Chapter 17:
Administering Windows Server 2008: The Basics
The primary reason you should pay attention to this subject before learning about
administration is that you should determine the appropriate network security early,
so that you can allow for it as you administer the network on a daily basis. Network
security doesn't need to take up much of your time, provided you set up your
administrative procedures so they presuppose the level of security you require. For
example, if you know what your password policies will be on the network, it takes
only a few seconds to ensure that new users have those policies set for their account.
If you know that you maintain a paper-based log of changes to security groups in the
network, then it takes only a second to follow this procedure as you change group
membership occasionally. Failing to determine these security practices and policies
early on will result in needing to undertake much larger projects as part of a security
review or audit. Security is an area where you're much better off doing things right the
first time!
Working with User Accounts
For anyone--including the administrator--to gain access to a server running Windows
Server 2008, the user must have an account established on the server or in the domain.
(A domain is essentially a collection of security information shared among Windows
servers.) The account defines the user name (the name by which the user is known to
the system) and the user's password, along with a host of other information specific
to each user. Creating, maintaining, and deleting user accounts is easy with Windows
Server 2008.
NOTE
Every account created for a Windows Server 2008 domain is assigned a special number,
called a security ID (SID). The server actually recognizes the user by this number. SIDs are said
to be "unique across space and time." This means that no two users will ever have the same SID,
even if they have the same user name and even the same password. This is because the SID is
made up of a unique number assigned to the domain and then a sequential number assigned to
each created account (with billions of unique user-specific numbers available). If you have a user
called Frank, delete that account, and then create another account called Frank, the accounts
will have different SIDs. This ensures that no user account will accidentally receive permissions
originally assigned to another user of the same name.
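The SID behavior in the note can be modeled in a few lines. This is an added example, not code from the book or from Windows: the Domain class, the helper functions, the starting number 1000, and the domain identifier are assumptions constructed for illustration. The sequential per-account number is commonly called the relative ID (RID).

```python
import re

# Domain account SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain identifier, per-account number) for a domain account SID."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))

class Domain:
    """Toy model (assumption): issues SIDs the way the note describes."""
    def __init__(self, domain_sid, first_rid=1000):
        self.domain_sid = domain_sid
        self.next_rid = first_rid      # sequential, never handed out twice
        self.accounts = {}             # user name -> SID of the live account

    def create(self, name):
        if name in self.accounts:
            raise ValueError(f"account {name!r} already exists")
        sid = f"{self.domain_sid}-{self.next_rid}"
        self.next_rid += 1
        self.accounts[name] = sid
        return sid

    def delete(self, name):
        del self.accounts[name]        # the number is not returned to the pool

def can_access(domain, acl, name):
    """Permissions are matched on the account's SID, never on its name."""
    return domain.accounts.get(name) in acl

def orphaned_entries(domain, acl):
    """ACL entries whose SID no longer belongs to any live account."""
    return sorted(set(acl) - set(domain.accounts.values()))

def demo():
    dom = Domain("S-1-5-21-1111111111-2222222222-3333333333")  # constructed value
    old_sid = dom.create("Frank")
    acl = {old_sid}                    # permission granted to the first Frank
    before = can_access(dom, acl, "Frank")
    dom.delete("Frank")
    new_sid = dom.create("Frank")      # same name, new SID
    after = can_access(dom, acl, "Frank")
    return old_sid, new_sid, before, after, orphaned_entries(dom, acl)

if __name__ == "__main__":
    print(demo())
```

The orphaned entry left behind by the deleted account is the kind of item a later permissions review has to find and remove.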
To maintain user accounts, you use the Active Directory Users and Computers
console. You can open this console by clicking the Start menu, choosing Programs, and
then selecting Administrative Tools. To accomplish activities in the console, you first
select either a container in the left pane or an object in the right pane, and then either
right-click the container or object or open the Action pull-down menu and choose
from the available options. Because the available options change based on the selected
container or object, first selecting an object with which to work is important.