101communication LLC CertCities.com -- The Ultimate Site for Certified IT Professionals
CertCities.com Mega-Guide to the 70-270 Windows XP Objectives, Part III
Emmett Dulaney wraps up this in-depth look at the 70-270 objectives.

by Emmett Dulaney

1/29/2003 -- Over the last two weeks, we have been examining the objectives for the Installing, Configuring, and Administering Microsoft Windows XP Professional exam (70-270) from Microsoft. This exam can be used as credit on both the MCSA and MCSE tracks, and consists of seven major objective categories:

  • Installing Windows XP Professional
  • Implementing and Conducting Administration of Resources
  • Implementing, Managing, Monitoring, and Troubleshooting Hardware Devices and Drivers
  • Monitoring and Optimizing System Performance and Reliability
  • Configuring and Troubleshooting the Desktop Environment
  • Implementing, Managing, and Troubleshooting Network Protocols and Services
  • Configuring, Managing, and Troubleshooting Security

In the first article we looked at the first two objective categories, and last week we looked at the middle two. In this article, we address the remaining three objective categories to complete this three-part series. The complete list of objectives for this exam can be found at http://www.microsoft.com/traincert/exams/70-270.asp.

Objective #5: Configuring and Troubleshooting the Desktop Environment

5.1: Configure and Manage User Profiles and Desktop Settings
Stored in the file NTUSER.DAT, the user profile is the portion of the Registry that is customizable for every user. It holds information about the user's desktop, wallpaper, screensavers, shortcuts and so on. Whenever a user logs in at a system the first time, he automatically creates a local profile on that system by default.

Within the root directory, a subdirectory titled Documents and Settings holds the folder Default User. Beneath Default User exists the NTUSER.DAT file, which is the desktop template used for all new users. When a new user logs in for the first time, a new folder beneath Documents and Settings is created using his or her username, and the profile (NTUSER.DAT) for the Default User is copied into his or her folder for individualized customization. On the second logon, and all subsequent logons, the NTUSER.DAT file beneath the user's folder is used for the user's profile.

When the user logs on, her desktop and Start Menu are based on her profile, as well as entries in the ALL USERS directory (also beneath Documents and Settings). Entries are placed in All Users so that they will appear in the environment for every user using the system.

The problem with local profiles (which have been described here and are the default) is that every workstation you log on to will have its own version of the local profile. User configuration settings will have to be set at each workstation the user logs on to. To overcome this problem, you can implement roaming profiles. With roaming profiles, the user portion of the Registry is downloaded from a designated system to the system the user is currently logged on to. Any changes to those settings will be stored in the central location so that they can be retrieved at the next workstation that they are logged on to.

If you want to configure a user account to use a roaming profile, the first thing to do is set the profile path in the properties for that account. The most common approach is to share a directory under a share name such as "profiles" and grant the local group USERS the permission of FULL CONTROL on that share. With this share in place, you can set the user's profile path to \\server\share\%username%. The next time the user logs on, his or her profile information is saved to this central profile directory.

An administrator can determine whether the user profiles stored on the local system are roaming or local profiles, and can change the type, from the User Profiles tab in the System applet in the Control Panel. The dialog box shows all the profiles currently stored on the system and whether each one is a roaming or local profile. You can change a profile between roaming and local by clicking the Change Type button. In order to configure roaming, a server must be available.

This dialog box is also used to configure how to handle roaming profiles when the user logs on to the network over a slow WAN link. This is an extremely useful setting for laptop users who may log on to an enterprise network from various locations.

A mandatory profile is a variation on a roaming profile. It is configured in the same manner as a roaming profile, except that the file is renamed from NTUSER.DAT to NTUSER.MAN. In essence, this makes the file behave as if it is read-only. The profile is read in the same manner when the user logs on, but changes made to any of the profile items while the user is logged on are not kept when the user logs out.

When studying for this objective section, be sure to read the whitepaper "Implementing Common Desktop Management Scenarios" at http://www.microsoft.com/windowsxp/pro/techinfo/administration/scenarios/default.asp.

5.2: Configure Support for Multiple Languages or Multiple Locations
Multiple-language support allows you to create documents that can be read in different languages, as well as change the information text presented. To enable this feature you must be a member of the Administrators group, and then open the Regional and Language Options applet in Control Panel.

As soon as multiple languages have been configured, the System Tray at the bottom right of the Taskbar displays the language currently in use. When composing a document, you can right-click on this icon to view a list of the languages available, allowing you to choose which you want to compose in. Both Notepad and WordPad can let you compose in any character set.

An overview called "Multilingual Features in Windows XP Professional" is posted at http://www.microsoft.com/windowsxp/pro/techinfo/planning/multilingual/default.asp. "Comparing Windows XP Professional Multilingual Options" is at http://www.microsoft.com/windowsxp/pro/techinfo/administration/MuiTechOverview/default.asp.

5.3: Manage Applications by Using Windows Installer Packages
Windows Installer is a program intended to simplify the installation of new software and manage existing software. It can be used to add, delete, and modify full applications as well as components. It can alter the Registry, make shortcuts, and prompt for interaction where needed.

Windows Installer is divided into two components: an installer service for the client (MSIEXEC.EXE) and package files (which have the extension .MSI). The .MSI files are the applications themselves and most often will come from software vendors; they can also be created internally by developers.

MSIEXEC uses the MSI.DLL library to read the package files and incorporates items from transform files (with a .MST extension). Transform files are nothing more than deviations from the MSI routine. (To use a different language, for example, also include a patch.)

MSI files contain relational databases (multiple tables) of instructions that need to be carried out. The tables are known as groups. The following tables are included:

  • Core table
  • File table
  • Installation procedure
  • Locator table
  • Program installation
  • Registry table
  • System table

Windows Installer can work in four ways: with Windows Explorer, from the command line, with Add/Remove program, and within Group Policy.

Objective #6: Implementing, Managing, and Troubleshooting Network Protocols and Services

6.1: Configure and Troubleshoot the TCP/IP Protocol
Supported by most computer operating systems, TCP/IP is the protocol required for connectivity to the Internet. There are two methods by which you can configure TCP/IP information. The first is to do it manually. Manual configuration, as the name implies, requires you to walk to each machine separately and enter the key pieces of information. The problem with this is that it is very time consuming and leaves a great deal of room for error. The alternative to manual configuration is to use a DHCP server, which issues configuration information to clients when they need it. We will look at both of these methods in turn.

Manual TCP/IP Configuration
When you manually configure a computer as a TCP/IP host, you must enter the appropriate settings, which are required for connectivity with your network. The following network settings are required:

  • IP Address. A logical 32-bit address used to identify a TCP/IP host. Each network adapter configured for TCP/IP must have a unique IP address, such as 192.14.200.4. Valid values are 1 to 223 for the first octet and 0 to 255 for each of the remaining three octets; 127 cannot be used in the first octet because it is a reserved address.
  • Subnet Mask. A subnet is a division of a larger network environment, typically connected by routers. Whenever a TCP/IP host tries to communicate with another TCP/IP host, the subnet mask is used to determine whether the other TCP/IP host is on the same network or a different network. If the other TCP/IP host is on a different network, the message must be sent via a router that connects to the other network. A typical subnet mask is 255.255.255.0. All computers on a given subnet must have the same subnet mask value.
  • Default Gateway (Router). This optional setting is the address of the router. The router controls communication with all other subnets. If the router's address is not specified, this TCP/IP host can communicate only with other TCP/IP hosts on its subnet.
  • Domain Name System (DNS) Server Address. DNS is an industry standard distributed database that provides name resolution and a hierarchical naming system for identifying TCP/IP hosts on the Internet and on private networks. A DNS address must be specified to enable connectivity with the Internet or with UNIX TCP/IP hosts. You can specify more than one DNS address and the search order that specifies the order in which they should be used. To put in more than a Preferred and an Alternate server, you must click the Advanced button, and then choose the DNS tab.
    NOTE: On a very small network, a static file named HOSTS can be used to translate host names to IP addresses in place of DNS.

  • Windows Internet Name Service (WINS). Computers use IP addresses to identify one another. Users, however, generally find it easier to use other means, such as computer names. Therefore, some method must be used to provide name resolution, the process by which references to computer names are converted into the appropriate IP addresses. WINS provides name resolution for Microsoft networks. If your network uses WINS for name resolution, your computer needs to be configured with the IP address of a WINS server. To configure WINS, you must choose the Advanced button on the General tab, and then choose the WINS tab.

    NOTE: Although host names (and thus DNS) are understood on all operating systems running TCP/IP, NetBIOS names (and thus WINS) are understood only in the world of Microsoft operating systems. Eventually, WINS will be completely phased out in favor of DNS.

    Both DNS and WINS are services: they can run only on a server (as in Windows 2000 Server). Configuration of the service and server is covered on the Windows 2000 Server exams.

    NOTE: On a very small network, you can use a static file named LMHOSTS to translate NetBIOS names to IP addresses in place of WINS. The Import LMHOSTS button allows WINS to convert your static file to the WINS service.

If the settings for the TCP/IP protocol are specified incorrectly, you will experience problems that keep your computer from establishing communications with other TCP/IP hosts in your network. In extreme cases, communications on your entire subnet can be disrupted.
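The settings above are easier to reason about when you see the host apply them. The following worked example is added here and is not from the original article; it parses a constructed HOSTS file (the static fallback mentioned in the notes), enforces the article's rule for a valid host address and subnet mask, and then decides whether a destination is delivered directly or handed to the default gateway. All addresses and names are constructed samples.

```python
# Constructed sample HOSTS file in the Windows format: address, name, aliases, '#' comment.
SAMPLE_HOSTS = """\
# constructed sample - not a real network
127.0.0.1       localhost
192.14.200.4    fileserver      fs1     # same subnet as our host
192.14.201.9    mailhost                # different subnet, reached via the router
"""


def to_dotted(value):
    """32-bit int -> dotted quad string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_dotted(text):
    """Dotted quad -> 32-bit int. Format check only: four octets, each 0-255."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"malformed address: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a << 24) | (b << 16) | (c << 8) | d


def check_host_address(text):
    """The article's rule for an adapter address: first octet 1-223, never 127 (reserved)."""
    value = parse_dotted(text)
    first = value >> 24
    if not 1 <= first <= 223 or first == 127:
        raise ValueError(f"{text} is not a valid host address (first octet {first})")
    return value


def check_subnet_mask(text):
    """A subnet mask is a run of 1 bits followed by 0 bits, e.g. 255.255.255.0."""
    value = parse_dotted(text)
    # Inverting a valid mask leaves only the low bits set, so inverted+1 shares no bit with it.
    inverted = ~value & 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"{text} is not a contiguous subnet mask")
    return value


def load_hosts(text):
    """Parse HOSTS-file text: 'address name [alias ...]' per line, '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        address = parse_dotted(fields[0])
        for name in fields[1:]:
            table[name.lower()] = address  # host names are case-insensitive
    return table


def resolve(name, hosts):
    """Static resolution: accept a dotted address as-is, otherwise look the name up in HOSTS."""
    try:
        return parse_dotted(name)
    except ValueError:
        pass
    try:
        return hosts[name.lower()]
    except KeyError:
        raise LookupError(f"cannot resolve {name!r} (not in HOSTS, no DNS)") from None


def next_hop(local_ip, mask, gateway, destination):
    """Same network under the mask: deliver directly (ARP for the destination itself).
    Different network: hand the packet to the default gateway, which must be configured."""
    if local_ip & mask == destination & mask:
        return to_dotted(destination)
    if gateway is None:
        raise ConnectionError("destination is on another subnet and no default gateway is set")
    return to_dotted(gateway)


def route_to(name, local_ip="192.14.200.17", mask="255.255.255.0",
             gateway="192.14.200.1", hosts_text=SAMPLE_HOSTS):
    """Full path for one destination name: validate settings, resolve, choose the next hop."""
    local = check_host_address(local_ip)
    netmask = check_subnet_mask(mask)
    gw = check_host_address(gateway) if gateway else None
    if gw is not None and local & netmask != gw & netmask:
        raise ValueError("the default gateway must be on the local subnet")
    destination = resolve(name, load_hosts(hosts_text))
    return next_hop(local, netmask, gw, destination)


if __name__ == "__main__":
    print(route_to("fileserver"))  # 192.14.200.4 (delivered directly)
    print(route_to("mailhost"))    # 192.14.200.1 (sent to the default gateway)
```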

Using DHCP for TCP/IP Configuration
Manual configuration of TCP/IP creates a lot of administrative work and is not very efficient. One way to avoid the possible problems of administrative overhead and incorrect settings for the TCP/IP protocol is to set up your network so that all your clients receive their TCP/IP configuration information automatically through Dynamic Host Configuration Protocol (DHCP) servers.

DHCP automatically centralizes and manages the allocation of the TCP/IP settings required for proper network functionality for computers that have been configured as DHCP clients. TCP/IP settings that the DHCP client receives from the DHCP server are only leased to it and must periodically be renewed. This lease and renewal sequence enables a network administrator to change client TCP/IP settings, if necessary.

To configure a computer as a DHCP client, all you must do is select the Obtain an IP Address Automatically option on the General tab of the TCP/IP properties box. If you are moving to DHCP after having used manual configuration, you must first empty the manual fields, or the information in them could override the DHCP entries.

Troubleshooting TCP/IP
You can use a number of tools to help troubleshoot and isolate the source of TCP/IP problems. Each tool gives you a different view of the process used to resolve an IP address to a hardware address and then route the IP packet to the appropriate destination. As a general rule of thumb, however, the following statements apply to the tools listed here:

  1. If TCP/IP cannot communicate from a Microsoft host to a remote host system, the utilities discussed in this section will not work correctly.
  2. If the systems are on different subnets and cannot communicate, remember that TCP/IP requires routing to communicate between subnets.
  3. If the systems were able to communicate previously but can no longer communicate, suspect either your router(s) or changes in software configuration.

Of the tools described in the following sections, some are just troubleshooting tools, whereas others fall more into the category of applications. The applications can be used to signify that a problem exists or to check to see if the problem lies within one application and not within the connection.

  • ARP: After the name has been resolved to an IP address, your computer must resolve the IP address to a MAC address. This is handled by the Address Resolution Protocol (ARP). ARP, as a utility, can be used to see the entries in the Address Resolution table, which maps network card addresses (MAC addresses) to IP addresses. You can check to see if the IP addresses you believe should be in the table are there and if they are mapped to the computers they should be. Usually, you do not know the MAC addresses of the hosts on your network. However, if you cannot contact a host, or if a connection is made to an unexpected host, you can use the ARP command to check this table and begin isolating which host is actually assigned an IP address.
  • Event Viewer: The Event Viewer is used to examine events and errors that were written to log files. All critical system messages are stored in the System event log, not just those related to TCP/IP. (Other log files include Application and Security.) The Event Viewer is available under the Computer Management MMC snap-in.
  • Finger: The Finger command can return information about a remote host and the services and users on it.
  • IPCONFIG: IPCONFIG can display IP configuration data. The command's /ALL parameter shows all data; the /RELEASE parameter gives up the DHCP lease; and the /RENEW parameter attempts to extend the life of the lease. The following parameters also work with the IPCONFIG utility:

    Parameter       Function
    /DISPLAYDNS     Shows the contents of the DNS cache
    /FLUSHDNS       Flushes the contents of the DNS cache
    /REGISTERDNS    Renews all leases and DNS configuration
    /SETCLASSID     Changes the DHCP class ID
    /SHOWCLASSID    Shows the DHCP class ID for all adapters
  • NBTSTAT: NBTSTAT is a command-line utility that enables you to check the resolution of NetBIOS names to TCP/IP addresses. With NBTSTAT, you can check the status of current NetBIOS sessions. You can also add entries to the NetBIOS name cache from the LMHOSTS file, or check your registered NetBIOS name and the NetBIOS scope assigned to your computer, if any. Whereas NETSTAT deals with all the connections between your system and other computers, NBTSTAT deals only with the NetBIOS connections. NBTSTAT also allows you to verify that name resolution is taking place by providing a method to view the name cache.
  • NETSTAT: NETSTAT is a command-line utility that enables you to check the status of current IP connections. Executing NETSTAT without switches displays protocol statistics and current TCP/IP connections. When you have determined that your base-level communications are working, you will need to verify the services on your system. This involves looking at the services that are listening for incoming traffic and/or verifying that you are creating a session with a remote station. The NETSTAT command allows you to do this.
  • NSLOOKUP: NSLOOKUP is a command-line utility that enables you to verify entries on a DNS server. You can use NSLOOKUP in two modes: interactive and non-interactive. In interactive mode, you start a session with the DNS server, in which you can make several requests. In non-interactive mode, you specify a command that makes a single query of the DNS server. If you want to make another query, you must type another non-interactive command. One of the key issues regarding the use of TCP/IP is the ability to resolve a host name to an IP address-an action usually performed by a DNS server.
  • PING: The PING command is one of the most useful commands in the TCP/IP protocol. It sends a series of packets to another system, which in turn sends back a response. This utility can be extremely useful for troubleshooting problems with remote hosts. The PING command indicates whether the host can be reached and how long it took for the host to send a return packet. On a local area network, the time is indicated as less than 10 milliseconds. Across wide area network links, however, this value can be much greater.
  • ROUTE: The ROUTE command-line utility enables you to see the local routing table and add entries to it. Occasionally, it is necessary to see how a system will route packets on the network. Normally, your system will simply send all packets to the default gateway. However, sometimes (such as when you are having problems communicating with a group of computers) ROUTE may provide an answer.
  • TRACERT: TRACERT is a command-line utility that enables you to verify the route to a remote host. Execute the command TRACERT hostname, where hostname is the computer name or IP address of the computer whose route you want to trace. TRACERT returns the different IP addresses the packet was routed through to reach the final destination. The results also include the number of hops needed to reach the destination. If you execute the TRACERT command without any options, you see a help file that describes all the TRACERT switches. The TRACERT utility determines the intermediary steps involved in communicating with another IP host. It provides a road map of all the routing an IP packet takes to get from host A to host B. As with the PING command, TRACERT returns the amount of time required for each routing hop.

And there's more. When studying, I recommend you read the "Network Diagnostics Tools Feature Overview," a 29-page whitepaper that can be found at http://www.microsoft.com/WindowsXP/pro/techinfo/administration/diagnostics/Netdiagtools.doc, as well as the document "Configuring TCP/IP" found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/reskit/prcc_tcp_tuoz.asp.

6.2: Connect to Computers by Using Dial-Up Networking
Dial-Up Networking (DUN) enables you to extend your network to unlimited locations-another computer, a network, or the Internet. DUN clients can work with RAS (Remote Access Server) servers and enable remote clients to make connections to your LAN via either ordinary telephone lines or higher-speed techniques such as ISDN or X.25. When a connection is established, the remote client is able to work as though he were physically located on the network as another node.
With Windows XP Professional, the workstation can be used to dial out to servers or have other clients dial in (effectively making this workstation the remote access server).

Creating Dial-Up Connections
To create a dial-up connection to a remote access server, DUN must be installed. You can install Dial-Up Networking during the installation of Windows XP Professional or at any time afterward. To install DUN after installation, either click on the Network and Dial-Up Connections link in My Computer or click on the folder of the same name in Control Panel. Next, choose the Make New Connection icon, and the Network Connection Wizard begins. When it's initialized, you must choose the connection type you want to establish. The four choices when running the New Connection Wizard are:

  • Connect to the Internet
  • Connect to the network at my workplace
  • Set up a home or small office network
  • Set up an advanced connection

After you choose which type of dial-up connection to make, among the first three choices, the wizard prompts for telephone number information on the server you will be calling. The Use Dialing Rules check box allows you to specify different dialing sequences for dialing from different locations.

The next screen of the wizard asks if the connection you are creating will apply only for you or for all users. Following that, you can specify a name for the connection and whether you would like a shortcut icon for it. Upon successful completion, an icon appears under Network and Dial-Up Connections (which you can access by choosing Start, Settings, Network and Dial-Up Connections) and on the desktop, if you so chose.

Configuring Dial-Up Connections
After successfully creating a connection, you can configure it with a plethora of properties. Right-click on the icon and choose Properties from the pop-up menu for additional configuration options. The connection's Properties dialog box contains five tabs of options:

  • General. The General tab allows you to choose the connection device (modem, and so on), the phone numbers to dial, including alternates if the first is busy, and the rules to use.
  • Options. The Options tab allows configuration of behavioral parameters (show progress, automatically redial, and so on).
  • Security. The Security tab allows you to configure whether identity will be validated by unsecured password, secured password, or smart card. Additionally, you can specify whether encryption will also be used on the data (available only if the password is secured) and advanced options on password usage.
  • Networking. The Networking tab allows you to specify components used by the connection. Additionally, with PPP (versus SLIP), you can click the Settings button to toggle on or off LCP (Link Control Protocol) extensions, which are used to determine framing, software compression, and multilink.
  • Advanced. This tab is used to configure the Internet Connection Firewall and Internet Connection Sharing (allows you to configure a workstation so that other computers on the network can access the Internet through it). If ICS is configured, on-demand dialing can also be turned on to establish a connection. The Windows XP Professional workstation, in essence, becomes a proxy server.

6.3: Connect to Resources Using Internet Explorer
Most of the information within this category will be commonplace knowledge for administrators who have been working with IE for any length of time. To fill in knowledge gaps, start at http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/app_internet_props.asp and http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/app_iexplorer.asp.

6.4: Configure, Manage and Implement Internet Information Services (IIS)
The Web Publishing Wizard in Windows XP simplifies the process of publishing files, folders, and pictures. For documentation on this process, start at http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/webpub_overview.asp, and read the links beneath the Related Topics. Following that, move to IIS installation at http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/iiiisin2.asp and check out the troubleshooting link at http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/iitrblsh.asp.

6.5: Configure, Manage and Troubleshoot Remote Desktop and Remote Assistance
As an introduction to the topic, a short video on how to use the Remote Desktop feature can be found at http://www.microsoft.com/windowsxp/wmx/hotwo/mobility_remote.asx, while one on Remote Assistance is located at: http://www.microsoft.com/windowsxp/wmx/hotwo/help_remote_asst.asx.

For more information, "Mobile Computing with Windows XP: Remote Desktop" can be found at http://www.microsoft.com/windowsxp/pro/techinfo/planning/mobility/remotedesktop.asp. "A Step-by-Step Guide to Remote Assistance" is posted at http://www.microsoft.com/windowsxp/pro/techinfo/deployment/remoteguide/default.asp, and companion file "Administering Remote Assistance" is at http://www.microsoft.com/windowsxp/pro/techinfo/administration/adminra/default.asp.

6.6: Configure, Manage, and Troubleshoot an Internet Connection Firewall (ICF)
ICF was introduced in objective 6.2. The "Internet Connection Firewall Feature Overview" walks through installing ICF, configuring it, and the FAQ. It can be found at: http://www.microsoft.com/windowsxp/pro/techinfo/planning/firewall/default.asp.

Objective #7: Configuring, Managing, and Troubleshooting Security

7.1: Configure, Manage and Troubleshoot Encrypting File System (EFS)
The Encrypting File System (EFS) allows you to toggle an attribute for a file or folder just as you would any other, and it protects the contents. If the object you select is a folder, all contents of the folder-files, subfolders and so on-also become encrypted. Files that are pasted into an encrypted folder become encrypted as well, but files that are placed in the folder with drag-and-drop do not become encrypted automatically.

NOTE: In order to use EFS, the file system must be NTFS, and the files must not be compressed. Some files (system files in particular) cannot be compressed. If you move or copy an encrypted file to a partition that is not NTFS, it becomes unencrypted automatically.

From the time a file is encrypted, a digital code associated with the user (encryption certificate) is assigned to it. This allows the encrypting user to open and work with the file exactly as if it were unencrypted, but prevents anyone else from doing so. Because only the encrypting user can open the file, EFS is perfect for personal data but unusable for any data you want to share.

NOTE: You can use the Export command in the Certificates snap-in to copy your file encryption certificates to another location, such as a floppy drive. Doing so will allow you to decrypt your files should a restore operation be necessary after a media failure (at which time you can use the Import command to bring the certificates back from the floppy).

EFS is an integrated component of the NT kernel. To encrypt an entity, simply choose its properties and click the Advanced button to reach the Advanced Attributes dialog box. Check the box Encrypt Contents to Secure Data and click OK. Each encrypted file is given a unique encryption key. All keys are stored in non-paged memory for security purposes.

When you choose to encrypt a file, a dialog box appears asking if you want to encrypt only the one file or the file and its parent folder (the default action). A check box gives you the option of choosing to always encrypt only the file, preventing the dialog box from reappearing in the future.

Microsoft's document "Encrypting File System in Windows XP and Windows .NET Server" was recently posted at http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp.

7.2: Configure, Manage and Troubleshoot a Security Configuration and Local Security Policy
Local Policies are divided into three subsections: Audit Policy, User Rights Assignment, and Security Options. The Audit Policy determines whether event auditing (adding entries to a log file) is used or not. The default value for each option is "No auditing." However, valid options include "Success" and "Failure." When auditing is turned on for a particular event, the entries are logged in the Security Log file, which is viewed with Event Viewer.

The User Rights Assignment section contains the meat of the old System Policies. You can add additional groups and users to the list but you cannot remove them. That functionality is not needed. If you want to "remove" a user or group from the list, remove the check mark from the box granting it access.

The Security Options section contains a number of options, most of which are Registry keys. The default for each is "Not defined," but you can assign two other definitions (Enabled and Disabled) or a physical number (such as the number of previous logons to cache).

Security settings for the Professional workstation are located in the Local Security Policy shortcut within the Administrative Tools folder of the Control Panel. This includes settings for Account Policies (discussed earlier) and Local Policies. You can import and export policies by right-clicking on the Security Settings folder and choosing the action you want from the pop-up menu. Exporting can be done on either the Local Policy or the Effective Policy (if applicable).

7.3: Configure, Manage and Troubleshoot Local User and Group Accounts
In Windows XP, as elsewhere, a user can be granted rights and permissions to resources in two ways:

  • Individually. She is explicitly assigned a right or permission through her account.
  • As a group. She is a member of a group that has a right or permission.

Each Windows XP user account has a unique identifier, which allows a user to log on to the network and reach all resources to which she has been granted access. A user's account/password combination identifies his or her access token, the container, if you will, that enables a user to gain access to resources.

User and group accounts are created in the Local Users and Groups portion of the Computer Management snap-in, or through the lusrmgr.msc (Local Users and Groups) snap-in.

Creating and Managing Users
To create a new account in Windows XP Professional, you must be a member of either the Administrators group or the Power Users group. With the Users folder expanded, right-click and choose New User from the pop-up menu that appears. A dialog box for the new user appears. The fields on the property box ask for the following information:

  • User name. This is the name that each user will use to log on to the workstation and/or the network. This name must be unique in its scope: If the user will only log on locally, it only has to be unique on this machine. If the user will access the network, this name must be unique within the network. The name can have no more than 20 characters and cannot contain the characters " / \ [ ] : ; | = , + * ? < >.
  • Full name. This displays the user's full name. You can use this as a sort setting by selecting Sort by Full Name from the View menu. This is not a required field and is provided only for convenience.
  • Description. This setting is copied from account to account if used as a template. It is also used to further describe a user. The setting is not required; use it as it serves your needs.
  • Password and Confirm Password. The password for the user can be up to 14 characters long. If the user is using a Windows Logon (versus a Client for Microsoft Networks logon), the password is also case sensitive. If the user is at a Windows 95 or lower system, the password is not case sensitive. Again, you are not required to enter any value; the default action is that the user will need to change it at the next logon anyway.

    Note: Of the five properties at the top of the dialog box, only the Description will be copied from account to account. All other settings must be re-entered for a copied user.

The lower settings in the User Properties dialog box relate to how passwords will be handled. Those settings are listed here:

  • User Must Change Password at Next Logon. This approach forces the user to change his password when he logs on to the network next.
  • User Cannot Change Password. This selection is used with higher security networks in which users are assigned passwords for their accounts.
  • Password Never Expires. This setting overrides the account policy of password expiration and should be used only for service accounts.
  • Account Is Disabled. This setting prevents the user from using this account.

You can change the value of any check box by clicking on it or pressing the spacebar. After you have completed the fields, click the Create button. This opens another blank form, allowing you to add multiple users at one time. The new accounts will not appear behind the dialog box until you choose the Close button to stop creating new accounts.

Working with Account Settings
Once an account exists, you can access its properties by double-clicking on it or by right-clicking it and choosing Properties from the pop-up menu. There are three tabs on the dialog box for a user:

  • General. The General tab holds the values supplied when the account was created, with one exception. A new check box has been added at the bottom of the choices: Account Is Locked Out. This box is checked automatically if the user has met the lockout requirements (given the wrong password five times within 30 minutes, for example). Only an administrator can uncheck the box and unlock the account; it is never available for you to lock, and you must use the Account Is Disabled check box if you want to manually prevent the user from logging on.
  • Member Of. The Member Of properties are used to assign the user whose account you are modifying to various groups. You do this by clicking the Add button. Only local accounts exist in Windows XP Professional, which you should quickly recognize by the icon showing two users that appears next to each group name. (Global accounts would be marked with an icon showing users in front of a globe.)
  • Profile. The Profile tab is one of the main configuration pages. With these options, the administrator can configure the following items to be located centrally:
    -- Profile Path, which designates a specific location on a specified server where the user's profile is going to be stored. The profile contains the user portion of the Registry in the file NTUSER.DAT. If a user uses this profile path, her desktop and personal configuration settings follow her to whichever computer she uses.
    -- Logon Script, which allows an administrator to configure common drive mappings, run central batch files, and configure the system. When you configure a login script, simply include the name of the *.bat or *.cmd file that you want to execute.
    -- Home Folder (formerly known as "home directory"), which creates a personal directory on a network server in which the user can store his data.

The main reason for locating these options centrally is that you can have all of these items stored on a central server. When users store their profiles and home directories centrally, the process of backing up their data is more manageable.
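The New User dialog and the password check boxes described above, driven from a script instead of the GUI. This is an added example, not code from the article: it uses the ADSI WinNT provider (which the article does not mention), and the account name, password, description and group are constructed sample values. Run it as a member of Administrators.

```powershell
# Added example, not from the article: creates a local account with the same
# options the New User / Properties dialogs expose, via the ADSI WinNT provider.

# UserFlags bits (ADS_USER_FLAG_ENUM) that back the four check boxes
$ADS_UF_ACCOUNTDISABLE     = 0x0002    # Account Is Disabled
$ADS_UF_LOCKOUT            = 0x0010    # Account Is Locked Out (set only by the system)
$ADS_UF_PASSWD_CANT_CHANGE = 0x0040    # User Cannot Change Password
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # Password Never Expires

function New-LocalXPUser {
    param(
        [string]$Name, [string]$Password, [string]$FullName = "",
        [string]$Description = "", [string[]]$MemberOf = @(),
        [switch]$CannotChangePassword, [switch]$PasswordNeverExpires,
        [switch]$Disabled
    )
    # Same rule the dialog enforces: at most 20 characters, none of " / \ [ ] : ; | = , + * ? < >
    if ($Name.Length -gt 20 -or $Name -match '[\"/\\\[\]:;|=,+*?<>]') {
        throw "Invalid user name: $Name"
    }
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create("User", $Name)
    $user.SetPassword($Password)
    $user.SetInfo()
    $user.Put("FullName", $FullName)
    $user.Put("Description", $Description)

    $flags = [int]$user.UserFlags.Value
    if ($CannotChangePassword) { $flags = $flags -bor $ADS_UF_PASSWD_CANT_CHANGE }
    if ($PasswordNeverExpires) { $flags = $flags -bor $ADS_UF_DONT_EXPIRE_PASSWD }
    if ($Disabled)             { $flags = $flags -bor $ADS_UF_ACCOUNTDISABLE }
    $user.Put("UserFlags", $flags)
    # Default action of the dialog: force a change at next logon; skipped only for
    # the service-account case where the password is set never to expire
    if (-not $PasswordNeverExpires) { $user.Put("PasswordExpired", 1) }
    $user.SetInfo()

    # Member Of tab: every new account is already in Users; add the rest
    foreach ($g in $MemberOf) {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$g,group"
        $group.Add($user.Path)
    }
    return $user
}

# Account Is Locked Out is read-only in the dialog; this reports the bit the system set
function Get-LockoutState([string]$Name) {
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    return (([int]$user.UserFlags.Value -band $ADS_UF_LOCKOUT) -ne 0)
}

# Constructed sample values (hypothetical account)
$u = New-LocalXPUser -Name "jdoe" -Password "S3cur3-initial!" -FullName "Jane Doe" `
        -Description "Helpdesk analyst" -MemberOf @("Power Users")
"Locked out: $(Get-LockoutState 'jdoe')"
```

An administrator clearing a lockout would do so from the General tab or with the IADsUser IsAccountLocked property; the Account Is Disabled bit is the one to set when you want to block logon by hand.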

Creating and Managing Groups
Local groups are the only groups that exist within Windows XP Professional. When assigning local group permissions, the administrator should always consider whether an existing local group has the appropriate permissions. For example, suppose you want to grant a user the ability to create new users or change group memberships. The Power Users group already has these permissions, so there is no reason to create a new local group to perform this task.
By default, the following local groups are found on all Windows XP systems:

  • Administrators: can manage any and all aspects of the Windows XP system. The initial membership in the Administrators group is the pre-created Administrator account.
  • Backup Operators: members have the right to back up and restore any file on the system. This right will supersede any permission assigned to these files and directories. Backup Operators can also shut down a system.
  • Guests: used to grant guests of the system access to specific resources. The initial membership in the Guests local group is the Guest user.
  • Network Configuration: a trimmed-down version of Administrators with the emphasis in power being on administering network configuration.
  • Power Users: can be thought of as a subset of the Administrators group.
  • Remote Desktop Users: can log on remotely.
  • Replicator: used by the Directory Replicator service. Membership in this group allows a user to be involved in the process of maintaining a directory structure and its contents on domain controllers.
  • Users: the default group to which all newly created users belong.

Additionally, the groups Debugger Users and HelpServicesGroup can exist, and the titles telegraph their purpose.

To remove an existing group, highlight it, right-click on the group and choose Delete from the pop-up menu. To add a new group, right-click on Groups in the left pane of MMC or in a blank area on the right pane, and then choose New Group from the pop-up menu.

NOTE: Many of the built-in users and groups cannot be deleted. Attempts to do so will return an error and inform you that this operation cannot be performed.

7.4: Configure, Manage, and Troubleshoot Internet Explorer Security Settings
Because the browser is so integral to the operating system, the policy options pertaining to it in a local policy/group policy can greatly change the way the user interacts with the program. Beneath user configuration in the Group Policy (gpedit.msc), the fields for Internet Explorer Maintenance are:

  • Browser User Interface: this allows you to add a title and custom logo.
  • Connection: here you can configure proxy settings and automatic browser configuration, among other things.
  • URLs: here you can add favorites and links.
  • Security: from here you can configure zones (and add sites to the zones), and choose the privacy settings.
  • Programs: this allows you to select which program is associated with each Internet service (file type). For example, the default HTML editor is often Microsoft Word, the default e-mail service is Microsoft Outlook, and so on.

Beneath Computer Configuration/Administrative Templates/Windows Components, you can also configure Internet Explorer options for all users. The eight policy options here can greatly change the way every user interacts with the program:

  • Security Zones: Use only machine settings
  • Security Zones: Do not allow users to change policies
  • Security Zones: Do not allow users to add/delete sites
  • Make proxy settings per-machine (rather than per-user)
  • Disable Automatic Install of Internet Explorer components
  • Disable Periodic Check for Internet Explorer software updates
  • Disable software update shell notifications on program launch
  • Disable showing the splash screen

The administrative template containing these settings is inetres.adm and basic information on it can be found in the overview at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/gpe_shippedadms.asp.
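A quick audit of four of the machine-wide policies listed above, as an added example that is not from the article or from Microsoft. It reads the registry values that inetres.adm writes under HKLM\Software\Policies; the value names are this example's reading of the template and should be confirmed against your own copy of inetres.adm.

```powershell
# Added example, not from the article: reports whether the machine-wide IE zone
# and proxy policies are enforced. Value names assumed from inetres.adm.
$key = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Policy name, the registry value it writes, and the data that means "Enabled"
$policies = @(
    @{ Policy = 'Security Zones: Use only machine settings';
       Value = 'Security_HKLM_only';      Enabled = 1 },
    @{ Policy = 'Security Zones: Do not allow users to change policies';
       Value = 'Security_options_edit';   Enabled = 1 },
    @{ Policy = 'Security Zones: Do not allow users to add/delete sites';
       Value = 'Security_zones_map_edit'; Enabled = 1 },
    @{ Policy = 'Make proxy settings per-machine (rather than per-user)';
       Value = 'ProxySettingsPerUser';    Enabled = 0 }   # Enabled writes 0 here
)

function Get-IEPolicyState {
    # A policy that is Not Configured leaves no value behind at all
    $props = $null
    if (Test-Path $key) { $props = Get-ItemProperty -Path $key }
    foreach ($p in $policies) {
        $data = $null
        if ($props -ne $null) { $data = $props.($p.Value) }
        if ($data -eq $null)              { $state = 'Not configured' }
        elseif ($data -eq $p.Enabled)     { $state = 'Enabled' }
        else                              { $state = 'Disabled' }
        New-Object PSObject -Property @{ Policy = $p.Policy; State = $state }
    }
}

Get-IEPolicyState | Format-Table Policy, State -AutoSize
```

Anything reported as Not configured or Disabled means users on that machine can still edit zone membership or proxy settings for themselves.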


Emmett Dulaney holds, or has held, 18 certifications from vendors such as Cisco, Microsoft, Novell, CompTIA and others. Over the past 10 years, he has authored/co-authored almost 40 books on computing and certification. His latest entry, "Secrets of 70-210 Exam," can be found at http://www.certificationcorner.com/secrets.htm.

Current CertCities.com user Comments for "CertCities.com Mega-Guide to the 70-270 Windows XP Objectives, Part III"
1/31/03 - Anonymous says: Great series of articles, but a few figures would be nice. If you would add a screenshot here and there, you would have everything found in a Study Guide except the $60 price tag. Please do this again for other exams.
1/31/03 - Becky Nagel  from Editor, CertCities.com says: Hi Anon -- thanks for the suggestion! We will be doing more of these. Let us know what exams you're most interested in! -- Becky ([email protected])
2/3/03 - Anonymous says: I would like to see the whole MCSE track covered (2000 Pro, 2000 Server, etc.), with entries added for .NET Server when they come out in the summer.

All content copyright 2000-03 101communications LLC, unless otherwise noted. All rights reserved.