Permissions

• A permission is a type of right.

• Permissions allow or deny access to a particular object. Objects include files, folders, and printers. Permissions also include the ability to modify and delete objects.

For example: To edit a document, a user needs to be able to access it and to modify it.

• Permissions also include the ability to execute an object, usually an application file.

For example: You allow one group of users to execute a certain application, but deny access to another group of users.

• Folders have special permissions such as list and create. Without these permissions a user cannot view files in a folder or create new files in that folder.


Windows Rights

• Windows rights are assigned using group policy.

• Group policies can be assigned on the domain level, the LAN level, and to specific collections of users on the basis of their organizational unit.

• Windows allows multiple users and groups to be assigned different permissions to an object. This list of permissions is known as an ACL (Access Control List).


Linux Rights

• Linux rights are assigned using configuration files.

• You edit the configuration file of a particular application or service and list the accounts or groups which are able to control that application or service.

• Linux does not natively support ACL. Permissions can only be assigned for one user, one group, and all users. The possible permissions are read, write, and execute. These are represented in the file system as shown.

-rwxrw-r-- 1 orin managers 1010 July 18 02:22 file.txt

In the above example, user orin has read, write, and execute permissions. The managers group has read and write permissions, and everyone else has read permissions.
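The owner/group/other evaluation described above, as an added example (not part of the original slides): it parses the listing line and decides which single permission triad applies to a given user. The `/etc/group` excerpt and the users dana and lee are constructed; membership is taken only from that excerpt (no primary group from /etc/passwd), and root's override and the setuid/setgid/sticky bits are not modelled.

```python
from dataclasses import dataclass

# Constructed sample data: the listing line from the slide (in the lowercase
# form ls prints) and a made-up /etc/group excerpt.
LISTING = "-rwxrw-r-- 1 orin managers 1010 July 18 02:22 file.txt"
ETC_GROUP = """\
managers:x:1001:orin,dana
staff:x:1002:dana,lee
"""

@dataclass
class Entry:
    mode: str   # ten-character mode string, e.g. -rwxrw-r--
    owner: str
    group: str
    name: str

def parse_listing(line):
    """Split one `ls -l` line into the fields that drive the access decision."""
    fields = line.split()
    mode = fields[0]
    if len(mode) != 10:
        raise ValueError(f"unexpected mode string: {mode!r}")
    return Entry(mode=mode, owner=fields[2], group=fields[3], name=fields[-1])

def parse_groups(text):
    """Map group name -> set of member names from /etc/group formatted text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups

def effective_access(entry, user, groups):
    """Return (class, rights) for user. Exactly one class applies:
    owner first, then group, then other. The triads are never combined."""
    if user == entry.owner:
        cls, triad = "owner", entry.mode[1:4]
    elif user in groups.get(entry.group, set()):
        cls, triad = "group", entry.mode[4:7]
    else:
        cls, triad = "other", entry.mode[7:10]
    names = {"r": "read", "w": "write", "x": "execute"}
    return cls, {names[c] for c in triad if c in names}
```

Because only one class is consulted, an owner whose triad is narrower than the group triad gets the narrower rights even when the owner is also a member of that group.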


Novell Rights

• A trustee is an object (can be a user or group) trusted to perform specific actions to or with a network resource.

• Novell has file system rights, entry rights, object rights, property rights, selected property rights, directory attributes and file attributes.


Accounts

• An account represents an individual identity to the operating system.

• There are several account types:

User accounts: assigned to people

System accounts: assigned to services

Computer accounts: assigned to computers

• Individual accounts can be assigned rights, though it is good practice to assign rights to groups and then add user accounts to the group.

• The list of accounts is known as the account database.


Local and Centralized Accounts

• A local account is stored in a single computer’s account database.

• A local account can only be assigned rights on the computer which hosts it.

• Local accounts are managed by a local administrator.

• Centralized accounts are located in databases such as Active Directory or eDirectory.

• A centralized account can be assigned rights to any resource located within the domain.


• Centralized accounts are managed by centralized administrators.

• A local administrator can assign rights on the local machine to a centralized account.

• A centralized administrator cannot assign rights on the local computer unless they have been also assigned local administrator rights on that computer.


Creating a Windows User

Enter user first name, last name, and logon name.

Enter temporary password and ensure that user is forced to change password at next logon.

Review summary and click Finish.

Edit user properties and add user to appropriate groups.


Linux Accounts

Linux accounts can be added using the adduser command, the Webmin utility, or X-Windows utilities such as Red Hat User Manager.

Secure Linux systems use a shadow password file, which stores information in encrypted format.

Administrator account is called root and cannot log on remotely. A user can elevate their rights using the su command.
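A check an administrator could run to confirm the shadow arrangement described above, as an added example (not part of the original slides): it flags accounts whose password field is stored outside the shadow file, accounts with an empty shadow password, and UID 0 accounts other than root. Both file excerpts, the hash strings, and every account name except root and orin are constructed.

```python
# Constructed sample files in /etc/passwd and /etc/shadow format
# (not taken from a real system; the hash strings are placeholders).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
orin:x:1000:1000:Orin:/home/orin:/bin/bash
legacy:$1$constructed$hash:1001:1001::/home/legacy:/bin/sh
backup:x:0:0:backup admin:/root:/bin/bash
guest:x:1002:1002::/home/guest:/bin/sh
"""
SHADOW = """\
root:$6$constructed$hash:19000:0:99999:7:::
orin:$6$constructed$hash:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

LOCKED = {"*", "!"}  # markers meaning "no usable password"

def parse_shadow(text):
    """Map account name -> password field from /etc/shadow formatted text."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            entries[fields[0]] = fields[1]
    return entries

def audit_accounts(passwd_text, shadow_text):
    """Return (account, finding) pairs in passwd order."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, pw, uid = line.split(":")[:3]
        if pw == "x":  # "x" means the real field lives in the shadow file
            if name not in shadow:
                findings.append((name, "no shadow entry"))
            elif shadow[name] == "":
                findings.append((name, "empty password in shadow"))
        elif pw not in LOCKED:
            findings.append((name, "password field kept in passwd, not shadow"))
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
    return findings

if __name__ == "__main__":
    for account, finding in audit_accounts(PASSWD, SHADOW):
        print(f"{account}: {finding}")
```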


Novell Accounts

• User accounts are created using an administrative utility such as ConsoleOne or iManager.

• Each user account requires a unique user identifier and a last name.

• All Novell accounts are network accounts and can be assigned rights to resources and objects stored within eDirectory.


Groups

• Groups are collections of accounts.

• Some operating systems have built-in groups that have special rights assigned to them.

For example: Any user that is a member of the Administrators group on Windows Server 2003 has Administrator rights.

• Best practice on all operating systems is to assign rights to groups and then add users to groups.

• It is easy then for an administrator to ascertain which users have been assigned a particular right (all members of that group). It is easier to remove users from a group than it is to remove rights from individual user accounts.


Windows Groups

Distribution Group. Used only for the delivery of e-mail.

Security Group. Used for assigning rights and permissions.

Domain Local Group. Used to assign rights and permissions to a group of users within a domain. Only visible to one domain.

Global Groups. Visible to all domains in forest, can only contain users from one domain.

Universal Groups. Visible to all domains in the forest. Can contain users from any domain in the forest.

The type of group you use depends on your forest structure. Universal groups require information to regularly be replicated to each domain. Single domain environments should use domain local groups.


Linux and Novell Groups

• Linux has local groups.

• Members are stored in the /etc/group file.

• Multiple groups cannot be assigned permission to a file or folder within Linux.

• NetWare only has one type of group, which is visible to all parts of eDirectory.

• An organizational role object is an object within eDirectory that represents a role within an organization. Used to assign special rights like the ability to back up files.


Summary

• Rights enable users to perform actions.

• Permissions are a special type of right used to mediate access to resources on the LAN.

• Rights on Windows computers are allocated through group policy.

• Rights on Linux computers are allocated by editing configuration files.

• Accounts represent individual entities to the operating system.

• Groups are collections of accounts.

• Groups are used to simplify the administration process.


Discussion Questions

What are the benefits of assigning rights to groups rather than individual users?

What is the difference between a Windows domain local and universal group?

What is the primary difference between file permissions in Linux as opposed to file permissions in Novell or Windows?

What is the difference between a right and a policy?

Explain the difference between a centralized and a local account.