Default Domain Policy

Microsoft Windows Server 2008

Aaron Tiensivu , in Securing Windows Server 2008, 2008

Fine-Grain Password and Account Lockout Policies

Windows Server 2008 creates a Default Domain Policy GPO, linked at the domain root, for every domain in the forest. That GPO is where the domain-wide account policies live: password expiration, account lockout and Kerberos settings for domain accounts are read only from GPOs linked at the domain root, so the same settings placed in a GPO linked to an OU affect only the local accounts of the computers in that OU, not domain accounts.

You can use fine-grained password and account lockout policy (new in Windows Server 2008, and requiring the Windows Server 2008 domain functional level) to apply custom password and lockout settings to individual users and global security groups within a domain, overriding the Default Domain Policy for just those principals.

The domain password policy allows you to specify a range of password security options, including how frequently users change their passwords, how long passwords must be, how many unique passwords must be used before a user can reuse one, and how complex passwords must be.

You can use account lockout to blunt online brute-force password guessing. Without it, an attacker can try username/password combinations against the domain as fast as the domain controllers will answer. Lockout turns that into a slow and noisy attack, but it also hands an attacker a way to lock legitimate users out on purpose, so the lockout threshold, lockout duration and counter-reset window have to be chosen together rather than each set as tightly as possible.
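As an added example (not code from the book), here is the policy pair above driven from the ActiveDirectory PowerShell module, which shipped with Windows Server 2008 R2 and so is newer than the book's toolset: it shows what the Default Domain Policy enforces, creates a fine-grained password policy (PSO), attaches it to a global security group, and reports which policy actually governs a given user. The PSO, group and user names are placeholders.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory RSAT module,
# a Windows Server 2008 (or later) domain functional level, and the placeholder
# names below.
Import-Module ActiveDirectory

$psoName  = 'PSO-PrivilegedAccounts'   # placeholder PSO name
$group    = 'Tier0-Admins'             # placeholder global security group
$testUser = 'jsmith'                   # placeholder user

# 1. What the Default Domain Policy enforces for everyone not covered by a PSO.
$default = Get-ADDefaultDomainPasswordPolicy
'Default Domain Policy: minlen={0} history={1} maxage={2} lockout threshold={3}' -f `
    $default.MinPasswordLength, $default.PasswordHistoryCount,
    $default.MaxPasswordAge, $default.LockoutThreshold

# 2. Create the PSO if it does not exist. Every attribute is mandatory on the
#    msDS-PasswordSettings object, so all of them are given. A lower Precedence
#    value wins when a user is covered by more than one PSO.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 15 -PasswordHistoryCount 24 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}

# 3. PSOs apply to users and global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# 4. Resultant policy for a user. An empty result means no PSO applies and the
#    Default Domain Policy settings printed above are in force.
function Get-EffectivePasswordPolicyName {
    param([string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { return $pso.Name } else { return 'Default Domain Policy' }
}
'{0} is governed by: {1}' -f $testUser, (Get-EffectivePasswordPolicyName $testUser)
```

The resultant-policy check is the part worth keeping in a runbook: PSOs are easy to create and easy to shadow with a second PSO of lower precedence, and the only reliable way to know what a particular account is subject to is to ask for its resultant policy rather than to read the GPO.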

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781597492805000031

Mitigating Network Vulnerabilities

Thomas W. Shinder , ... Debra Littlejohn Shinder , in Windows Server 2012 Security from End to Edge and Beyond, 2013

Define the Address Space of Your Intranet Network

1. In the Group Policy Management snap-in (gpmc.msc), open the Default Domain Policy.

2. From the Group Policy Management Editor, expand Computer Configuration, Policies, Administrative Templates, Network and then click Network Isolation.

3. In the right pane, double-click Private network ranges for apps.

4. In the Private network ranges for apps dialog box, click Enabled. In the Private subnets text box, type the private subnets for your intranet (separated by commas).

5. Double-click Subnet definitions are authoritative. Click Enabled if you want the subnet definitions that you previously created to be the single source for your subnet definition.
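As an added example (not from the book), the same two policy settings scripted with the GroupPolicy module, written to a dedicated GPO rather than the Default Domain Policy, with the subnet list validated before it goes anywhere near the policy. The GPO name and subnets are placeholders. The two registry value names are the ones I understand the NetworkIsolation.admx template writes for the policies in steps 3 to 5 (DomainSubnets and DomainSubnetsAuthoritative); that mapping is an assumption to confirm against the ADMX file in your own central store.

```powershell
# Added example (not from the book). Assumes the GroupPolicy RSAT module; GPO name
# and subnets are placeholders; the registry value names are assumed from the
# NetworkIsolation.admx template and should be verified there.
Import-Module GroupPolicy

$gpoName = 'Network Isolation - Intranet Ranges'               # placeholder
$subnets = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')  # placeholder ranges
$key     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'

# Validate every entry as an IPv4/IPv6 prefix first: a typo here silently changes
# what apps are allowed to treat as "private network".
function Test-CidrPrefix {
    param([string]$Prefix)
    $parts = $Prefix -split '/'
    if ($parts.Count -ne 2) { return $false }
    $ip = $null; $bits = 0
    if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip)) { return $false }
    if (-not [int]::TryParse($parts[1], [ref]$bits)) { return $false }
    $maxBits = if ($ip.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
    return ($bits -ge 0 -and $bits -le $maxBits)
}
$bad = @($subnets | Where-Object { -not (Test-CidrPrefix $_) })
if ($bad.Count -gt 0) { throw "Invalid subnet definition(s): $($bad -join ', ')" }

# Use a dedicated GPO rather than editing the Default Domain Policy.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

# Step 4: "Private network ranges for apps" - a comma-separated list, as in the dialog.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'DomainSubnets' `
    -Type String -Value ($subnets -join ',') | Out-Null
# Step 5: "Subnet definitions are authoritative" - 1 means Enabled.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'DomainSubnetsAuthoritative' `
    -Type DWord -Value 1 | Out-Null

# Read back what the GPO now carries; link it with New-GPLink once satisfied.
Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Type, Value
```

The authoritative flag is the security-relevant half: without it, a client merges these ranges with whatever it discovers on its own, so the list you wrote is a floor rather than a definition of "intranet".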

Full chapter: https://www.sciencedirect.com/science/article/pii/B978159749980400011X

MCSA/MCSE 70-294: Working with Group Policy in an Active Directory Environment

Michael Cross , ... Thomas W. Shinder Dr. , in MCSE (Exam 70-294) Study Guide, 2003

Automatically Enrolling User and Computer Certificates

If your organization is using Certificate Services to manage user and computer certificates, you might want to enable autoenrollment of the certificates. Your certification authorities (CAs) need to be configured to support autoenrollment, but without enabling this setting in policy, users have to go through a manual process to enroll.

You will set the autoenrollment policy in both the user configuration and the computer configuration of the GPO. Since you will probably want the settings to apply to all systems in the organization, enable the settings in the Default Domain Policy object at the root of each domain in the organization. Follow these steps to enable this security setting:

1. Open Active Directory Users and Computers.

2. Right-click the domain container in the console tree and select Properties.

3. Click the Group Policy tab and select the Default Domain Policy.

4. Click Edit to open the Group Policy Object Editor.

5. Expand the Computer Configuration object, and then the Windows Settings object.

6. Expand the Security Settings object, and then select the Public Key Policies object.

7. Double-click the Autoenrollment Settings object in the right-hand pane.

8. Click the Enroll certificates automatically option button.

9. Enable the Renew expired certificates, update pending certificates, and remove revoked certificates check box.

10. Enable the Update certificates that use certificate templates check box. Your settings should now appear as shown in Figure 9.28.

Figure 9.28. Configuring Autoenrollment Settings

11. Click Apply, and then click OK.

12. Expand the User Configuration object in the console tree, and then the Windows Settings object.

13. Expand the Security Settings object, and then select the Public Key Policies object.

14. Double-click the Autoenrollment Settings object in the right-hand pane.

15. Click the Enroll certificates automatically option button.

16. Enable the Renew expired certificates, update pending certificates, and remove revoked certificates check box.

17. Enable the Update certificates that use certificate templates check box.

18. Click Apply, and then click OK.

If your organization has multiple domains, repeat this process for each domain in the environment. Remember that only systems running Windows 2000 or later will be able to participate in autoenrollment of certificates.
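As an added example (not from the book), the eighteen steps above as a script, followed by the check a practitioner actually wants: whether a client enrolled. It uses the GroupPolicy module (Windows Server 2008 R2 or later, so newer than the book's 2003 tooling). It also assumes, and you should verify in your own GPO editor, that the Autoenrollment Settings dialog stores its state in the AEPolicy registry value, with 7 meaning "enabled with both check boxes" and 0x8000 meaning disabled.

```powershell
# Added example (not from the book). Assumes the GroupPolicy RSAT module and the
# AEPolicy value mapping described in the lead-in (verify it before relying on it).
Import-Module GroupPolicy

$gpoName  = 'Default Domain Policy'     # as in the book; a dedicated GPO is the usual choice
$aePolicy = 0x1 -bor 0x2 -bor 0x4       # enabled + renew/pending/revoked + update templates

# HKLM = Computer Configuration (steps 5-11), HKCU = User Configuration (steps 12-18).
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AEPolicy' -Type DWord -Value $aePolicy | Out-Null
    $v = Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AEPolicy'
    '{0}: AEPolicy = {1}' -f $hive, $v.Value
}

# On a domain member, after the policy has refreshed: trigger an autoenrollment
# pass and read the client's own verdict. Policy alone is not enough - the
# template must be published on an enterprise CA and grant Read, Enroll and
# Autoenroll to the computer or user, and the log is where a missing permission
# shows up.
function Get-AutoEnrollmentEvents {
    param([int]$Newest = 5)
    gpupdate /target:computer /force | Out-Null
    certutil -pulse | Out-Null
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}
Get-AutoEnrollmentEvents
```

The check matters because the policy is only the client half of autoenrollment; the CA-side template permissions decide who gets a certificate, and a template that grants Autoenroll too broadly hands out authentication credentials to every principal in that group.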

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781931836944500155

MCSE/MCSA 70–294: Creating User and Group Strategies

Michael Cross , ... Thomas W. Shinder Dr. , in MCSE (Exam 70-294) Study Guide, 2003

1. From the Windows Server 2003 desktop, click Start | Administrative Tools | Active Directory Users and Computers.

2. Right-click the domain you want to administer, and then select Properties.

3. On the Group Policy tab, select the Default Domain Policy, and click the Edit button.

4. Navigate to the account lockout policy by clicking Computer Configuration | Windows Settings | Security Settings | Account Policies | Account Lockout Policy. You'll see the screen shown in Figure 3.7.

Figure 3.7. Account Lockout Policy Objects

Using Account Lockout Policy, you can configure the following settings:

Account lockout duration This option determines the amount of time that a locked-out account will remain inaccessible. Setting this option to 0 means that the account will remain locked out until an administrator manually unlocks it. Select a lockout duration that will deter intruders without crippling your authorized users; 30 to 60 minutes is sufficient for most environments.

Account lockout threshold This option determines the number of invalid logon attempts that can occur before an account will be locked out. Setting this option to 0 means that accounts on your network will never be locked out.

Reset account lockout counter after This option defines the amount of time in minutes after a bad logon attempt that the "counter" will reset. If this value is set to 45 minutes, and user jsmith types his password incorrectly two times before logging on successfully, his running tally of failed logon attempts will reset to 0 after 45 minutes have elapsed. Be careful not to set this option too high, or your users could lock themselves out through simple typographical errors.

5. For each item that you want to configure, right-click the item and select Properties. To illustrate, we create an Account lockout threshold of three invalid logon attempts. In the screen shown in Figure 3.8, place a check mark next to Define this policy setting, and then enter the appropriate value.

Figure 3.8. Configuring the Account Lockout Threshold
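As an added example (not from the book), a script that reads the three lockout values the domain actually enforces, compares them with what the Default Domain Policy GPO says, applies the consistency rule the dialog enforces, and works out what the numbers mean to someone guessing passwords online. It assumes the ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later) and that the XML report from Get-GPOReport names the three settings LockoutBadCount, LockoutDuration and ResetLockoutCount; treat those element names as an assumption to confirm against a report from your own domain.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory and GroupPolicy
# RSAT modules and the Get-GPOReport element names noted in the lead-in.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# What domain accounts are subject to right now (the domain head object).
$live = Get-ADDefaultDomainPasswordPolicy
$enforced = @{
    Threshold = $live.LockoutThreshold
    Duration  = [int]$live.LockoutDuration.TotalMinutes
    Window    = [int]$live.LockoutObservationWindow.TotalMinutes
}

# What the GPO itself carries, taken from its XML report.
[xml]$report = Get-GPOReport -Name 'Default Domain Policy' -ReportType Xml
$accounts = $report.GPO.Computer.ExtensionData |
    ForEach-Object { $_.Extension.Account } | Where-Object { $_ }
function Get-GpoAccountSetting {
    param([string]$Name)
    ($accounts | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).SettingNumber
}
$inGpo = @{
    Threshold = Get-GpoAccountSetting 'LockoutBadCount'
    Duration  = Get-GpoAccountSetting 'LockoutDuration'
    Window    = Get-GpoAccountSetting 'ResetLockoutCount'
}
'{0,-10} {1,8} {2,8}' -f 'Setting', 'Enforced', 'In GPO'
foreach ($k in 'Threshold', 'Duration', 'Window') {
    '{0,-10} {1,8} {2,8}' -f $k, $enforced[$k], $inGpo[$k]
}

# The dialog refuses a reset window longer than the lockout duration, except when
# the duration is 0 ("until an administrator unlocks"). Threshold 0 disables lockout.
function Test-LockoutTripleConsistent {
    param([int]$Threshold, [int]$Duration, [int]$Window)
    if ($Threshold -eq 0) { return $true }
    if ($Duration -eq 0)  { return ($Window -gt 0) }
    return ($Window -gt 0 -and $Window -le $Duration)
}

# Cost to an attacker who never trips the lock: (threshold - 1) guesses per account,
# then wait for the reset window to expire so the counter returns to 0, and repeat.
function Get-MaxGuessesPerDay {
    param([int]$Threshold, [int]$WindowMinutes)
    if ($Threshold -eq 0) { return [double]::PositiveInfinity }
    return [math]::Floor(($Threshold - 1) * (1440 / $WindowMinutes))
}

'Consistent: {0}' -f (Test-LockoutTripleConsistent @enforced)
'Max guesses per account per day without lockout: {0}' -f `
    (Get-MaxGuessesPerDay $enforced.Threshold $enforced.Window)
```

With the book's threshold of three and a 30-minute reset window, an attacker gets two guesses per account every half hour, 96 a day, without ever locking anyone out; a 24-hour window cuts that to two, and a threshold of one turns every typo into a lockout (and every lockout into a denial-of-service tool). Set-ADDefaultDomainPasswordPolicy can write these values straight to the domain head, but the Default Domain Policy GPO still holds its own copy, and a later policy refresh on the PDC emulator can reapply it, so make the durable change in the GPO as in the steps above and use the cmdlets to confirm the result.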

Full chapter: https://www.sciencedirect.com/science/article/pii/B978193183694450009X

Microsoft Windows Server 2008

Aaron Tiensivu , in Securing Windows Server 2008, 2008

Enabling Group Policy Settings for BitLocker and TPM Active Directory Backup

Here are the steps to follow to configure Group Policies for clients and servers to use BitLocker Active Directory Backup.

1. Log on with a domain administrator account to any domain controller.

2. Click Start, click All Programs, click Administrative Tools, and then click Group Policy Management.

3. In the Group Policy Management Console, expand the forest tree down to the domain level.

4. Right-click the Default Domain Policy and select Edit.

5. In the Group Policy Management Editor, open Computer Configuration, open Administrative Templates, open Windows Components, and then open BitLocker Drive Encryption.

6. In the right pane, double-click Turn on BitLocker backup to Active Directory.

7. Select the Enabled option, select Require BitLocker backup to AD DS, and click OK.

To further enable storage of TPM recovery information:

8. Open Computer Configuration, open Administrative Templates, open System, and then open Trusted Platform Module Services.

9. In the right pane, double-click Turn on TPM backup to Active Directory.

10. Select the Enabled option, select Require TPM backup to AD DS, and click OK.

Warning

In this example, we use the Default Domain Policy to configure Active Directory backup for BitLocker and TPM recovery information. In a real-world scenario you would create a new GPO that contains only the BitLocker-specific settings. Confirm as well that the forest schema contains the BitLocker and TPM recovery attributes (they are part of the Windows Server 2008 schema; a Windows Server 2003 forest needs the schema extension first), because with the Require options set, a backup that fails stops BitLocker from being turned on rather than silently skipping the backup.
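As an added example (not from the book), the same four settings done the way the Warning recommends, in a dedicated GPO, followed by the two checks that matter afterwards: that recovery information really lands under the computer object in AD, and that volumes encrypted before the policy existed get their recovery protectors backed up too. It assumes the GroupPolicy and ActiveDirectory modules on the management host and the BitLocker module (Windows 8/Server 2012 or later) on the client; names are placeholders, and the registry value names are what I understand the FVE and TPM ADMX templates write (ActiveDirectoryBackup and RequireActiveDirectoryBackup), which you should confirm against your own ADMX files.

```powershell
# Added example (not from the book). Registry value names are assumed from the
# BitLocker (FVE) and TPM ADMX templates; verify them before relying on this.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'BitLocker - AD Recovery Backup'   # placeholder
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
$settings = @(
    # Steps 6-7: "Turn on BitLocker backup to Active Directory" + "Require BitLocker backup to AD DS"
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'; Name = 'ActiveDirectoryBackup';        Value = 1 },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'; Name = 'RequireActiveDirectoryBackup'; Value = 1 },
    # Steps 9-10: "Turn on TPM backup to Active Directory" + "Require TPM backup to AD DS"
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\TPM'; Name = 'ActiveDirectoryBackup';        Value = 1 },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\TPM'; Name = 'RequireActiveDirectoryBackup'; Value = 1 }
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}
New-GPLink -Name $gpoName -Target (Get-ADDomain).DistinguishedName -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null

# Check 1: recovery information is stored as msFVE-RecoveryInformation objects that
# are children of the computer account. Reading msFVE-RecoveryPassword is exactly
# as sensitive as reading the volume, so delegate that attribute with care.
function Get-BitLockerRecoveryFromAD {
    param([string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        Select-Object Name, whenCreated, @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } }
}
Get-BitLockerRecoveryFromAD -ComputerName 'WS01'   # placeholder computer name

# Check 2 (run on the client): the policy only fires when a protector is created,
# so push the recovery password protectors of an already-encrypted volume up by hand.
function Backup-ExistingRecoveryProtectors {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | ForEach-Object {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId
    }
}
Backup-ExistingRecoveryProtectors -MountPoint 'C:'
```

On Windows Server 2008-era clients without the BitLocker module, the equivalent of the second check is manage-bde -protectors -adbackup C: -id {protector-id} for each numerical password protector.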

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781597492805000055

MCSE 70-293: Planning, Implementing, and Maintaining a Security Framework

Martin Grasdal , ... Dr. Thomas W. Shinder , in MCSE (Exam 70-293) Study Guide, 2003

Security Policies

Windows Server 2003 makes it easy to set security policies on local computers or for a domain, using Group Policy. To set security policies on a local computer, open the Local Security Policy GPO by selecting Start | All Programs | Administrative Tools and selecting Local Security Policy (you will not find this option on domain controllers). To set security policies in a domain, edit the default domain policy as follows:

1. Select Start | All Programs | Administrative Tools | Active Directory Users and Computers.

2. Right-click the domain node in the left pane and click Properties.

3. Choose the Group Policy tab.

4. Select the Default Domain Policy and click Edit.

5. In the left pane of the GPO Editor, expand Computer Configuration, then Windows Settings, then Security Settings.

In either case, you will see the following folders under Security Settings:

Account Policies Password, Account Lockout and Kerberos policy settings.

Local Policies Audit, User rights assignment and Security options, Guest account names, CD-Rom access, driver installation and logon prompts.

Public Key Policies Certificate enrollment and installation settings, and the creation and distribution of certificate trust lists.

Software Restriction Policies Hash rules, certificate rules, path rules and Internet zone rules that decide which software is allowed to run.

IP Security Policies Used to create and manage IPSec security policies.

In the case of the domain policy, you will also see other entries under Security Settings, including Restricted Groups, System Services, Registry, File System, and Wireless Networks.

Some of the most important aspects of your security strategy include the configuration of password policies, Kerberos policies, account lockout policies, and user rights policies. In the following sections, we will discuss each of these in more detail.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781931836937500154

Defining Protection Policies

Brien Posey , in GFI Network Security and PCI Compliance Power Tools, 2009

Active Directory Based Deployment

Even though GFI EndPointSecurity contains a built-in mechanism for deploying agents, you have the option of deploying agents through the Active Directory. If you look at Figure 9.9, you'll notice that there is a Deploy Through Active Directory option located in the Computers section. If you click on this link, you'll be taken to a screen that gives you the chance to save a copy of the agent to a location of your choice. In order for Active Directory based deployment to work correctly, you need to save this file to a central location that can be accessed by all of your domain controllers.

Figure 9.9. You Can Deploy an Agent Through the Active Directory

Once you have copied the file to an accessible location, it is time to configure the Active Directory to assign the agent to the target computers. Keep in mind that the Active Directory provides two different methods for deploying software. You can either assign applications, or you can publish them. In this case, it is better to assign the application, because assigning an application causes it to automatically be installed on the PC without any user intervention. In contrast, publishing an application gives end users the option of installing or uninstalling the application at will. If you would like to learn more about publishing and assigning applications, then check out my article at: www.brienposey.com/kb/assigning_and_publishing_applications.asp.

The steps that you would use to assign the agent through a group policy setting vary depending on which group policy you want to use. To assign the agent as a part of the domain policy, perform the following steps on a domain controller:

1. Open the Active Directory Users and Computers console.

2. Right-click on the container representing your domain, and choose the Properties command from the resulting shortcut menu.

3. When the domain's properties sheet appears, select the Group Policy tab.

4. Select the Default Domain Policy, as shown in Figure 9.10, and click the Edit button.

5. When the Group Policy Object Editor opens, navigate through the console tree to Computer Configuration | Software Settings | Software Installation.

6. Right-click on the Software Installation container, and select the New | Package commands from the resulting shortcut menus, as shown in Figure 9.11.

7. When prompted, select the agent installation package, and click Open.

8. If you see a message stating that Windows cannot verify that the path is a network location, make sure that you have opened the installation package through a Universal Naming Convention (UNC) path such as \\server\share\agent.msi rather than a local or mapped drive letter (the target computers install the package at startup and cannot resolve a drive letter that exists only on your console), and click Yes to use the path.

9. Choose the Assigned option from the Deploy Software dialog box, as shown in Figure 9.12.

10. Click OK.

Figure 9.10. Select the Default Domain Policy, and Click the Edit Button

Figure 9.11. Right-Click on the Software Installation Container, and Select the New | Package Commands From the Resulting Shortcut Menus

Figure 9.12. Choose the Assigned Option and Click OK

Active Directory deployment will only work if the managed machines are domain members and are subject to the Group Policy Object that you are using to assign the agent application.
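As an added example (not from the book or from GFI), a pre-flight check to run before a computer-assigned package goes into a GPO. Step 8 above is the symptom of the most common mistake (a drive letter); the next most common is a share the computer accounts cannot read, because assigned packages install at startup under the machine identity, not the user's. The path is a placeholder, and the script checks NTFS permissions only; the share-level permissions on the file server need the same principals.

```powershell
# Added example (not from the book or GFI). Checks the package path as the target
# computers will see it. Path is a placeholder.
function Test-GpoPackagePath {
    param([string]$PackagePath)
    $problems = @()

    # Must be a UNC path: a drive letter refers to something on *this* machine.
    if ($PackagePath -notmatch '^\\\\[^\\]+\\[^\\]+\\') {
        $problems += "Not a UNC path: $PackagePath"
    }

    if (-not (Test-Path -LiteralPath $PackagePath)) {
        $problems += "Package not found: $PackagePath"
        return $problems
    }

    # Assigned packages must be Windows Installer packages (.zap files can only be published).
    if ([System.IO.Path]::GetExtension($PackagePath) -ne '.msi') {
        $problems += "Assigned packages must be .msi files: $PackagePath"
    }

    # The computer account needs Read. Machine accounts are members of Domain Computers
    # and Authenticated Users, so one of those (or Everyone) must have an Allow ACE.
    $acl = Get-Acl -LiteralPath $PackagePath
    $readers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -match 'Read|Modify|FullControl') -and
        ($_.IdentityReference.Value -match 'Domain Computers|Authenticated Users|Everyone')
    }
    if (-not $readers) {
        $problems += "No Read ACE for Domain Computers / Authenticated Users / Everyone on $PackagePath"
    }
    return $problems
}

$pkg = '\\fileserver\deploy$\EndPointSecurityAgent.msi'   # placeholder
$issues = Test-GpoPackagePath -PackagePath $pkg
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { "OK: $pkg is ready to assign" }
```

One more consequence of the book's choice in step 4: a package assigned in the Default Domain Policy is installed on every computer in the domain, domain controllers included. Scope it with a dedicated GPO linked to the workstation OU, or with security filtering, so that a security agent meant for endpoints is not pushed onto servers untested.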

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781597492850000091

MCSA/MCSE 70-294: Active Directory Infrastructure Overview

Michael Cross , ... Thomas W. Shinder Dr. , in MCSE (Exam 70-294) Study Guide, 2003

Command-Line Tools

Windows Server 2003 provides a number of command-line tools that you can use for managing Active Directory. These tools use commands typed in at the prompt, and can provide a number of services that are useful in administering the directory. The command-line tools for Active Directory include:

Cacls Used to view and modify discretionary access control lists (DACLs) on files.

Cmdkey Used to create, list, and delete usernames, passwords, and credentials.

Csvde Used to import and export data from the directory.

Dcgpofix Restores the Default Domain Policy and Default Domain Controllers Policy GPOs to the state they were in when the domain was created.

Dsadd Used to add users, groups, computers, contacts, and OUs.

Dsget Displays the properties of an object in Active Directory.

Dsmod Used to modify users, groups, computers, servers, contacts, and OUs.

Dsmove Renames an object without moving it, or moves an object to a new location.

Ldifde Used to create, modify, and delete objects from Active Directory.

Ntdsutil Used for general management of Active Directory.

Whoami Provides information on the user who's currently logged on.

In the sections that follow, we will briefly discuss each of these tools, and show you how they can assist you in performing certain tasks when administering Active Directory.

Cacls

Cacls is used to view and modify the permissions a user or group has to a particular resource. Cacls provides this ability by allowing you to view and change DACLs on files. A DACL is a listing of access control entries (ACEs) for users and groups, and includes permissions the user has to a file. The syntax for using this tool is:

Cacls filename

Cacls also has a number of switches, which are parameters you can enter on the command line to use a specific functionality. Table 1.1 lists the switches for Cacls.

Table 1.1. Switches for the Cacls Tool

Parameter Description
/t Change the DACLs of files in the current directory and all subdirectories.
/e Edit the DACL.
/r username Revokes the specified user's access (only valid together with /e).
/c Ignore any errors that might occur when changing the DACL.
/g username permission Grants rights to a specified user. Rights that can be granted are: n (None), r (Read), w (Write), c (Change), and f (Full Control).
/p username permission Replaces the rights of a specified user. The rights that can be replaced are: n (None), r (Read), w (Write), c (Change), and f (Full Control).
/d username Denies access to a specified user.
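As an added example (not from the book), a demonstration of why the /e switch is the one that matters: without it, cacls replaces the file's DACL with the single ACE you name; with it, cacls edits the existing DACL. It runs in a scratch directory on any Windows host and uses the built-in Users group as the principal.

```powershell
# Added example (not from the book). Creates two scratch files and applies the
# same grant to each, once without /e and once with it, then shows both DACLs.
$dir = Join-Path $env:TEMP 'cacls-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$principal = 'Users'   # built-in group, stands in for a real user or group

function Get-DaclSummary {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
    }
}

$replaced = Join-Path $dir 'replaced.txt'; 'x' | Set-Content -LiteralPath $replaced
$edited   = Join-Path $dir 'edited.txt';   'x' | Set-Content -LiteralPath $edited

'Before:'; Get-DaclSummary $replaced

# Without /e cacls REPLACES the DACL with the one ACE named here. It asks
# "Are you sure (Y/N)?" before doing so, which the piped 'Y' answers.
'Y' | cacls $replaced /g "${principal}:R" | Out-Null

# With /e cacls EDITS the DACL: the new ACE is added and the existing ones stay.
cacls $edited /e /g "${principal}:R" | Out-Null

'After, without /e:'; Get-DaclSummary $replaced
'After, with /e:';    Get-DaclSummary $edited
```

Compare the two listings: the file handled without /e keeps only the ACE you named, which is how a well-meant "grant Read" ends up stripping the entries for SYSTEM and Administrators. cacls has been deprecated since Windows Vista; icacls (whose /grant edits rather than replaces) or Get-Acl/Set-Acl are the supported replacements, but the same replace-versus-edit question applies whichever tool you use.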

Cmdkey

Cmdkey is used to create, view, edit, and delete the usernames, passwords, and credentials stored for the logged-on user (the Windows credential store). This lets you stay logged on with one account while connections to a particular server or domain are made with another set of credentials. As with the other command-line tools we'll discuss, cmdkey has a number of switches that provide the parameters the tool needs. Table 1.2 lists these parameters.

Table 1.2. Switches for the Cmdkey Tool

Parameter Description
/add:targetname Adds a username and password to the list, and specifies the computer or domain (using the targetname parameter) with which the entry will be associated.
/generic Adds generic credentials to the list.
/smartcard Instructs cmdkey to retrieve credentials from a smart card.
/user: username Provides the username with which this entry is to be associated. If the username parameter isn't provided, you will be prompted for it.
/pass: password Provides the password to store with this entry. If the password parameter isn't provided, you will be prompted for it, which is the better choice: a password typed on the command line can be recorded in the command history and seen in process listings.
/delete: {targetname | /ras} Deletes the username and password from the list. If the targetname parameter is provided, the specified entry will be deleted. If /ras is included, the stored remote access entry is deleted.
/list: targetname Lists the stored usernames and credentials. If the targetname parameter isn't provided, all of the stored usernames and credentials will be listed.

Csvde

Csvde is used to import and export data from Active Directory. The data is comma-delimited, so that a comma separates each value. Exporting data in this way allows you to then import it into other applications (for example, Microsoft Office tools such as Access and Excel). Table 1.3 lists the parameters for this command.

Table 1.3. Switches for the Csvde Tool

Parameter Description
-i Used to specify the import mode.
-f filename Specifies the filename to import or export data to.
-s servername Sets the DC that will be used to import or export data.
-c string1 string2 Replaces the value of string1 with string2. This is often used when importing data between domains, and the DN of the domain data is being exported from (string1) needs to be replaced with the name of the import domain (string2).
-v Verbose mode.
-j path Specifies the location for log files.
-t portnumber The portnumber parameter is used to specify the LDAP port number. By default, the LDAP port is 389 and the GC port is 3268.
-d BaseDN The BaseDN parameter is used to specify the DN of a search base for data export.
-p scope Used to set the search scope. The value of the scope parameter can be Base, OneLevel, or SubTree.
-l LDAPAttributeList Specifies a list of attributes to return in an export query. If this parameter isn't used, then all attributes are returned in the query.
-o LDAPAttributeList Specifies a list of attributes to omit in an export query.
-g Used to omit paged searches.
-m Omits attributes that apply only to Active Directory objects and cannot be imported (such as objectGUID, objectSid, pwdLastSet and sAMAccountType).
-n Specifies that binary values are to be omitted from an export.
-k If errors occur during an import, this parameter specifies that csvde should continue processing.
-a username password Specifies the username and password to be used when running this command. By default, the credentials of the user currently logged on are used.
-b username domain password Specifies the username, domain, and password to use when running this command. By default, the credentials of the user currently logged on are used.

Dcgpofix

Dcgpofix is used to restore the Default Domain Policy and Default Domain Controllers Policy to the way they were when initially created. By restoring these GPOs to their original states, any changes that were made to them are lost, so it is a last resort after the GPOs are damaged, not a way to undo an unwanted setting. This tool has only two switches associated with it:

/ignoreschema Ignores the version number of the schema.

/target: {domain | dc | both} Specifies the target domain, DC, or both.

Dcgpofix checks that the Active Directory schema version matches the one the tool was built for before it runs; the /ignoreschema switch bypasses that check. Use the version of dcgpofix that was installed with your installation of Windows Server 2003, because a copy from another operating system version may not restore the GPOs correctly, and treat /ignoreschema as a troubleshooting option rather than a routine one.

Dsadd

Dsadd is used to add objects to Active Directory. The objects you can add with this command-line tool are users, computers, groups, OUs, contacts, and quota specifications. To add any of these objects, you would enter the following commands at the command prompt:

dsadd user Adds a user to the directory

dsadd computer Adds a computer to the directory

dsadd group Adds a group to the directory

dsadd ou Adds an OU to the directory

dsadd contact Adds a contact to the directory

dsadd quota Adds a quota specification to the directory

While the commands for this tool are straightforward, there is a variety of arguments associated with each. For full details on these arguments, type the command at the command prompt followed by /? . This will display a list of parameters for each command.

Dsget

Dsget is used to view the properties of objects in Active Directory. The objects you can view with dsget are users, groups, computers, servers, sites, subnets, OUs, contacts, partitions, and quota specifications. To view the properties of these objects, enter the following commands:

dsget user Displays the properties of a user

dsget group Displays the properties of a group and its membership

dsget computer Displays the properties of a computer

dsget server Displays the properties of a DC

dsget site Displays the properties of a site

dsget subnet Displays the properties of a subnet

dsget ou Displays the properties of an OU

dsget contact Displays the properties of a contact

dsget partition Displays the properties of a directory partition

dsget quota Displays the properties of a quota specification

While the commands for this tool are straightforward, there is a variety of arguments associated with each. For full details on these arguments, type the command at the command prompt followed by /? . This will display a list of parameters for each command.

Dsmod

Dsmod is used to modify existing objects in Active Directory. The objects you can modify using dsmod are users, groups, computers, servers, OUs, contacts, partitions, and quota specifications. To edit these objects, enter the following commands:

dsmod user Modifies the attributes of a user in the directory

dsmod group Modifies the attributes of a group in the directory

dsmod computer Modifies a computer in the directory

dsmod server Modifies the properties of a DC

dsmod ou Modifies the attributes of an OU in the directory

dsmod contact Modifies the attributes of a contact in the directory

dsmod partition Modifies a directory partition

dsmod quota Modifies a quota specification

While the commands for this tool are straightforward, there is a variety of arguments associated with each. For full details on these arguments, type the command at the command prompt followed by /?. This will display a list of parameters for each command.
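As an added example (not from the book), one account's lifecycle run through the three tools above from a PowerShell prompt on a domain controller or a host with the AD DS tools: create with dsadd, read the security-relevant attributes back with dsget, disable with dsmod, and expand a privileged group's membership. The OU and user follow the book's syngress.com example and are placeholders.

```powershell
# Added example (not from the book). DNs and names are placeholders.
$dn     = 'CN=JaneD,OU=Accounting,DC=syngress,DC=com'
$upn    = 'janed@syngress.com'
$admins = 'CN=Domain Admins,CN=Users,DC=syngress,DC=com'   # default location of the group

# Create. -pwd * prompts for the password instead of leaving it in the command
# history; -mustchpwd yes forces a change at first logon; -disabled no enables it.
dsadd user $dn -samid JaneD -upn $upn -fn Jane -ln Doe -pwd '*' -mustchpwd yes -disabled no
if ($LASTEXITCODE -ne 0) { throw "dsadd failed with exit code $LASTEXITCODE" }

# Read back what matters for security: enabled state, password-never-expires,
# and group membership expanded through nested groups.
dsget user $dn -samid -disabled -pwdneverexpires
dsget user $dn -memberof -expand

# Off-boarding: disable first (reversible); moving to a holding OU is a dsmove job.
dsmod user $dn -disabled yes
dsget user $dn -disabled

# Audit: who is really in Domain Admins, including members reached through nesting?
function Get-ExpandedGroupMembers {
    param([string]$GroupDn)
    # dsget prints one double-quoted DN per line; strip the quotes and blank lines.
    dsget group $GroupDn -members -expand |
        ForEach-Object { $_.Trim('"', ' ') } |
        Where-Object { $_ }
}
Get-ExpandedGroupMembers -GroupDn $admins
```

The -expand switch on dsget is the audit-relevant part: a group listing without it shows only direct members, and most privilege creep in Active Directory hides one or two nesting levels down.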

Dsmove

Dsmove is used to either rename or move an object within a domain. Using this tool, you can rename an object without moving it in the directory, or move it to a new location within the directory tree.

Exam Warning

The dsmove tool can't be used to move objects to other domains.

Renaming or moving an object requires that you use the DN, which identifies the object's location in the tree. For example, if you have an object called JaneD in an OU called Accounting, located in a domain called syngress.com, the DN is:

CN=JaneD,OU=Accounting,DC=syngress,DC=com

The –newname switch is used to rename objects using the DN. For example, let's say you wanted to change a user account's name from JaneD to JaneM. To do so, you would use the following command:

dsmove "CN=JaneD,OU=Accounting,DC=syngress,DC=com" -newname JaneM

The –newparent switch is used to move objects within a domain. For example, let's say the user whose name you just changed was transferred from Accounting to Sales, which you've organized in a different OU container. To move the user object, you would use the following command:

dsmove "CN=JaneM,OU=Accounting,DC=syngress,DC=com" -newparent "OU=Sales,DC=syngress,DC=com"

In addition to the –newname and –newparent switches, you can also use the parameters listed in Table 1.4 to control how this tool is used.

Table 1.4. Switches for Dsmove

Parameter Description
{-s Server | -d Domain} Specifies a remote server or domain to connect to. By default, dsmove will connect to a DC in the domain you logged on to.
-u Username Specifies the username to use when logging on to a remote server.
-p {Password | *} Specifies the password to use when logging on to a remote server. If you type the * symbol instead of a password, you are then prompted to enter the password.
-q Sets dsmove to suppress output.
{-uc | -uco | -uci} Specifies dsmove to format input and output in Unicode.

Ldifde

Ldifde is used to create, modify, and delete objects from the directory, and can also be used to extend the schema. An additional use for this tool is to import and export user and group information. This allows you to view exported data in other applications, or populate Active Directory with imported data. To perform such tasks, ldifde relies on a number of switches that enable it to perform specific tasks, listed in Table 1.5.

Table 1.5. Switches for Ldifde

Parameter Description
-i Sets ldifde to import data. If this isn't specified, the tool works in export mode.
-f Filename Specifies the name of the file to import or export.
-s Servername Specifies the DC that will be used to perform the import or export.
-c string1 string2 Replaces the value of string1 with string2. This is often used when importing data between domains, and the DN of the domain data is being exported from (string1) needs to be replaced with the name of the import domain (string2).
-v Verbose mode.
-j path Specifies the location for log files.
-t portnumber The portnumber parameter is used to specify the LDAP port number. By default, the LDAP port is 389 and the GC port is 3268.
-d BaseDN The BaseDN parameter is used to specify the DN of a search base for data export.
-p scope Used to set the search scope. The value of the scope parameter can be Base, OneLevel, or SubTree.
-r LDAPfilter Specifies a search filter for exporting data.
-l LDAPAttributeList Specifies a list of attributes to return in an export query. If this parameter isn't used, then all attributes are returned in the query.
-o LDAPAttributeList Specifies a list of attributes to omit in an export query.
-g Used to omit paged searches.
-m Omits attributes that apply only to Active Directory objects and cannot be imported (such as objectGUID, objectSid, pwdLastSet and sAMAccountType).
-n Specifies that binary values are to be omitted from an export.
-k If errors occur during an import, this parameter specifies that ldifde should continue processing.
-a username password Specifies the username and password to be used when running this command. By default, the credentials of the user who's currently logged on are used.
-b username domain password Specifies the username, domain, and password to use when running this command. By default, the credentials of the user who's currently logged on are used.
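As an added example (not from the book), ldifde used as an export-for-review tool with the switches from Table 1.5: export every enabled account that AdminSDHolder protects (adminCount=1), parse the LDIF, and flag the ones whose password has not changed in a year. It assumes a domain controller or a host with the AD DS tools; the base DN is the book's placeholder domain.

```powershell
# Added example (not from the book). Base DN is a placeholder.
$base   = 'DC=syngress,DC=com'
$export = Join-Path $env:TEMP 'admincount.ldf'

# Enabled user accounts carrying adminCount=1. The bitwise matching rule
# (1.2.840.113556.1.4.803) on userAccountControl bit 2 excludes disabled accounts.
$filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# -d base, -p scope, -r filter, -l attribute list, -j log directory. No -m here:
# it would strip pwdLastSet, which is exactly the attribute under review.
ldifde -f $export -d $base -p SubTree -r $filter -l 'sAMAccountName,pwdLastSet,memberOf' -j $env:TEMP
if ($LASTEXITCODE -ne 0) { throw "ldifde export failed with exit code $LASTEXITCODE" }

# Parse the LDIF (entries are separated by a blank line) and flag protected accounts
# whose password is older than the threshold. pwdLastSet is a Windows FILETIME;
# 0 means "never set / must change at next logon" and is reported separately.
function Get-StaleProtectedAccounts {
    param([string]$LdfPath, [int]$MaxAgeDays = 365)
    $cutoff  = (Get-Date).AddDays(-$MaxAgeDays).ToFileTimeUtc()
    $entries = (Get-Content -LiteralPath $LdfPath -Raw) -split '(?:\r?\n){2,}' |
        Where-Object { $_ -match '(?m)^dn:' }
    foreach ($e in $entries) {
        $sam = [regex]::Match($e, '(?m)^sAMAccountName: (.+?)\r?$').Groups[1].Value
        $pls = [regex]::Match($e, '(?m)^pwdLastSet: (\d+)\r?$').Groups[1].Value
        if (-not $sam -or -not $pls) { continue }
        if ($pls -eq '0') {
            '{0}: password never set' -f $sam
        } elseif ([int64]$pls -lt $cutoff) {
            '{0}: password older than {1} days' -f $sam, $MaxAgeDays
        }
    }
}
Get-StaleProtectedAccounts -LdfPath $export

# To load the same accounts into a lab domain, export again with -m (so that objectGUID,
# objectSid, pwdLastSet and the other system-maintained attributes an import rejects are
# left out), then import with -i, using -c to rewrite the DN suffix and -k to continue
# past objects that already exist:
#   ldifde -i -f $export -c $base 'DC=lab,DC=syngress,DC=com' -k -j $env:TEMP
```

The parser deliberately reads only plain attribute lines; ldifde writes non-ASCII values base64-encoded with a double colon (attribute:: value), so an account with such a name would need the base64 branch added before it is counted.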

Ntdsutil

Ntdsutil is a general-purpose command-line tool that can perform a variety of functions for managing Active Directory. Using Ntdsutil, you can:

Perform maintenance of Active Directory

Perform an authoritative restore of Active Directory

Modify the Time To Live (TTL) of dynamic data

Manage domains

Manage data in the directory and log files

Block certain IP addresses from querying the directory, and set LDAP policies

Remove metadata from DCs that were retired or improperly uninstalled

Manage Security Identifiers (SIDs)

Manage operations master roles (Domain Naming Master, Schema Master, Infrastructure Master, PDC Emulator, and RID Master)

Typing ntdsutil at the command prompt will load the tool and the prompt will change to ntdsutil:. As shown in Figure 1.23, by typing help at the command line, you can view different commands for the tasks being performed. After entering a command, typing help again will provide other commands that can be used. For example, typing metadata cleanup after first starting ntdsutil, and then typing help will display a list of commands relating to metadata cleanup. This allows you to use the command as if you were navigating through menus containing other commands. You can return to a previous menu at any time, or exit the program by typing Quit.

Figure 1.23. NTDSUTIL

Whoami

Whoami is a tool for displaying information about the user who is currently logged on. Using this tool, you can view your domain name, computer name, username, group names, logon identifier, and privileges. The amount of information displayed depends on the parameters that are entered with this command. Table 1.6 lists the available parameters.

Table 1.6. Switches for Whoami

Parameter Description
/upn Displays the UPN of the user currently logged on.
/fqdn Displays the FQDN of the user currently logged on.
/logonid Displays the Logon ID.
/user Displays the username of the user currently logged on.
/groups Displays group names.
/priv Displays privileges associated with the currently logged-on user.
/fo format Controls the format of how information is displayed. The format parameter can have the value of: table (to show output in a table format), list (to list output), or csv to display in a comma-delimited format.
/all Displays username, groups, SIDs, and privileges for the user currently logged on.

Exercise 1.03

Using WHOAMI

1. From the Windows Start menu, click Command Prompt.

2. When the Command Prompt opens, type WHOAMI at the prompt and then press the Enter key. The output will show the account you are currently logged on with.

3. Type WHOAMI /UPN and then press Enter. The UPN of the currently logged-on user will be displayed on the screen.

4. Type WHOAMI /FQDN and then press Enter. The FQDN of the user that's currently logged on will appear on the screen.

5. Type WHOAMI /PRIV and then press Enter. A listing of the privileges associated with the account you are currently logged on with should appear on the screen.

6. Type WHOAMI /ALL and then press Enter. As shown in Figure 1.24, all of the information relating to the account you're currently logged on with will be listed on the screen.

Figure 1.24. Results of Using the WHOAMI /ALL Command

Implementing Active Directory Security and Access Control

Security is an important part of Windows Server 2003 and Active Directory. Two primary methods of implementing security are user authentication and access control. Authentication is used to verify the identity of a user or other objects, such as applications or computers. After it's been determined they are who or what they say they are, the process continues by giving them the level of access they deserve. Access control manages what users (or other objects) can use, and how they can use them. By combining authentication and access control, a user is permitted or denied access to objects in the directory.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781931836944500076