Working with Domains

AD domain hierarchy: Site, domain, OU. Sites (physical division of domain) , domains (domain administrator) and OUs (logical division of domain). Sites used to control replication over WAN links.

• Offer centralised accounts database
• roaming profiles
• directory services (directory of shared resources)
• intellimirror (user data and settings management, software installation)

XP Home cannot join a domain. Differences on XP in a domain:

• uses classic logon screen
• supports logon scripts
• no password hints or password reset disks
• no Fast User Switching
• Simple File Sharing not available in a domain (although selected by default)
• share access by users only (no Guest access)
• shared documents, if previously configured, remain available to local user accounts
• Network setup wizard not available
• classic user accounts console only
• Group Policy is more comprehensive and centrally managed in an AD domain
• internet time tab not available in AD domain: XP always synchronises with AD Domain Controllers
• in NT4 domain, you can synchronise with domain controllers, netbios time server or NTP server (to synchronise in an NT domain use 'net time /domain /set /y')

When you join a domain, domain admins and domain users added to local groups.

Profiles

Local settings stored in Documents and Settings (or %systemroot%\profiles). Contents:

• Ntuser.dat: user portion of registry (HKCU)
• Ntuser.pol (NT4 domains only) contains system policy settings
• Cookies
• Desktop
• Favorites
• Local Settings, contains data and files that don't roam with the profile
• Application Data: machine specific
• History
• Temp
• Temporary Internet Files
• My Documents
• NetHood
• PrintHood
• Recent
• SendTo
• Start Menu
• Templates

Folder redirection is a feature of IntelliMirror, which allows you to redirect the following folders from profiles to a network share (or to the local computer):

1. My Documents
2. Application Data
3. Desktop
4. Start Menu

Use GPO in AD environments or System Policy in NT4 domains to configure redirection (Local Security Policy will not work). Roaming profiles copied to machine when user logs on. Changes merged to server when user logs off. Mandatory profiles cannot be changed by the user. Default User used to create profile at first logon if user has no roaming/mandatory profile. By default Default User is hidden and can be changed by administrators only. When configuring Default User, copy files to folder to ensure they inherit permissions correctly. Deleting Profiles using User Profiles from sysdm.cpl, ensures profile gets removed from registry (HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ProfileList). Users should have at least Read access to their profiles and Everyone should have full control of Documents and Settings folder (presumably this is not inherited by subfolders). Move 'My Documents' by right-clicking and choosing properties. In a Domain, use gpedit to redirect other folders

Group Policy

• manage registry-based policy
• assign scripts
• specify security options
• preferred method to configure uniform user settings

Group Policy scripts found at system32\GroupPolicy\user (logon/off) and machine (startup/shutdown). Access a remote computers policy via

'gpedit.msc /gpcomputer:'computername'

The Administrative Templates folders are extensible. The templates are stored in .adm files located at system32\GroupPolicy\Adm. Adding or removing templates does not change the underlying policy: merely whether it is displayed or not. Use filtering to view policies for particular OS or only configured policies. A GPO is a collection of Group Policy settings. In a domain, GPOs are applied at the domain level. Local group policy objects are stored as a series of files in system32\grouppolicy. Contents:

• gpt.ini: stores information about which extensions contain modified settings, and whether computer or user branch is disabled
• Adm: folder containing templates in use
• User: contains registry.pol file controlling user registry settings. Also contains subfolders for internet explorer maintenance tree and a scripts folder
• Machine: registry.pol file plus scripts folder

Configured policies are stored in regisrty.pol file. Registry.pol files are read into registry at startup and during periodic refresh. Avoid configuring policies for features that are already as required by default, e.g. enabling personalised menus. If the feature is already available, then there will be no need to configure this as a policy, and just adds extra registry processing at logon. Keys written to mirror keys in CurrentVersion\Policy, and take precedence over the keys they mirror. Default refresh period is 90miutes plus or minus 30. Use 'gpupdate' command to refresh immediately. Policies applied in following order:

• site
• domain
• OU

Inheritance in effect, and higher level in hierarchy overwrites lower level. Policy settings are cumulative: use 'gpresult' command to see RSoP or 'Help and Support, Use Tools, Advanced System Info, View Group Policy Settings'. Displays source of policy. Computer configuration settings take precedence over user settings. Default policy setting is 'not configured'. From root of console tree, properties show how many policies are set under 'revision'. By default all policies are set to 'not configured'. Deny read access to Group Policy folder to a particular group, means that group is not affected by user policy settings (machine policy settings are applied before logon). User rights are defined at 'computer configuration\windows settings\security\security settings\Local Policies\User Rights Assignment'.

Eventlog

Check CurrentControlSet\Services\Eventlog to see which applications write to which logs. Different sources can use the same event id numbers. Events on remote computers are adjusted to display time as localtime (using difference in GMT offsets between the two computers). Event descriptions are stored separately from the log (evt) files for localisation purposes. Each event type is mapped to descriptive text (CurrentControlSet\Services\Eventlog\Logname\eventsource). next to the previous and next buttons, there is a clipboard button to copy an event to the clipboard. You can also use Ctrl+C to copy the descriptive text. By default, each log file has 512 KB maximum size, and 7 days maximum age for events. Only administrators can clear eventlogs. When exporting eventlogs to non-evt format, you loose the binary data from each event, if any. Use 'Save As' to save the whole log, or 'Export List' to save the event visible with current filter. Ntbackup can backup eventlog files: don't try to copy them from system32\config folder (files are open). If eventlog files become corrupt:

• disable eventlog service
• reboot
• delete corrupt files
• re-enable and re-start the service

Third Party monitoring tools include: Wdumpevt, EventAdmin, Event Reporter, Event Log Monitor.

Auditing

Auditing can severely degrade performance. System must write an event record to the security log for each audit check the system performs. Auditing enabled via Local Security and can only be done by an administrator. Auditable events:

• logon events
• account management
• directory service access
• account logon events
• object access (must then be turned on at the object)
• policy change
• privilege use
• process tracking
• system events