User Management

User Registration Policy

The issues of creation and management often clash in distributed organisationsCentral creation and managementCentral creation, delegated managementDelegated creation and management. The

need to provide privileged access is a security weakness

No universal standard method of creating or maintaining usernames/passwords

Local and Network Accounts

In networked environment user may access many hosts & needs user account on several machines

Local user accounts and Networked user accounts may be different things Local accounts are unique to each host. Changes to an

account (eg new password) on one host do not effect similar accounts on other hosts

A networked account is a single user shared amongst many hosts. Changes globally effect all other hosts

NIS and DCE are standard based network user systems

Unix Accounts

Local usernames only (except NIS)Unique username, UID# and passwordStore user details in system password

database (/etc/passwd, /etc/group)Create login directory for user (ie home)Specify user initial shell programSetup some standard initialisation files

(eg .cshrc, .profile, etc)Often done using adduser command

Windows NT/2000 Accounts

Local or Domain usersnet user username password /ADD /domain

Batch user creation with addusers.exe

Only a single kind of shell availableUser directory can be shared. eg H:Domain users may have initialisation

scripts and automatic drive mapping

Groups of Users

Collections of existing usersUsed to allocate process or file

permissions to groups of usersIndividual users may be members of

several groups

User Account Policy

Rules or standards for account management

For example….Standard for username creationStandards for password (prevent weak pwd)Disk quotaLogging and accountingInternet protocols and Quota

Login EnvironmentUsername/Password, Home directory,

Quota, proxy settings, desktop settings, searchlist, etc

All expected to work when new user logs inOften carried out by Login scripts

Unix - .login, .profile, .cshrcNetware - login scriptDOS - autoexec.batWindows – Registry and Setup folder

Scripts often copied from default file

User Support HelpDesk

Non-privileged users often need support forHardware/software upgradeBug/Error resolution and correctionTuition Helpdesk

May involves tracking tools (HEAT, Gnats, NetLog)

Or remote control software (VNC, PCAnywhere)

Support services should suit the enterprise and may need to be tailored to provide required action

Managing User Resources

Variety of usage patterns requires balance of demand by passive and active users

Disk space quotasCPU usage & Process count limitsGarbage collection – deleting temporary and

unused files – needs a careful definition!

Terminating orphan/run-away processesMoving and removing users

Ethics and Responsibilities

Administrators have a responsibility to care for health and well-being of users. Ultimately, happy users will cooperate well

Ergonomic standards protect user healthEtiquette – Dealing with user politely to

minimise offence and maximise harmonyEthics – Power must be wielded wisely or

it will be denied (or circumvented!)See SAGE code of ethics at http://www.sage.org