As we have learned again and again, group policy is a cornerstone of Windows 2000 administration. The ultimate objective is to set policy, which is a high-level management task. The Group Policy Editor is used for this task. The policies are set at four levels:

• Local
• Site
• Domain
• OU

Also…

• Local computer policy, the Group Policy settings for a local computer, and

• The Group Policy Object, any single set of settings.

A. Start the Group Policy Editor

Exercise 12-1 on page 648 walks through the use of the Group Policy Editor. Pay attention to the Security Settings in Figure 12-1 on page 649.

B. Account Security Policies

Users and Passwords overview

Users and Passwords, in Control Panel, allows you to add users to your computer and to add users to a group. In Windows 2000, permissions and user rights usually are granted to groups. By adding a user to a group, you give the user all the permissions and user rights assigned to that group.

C. Account Lockout Policy

The account lockout policy is for domain or local user accounts, and determines when and for whom an account will be locked out of the system. For example, it can be set so that an incorrect password entered x number of times results in a lockout, or that after a specific period of waiting for the correct password the system performs a lockout.

D. Audit Policy

The following are two advanced security features of Windows 2000: Account Lockout Policy shown in Figure 12-4 on page 654 and Audit Policy, shown in Figure 12-5 on page 655.

Auditing is different from administering. Its purpose is an extension of monitoring for the purpose of improving the system and its security for users. The Scenario & Solution on page 659 reviews some auditing practices.

E. User Rights Assignment

Review the key user rights below. Some rights are a restriction or withholding of rights. Figure 12-6 on page 660 shows how to access user rights.

• Access This Computer from the Network
• Take Ownership of Files or Other Objects
• Act as Part of the Operating System

Be sure to review the principles of ownership outlined in From the Classroom on page 661, as this is essential to understanding user rights.

F. Group Policy Configuration

Encryption is a powerful new feature with Windows 2000, and summarize the following points:

• Encryption depends on NTFS.
• Encryption and compression cannot be applied simultaneously.
• Access to encrypted files is slower.
• File encryption is unique to the user who encrypted it, and transparent to the user who does not have access.
• EFS uses a public key/private key encryption scheme.
• EFS comes with a built-in recovery scheme.

The Exam Watch on page 666, which explains how a folder is marked, not actually encrypted.

A. Moving Your Private Key

B. Recovery Agents

This outstanding feature in Windows 2000 permits recovering lost private keys.

C. The Cipher Command

The cipher command line command and its switches can be used to encrypt and un-encrypt.

Summarize the chapter with the Scenario & Solution on page 670. 

Managing users accounts is about managing rights and permissions, using established policies.

A. Creating and Managing User Accounts

User accounts are created on the Member Server, and usernames can be up to 20 characters in length, helping to reinforce security and privacy.

C. Creating and Managing Local Groups

These attributes make each user, and their profile, unique:

• Desktop settings
• Applications
• Personal data
• Logon and authentication

There are three kinds of profiles:

• Local, for use on a specific computer.
• Nonmandatory roaming, for accessing multiple computers at will. Note the need for a hidden file in the Exam Watch on page 680.
• Mandatory roaming, for the user on a single roaming computer (such as a remote laptop).