CertCities.com's Mega-Guide to Microsoft's 70-210 Exam, Part III
The final installment in this series covering the Win2K Pro exam in-depth.
by Emmett Dulaney
4/16/2003 -- Over the last few weeks, we have been examining the Installing, Configuring, and Administering Microsoft Windows 2000 Professional exam (70-210) from Microsoft. This exam can be used as credit on both the MCSA and MCSE tracks, and consists of seven major objective categories:
- Installing Windows 2000 Professional
- Implementing and Conducting Administration of Resources
- Implementing, Managing, and Troubleshooting Hardware Devices and Drivers
- Monitoring and Optimizing System Performance and Reliability
- Configuring and Troubleshooting the Desktop Environment
- Implementing, Managing, and Troubleshooting Network Protocols and Services
- Configuring, Managing, and Troubleshooting Security
In this article, we address the remaining three objective categories to complete this three-part series (Part I and Part II appeared earlier). Microsoft's list of objectives for this exam can be found at http://www.microsoft.com/traincert/exams/70-210.asp.
Objective #5: Configuring and Troubleshooting the Desktop Environment
5.1: Configure and Manage User Profiles
Stored in the file NTUSER.DAT, the user profile is the portion of the Registry that is customizable for every user. It holds information about the user's desktop, wallpaper, screensavers, shortcuts, and so on. The first time a user logs on at a system, a local profile is created for that user on that system by default.
Within the root directory, a subdirectory titled Documents and Settings holds the folder Default User. Beneath Default User exists the NTUSER.DAT file, which is the desktop template used for all new users. When a new user logs in to Windows 2000 Professional for the first time, a new folder beneath Documents and Settings is created using his or her username, and the profile (NTUSER.DAT) for the Default User is copied into his or her folder for individualized customization. On the second logon, and all subsequent logons, the NTUSER.DAT file beneath the user's folder is used for the user's profile.
NOTE: Although the name of the file itself (NTUSER.DAT) stayed the same, the location of the profiles differs from earlier versions of Windows NT. If Windows 2000 Professional is located on the C: drive and the user kdulaney logs on, the profile will be found in C:\Documents and Settings\kdulaney. In earlier versions of NT, it would have been beneath C:\Winnt\Profiles\kdulaney.
The profile can contain all of the following desktop-related items:
- Application information
- Cookies
- Favorites
- Files saved on the desktop
- Local settings
- My documents
- My pictures
- Nethood
- Printhood
- Recent
- Send to
- Shortcuts
- Start Menu
- Template items
When the user logs on, her desktop and Start Menu are based on her profile, as well as entries in the ALL USERS directory (also beneath Documents and Settings). Entries are placed in All Users so that they will appear in the environment for every user using the system.
The problem with local profiles (which have been described here and are the default) is that every workstation you log on to will have its own version of the local profile. User configuration settings will have to be set at each workstation the user logs on to. To overcome this problem, you can implement roaming profiles. With roaming profiles, the user portion of the Registry is downloaded from a designated system to the system the user is currently logged on to. Any changes to those settings are stored in the central location so that they can be retrieved at the next workstation the user logs on to.
Configuring Roaming Profiles
If you want to configure a user account to use a roaming profile, the first thing to do is set the profile path in the properties for that account. The most common setting to perform is to have a directory shared with a share name, such as "profiles." It should allow the local group USERS the permission of FULL CONTROL. With this share, you can set the user's profile path to be \\server\share\%username%. The next time the user logs on, his or her profile information can be saved to this central profile directory.
Naturally, in order to take advantage of a roaming profile, the computer the user uses must have joined the domain that holds the profile.
An administrator can determine whether the user profiles stored on the local system are roaming or local profiles, and can change a profile's type, from the User Profiles tab in the System applet in the Control Panel. This dialog box shows all the profiles currently stored on the system and whether each one is a roaming or local profile. You can change the profile between roaming and local by clicking the Change Type button. In order to configure roaming, a server must be available. This dialog box is also used to configure how to handle roaming profiles when the user logs on to the network over a slow WAN link. This is an extremely useful setting for laptop users who may log on to an enterprise network from various locations.
NOTE: Remember that the roaming profile is stored on a specific server even though the user can be authenticated on any domain controller in the domain.
Configuring Mandatory Profiles
A mandatory profile is a variation of a roaming profile. It must be configured in the same manner as a roaming profile, only the file is renamed from NTUSER.DAT to NTUSER.MAN. In essence, this makes the file behave as if it is read-only. The profile is read in the same manner when the user logs on, but changes made to any of the profile items while the user is logged on are not kept when the user logs out. This can be a lifesaver when you're working with users who need a static desktop environment. If they accidentally delete half their Start menu, the solution is simply to have them log off and back on again. Mandatory profiles do not work well with users who must constantly change their environment for work-related reasons (such as software developers). Therefore, you should consider individual scenarios and situations to determine what is the best fit for a site's needs.
If you are using a mandatory profile for a group of users, you need to cater to the lowest common denominator. For example, if two different desktop sizes (large and small) are in use throughout the organization and you define a bitmap as wallpaper, the bitmap must be sized for the small desktop in order to work throughout the organization.
NOTE: If changes are needed to a user who has a mandatory profile, you must first rename the mandatory profile back to NTUSER.DAT. Make the changes, and make certain they took effect (log out and back in, etc.). Then complete the process by renaming the file back to mandatory (NTUSER.MAN).
5.2: Configure Support for Multiple Languages or Multiple Locations
One of the new features of Windows 2000 is its ability to work with multiple languages and in multiple settings simultaneously. We will look at each of these items in the following section.
Multiple-language support allows you to create documents that can be read in different languages, as well as change the information text presented in Professional. To enable this feature you must be a member of the Administrators group. First, open the Regional Options applet in Control Panel and then check the languages you wish to install support for.
NOTE: Although multiple languages are turned on at the local machine, you can turn them off by using settings in a Group Policy, either locally or on a network you are connected to.
As soon as multiple languages have been configured, the System Tray at the bottom right of the Taskbar displays the language currently in use. When composing a document, you can right-click on this icon to view a list of the languages available, allowing you to choose which you want to compose in. Both Notepad and WordPad can let you compose in any character set.
The variables on the General tab of Regional Options allow you to change the language settings for reading and writing documents, as well as to specify your locale. Your locale is important because changes made at this drop-down box fill in standard settings for the other tabs within this applet. You can configure the other tabs independently, but they take their default settings from the value in the Your Locale (Location) box on the General tab.
The Numbers tab allows you to specify list separators, decimal symbols, and other numerical values. The Currency tab contains settings related to monetary figures. Variables include the following:
- Currency Symbol
- Positive Currency Format
- Negative Currency Format
- Decimal Symbol
- Number of Digits to Display After the Decimal
- Digit Grouping Symbol
- Digit Grouping
The Time tab allows you to specify four variables related to this entity: the format in which time is displayed, the separator between values, the symbol for AM, and the symbol for PM. The Date tab allows you to choose the century in which two-digit years are interpreted to fall within and the formats to use for short and long dates.
The Input Locales tab allows you to choose the keyboard layout to be used currently on the system. It also allows you to turn off the language indicator that shows by default in the System Tray of the taskbar, and specify key sequences. By default, Left Alt+Shift is used to switch between locales, but the key sequence can be changed to Ctrl+Shift.
For other items, such as switching to a native language, you must configure a keyboard sequence. Each keyboard sequence must be either Ctrl+Shift+(a number between 0 and 9) or Left Alt+Shift+(a number between 0 and 9). The only deviations from using a number in the sequences above are that you can also use the tilde (~) and the grave accent (`).
Whenever you add a language (whether it's the second or the tenth), you must reboot the system for the language to be available. Additionally, if you want to enable the reading of documents in multiple languages, you must copy additional files from the CD.
NOTE: The ability to support so many languages is provided through the use of the Unicode standard. In Unicode, and the Unicode Character Set (UCS), each character has a 16-bit value. This allows 65,536 different characters to be represented and interpreted consistently.
5.3: Manage Applications by Using Windows Installer Packages
Windows Installer is a program intended to simplify the installation of new software and manage existing software. It can be used to add, delete, and modify full applications as well as components. It can alter the Registry, make shortcuts, and prompt for interaction, where needed.
Windows Installer is divided into two components: an installer service for the client (MSIEXEC.EXE) and package files (which have the extension .MSI). The .MSI files are the applications themselves and most often will come from software vendors; they can also be created internally by developers.
MSIEXEC uses the MSI.DLL library to read the package files and incorporates items from transform files (with a .MST extension). Transform files are nothing more than deviations from the MSI routine. (To use a different language, for example, also include a patch.)
MSI files contain relational databases (multiple tables) of instructions that need to be carried out. The tables are known as groups. The following tables are included:
- Core table
- File table
- Installation procedure
- Locator table
- Program installation
- Registry table
- System table
NOTE: Windows Installer is a component of IntelliMirror and is tightly integrated with Group Policy. In addition to Windows Installer, IntelliMirror also includes the ability to administer user settings, perform remote installation, and mirror data between the network and local machines.
Windows Installer can work in four ways: with Windows Explorer, from the command line, with Add/Remove Programs, and within Group Policy.
Assume you are using Windows Installer to update 20 machines, and it fails on one. The solution is to restart Windows Installer on the machine it failed on. From within Windows Explorer, double-click on any .MSI file to begin the installation automatically. Right-clicking on the file allows you to choose to Install (the default), Repair, or Uninstall the package.
You can perform a number of operations from the command line. Not only can you install, uninstall/remove, and repair .MSI files, you can also advertise a package and make the installation package.
NOTE: With advertising, the program is not installed automatically, but the ability for it to be installed is advertised to the user. The user can then install it from Add/Remove Programs, or another method.
To install a package, use the following command:
MSIEXEC /i {.MSI filename}
Optionally, you can create a log file of the installation by using this syntax:
MSIEXEC /i {.MSI filename} /L[parameter] {logfile}
You can use the following parameters with /L to dictate what information should go in the log file:
! -- Flushes each line to the log
* -- Logs all information
+ -- Appends to an existing file
a -- Logs the start of actions
c -- Logs initial user interface parameters
e -- Logs all error messages
i -- Logs status messages
m -- Logs out-of-memory messages
p -- Logs terminal properties
r -- Logs action-specific records
u -- Logs user requests
v -- Logs verbose messages
w -- Logs non-fatal warnings
To remove a package, use the following command:
MSIEXEC /x {.MSI filename}
To repair a package, use this command:
MSIEXEC /F[parameter] {.MSI filename}
where [parameter] can be any of the following parameters:
a -- Reinstalls all files
c -- Reinstalls if the file is missing or the checksum is incorrect
d -- Reinstalls if the file is missing or if it is a different version
e -- Reinstalls if the file is missing or if it is an equal or older version
m -- Rewrites Registry entries for the computer
o -- Reinstalls if the file is missing or if it is an older version
p -- Reinstalls only if the file is missing
s -- Overwrites shortcuts
u -- Rewrites Registry entries for the user
v -- Re-caches the local package and runs from source
If no parameter is specified with /f, the default is to use "pecms" (that is, the p, e, c, m, and s options combined).
To advertise a package, use this command:
MSIEXEC /j[parameter] {.MSI file}
where [parameter] is replaced with one of these two valid parameters:
m -- Advertises to all users on the computer
u -- Advertises to the current user only
Finally, to create an administrative installation package, use the following syntax:
MSIEXEC /a {.MSI filename}
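When one machine in a batch fails, the verbose log written with /L*v is where the answer is. The following is an added example (not from the article or from Microsoft) that scans such a log for the first action that returned value 3 (failure), the Error lines logged with it, and the exit code msiexec handed back. The line shapes it matches ("Action ended HH:MM:SS: Name. Return value N." and "MainEngineThread is returning <code>") are assumed from typical verbose logs, and the sample log is constructed, not captured output.

```python
"""Find the failing action in a Windows Installer verbose log.

Added example, not from the article. It assumes the line shapes that MSIEXEC
writes with /L*v ("Action ended HH:MM:SS: Name. Return value N." and
"MainEngineThread is returning <code>"); the sample log below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what "MSIEXEC /i example.msi /L*v install.log" might write
# on the one machine of twenty where the install failed.
SAMPLE_LOG = """\
=== Verbose logging started: 4/16/2003  10:06:33  Calling process: C:\\WINNT\\system32\\msiexec.exe ===
MSI (c) (1C:2C) [10:06:33:906]: Resetting cached policy values
MSI (s) (A0:B4) [10:06:40:123]: Doing action: CostInitialize
Action start 10:06:40: CostInitialize.
Action ended 10:06:40: CostInitialize. Return value 1.
MSI (s) (A0:B4) [10:06:40:500]: Doing action: InstallFiles
Action start 10:06:40: InstallFiles.
Error 1304. Error writing to file: C:\\Program Files\\Example\\app.exe. Verify that you have access to that directory.
Action ended 10:06:41: InstallFiles. Return value 3.
Action ended 10:06:41: INSTALL. Return value 3.
MSI (c) (1C:2C) [10:06:42:000]: MainEngineThread is returning 1603
=== Logging stopped: 4/16/2003  10:06:42 ===
"""

# Per-action return values as they appear on "Action ended" lines.
ACTION_RESULT = {1: "success", 2: "user cancelled", 3: "failure", 4: "suspended"}
# Process exit codes msiexec hands back to the caller (the ones seen most often).
EXIT_CODES = {0: "success", 1602: "user cancelled",
              1603: "fatal error during installation", 3010: "success, reboot required"}

ACTION_END = re.compile(r"^Action ended \d\d:\d\d:\d\d: (?P<name>[^.\s]+)\. Return value (?P<rv>\d+)\.")
ERROR_LINE = re.compile(r"^Error (?P<num>\d+)\. ")
ENGINE_RET = re.compile(r"MainEngineThread is returning (?P<code>\d+)")


def analyze_log(text: str) -> Dict[str, object]:
    """Summarise a verbose MSI log: every action's result, failed actions,
    Error lines, and the exit code.

    The first action with return value 3 is the one to investigate; the
    top-level INSTALL action fails afterwards only because a child failed.
    """
    actions: List[Tuple[str, str]] = []
    failed: List[str] = []
    errors: List[str] = []
    exit_code: Optional[int] = None
    for line in text.splitlines():
        m = ACTION_END.match(line)
        if m:
            rv = int(m.group("rv"))
            actions.append((m.group("name"), ACTION_RESULT.get(rv, f"return value {rv}")))
            if rv == 3:
                failed.append(m.group("name"))
            continue
        if ERROR_LINE.match(line):
            errors.append(line.strip())
            continue
        m = ENGINE_RET.search(line)
        if m:
            exit_code = int(m.group("code"))
    return {
        "actions": actions,
        "first_failed_action": failed[0] if failed else None,
        "failed_actions": failed,
        "errors": errors,
        "exit_code": exit_code,
        "exit_meaning": EXIT_CODES.get(exit_code, "unknown") if exit_code is not None else None,
    }


if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    print(f"exit code {result['exit_code']}: {result['exit_meaning']}")
    print("first failing action:", result["first_failed_action"])
    for err in result["errors"]:
        print("  ", err)
```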
Windows Installer and Add/Remove Programs
Windows Installer support is built into Add/Remove Programs. Simply choose Change or Remove Programs within the applet, and Windows Installer is invoked automatically.
Windows Installer and Group Policy
One of the key features of Group Policy is Windows Installer integration. Administrators can include packages within Group Policy and tie them to computer options or user options to have them installed automatically where needed. Parameters for Windows Installer are located beneath both Computer Configuration and User Configuration, as well as beneath Windows Components, which is beneath Administrative Templates.
All that aside, one of the main features of Group Policy is the ability it affords an administrator to enforce desktop settings. Group Policy will only work with Windows 2000 clients, while System Policies work with previous clients.
If you double-click on the setting Disable Windows Installer, a dialog box appears, allowing you to change the setting from Not Configured to either Enabled or Disabled. You can also choose whether installation of applications will be allowed with elevated privileges and whether to log the installation (among other options).
5.4: Configure and Troubleshoot Desktop Settings
Windows 2000 incorporates the Active Desktop, which was first popularized with Windows 98, and first available in Windows 95 OSR2. Active Desktop allows you to make your desktop function like a Web site. You can add Web content to the desktop along with the desktop icons.
Right-click on the desktop and choose Properties to bring up the dialog box for the desktop. A new tab -- Web -- allows you to configure where the Web content will come from. You can specify not only the sites to incorporate but also the depth of pages to download, disk usage limitations, and the frequency schedule.
The New Active Desktop Item wizard walks you through the process of setting up each item and simplifies the process.
The properties dialog box is, in actuality, the DESKTOP.CPL file; you can summon it from the command prompt or from the Run dialog box that appears when you choose Start, Run.
When you walk away from the desktop, you can "lock it" by choosing Lock Computer from the Windows Security dialog box. This requires your password to be re-entered again before the desktop can be used, but allows all background processes to continue to run while you are away.
5.5: Configure and Troubleshoot Fax Support
Windows 2000 allows you to "print" to a fax modem as you would to a printer. Graphics are converted to .TIF files before being sent. Class 1, 2, and 2.0 modems are supported.
NOTE: Windows 2000 does not support fax sharing. The fax modem must be connected to the workstation to be able to be used.
You can control fax jobs from within an application or through the options available in Windows 2000. To access the options in Windows 2000, select Start, Programs, Accessories, Communications, Fax.
As you can see, the Fax menu lists five options. The Fax Queue option allows you to cancel, pause, resume, and view faxes that are waiting to be sent. Fax Service Management allows you to configure the fax modem(s) and logging options. Help is self-explanatory. My Faxes is used to hold cover pages and any sent/received faxes for printing, viewing, and deleting. Send Cover Page Fax starts the Send Fax Wizard, which walks you through the process of creating a uniform cover page.
Within the Properties dialog box, the Advanced Options tab allows you to add a fax printer (something you can also do from the Fax applet in Control Panel). All fax printers are added to the Printers folder, and any one can be selected as the default print destination, just as local and network printers can.
The executable file represented by the Fax applet in Control Panel is FAX.CPL. You can summon it from the command prompt or from the Run dialog box that appears when you choose Start, Run.
5.6: Configure and Troubleshoot Accessibility Services
The Accessibility Options applet allows you to configure the system for use by individuals with physical disabilities. For example, if it is too difficult for a user to press multiple keys simultaneously (such as Ctrl, Shift, or Alt and another key), you can turn on StickyKeys -- a feature that allows the last key pressed to remain in memory (in other words, makes it sticky).
This dialog box offers configuration options related to the keyboard, mouse, display, and sound. Additionally, you can use options on the General tab to have accessibility features automatically shut off after a specified time (five minutes is the default), to apply the settings to all users or individual users, and so on.
The actual applet executable file is ACCESS.CPL. You can summon it from the command prompt or from the Run dialog box that appears when you choose Start, Run.
Utility Manager (Start, Programs, Accessories, Accessibility, Utility Manager) can be used to configure the accessibility options to start on each boot. This can also be used to configure the options to run when the Utility Manager starts.
Objective # 6: Implementing, Managing, and Troubleshooting Network Protocols and Services
6.1: Configure and Troubleshoot the TCP/IP Protocol
With the release of Windows 2000, TCP/IP has become the required networking protocol to use in the creation of your network. In previous versions, it was the default choice from among three possibilities (NWLink - IPX/SPX-compatible and NetBEUI being the other two), but it could always be deselected and not used. With Windows 2000, you can install any other protocol you want, but you must install TCP/IP; the check box for it cannot be deselected during installation and configuration. Much of the necessity of having TCP/IP installed is based upon Active Directory and its use of DNS.
Because of the importance of TCP/IP to Windows 2000, the next several sections examine this protocol and its primary aspects.
Configuring Windows 2000 Professional as a TCP/IP Client
Supported by most computer operating systems, TCP/IP is the protocol required for connectivity to the Internet. There are two methods by which you can configure TCP/IP information. The first is to do it manually. Manual configuration, as the name implies, requires you to walk to each machine separately and enter the key pieces of information. The problem with this is that it is very time consuming and leaves a great deal of room for error.
The alternative to manual configuration is to use a DHCP server, which issues configuration information to clients when they need it. We will look at both of these methods in turn.
Manual TCP/IP Configuration
When you manually configure a computer as a TCP/IP host, you must enter the appropriate settings, which are required for connectivity with your network. To reach the configuration tabs, choose the Network and Dial-Up Connections applet from the Control Panel, right-click on the network in question (typically named Local Area Connection), and choose Properties from the pop-up menu. On the General tab select Internet Protocol (TCP/IP) and click the Properties button to access the configuration dialog box.
Here you configure the following network settings (the first two of which are required):
- IP Address. A logical 32-bit address used to identify a TCP/IP host. Each network adapter configured for TCP/IP must have a unique IP address, such as 192.14.200.4. Valid values are 1-223 for the first octet and 0-255 for each of the remaining three octets, with the exception of 127, which cannot be used in the first octet because it is a reserved address.
- Subnet Mask. A subnet is a division of a larger network environment, typically connected by routers. Whenever a TCP/IP host tries to communicate with another TCP/IP host, the subnet mask is used to determine whether the other TCP/IP host is on the same network or a different network. If the other TCP/IP host is on a different network, the message must be sent via a router that connects to the other network. A typical subnet mask is 255.255.255.0. All computers on a given subnet must have the same subnet mask value.
- Default Gateway (Router). This optional setting is the address of the router. The router controls communication with all other subnets. If the router's address is not specified, this TCP/IP host can communicate only with other TCP/IP hosts on its subnet. NOTE: The Default Gateway box must be left blank if you are connecting to the Internet through an Internet Service Provider (ISP). The ISP fills in that information upon connection.
- Domain Name System (DNS) Server Address. DNS is an industry standard distributed database that provides name resolution and a hierarchical naming system for identifying TCP/IP hosts on the Internet and on private networks. A DNS address must be specified to enable connectivity with the Internet or with UNIX TCP/IP hosts. You can specify more than one DNS address and the search order that specifies the order in which they should be used. NOTE: On a very small network, a static file named HOSTS can be used to translate host names to IP addresses in place of DNS.
- Windows Internet Name Service (WINS). Computers use IP addresses to identify one another. Users, however, generally find it easier to use other means, such as computer names. Therefore, some method must be used to provide name resolution, the process by which references to computer names are converted into the appropriate IP addresses. WINS provides name resolution for Microsoft networks. If your network uses WINS for name resolution, your computer needs to be configured with the IP address of a WINS server. (The IP address of a secondary WINS server can also be specified.) If the settings for the TCP/IP protocol are specified incorrectly, you will experience problems that keep your computer from establishing communications with other TCP/IP hosts in your network. In extreme cases, communications on your entire subnet can be disrupted. NOTE: Although host names (and thus DNS) are understood on all operating systems running TCP/IP, NetBIOS names (and thus WINS) are understood only in the world of Microsoft operating systems. Eventually, WINS will be completely phased out in favor of DNS.
Both DNS and WINS are services: They can run only on a server (as in Windows 2000 Server). Configuration of the service and server is covered on the Windows 2000 Server exams. For Windows 2000 Professional, which is a client operating system, you must know the tabs to perform the access on and the reasons why you would do so.
NOTE: On a very small network, you can use a static file named LMHOSTS to translate NetBIOS names to IP addresses in place of WINS. The Import LMHOSTS button allows WINS to convert your static file to the WINS service.
Using DHCP for TCP/IP Configuration
Manual configuration of TCP/IP creates a lot of administrative work and is not very efficient. One way to avoid the possible problems of administrative overhead and incorrect settings for the TCP/IP protocol is to set up your network so that all your clients receive their TCP/IP configuration information automatically through Dynamic Host Configuration Protocol (DHCP) servers.
DHCP automatically centralizes and manages the allocation of the TCP/IP settings required for proper network functionality for computers that have been configured as DHCP clients. TCP/IP settings that the DHCP client receives from the DHCP server are only leased to it and must periodically be renewed. This lease and renewal sequence enables a network administrator to change client TCP/IP settings, if necessary.
To configure a computer as a DHCP client, all you must do is select the Obtain an IP Address Automatically option on the General tab of the TCP/IP properties box. If you are moving to DHCP after having used manual configuration, you must first empty the manual fields, or the information in them could override the DHCP entries.
To determine the network settings that a DHCP server has leased to your computer, type the following command at a command prompt:
IPCONFIG /all
Note that IPCONFIG (with the /ALL parameter) also gives you full details on the duration of your current lease. You can verify whether a DHCP client has connectivity to a DHCP server by releasing the client's IP address and then attempting to lease an IP address. You can conduct this test by typing the following sequence of commands from the DHCP client at a command prompt:
IPCONFIG /release
IPCONFIG /renew
NOTE: On Windows 95/98 machines, you can get this information from a graphical utility. Or, you can choose Start, Run and type WINIPCFG, which will show your IP configuration in an undocumented utility. Select the MORE INFO button to see additional information.
Troubleshooting TCP/IP
If you are only using TCP/IP, yet you want to utilize NetBIOS names, each client must know a WINS server address. This can be manually given, or issued through DHCP.
You can use a number of tools to help troubleshoot and isolate the source of TCP/IP problems. Each tool gives you a different view of the process used to resolve an IP address to a hardware address and then route the IP packet to the appropriate destination. As a general rule of thumb, however, the following statements apply to the tools listed here:
- If TCP/IP cannot communicate from a Microsoft host to a remote host system, the utilities discussed in this section will not work correctly.
- If the systems are on different subnets and cannot communicate, remember that TCP/IP requires routing to communicate between subnets.
- If the systems were able to communicate previously but can no longer communicate, suspect either your router(s) or changes in software configuration.
Of the tools described in the following sections, some are just troubleshooting tools, whereas others fall more into the category of applications. The applications can be used to signify that a problem exists or to check to see if the problem lies within one application and not within the connection.
After the sections describing the tools in detail, you'll find a section that lists the tools, tells which category each tool falls into, and gives Microsoft's recommended steps for approaching related problems.
ARP
After the name has been resolved to an IP address, your computer must resolve the IP address to a MAC address. This is handled by the Address Resolution Protocol (ARP). ARP, as a utility, can be used to see the entries in the Address Resolution table, which maps network card addresses (MAC addresses) to IP addresses. You can check to see if the IP addresses you believe should be in the table are there and if they are mapped to the computers they should be. Usually, you do not know the MAC addresses of the hosts on your network. However, if you cannot contact a host, or if a connection is made to an unexpected host, you can use the ARP command to check this table and begin isolating which host is actually assigned an IP address.
Event Viewer
The Event Viewer in Windows 2000 is used to examine events and errors that were written to log files. All critical system messages are stored in the System event log in Windows 2000 Professional, not just those related to TCP/IP. (Other log files include Application and Security.) With Windows 2000, the Event Viewer (formerly a standalone utility) has been moved into the Computer Management MMC snap-in.
Finger
The Finger command can return information about a remote host and the services and users on it.
FTP and TFTP
The File Transfer Protocol (FTP) is used to actively download or upload files from one host to another. A deviation of it, Trivial File Transfer Protocol (TFTP), allows the operations to be in an unattended state.
HOSTNAME
One of the simplest utilities of all, HOSTNAME returns the name the current host is known as. This utility does not support any parameters.
IPCONFIG
As mentioned in conjunction with DHCP earlier in this section, IPCONFIG can display IP configuration data. This is one of the first tools to use when experiencing problems accessing resources, as it will show you whether an address has been issued to the machine or not. If the address displayed falls within the 169.254.x.x category, then the client was unable to reach the DHCP server and has defaulted to Automatic IP Addressing, which will prevent it from communicating outside of its subnet, if not altogether.
The command's /ALL parameter shows all data; the /RELEASE parameter gives up the DHCP lease; and the /RENEW parameter attempts to extend the life of the lease.
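The rules given above for a manual TCP/IP configuration (first octet 1-223 with 127 reserved, the subnet mask deciding whether a peer is local or must go through the default gateway) and the 169.254.x.x check just described for IPCONFIG output can be turned into a small checker. The following is an added example, not from the article; it uses only the Python standard library, and all addresses in it are constructed.

```python
"""Check a hand-entered TCP/IP configuration the way the article describes it.

Added example, not from the article. It encodes the rules given there: the
first octet is 1-223 and 127 is reserved, the subnet mask decides whether a
peer is local or must go through the default gateway, and a 169.254.x.x
address from IPCONFIG means the DHCP server was never reached. All sample
addresses are constructed.
"""
import ipaddress
from typing import List, Optional

# Range a client falls back to when it cannot reach a DHCP server.
APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")


def check_static_address(ip: str) -> List[str]:
    """Return the problems found with a manually typed IP address (empty list = OK)."""
    try:
        octets = [int(part) for part in ip.split(".")]
    except ValueError:
        return ["address must be four decimal numbers separated by dots"]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        return ["each of the four octets must be 0-255"]
    if octets[0] == 127:
        return ["127 cannot be used in the first octet; it is reserved (loopback)"]
    if not 1 <= octets[0] <= 223:
        return ["first octet must be 1-223; 224 and above is multicast or reserved"]
    return []


def is_apipa(ip: str) -> bool:
    """True if IPCONFIG shows a 169.254.x.x address, i.e. no DHCP lease was obtained."""
    return ipaddress.ip_address(ip) in APIPA_RANGE


def same_subnet(local_ip: str, mask: str, remote_ip: str) -> bool:
    """Apply the mask the way the host does: equal network bits means the peer is local."""
    local_net = ipaddress.ip_network(f"{local_ip}/{mask}", strict=False)
    return ipaddress.ip_address(remote_ip) in local_net


def next_hop(local_ip: str, mask: str, gateway: Optional[str], remote_ip: str) -> str:
    """Where the host will send a packet for remote_ip: the peer, the router, or nowhere."""
    if same_subnet(local_ip, mask, remote_ip):
        return remote_ip
    if not gateway:
        return "unreachable: no default gateway configured"
    if not same_subnet(local_ip, mask, gateway):
        return "unreachable: default gateway is not on the local subnet"
    return gateway


def diagnose_lease(ip: str) -> str:
    """One-line reading of the address IPCONFIG reports on a DHCP client."""
    if is_apipa(ip):
        return "APIPA address: DHCP server not reached; try IPCONFIG /release then /renew"
    problems = check_static_address(ip)
    return "lease looks usable" if not problems else "bad address: " + problems[0]


if __name__ == "__main__":
    host, mask, gw = "192.14.200.4", "255.255.255.0", "192.14.200.1"  # constructed
    print("static address problems:", check_static_address(host))
    for peer in ("192.14.200.77", "10.0.0.9"):
        print(peer, "->", next_hop(host, mask, gw, peer))
    print(diagnose_lease("169.254.12.7"))
```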
Windows 2000 offers the following new parameters for the IPCONFIG utility:
NBTSTAT
NBTSTAT is a command-line utility that enables you to check the resolution of NetBIOS names to TCP/IP addresses. With NBTSTAT, you can check the status of current NetBIOS sessions. You can also add entries to the NetBIOS name cache from the LMHOSTS file, or check your registered NetBIOS name and the NetBIOS scope assigned to your computer, if any.
Whereas NETSTAT deals with all the connections between your system and other computers, NBTSTAT deals only with the NetBIOS connections. NBTSTAT also allows you to verify that name resolution is taking place by providing a method to view the name cache.
NETSTAT
NETSTAT is a command-line utility that enables you to check the status of current IP connections. Executing NETSTAT without switches displays protocol statistics and current TCP/IP connections.
When you have determined that your base-level communications are working, you will need to verify the services on your system. This involves looking at the services that are listening for incoming traffic and/or verifying that you are creating a session with a remote station. The NETSTAT command allows you to do this.
Netstat options include:
- -a shows ALL connections and listening ports
- -e shows Ethernet statistics
- -n shows addresses and port numbers in numerical form instead of doing a name lookup
- -p lets you specify a protocol: tcp, udp, icmp, or ip
- -r shows the routing table
- -s shows per-protocol statistics; you specify which protocols to look at with -p
NSLOOKUP
NSLOOKUP is a command-line utility that enables you to verify entries on a DNS server. You can use NSLOOKUP in two modes: interactive and non-interactive. In interactive mode, you start a session with the DNS server, in which you can make several requests. In non-interactive mode, you specify a command that makes a single query of the DNS server. If you want to make another query, you must type another non-interactive command. One of the key issues regarding the use of TCP/IP is the ability to resolve a host name to an IP address-an action usually performed by a DNS server.
PING
The PING command is one of the most useful commands in the TCP/IP protocol. It sends a series of packets to another system, which in turn sends back a response. This utility can be extremely useful for troubleshooting problems with remote hosts.
The PING command indicates whether the host can be reached and how long it took for the host to send a return packet. On a local area network, the time is indicated as less than 10 milliseconds. Across wide area network links, however, this value can be much greater.
The "R" Utilities
Windows 2000 includes support for three utilities that traditionally have existed only in the UNIX world:
- RCP (Remote Copy Protocol) is used to copy a file from one host to another. This utility is similar in some ways to FTP.
- REXEC remotely starts and runs a process on a host.
- RSH (Remote Shell) allows you to run commands on a remote UNIX host.
ROUTE
The ROUTE command-line utility enables you to see the local routing table and add entries to it. Occasionally, it is necessary to see how a system will route packets on the network. Normally, your system will simply send all packets to the default gateway. However, sometimes (such as when you are having problems communicating with a group of computers) ROUTE may provide an answer.
Telnet
This utility allows you to turn your workstation into a dumb-client and establish a session with a remote host.
As simple as it may sound, for telnet to work, there must be a telnet client (Windows 2000 Professional) and a telnet server (such as Windows 2000 Server). Bear in mind that telnet sessions are always character-based.
TRACERT
TRACERT is a command-line utility that enables you to verify the route to a remote host. Execute the command TRACERT hostname, where hostname is the computer name or IP address of the computer whose route you want to trace. TRACERT returns the different IP addresses the packet was routed through to reach the final destination. The results also include the number of hops needed to reach the destination. If you execute the TRACERT command without any options, you see a help file that describes all the TRACERT switches.
The TRACERT utility determines the intermediary steps involved in communicating with another IP host. It provides a road map of all the routing an IP packet takes to get from host A to host B.
As with the PING command, TRACERT returns the amount of time required for each routing hop.
Troubleshooting Summary
As a general rule, the tools presented can be broken into the following categories and are presented in the order they are most likely to be used per task:
Troubleshooting Only | Application
--- | ---
IPCONFIG | FTP
PING | Telnet
TRACERT | Finger
NETSTAT | "R" utilities
ARP | TFTP
Event Viewer |
ROUTE |
NBTSTAT |
HOSTNAME |
Microsoft recommends that you approach a possible connectivity problem by following these steps:
1. Run IPCONFIG to verify that there is a valid IP address (whether it's manually configured or supplied by DHCP).
2. Ping the loopback address (127.0.0.1). This will verify that the TCP/IP stack is functioning properly but will not go out across the wire.
3. Ping your own IP address. A success should show that duplicate addresses are not a problem.
4. Ping the default gateway.
5. Ping a remote host.
If all the steps are completed successfully, the problem lies in something other than with the TCP/IP protocol and connectivity.
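As an added example (not code from the original article), the following Python script reads IPCONFIG /ALL output, flags an Automatic Private IP address (169.254.x.x) or a missing default gateway, and lists the ping targets for steps 2 through 5 in the order given above. The ipconfig text, host names, MAC address and IP addresses are constructed for the example.

```python
"""Read IPCONFIG /ALL output and plan the five-step TCP/IP connectivity check."""
import re

# Constructed sample in the shape Windows 2000 IPCONFIG /ALL prints; the host
# name, MAC address and IP addresses are made up for this example.
SAMPLE_APIPA = """
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : WS01
        Primary DNS Suffix  . . . . . . . : example.local
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example PCI Ethernet Adapter
        Physical Address. . . . . . . . . : 00-01-02-03-04-05
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.17.42
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

# Second constructed sample: a statically configured, healthy adapter.
SAMPLE_STATIC = """
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : WS02

Ethernet adapter Local Area Connection:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.1.2.30
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.2.1
"""

APIPA_RE = re.compile(r"^169\.254\.\d{1,3}\.\d{1,3}$")
# "Field name . . . . : value"; the name may contain spaces, slashes and hyphens.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z /-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {"host": {...}, "<adapter header>": {...}} of field -> value."""
    sections = {"host": {}}
    current = "host"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():
            # Unindented lines are the banner or an adapter header ending in ":".
            if line.endswith(":"):
                current = line[:-1].strip()
                sections[current] = {}
            continue
        match = FIELD_RE.match(line)
        if match:
            sections[current][match.group(1).strip()] = match.group(2).strip()
    return sections


def diagnose(adapter):
    """Classify one adapter's addressing state from its parsed fields."""
    ip = adapter.get("IP Address") or adapter.get("Autoconfiguration IP Address") or ""
    gateway = adapter.get("Default Gateway", "")
    dhcp = adapter.get("DHCP Enabled", "").lower() == "yes"
    if not ip or ip == "0.0.0.0":
        state = "no-address"
    elif APIPA_RE.match(ip):
        state = "apipa"       # DHCP server not reached; local subnet at best
    elif not gateway:
        state = "no-gateway"  # can reach the local subnet only
    else:
        state = "ok"
    return {"ip": ip, "gateway": gateway, "dhcp": dhcp, "state": state}


def ping_plan(adapter, remote_host):
    """Targets for steps 2-5, in order; step 1 (IPCONFIG) is the parse itself.
    Off-subnet targets are skipped when the address itself is the problem."""
    info = diagnose(adapter)
    targets = ["127.0.0.1"]              # step 2: loopback, stack only
    if info["ip"]:
        targets.append(info["ip"])       # step 3: own address, duplicate check
    if info["state"] == "ok":
        targets.append(info["gateway"])  # step 4: default gateway
        targets.append(remote_host)      # step 5: a host beyond the gateway
    return targets


if __name__ == "__main__":
    for sample in (SAMPLE_APIPA, SAMPLE_STATIC):
        cfg = parse_ipconfig(sample)
        adapter = cfg["Ethernet adapter Local Area Connection"]
        print(cfg["host"]["Host Name"], diagnose(adapter), ping_plan(adapter, "10.1.2.250"))
```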
6.2: Connect to Computers by Using Dial-Up Networking
Dial-Up Networking (DUN) enables you to extend your network to unlimited locations-another computer, a network, or the Internet. DUN clients can work with RAS (Remote Access Server) servers and enable remote clients to make connections to your LAN via either ordinary telephone lines or higher-speed techniques such as ISDN or X.25. When a connection is established, the remote client is able to work as though he were physically located on the network as another node.
With Windows 2000 Professional, the workstation can be used to dial out to servers or have other clients dial in (effectively making this workstation the remote access server).
The connections can be made via industry standard protocols: Point-to-Point Protocol (PPP), Point-to-Point Tunneling Protocol (PPTP), or Serial Line Internet Protocol (SLIP). In addition, the following authentication protocols are supported to make your connections as secure as possible:
- CHAP: Challenge Handshake Authentication Protocol
- EAP: Extensible Authentication Protocol
- MS-CHAP: Microsoft Challenge Handshake Authentication Protocol (requires the communication to be between a Microsoft client and a Microsoft server)
- MS-CHAPv2: Microsoft Challenge Handshake Authentication Protocol, version 2 (also requires the communication to be between a Microsoft client and a Microsoft server). The primary difference between MS-CHAP and MS-CHAPv2 is that the latter is no longer backward compatible for LAN Manager. Due to the backward compatibility issues, MS-CHAP only allowed for one-way authentication, whereas MS-CHAPv2 uses two-way (also known as mutual) authentication.
- PAP: Password Authentication Protocol (uses clear-text authentication)
- Smart cards: Certificate-based authentication
- SPAP: Shiva Password Authentication Protocol
Creating Dial-Up Connections
To create a dial-up connection to a remote access server, DUN must be installed. You can install Dial-Up Networking during the installation of Windows 2000 Professional or at any time afterward. To install DUN after installation, either click on the Network and Dial-Up Connections link in My Computer or click on the folder of the same name in Control Panel.
Next, choose the Make New Connection icon, and the Network Connection Wizard begins. When it's initialized, you must choose the connection type you want to establish.
Five choices are presented in radio-button format (signifying that only one can be selected):
- Dial-up to a private network. Connect to a remote access server.
- Dial-up to the Internet. Connect to an ISP (Internet Service Provider).
- Connect to a private network through the Internet. Create a VPN (virtual private network) by tunneling other protocols across TCP/IP.
- Accept incoming connections. Make this machine a remote access server.
- Connect directly to another computer. The first three choices imply connections via modem, ISDN, and so on, whereas this one allows you to create a dial-up connection on the LAN.
After you choose which type of dial-up connection to make, among the first three choices, the wizard prompts for telephone number information on the server you will be calling. The Use Dialing Rules check box allows you to specify different dialing sequences for dialing from different locations.
The next screen of the wizard asks if the connection you are creating will apply only for you or for all users. Following that, you can specify a name for the connection and whether you would like a shortcut icon for it. Upon successful completion, an icon appears under Network and Dial-Up Connections (which you can access by choosing Start, Settings, Network and Dial-Up Connections) and on the desktop, if you so chose.
Configuring Dial-Up Connections
After successfully creating a connection, you can configure it with a plethora of properties. Right-click on the icon and choose Properties from the pop-up menu for additional configuration options. The connection's Properties dialog box contains five tabs of options:
- General. The General tab allows you to choose the connection device (modem, and so on), the phone numbers to dial, including alternates if the first is busy, and the rules to use. (See "Dialing Rules" later in this article.)
- Options. The Options tab allows configuration of behavioral parameters (show progress, automatically redial, and so on).
- Security. The Security tab allows you to configure whether identity will be validated by unsecured password, secured password, or smart card. Additionally, you can specify whether encryption will also be used on the data (available only if the password is secured) and advanced options on password usage.
- Networking. The Networking tab allows you to specify components used by the connection. These choices differ based on the line protocol used. With SLIP, you must choose between Internet Protocol (TCP/IP), File and Printer Sharing for Microsoft Networks, and Client for Microsoft Networks. With PPP, you have the SLIP choices as well as NetBEUI, NWLink IPX/SPX/NetBIOS Compatible Transport, and Client Service for NetWare. Additionally, with PPP, you can click the Settings button to toggle on or off LCP (Link Control Protocol) extensions, which are used to determine framing, software compression, and multilink.
- Internet Connection Sharing. The Internet Connection Sharing tab allows you to configure a workstation so that other computers on the network can access the Internet through it. If this is configured, on-demand dialing can also be turned on to establish a connection. The Windows 2000 Professional workstation, in essence, becomes a proxy server.
Dialing Rules
Dialing rules allow you to specify that the system should use different parameters when you are calling from different locations. This is extremely handy when you are configuring a laptop that you will be using in different area codes. When you are at the workplace, you may need to dial 9 to get an outside line; when you are calling from a hotel, you need to use a calling card number; and so on.
Working with Multilink
When configuring the PPP parameters of the workstation, one of the parameters you can configure is that of multilink. This feature allows you to establish a number of connections to the remote access server via more than one modem. The speed of the networking session becomes equal to the speed of all the modem connections combined.
Windows 2000 Professional can dynamically monitor the bandwidth used and add or drop lines as needed. For multilink to work, the remote access server must also support this feature, and there can be no call-back assignments. Not only must the remote access server support multilink for it to work, but it must be enabled as well.
Connecting Through the Internet
To create an Internet connection, you use the same wizard as you would to create a connection to a remote access server. In this case, however, you choose the second radio button: Dial-Up to the Internet. The wizard then brings up the connection dialog box which lets you configure an account. When the account has been established, you must specify whether this connection will be made through a modem or across the LAN.
If you choose to go across the LAN, you must specify the proxy server to use. (You can do this manually or through automatic discovery.) If you choose to use a modem, you must configure the phone connections. On the last configuration screen, you also specify whether the connection should be dialed automatically.
Connecting Through VPNs
Web sites can be divided into three categories: Internet (where you want everyone to come), intranet (where you want only internal employees to come), and extranet (where you want only employees and vendors to come). An extranet utilizes security to ensure that those who access it are those you want to do so. To create an extranet, you use virtual private networks (VPNs).
To create a VPN client connection, choose the third option on the connection wizard: Connect to a Private Network Through the Internet. First, the wizard asks how you intend to reach the site. The network connections you have already established appear in the drop-down box as your choices.
Following this, you must specify the host name or IP address of the host you will be connecting to. Next, choose whether the VPN parameters will apply to all users or only you. Finally, you must give a name for the connection and choose whether you want a shortcut icon to appear on the desktop.
After the icon for the connection is created, you can right-click on it and choose Properties from the pop-up menu. Although this brings up the same five property tabs as for any dial-up connection, there are major differences on the Security and Networking tabs.
On the Security tab, the identity of the user must be authenticated. The only two choices are Require Secured Password and Use Smart Card. By default, the check box requiring data to be encrypted during the session is also checked (but can be unchecked if you are not truly security conscious).
The Network tab no longer offers the choices of PPP and SLIP. The line protocols now available use tunneling: PPTP (Point to Point Tunneling Protocol) and L2TP (Layer Two Tunneling Protocol). The default choice is Automatic, which means either protocol can be used.
PPTP is Microsoft's solution to tunneling (sending other protocols across the Internet by encapsulating them within TCP/IP), whereas L2TP comes from Cisco. Regardless of which you choose, you can click the Settings button to toggle on or off LCP (Link Control Protocol) extensions, which are used to determine framing, software compression, and multilink.
Maximizing Internet Connection Sharing
As mentioned earlier, you can configure any connection for Internet sharing by configuring the appropriate tab. The check box allows you to turn on the feature. The drop-down box displays the different networks the workstation is a member of. You can also specify whether the connection should be utilized if there is not a session present (on-demand dialing).
When ICS is turned on, the NIC within the machine MUST use the IP address of 192.168.0.1. The ICS machine also now functions as a non-configurable DHCP server, DNS server, and router. If the options within ICS are too limiting for your implementation, then you must bypass ICS and use Windows 2000 Server and NAT (Network Address Translation).
The Settings button at the bottom of the dialog box allows you to configure applications or services to be enabled for computers sharing the connection. Common applications and their default port numbers are listed here:
- WWW: 80
- FTP: 21
- Telnet: 23
- SMTP: 25
While much is made of TCP/IP, Windows 2000 supports more than one protocol. Binding two or more protocols to a single adapter is made possible through the support of NDIS (Network Driver Interface Specification).
6.3: Connect to Shared Resources on a Microsoft Network
Windows 2000 Professional offers different methods of working with network resources. Each of the methods offers different ways of determining what is available to you and the different types of connections you can make to those network resources.
Universal Naming Convention
The Universal Naming Convention (UNC) is a standardized way of specifying a share name on a specific computer. The share names can refer to folders or to printers. The UNC path takes the form of \\computer_name\share_name. Commonly, the share names (like computer names) are limited to 15 characters.
It is important to note that connections made via UNC paths are made immediately and do not require the use of a drive letter. It is also important to note that if a dollar sign ($) is placed at the end of a share name, it becomes "hidden." It does not show up in listings, but users can still access it by using the UNC name.
You can also use UNC connections to connect to network printers. For example, \\ACCTSERVER\ACCTPRINT is the UNC path to a printer named ACCTPRINT, on a server named ACCTSERVER.
NOTE: Many 16-bit applications do not work with UNC paths. If you need to work with a 16-bit application that doesn't work with UNC paths, you must map a drive letter to the shared folder or connect a port to the network printer.
The limitations on lengths for share names are not a reflection on limitations for long filenames. Rather, they are more a reality due to limitations on NetBIOS names, which can only be 15 characters long and cannot contain embedded blanks. The actual folder name under Windows 2000 can still be a long filename; only the share name needs to be short. For example, your MYDOCS$ share can be a folder on your desktop workstation named "My documents where I keep information on service contracts."
My Network Places
The My Network Places icon, formerly known as Network Neighborhood, appears on your desktop directly beneath My Computer. When you double-click on the icon, a list of all computers in your workgroup or domain appears, along with other icons.
Shares appear here, as do the following icons:
- Add Network Place allows you to connect to shares, whether they are folders, Web sites, or FTP sites.
- Computers Near Me shows workgroup computers.
- Entire Network shows everything that can be found-printers, workstations, servers, and so on.
When you double-click on the Entire Network icon, you can search or view all computers connected to your network. You can search for files and folders (resources), or for computers (names).
When searching, you can give a partial name, and matches will be found. For example, if you search for a computer name of "D_s_tech," you would get matches to the computers "D_s_tech0," "D_s_tech1," and so on. You can also view the currently shared resources from the command prompt by typing NET VIEW.
Net Use Command
You can assign network resources to drive letters from the command prompt by using the Net Use command and the UNC path of the resource. To connect drive letter X: to a share called Kristin on a server named SERVER1, for example, you would type the following command at a command prompt:
Net Use X: \\SERVER1\Kristin
You can also use the Net Use command to connect clients to network printers. If you want to connect port Lpt1: to a network printer named HP5 on a server named SERVER1, use the following command:
Net Use Lpt1: \\SERVER1\HP5
To disconnect the network resources, use the Delete parameter (/d). For the two preceding examples, you would disconnect by using the following two commands:
Net Use X: /d
Net Use Lpt1: /d
Other parameters for the Net Use command:
/HOME -- Connects a user to his or her home directory.
/PERSISTENT -- Controls the use of persistent network connections. The default is the setting used last.
/USER -- Specifies a different username with which the connection is made.
Objective #7: Implementing, Monitoring, and Troubleshooting Security
7.1: Encrypt Data on a Hard Disk by Using Encrypting File System (EFS)
The Encrypting File System (EFS) allows you to toggle an attribute for a file or folder just as you would any other, and it protects the contents. If the object you select is a folder, all contents of the folder-files, subfolders and so on-also become encrypted. Files that are pasted into an encrypted folder become encrypted as well, but files that are placed in the folder with drag-and-drop do not become encrypted automatically.
NOTE: In order to use EFS, the file system must be NTFS, and the files must not be compressed. Some files (system files in particular) cannot be compressed. If you move or copy an encrypted file to one of these partitions, it becomes unencrypted automatically.
From the time a file is encrypted, a digital code associated with the user (encryption certificate) is assigned to it. This allows the encrypting user to open and work with the file exactly as if it were unencrypted, but prevents anyone else from doing so. Because only the encrypting user can open the file, EFS is perfect for personal data but unusable for any data you want to share.
NOTE: You can use the Export command in the Certificates snap-in to copy your file encryption certificates to another location-such as a floppy drive. Doing so will allow you to unencrypt your files should a restore operation be necessary after a media failure (at which time you can use the Import command to bring them back from the floppy).
EFS is an integrated component of the NT kernel. To encrypt an entity, simply choose its properties and click the Advanced button to reach the Advanced Attributes dialog box. Check the box Encrypt Contents to Secure Data and click OK. Each encrypted file is given a unique encryption key. All keys are stored in non-paged memory for security purposes.
When you choose to encrypt a file, a dialog box appears asking if you want to encrypt only the one file or the file and its parent folder (the default action). A check box gives you the option of choosing to always encrypt only the file, preventing the dialog box from reappearing in the future.
7.2: Implement, Configure, Manage and Troubleshoot Local Security Policy
Local Policies are divided into three subsections: Audit Policy, User Rights Assignment, and Security Options. The Audit Policy determines whether event auditing (adding entries to a log file) is used or not. The default value for each option is "No auditing." However, valid options include "Success" and "Failure." When auditing is turned on for a particular event, the entries are logged in the Security Log file, which is viewed with Event Viewer.
The User Rights Assignment section contains the meat of the old System Policies. You can add additional groups and users to the list but you cannot remove them. That functionality is not needed. If you want to "remove" a user or group from the list, remove the check mark from the box granting it access.
The Security Options section contains a number of options, most of which are Registry keys. The default for each is "Not defined," but you can assign two other definitions (Enabled and Disabled) or a physical number (such as the number of previous logons to cache).
Security settings for the Professional workstation are located in the Local Security Policy shortcut within the Administrative Tools folder of the Control Panel. This includes settings for Account Policies (discussed earlier) and Local Policies. You can import and export policies by right-clicking on the Security Settings folder and choosing the action you want from the pop-up menu. Exporting can be done on either the Local Policy or the Effective Policy (if applicable).
7.3: Implement, Configure, Manage and Troubleshoot Local User Accounts
In Windows 2000, a user can be granted rights and permissions to resources in two ways:
- Individually. She is explicitly assigned a right or permission through her account.
- As a group. She is a member of a group that has a right or permission.
Each Windows 2000 user account has a unique identifier, which allows a user to log on to the network and access all resources to which he or she has access. A user's account/password combination identifies his or her access token-the container, if you will, that enables a user to gain access to resources. User and group accounts are created in the Local Users and Groups portion of the Computer Management snap-in or through the lusrmgr standalone snap-in.
Creating and Managing Users
To create a new account in Windows 2000 Professional, you must be a member of either the Administrators group or the Power Users group. With the Users folder expanded, right-click and choose New User from the pop-up menu that appears. A dialog box for the new user appears. The fields on the property box ask for the following information:
- User name. This is the name that each user will use to log on to the workstation and/or the network. This name must be unique in its scope: If the user will only log on locally, it only has to be unique on this machine. If the user will access the network, this name must be unique within the network. The name can have no more than 20 characters and cannot contain the characters " / \ [ ] : ; |= , + * ? < >.
- Full name. This displays the user's full name. You can use this as a sort setting by selecting Sort by Full Name from the View menu. This is not a required field and is provided only for convenience.
- Description. This setting is copied from account to account if used as a template. It is also used to further describe a user. The setting is not required; use it as it serves your needs.
- Password and Confirm Password. The password for the user can be up to 14 characters long. If the user is using a Windows Logon (versus a Client for Microsoft Networks logon), the password is also case sensitive. If the user is at a Windows 95 or lower system, the password is not case sensitive. Again, you are not required to enter any value; the default action is that the user will need to change it at the next logon anyway.
NOTE: Given the default actions, to add a user, you must supply only one value: User name. Of the five properties at the top of the dialog box, only the Description will be copied from account to account. All other settings must be re-entered for a copied user.
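The naming limits this article states, both for UNC paths (NetBIOS computer and share names of at most 15 characters with no embedded blanks, and the $ suffix that hides a share) and for new accounts (user names of at most 20 characters without the listed characters), can be checked before a share or user is created. The following Python validator is an added example, not code from the article; the sample paths and names are constructed, with ACCTSERVER and ACCTPRINT borrowed from the article's printer example.

```python
"""Validate UNC share paths and new user names against Windows 2000 naming limits."""

NETBIOS_MAX = 15        # computer and share names are NetBIOS names
USERNAME_MAX = 20
# Characters the New User dialog rejects in a user name.
USERNAME_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def parse_unc(path):
    """Split \\\\computer\\share[\\subpath] into its parts."""
    if not path.startswith("\\\\"):
        raise ValueError("UNC path must start with two backslashes")
    parts = path[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("UNC path needs a computer name and a share name")
    return {
        "computer": parts[0],
        "share": parts[1],
        "subpath": "\\".join(parts[2:]),
        # A trailing $ hides the share from browse lists but not from UNC access.
        "hidden": parts[1].endswith("$"),
    }


def netbios_name_problems(name):
    """NetBIOS names: at most 15 characters, no embedded blanks."""
    problems = []
    if len(name) > NETBIOS_MAX:
        problems.append("longer than %d characters" % NETBIOS_MAX)
    if " " in name.strip():
        problems.append("contains an embedded blank")
    return problems


def check_unc(path):
    """Parsed UNC path plus a list of naming problems (empty when it is fine)."""
    info = parse_unc(path)
    info["problems"] = (
        ["computer " + p for p in netbios_name_problems(info["computer"])]
        + ["share " + p for p in netbios_name_problems(info["share"])]
    )
    return info


def username_problems(name):
    """Problems with a proposed user name, per the New User dialog's rules."""
    problems = []
    if not name.strip():
        problems.append("empty")
    if len(name) > USERNAME_MAX:
        problems.append("longer than %d characters" % USERNAME_MAX)
    bad = sorted(set(name) & USERNAME_FORBIDDEN)
    if bad:
        problems.append("contains forbidden characters: " + " ".join(bad))
    return problems


if __name__ == "__main__":
    # Constructed examples; the last path breaks both NetBIOS rules at once.
    for p in (r"\\ACCTSERVER\ACCTPRINT", r"\\SERVER1\MYDOCS$",
              r"\\FILESERVER-ACCOUNTING\Shared Docs\2003"):
        print(p, check_unc(p))
    for n in ("ksmith", "k:smith/2003", "x" * 21):
        print(n, username_problems(n))
```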
The lower settings in the User Properties dialog box relate to how passwords will be handled. Those settings are listed here:
- User Must Change Password at Next Logon. This approach forces the user to change his password when he logs on to the network next.
- User Cannot Change Password. This selection is used with higher security networks in which users are assigned passwords for their accounts.
- Password Never Expires. This setting overrides the account policy of password expiration and should be used only for service accounts in Windows 2000.
- Account Is Disabled. This setting prevents the user from using this account.
You should always disable an account versus deleting it. If a user quits and is replaced by another user who is to interact with the same files and at the same permission level then the easiest method of accomplishing this is to rename the existing user account to the new user. This cannot be done if the account has been deleted, and what could have been accomplished simply becomes a large chore.
You can change the value of any check box by clicking on it or pressing the spacebar. After you have completed the fields, click the Create button. This opens another blank form, allowing you to add multiple users at one time. The new accounts will not appear behind the dialog box until you choose the Close button to stop creating new accounts.
Working with Account Settings
Once an account exists, you can access its properties by double-clicking on it or by right-clicking it and choosing Properties from the pop-up menu. There are three tabs here:
The General tab holds the values supplied when the account was created-with one exception. A new check box has been added at the bottom of the choices: Account Is Locked Out. This box is checked automatically if the user has met the lockout requirements (given the wrong password five times within 30 minutes, for example). Only an administrator can uncheck the box and unlock the account; it is never available for you to lock, and you must use the Account Is Disabled check box if you want to manually prevent the user from logging on.
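As an added example that is not part of the article, the following Python code applies the lockout rule described above to constructed failed-logon records in a simplified form (timestamp, event, account). It uses the article's example values of five bad passwords within 30 minutes as the threshold and observation window; the real values come from the Account Lockout Policy, and the records are not actual Security-log output.

```python
"""Detect account lockout from failed-logon records with a sliding window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the article's example (five bad passwords within
# 30 minutes); the actual values come from the Account Lockout Policy.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)

# Constructed records in a simplified "timestamp,event,account" form, not
# real Security-log output.
SAMPLE_LOG = """\
2003-04-16 08:01:10,logon_failure,ksmith
2003-04-16 08:02:30,logon_failure,ksmith
2003-04-16 08:03:05,logon_failure,jdoe
2003-04-16 08:05:40,logon_failure,ksmith
2003-04-16 08:06:12,logon_failure,ksmith
2003-04-16 08:07:55,logon_success,jdoe
2003-04-16 08:29:00,logon_failure,ksmith
2003-04-16 09:10:00,logon_failure,jdoe
2003-04-16 09:45:00,logon_failure,jdoe
2003-04-16 10:20:00,logon_failure,jdoe
2003-04-16 10:55:00,logon_failure,jdoe
"""


def parse_records(text):
    """Parse the simplified records into (timestamp, event, account) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, account = (part.strip() for part in line.split(","))
        records.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), event, account))
    return records


def lockout_times(records, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Map each account that reaches `threshold` failures inside any `window`
    to the time of the failure that locked it. A successful logon clears the
    count, as Windows does; failures after lockout are ignored."""
    recent_failures = defaultdict(list)
    locked = {}
    for stamp, event, account in sorted(records):
        if account in locked:
            continue
        if event == "logon_success":
            recent_failures[account] = []
            continue
        if event != "logon_failure":
            continue
        # Keep only the failures inside the window ending at this failure.
        kept = [t for t in recent_failures[account] if t > stamp - window]
        kept.append(stamp)
        recent_failures[account] = kept
        if len(kept) >= threshold:
            locked[account] = stamp
    return locked


def locked_accounts(text=SAMPLE_LOG):
    """Sorted names of the accounts locked out by the records in `text`."""
    return sorted(lockout_times(parse_records(text)))


if __name__ == "__main__":
    for account, when in lockout_times(parse_records(SAMPLE_LOG)).items():
        print("%s locked out at %s" % (account, when))
```

In the sample, jdoe's failures are spread 35 minutes apart and one is cleared by a successful logon, so only ksmith reaches the threshold.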
The Member Of properties are used to assign the user whose account you are modifying to various groups. You do this by clicking the Add button. Only local accounts exist in Windows 2000 Professional, which you should quickly recognize by the icon showing two users that appears next to each group name. (Global accounts would be marked with an icon showing users in front of a globe.)
The Profile tab is one of the main configuration pages. With these options, the administrator can configure the following items to be located centrally: Profile Path, Logon Script, and Home Folder. The main reason for locating these options centrally is that you can have all of these items stored on a central server. When users store their profiles and home directories centrally, the process of backing up their data is more manageable.
Profile Path
The profile path designates a specific location on a specified server where the user's profile is going to be stored. The profile contains the user portion of the Registry in the file NTUSER.DAT. If a user uses this profile path, her desktop and personal configuration settings follow her to whichever Windows 2000 computer she uses. The most common path for the user profile path is
\\{SERVER}\{PROFILESHARE}\%USERNAME%
where {SERVER} is replaced by the name of your server and {PROFILESHARE} by the name of the shared folder that holds user profiles. The %USERNAME% variable will expand to the name of the user, which makes it ideal for use in a template.
Logon Script
The logon script allows an administrator to configure common drive mappings, run central batch files, and configure the system. When you configure a login script, simply include the name of the *.bat or *.cmd file that you want to execute. By default, the logon scripts are stored in the following directory:
\%systemroot%\system32\repl\import\scripts
This directory is shared as the NETLOGON share. The main purpose of the logon script is to present a common network layout to all clients on the network.
Home Folder
The home folder setting (formerly known as "home directory" in previous versions) for the user's profile will create a personal directory in which the user can store his data on a network server. The most common method for creating home directories is to create a common share called USERS. Assuming this share has been created, you would enter the path for each home directory as \\COMPUTER\USERS\%USERNAME%.
Creating and Managing Groups
Local groups are the only groups that exist within Windows 2000 Professional (although other flavors of Windows 2000 have both local and global groups). When assigning local group permissions, the administrator should always consider whether an existing local group has the appropriate permissions. For example, suppose you want to grant a user the ability to create new users or change group memberships. The Power Users group already has these permissions, so there is no reason to create a new local group to perform this task.
By default, the following local groups are found on all Windows 2000 systems:
- Administrators
- Backup Operators
- Guests
- Replicator
- Users
The Administrators group can manage any and all aspects of the Windows 2000 system. The initial membership in the Administrators group is the pre-created Administrator account. Members of the Administrators group have the ability to change anything. One of the primary reasons for the existence of the Power Users and other groups is to limit those abilities and not give someone this much ability.
The Backup Operators local group's members have the right to back up and restore any file on the system. This right will supersede any permission assigned to these files and directories. Backup Operators can also shut down a system.
The Guests local group is used to grant guests of the system access to specific resources. The initial membership in the Guests local group is the Guest user.
The Replicator group is used by the Directory Replicator service. Membership in this group allows a user to be involved in the process of maintaining a directory structure and its contents on domain controllers.
The Users local group is the default group to which all newly created users belong.
The Power Users group exists only on Windows 2000 Professional and can be thought of as a subset of the Administrators group. This group is used to share directories and printers. Initial membership is empty.
Adding Users to and Deleting Users from Groups
You can double-click on a group to bring up the properties for that group. You can also right-click on the group and choose Properties or Add to Group from the pop-up menu to arrive at the same dialog box.
Adding and Deleting Groups
To remove an existing group, highlight it in Computer Management and press Delete, or right-click on the group and choose Delete from the pop-up menu. To add a new group, right-click on Groups in the left pane of MMC or in a blank area on the right pane, and then choose New Group from the pop-up menu.
NOTE: The built-in users and groups cannot be deleted. Attempts to do so will return an error and inform you that this operation cannot be performed.
Choosing Primary Group Membership
The Users and Passwords applet that appears in the Control Panel of Windows 2000 offers two tabs: Users and Advanced. The Advanced tab allows you to configure Certificate Management, Boot Settings, and "Advanced User Management" -- the same interface that's available through the lusrmgr.msc snap-in.
The Users tab lets you add and remove users, as well as change their passwords. Click the Properties button to open the selected user's Properties dialog box.
The General tab of the Properties window merely shows the user name, full name, and description. The Group Membership tab allows you to quickly configure the user's permissions by choosing the option button that corresponds to the level of access you want to grant: Power User, User, or Other. If you choose the Other option button, you can select any group you want from a drop-down box that contains all known groups. By default, all new users are made members of the Power Users group.
In earlier versions of the operating system, every identified user was a member of the internal Everyone group. In Windows 2000, every identified user is a member of an internal group called Authenticated Users. You cannot assign permissions or users to this group; it exists automatically. The primary difference between Everyone and Authenticated Users is that the latter does not include guests or anonymous users.
Working with User Rights
In Windows 2000, User Rights Assignment has been placed in the Security Settings snap-in (secpol.msc). The easiest way to access this is to choose the Local Security Policy shortcut from within the Administrative Tools folder of the Control Panel. Beneath the Local Policies folder, User Rights Assignment expands into an alphabetical list of rights.
| Policy | Local Settings (default) |
| --- | --- |
| Access This Computer from the Network | Everyone, Administrators, Power Users |
| Act As Part of the Operating System | |
| Add Workstations to Domain | |
| Back Up Files and Directories | Administrators, Backup Operators |
| Bypass Traverse Checking | Everyone |
| Change the System Time | Administrators, Power Users |
| Create a Pagefile | Administrators |
| Create a Token Object | |
| Create Permanent Shared Objects | |
| Debug Programs | Administrators |
| Deny Access to this Computer | |
| Deny Logon As a Batch Job | |
| Deny Logon As a Service | |
| Deny Logon Locally | |
| Enable Computer and User Accounts to Be Trusted for Delegation | |
| Force Shutdown from a Remote System | Power Users, Administrators |
| Generate Security Audits | |
| Increase Quotas | Administrators |
| Increase Scheduling Priority | Power Users, Administrators |
| Load and Unload Device Drivers | Administrators |
| Lock Pages in Memory | |
| Log On As a Batch Job | Administrator |
| Log On As a Service | |
| Log On Locally | Backup Operators, Power Users, Guests, Users, Administrators, Everyone |
| Manage Auditing and Security Log | Administrators |
| Modify Firmware Environment Values | Administrators |
| Profile Single Process | Power Users, Administrators |
| Profile System Performance | Administrators |
| Remove Computer from Docking Station | |
| Replace a Process Level Token | |
| Restore Files and Directories | Backup Operators, Administrators |
| Shut Down the System | Backup Operators, Power Users, Users, Administrators, Everyone |
| Synchronize Directory Service Data | |
| Take Ownership of Files or Other Objects | Administrators |
Double-click on any right to access the dialog box from which you can grant access (by checking the box), deny access (by unchecking the box), or add additional users or groups (by clicking the Add button). As with all other settings, if the system is on a domain and domain-level policies are used, the domain-level policies override the local policy.
7.4: Implement, Configure, Manage, and Troubleshoot Local User Authentication
Two types of user accounts are available in Windows 2000: local and domain. Domain accounts require the presence of a domain controller, which must be a server. If your Windows 2000 Professional workstation is connected to a server, that server can hold your account (domain) information and authenticate you to the network. If your workstation is not connected to a server, the only type of account available to you is local, and Windows 2000 Professional authenticates your logon locally.
When you use a domain account, authentication is done to the Active Directory, and Kerberos is used for authentication. When you use a local account, the SAM (Security Accounts Manager) database is used for verification.
It is possible -- but not recommended -- to log on locally, even though your workstation is connected to a domain, and still access domain resources. If you do so, however, you must provide a valid network user name and password every time you access a network resource, all of which is avoided if you log on using a domain account.
7.5: Implement, Configure, Manage, and Troubleshoot a Security Configuration
Security settings for the Professional workstation are located in the Local Security Policy shortcut within the Administrative Tools folder of the Control Panel. This includes settings for Account Policies (discussed earlier) and Local Policies. You can import and export policies by right-clicking on the Security Settings folder and choosing the action you want from the pop-up menu. Exporting can be done on either the Local Policy or the Effective Policy (if applicable).
The Local Policies folder contains three subfolders: Audit Policy, User Rights Assignment, and Security Options. The default setting for everything beneath is Not Defined, but typical options are Enabled and Disabled. If the option requires a value (such as Rename Administrator Account), the dialog box asks for the new value.
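The user rights table above and the policy export just described can be checked together. The following is an added example, not code from the article: it parses the [Privilege Rights] section of a security template in the format secedit.exe exports (an assumption of this example) and flags sensitive rights granted to Everyone, which on a workstation also covers guests and anonymous connections. The template text is constructed to mirror the default table.

```python
# Added example (not from the article): audit the [Privilege Rights]
# section of a security template in the secedit.exe export format
# (right = *SID,*SID). The template text below is constructed.

# Well-known SIDs for the built-in groups the article discusses.
BUILTIN = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}

# Rights where an 'Everyone' grant on a workstation deserves review.
SENSITIVE = {"SeNetworkLogonRight", "SeInteractiveLogonRight"}

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-547
SeInteractiveLogonRight = *S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-546,*S-1-5-32-545,*S-1-5-32-544,*S-1-1-0
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
SeTcbPrivilege =
"""

def parse_privilege_rights(text):
    """Map each right in [Privilege Rights] to the groups (or raw SIDs) holding it."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):          # section header: only one section matters
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
        rights[name.strip()] = [BUILTIN.get(s, s) for s in sids]
    return rights

def everyone_grants(rights):
    """Sensitive rights the template grants to Everyone, sorted by name."""
    return sorted(r for r in SENSITIVE if "Everyone" in rights.get(r, []))

if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_INF)
    for right in everyone_grants(parsed):
        print(f"{right}: {', '.join(parsed[right])}")
```

On a real system, the same check runs over the file produced by exporting the Local Policy as described above.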
So There You Have It...
In this article, the final three of the topic categories comprising the Microsoft Windows 2000 Professional (70-210) exam were examined in depth. Combined with the previous two articles in this series, this completes the coverage of what you need to know to pass this exam. Good luck!
Emmett Dulaney is the author of several books on Linux, Unix and certification. He can be reached at .