Introduction to User and Group Management


1. Server system version introduction

  Windows server systems: win2000, win2003, win2008, win2012; the most common ones on the market are win2003 and win2008.
  Linux server systems: Redhat, Centos. The two belong to the same company. Redhat is paid, but note that the payment is not for the source code but for the service: if any problems come up while using the system, someone will come on site or provide remote support to help solve them. Centos is free, so no support is provided if problems come up during use.
  Some friends may say: Isn't Linux open source and free?

  Note: open source does not mean free; open source means the source code is open. The opposite is closed source: Windows, for example, is closed source. We can use Windows features, but we cannot see the source code behind them. Therefore, in the traditional view, Linux has far fewer vulnerabilities than Windows. The source code of Windows can only be viewed and maintained by Microsoft employees. With open source, vulnerabilities can be seen, maintained and fixed, so there are fewer vulnerabilities and a smaller attack surface. That is why many companies like to use Linux as a server: it is safe and cheap. The disadvantage is also obvious: it can only be operated through commands. Windows is expensive and closed source, but its graphical interface is well done, so users can work through it without memorizing many cumbersome commands, and it also has a large number of loyal fans.

2. User Management

1. User Overview

  • After logging in to the system, each user has different operation rights.
  • Each account has its own unique SID (Security Identifier), much as every person has their own unique ID number.
  • User SID: S-1-5-21-426206823-2579496042-14852678-500
  • System SID: S-1-5-21-426206823-2579496042-14852678
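    Note: in the string of numbers above, the number 500 after the last hyphen is the user's UID, and the digits before it belong to the computer system. Every computer's system SID is definitely different. It is like the makeup of an ID card number: the first part is the province and address information, and only the last part is the personal information.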

The UID of the Windows system administrator account (administrator) is 500, and the UID of ordinary users is 1000.

  Explanation: granting permissions actually means granting them to the user's SID. If you accidentally delete a user and then create a new user with the same user name, the new user does not have the original user's permissions, because although the name is the same, the SID is different. For example, Zhang San has a graduation certificate from Tsinghua University. If I rename myself Zhang San, do I have a Tsinghua graduation certificate? Definitely not, because the certificate was actually issued to the Zhang San whose ID number is xxx, and the ID number is the only thing that identifies a person.
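
The SID layout and the delete-and-recreate case described above, as an added example that is not part of the original post. It splits a string SID into the system part and the trailing number, then uses a toy account database (the `Machine` class and the account name `zhangsan` are constructed for illustration) in which permissions are stored per SID:

```python
# Numbers Windows reserves for built-in accounts (500 is the one the page shows).
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

def parse_sid(text):
    """Return (authority, subauthorities) for a revision-1 string SID."""
    parts = text.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID: {text!r}")
    nums = [int(p) for p in parts[2:]]  # ValueError on non-numeric fields
    return nums[0], tuple(nums[1:])

def split_account(text):
    """Return (system SID, RID) for S-1-5-21-a-b-c-RID, else None."""
    authority, sub = parse_sid(text)
    if authority != 5 or len(sub) != 5 or sub[0] != 21:
        return None
    return "S-1-5-" + "-".join(map(str, sub[:4])), sub[4]

def describe(text):
    split = split_account(text)
    if split is None:
        return "not an account SID"
    system, rid = split
    kind = WELL_KNOWN_RIDS.get(rid, "regular account" if rid >= 1000 else "reserved RID")
    return f"{kind} (RID {rid}) on {system}"

class Machine:  # toy model: names resolve to SIDs, permissions are stored per SID
    def __init__(self, system_sid, first_rid=1000):
        self.system_sid, self.next_rid = system_sid, first_rid
        self.accounts, self.acl = {}, {}

    def create(self, name):
        self.accounts[name] = f"{self.system_sid}-{self.next_rid}"
        self.next_rid += 1  # a deleted account's number is not handed out again
        return self.accounts[name]

    def delete(self, name):
        del self.accounts[name]  # permissions granted to the old SID stay behind

    def can_access(self, name, right):
        return right in self.acl.get(self.accounts.get(name), set())

def recreate_demo():
    m = Machine("S-1-5-21-426206823-2579496042-14852678")  # system SID from the page
    m.acl[m.create("zhangsan")] = {"read"}   # the grant is recorded against the SID
    before = m.can_access("zhangsan", "read")
    m.delete("zhangsan")
    new_sid = m.create("zhangsan")           # same name, different SID
    return before, m.can_access("zhangsan", "read"), new_sid
```

`recreate_demo()` returns `True` for the original account and `False` for the recreated one, because the permission entry still points at the old SID.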

  • Account password storage location: C:\Windows\System32\config\SAM
      Note: The account password means the user name and password of our computer, and the path above is where they are stored. You cannot read the file after opening it, because the data is encrypted irreversibly; even Windows has no way to decrypt it. The algorithm used is a hash algorithm. Even if your data is 1T in size, the result of this algorithm is only a string of 4-byte values, which is used to verify data integrity. The characteristics of this algorithm are: exactly the same data always produces exactly the same value, but data that differs even slightly produces a very different result, never the same one. How does Windows verify that the user name and password we enter are correct? First, when we set the user name and password for the first time, the system hashes what we entered into an irregular-looking value and stores it in the SAM file. Then, each time the user logs in and enters the user name and password, at the moment Enter is pressed the system hashes the input in the same way and compares the result with the one stored in the SAM file. If the two match exactly, authentication succeeds.
  • On the Windows system, the longest validity period of the default password is 42 days.
      Note: This refers to the server system. Personal systems generally have no mandatory limit, so ordinary users do not notice it. The default password validity period on the server system is 42 days. This time can be changed, and it can be made longer. Once the time is up, the password must be changed, otherwise login is no longer possible. Because the server system holds a lot of key user data and core company operating data, the password must be changed regularly to guard against remote cracking and the like. The security field also has dedicated documents for security hardening: different security levels call for different password validity periods, and an organization's security must be hardened according to the corresponding values.

2. Built-in account

  Built-in accounts are the accounts that come with the Windows system once it is installed. There are 5 accounts in total, divided into two categories.

  • Accounts used by people:
      administrator     #Administrator account (very high authority, can format, delete files, etc.)
      guest     #Guest account (extremely low authority: it cannot format, delete files, etc., and is restricted even with things downloaded from the Internet. For example, the public computers in a school library use guest accounts; the permissions are kept extremely low mainly to prevent users from doing harmful operations)
  • System accounts related to computer service components:
      system     #system account (authority is supreme)
      local service     #local service account (authority is equal to ordinary account)
      network service     #network service account (authority is equal to ordinary account)
      Note: Users cannot log in with or use these three system accounts; they are for the system's own use. For example, when we log in to the computer and enter the user name and password, the system encrypts the input data and then compares it to verify whether it is correct. It is the system account that does this work, and its authority is the highest, even higher than that of the administrator account. For example, when formatting drives, other drive letters can be formatted but the C drive cannot, because the C drive is the system drive. If you could log in with the system account, the C drive could be formatted too, which would be too destructive. The permissions of local service and network service are relatively low; one is the local service account and the other is the network service account. When the computer is turned on, a spinning circle appears first, then the welcome screen, and finally the login screen. Before the login screen appears, the local service account and the network service account in Windows have already started. These two accounts start all the services the system needs, such as the network card service, the sound card service and so on. All services that have nothing to do with the network, such as sound cards and graphics cards, are started by the local service account. All services related to Internet access are started by the network service account. Each service in the system is managed by its corresponding account, and besides our own administrator account (administrator) there are other accounts that are not ours; they were created by the system.

  Here comes the question: Why does the system have to set up so many accounts? Wouldn't it be enough to use an administrator account?
  Suppose my computer is now a server providing an ftp download service to users. What happens? If a hacker happens to find a web service vulnerability and breaks in, he obtains the permissions of the account that the service runs under. However, the account behind the ftp service has only ordinary account permissions, so even if it is broken into, it will not do much harm to my computer. If instead all services were managed by an administrator account, then as soon as one of them was broken into, my computer would be finished, and he could do anything he liked with the data on it. Therefore we need to set up many service-related accounts and give different accounts different permissions, precisely to prevent major system security incidents.
  Note: The permissions of the five built-in accounts, from high to low, are: system > administrator > local service = network service > guest. The system account has the highest authority, the guest account has the lowest, and the local service account has the same authority as the network service account.

3. Configuration file

  In Windows it is called the user profile (configuration file), and in Linux it is called home. In other words, when each user logs in to a computer for the first time, the computer creates a home directory for that user, which contains the user's private files, such as favorites, desktop, documents, and so on. This means that if two different users log in to the same computer, each will see a different desktop after logging in.
  In win7/win2008/win10 systems, the configuration file, i.e. the home directory, is located at: C:\Users\

  Opening the configuration file of my own account shows that it contains all my private data.

  In winXP and win2003 systems, the configuration file is the home directory location: C:\Documents and Settings\

4. User Management Commands

net user     lists the accounts of the current computer


net user username     view the specified user's details


net user username password     change the account password (only administrators can use this command; the advantage is that a single command changes the password without needing the original one)


net user username password /add     create a new account


net user username /del     delete account


net user username /active:yes|no     activate or disable the account


Note: in the command "net user username /active:", a trailing no means disable and yes means activate.

3. Group management

  Suppose a company has hundreds of people, each employee has an account, and each person has their own permissions. For the system operations staff, granting or removing specific permissions one account at a time would be a very heavy workload. But some people are bound to share the same permissions, and other people share another common set. You can create a group and put the accounts with the same permissions into it. Then, when granting permissions, you do not need to grant them one by one: grant them to the group once, and all members of the group have the permission. Likewise, to remove a permission you do not need to remove it from each user; remove it from the group once. (Personal experience: in a company, groups are generally organized by department.)

1. Group overview

  The role of the group: Simplify the granting of permissions.
  Authorization method:

  1. User → Group → Authorization (Put the user into the group, and then assign the permission to the group, the user also has the permission)
  2. User → grant permissions (directly assign permissions to users)

2. Built-in groups (groups that come with the system)

  Built-in groups have already been granted their permissions by the system by default. Manually created groups start out empty, with no permissions and no members, whereas built-in groups already carry permissions. The following are common built-in groups:

  1. Administrators     # administrator group
  2. Guests     # guest group
  3. Users     # Ordinary user group, all newly created users belong to this group by default
  4. Network Configuration Operators     # network configuration group
  5. Print Operators     # Printer group
  6. Remote Desktop Users     # Remote Desktop Group

3. Group Management Commands

net localgroup     to view a list of all groups


net localgroup groupname     view all members of the group


net localgroup groupname username /add     add a user to the specified group


net localgroup groupname username /del     remove a user from the specified group


net localgroup groupname /add     create a new group


  Note: Adding an ordinary user to the administrators group is called privilege escalation, and removing a user from the administrators group is called privilege demotion.
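
Because membership of the Administrators group is what grants administrator rights, that member list is worth checking against an approved list. The following is an added example, not part of the original post: it parses the text printed by `net localgroup Administrators` and reports accounts that are not on the approved list. The sample output and the account names in it are constructed, and an English-language system is assumed.

```python
import subprocess

# Constructed sample of `net localgroup Administrators` output (English locale assumed).
SAMPLE = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
svc_backup
zhangsan
The command completed successfully.

"""

def live_output(group="Administrators"):
    # Windows only: run the command from the page and capture what it prints.
    result = subprocess.run(["net", "localgroup", group],
                            capture_output=True, text=True, check=True)
    return result.stdout

def parse_members(output):
    """Return the member names listed between the dashed line and the status line."""
    lines = output.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("-----")) + 1
    except StopIteration:
        raise ValueError("no member list found: command failed or different locale")
    members = []
    for line in lines[start:]:
        line = line.strip()
        if line.startswith("The command completed"):
            break
        if line:
            members.append(line)
    return members

def audit(output, approved):
    """Compare current members with the approved list (names are case-insensitive)."""
    current = {m.lower() for m in parse_members(output)}
    allowed = {a.lower() for a in approved}
    return {"unexpected": sorted(current - allowed),
            "missing": sorted(allowed - current)}
```

On a Windows host, `audit(live_output(), approved)` runs the same check against the real group.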


Origin blog.csdn.net/2201_75641637/article/details/131474918