Windows 2000 Professional Control Panel
• Accessibility - Five tabs are Keyboard, Sound (can have visible sound indications), Display, Mouse (can move the mouse with the keyboard), and General (alternatives to keyboard and mouse).
• Add/Remove Hardware - Can add and remove hardware device drivers for display devices, CD-ROM and DVD drives, I/O devices (keyboard, mouse, USB devices and more), mobile computer hardware, modems, multimedia, and network cards. A device driver is a software program that allows the system to interact with hardware. If the driver is signed, it has a digital signature from its creator verifying its authenticity.
• Add/Remove Programs - Allows programs to be installed or removed from the system, including optional Windows 2000 components. Vendor programs must be written to use this applet.
• Administrative Tools - Only the members of the Administrators group can use these tools.
• Console - Allows settings for the MS-DOS console. Uses four tabs, which are Options (for cursor size, command history, and display options), Font, Layout, and Colors.
• Date/Time
• Display - Tabs are Background, Screen Saver, Appearance, Web, Effects, and Settings (sets the video mode). The Screen Saver tab allows power settings to be adjusted along with selection of the screen saver. The Appearance tab adjusts the Windows color schemes. The Web tab allows a specific web page to be displayed all the time on the desktop. The Effects tab allows desktop icons to be changed. The Settings tab allows screen size and colors to be changed.
• Fax - Is used to configure Fax information and access the Fax Service Management Console, which allows a Fax to be set up to receive or send faxes. It is also accessed using "Start", "Programs", "Accessories", "Communications", and "Fax".
• Folder Options - Allows the way files and folders are displayed to be modified. It includes the tabs "General", "View", "File Types", and "Offline Files". The View tab allows settings to specify whether the whole path is displayed, and whether hidden files are shown. The File Types tab specifies the application to be used to open files with extensions of specific types. The Offline Files tab allows setting of whether offline files are displayed and worked on. Once changed, these files may be placed back into the online source. The default setting is on for Windows Professional and off for Windows Servers.
• Fonts - Allows viewing of current fonts and installation of new fonts. It is a shortcut to the fonts folder.
• Game Controllers - Allows configuration of joysticks and gamepads.
• Internet Options - These are options for Internet Explorer. They can be accessed from the Tools menu of IE. Tabs include General (control of temporary files, history, and home page), Security (allows trusted site settings, cookie settings, JavaScript settings and more), Content (allows certificates, and storage of private information), Connections, Programs (specification of programs for e-mail, HTML editing, newsgroups, and more), and Advanced (JavaScript debugging options, HTML versions and more).
• Keyboard - Includes Speed, Input Locales (assign hotkeys), and Hardware (physical type of keyboard) tabs.
• Mouse and mouse pointer settings including mouse speed - Tabs include Buttons (to set right or left handed mouse), Motion (speed), Pointers (selection of mouse icons for normal, waiting, and other states), and Hardware (sets up the mouse type such as PS2 Intellimouse and options available in the Device Manager).
• Network and Dial-up Connection - Can change computer name, and set to workgroup or domain. Bindings are set here, with the first one on the list being the first one tried when services are attempted to be used. Also used to install NIC drivers. Tabs are:
  o Identification - Computer name and domain or workgroup name.
  o Services - Can add or remove services and check their properties.
  o Protocols - Can add or remove protocols or check their setup (properties).
  o Adapters - Add or remove NIC adapter drivers.
  o Bindings - Where the binding priority may be set for various services.
• Phone and Modem Options - Modem properties and dialing rules are configured here.
• Power Options - Settings for how long hard drives and the monitor stay on are configured here. Tabs are "Power Schema", "Advanced", "Hibernate", "APM", and "UPS". The Power Schema tab controls how long a period of inactivity to wait before turning off the monitor and hard drives. The Advanced Power Management (APM) tab controls older power management for laptops. The UPS tab is used to configure commands to execute when a UPS event occurs.
• Printers - Allows addition and deletion of printers. Right clicking and selecting properties for a specific printer opens a properties window with General (driver selection, separator page, print processor [RAW, text], print test page), Ports, Scheduling (priority, when printing starts relative to spooling, hours of availability), Sharing, Security, and About tabs.
• Regional Options - Set up regional and language settings for NT. Select General, Numbers, Currency, Time, Date, or Input Locales tabs. The Regional Options tab is used to add additional language support.
• Scanners and Cameras - Digital cameras and scanners may be installed and configured here.
• Scheduled Tasks - Also called the "Task Scheduler", it is used to schedule programs or scripts to run at specific times. An "Add Scheduled Task" icon is in this folder.
• Sounds and Multimedia - Used to set up sound schemes and sounds to play for specific events. Tabs are "Sounds", "Audio", and "Hardware". The Sounds tab is used to associate events and sounds. The Audio tab sets the device to use for playing and recording sound. The Hardware tab is used to configure and view multimedia devices.
• System
  o General - Describes the name and version of the system, who it is registered to and the hardware it is running on.
  o Network Identification - Allows the changing of the computer name, workgroup, or domain.
  o Hardware - Allows selection of hardware profiles and what to do if the system cannot determine which profile to use. Includes Hardware Wizard, Device Manager, and Hardware Profiles sections. The Hardware Profiles section allows additional hardware profiles to be created. The Device Manager section includes a Device Manager button and a Driver Signing button. Driver Signing allows configuration of what to do when system files are not digitally signed. Options are Ignore, Warn, or Block. The Sigverif command line utility is used to find unsigned files on the computer. The Sfc.exe command line utility is used to replace any unsigned files with the original Microsoft version from the SystemRoot\System32\Dllcache directory. The Device Manager includes the ability to configure: Computer (used to configure for multiple processors), Disk drives, Display adapters, DVD/CD-ROM drives, Floppy disk controllers, Floppy disk drives, IDE ATA/ATAPI controllers, Imaging devices, Infrared devices, Keyboards, Mice and other pointing devices, Modems, Monitors, Network adapters, PCMCIA adapters (Card Services), Ports (COM & LPT), Sound, video and game controllers, System devices, and Universal Serial Bus controllers.
  o User Profiles - Allows user profiles to be added and changed, which will affect desktop settings. Roaming profiles may be set using this tab.
  o Advanced - Used to set:
    Environment variables - Used to set environment variables. If the path is modified to include applications run on Win95, these applications can be run when using a dual boot system or migrating from Windows 95.
    Performance options - Allows performance to be optimized for applications or background services (all programs with equal priority). Also allows configuration of page files.
    Startup and shutdown options - Allows default selection of system to boot and amount of delay before timeout. Allows selection of what to do when a stop error occurs. More than one choice may be selected: write an event to the system log; send an administrative alert; automatically reboot; write debugging information (selection of none, small, kernel dump, and complete memory dump) to a specified file (default is Memory.dmp).
• Users and Passwords (Only on 2000 Professional) - Manage user access and passwords on this computer.
• Wireless Link - Configuration of infrared devices. Tabs include "File Transfer", "Image Transfer", and "Hardware".
• Ports - Allows configuration of serial and parallel ports.
• SCSI Adapters - SCSI adapters may be added or removed here. They are not configured here but may be configured at boot time using the manufacturer BIOS.
• Server - Tells who is connected, see shared resources, directory replication.
  o Users - Shows users logged onto the domain and where they are logged on from. (NT Server ONLY)
  o Shares - Shows resource name and path along with connected users.
  o In Use - Shows resources being used and the associated permissions.
  o Replication - Allows setup of directory replication.
  o Alerts - Controls where administrative alerts are sent.
• Services - Can start or stop services or set them to automatically start when the system is booted. Description entries include:
  o Service - The name of the service.
  o Status - Whether the service is running.
  o Startup - Manual or automatic.
  Buttons include:
  o Start
  o Stop
  o Pause
  o Continue - Restart a service that is paused.
  o Startup - Set the service to be started by selecting one of the radio buttons automatic, manual or disabled. Can also select one of two radio buttons called "System Account" or "This Account".
  o HW Profiles - Allows selection of the hardware profile the service is being configured for.
  There is also a "Startup parameters" text box used to configure special startup parameters for the service.
• Sounds - Alignment of sound (.wav) files to system events.
• Tape Devices - This is where tape device drivers are added to allow the system to perform backups. They can be added using the detect button or using the drivers tab.
• Telephony - Used to configure part of RAS. The TAPI (telephony application programming interface) and unimodem service provider are automatically installed. Unimodem works for modems on COM ports and TAPI is used for telephony applications.
• UPS - Configure the UPS. UPS command configuration is configured here so the systems may receive information from the UPS unit. Commands can be programmed here to execute when a UPS event occurs.
Windows 2000 Server Control Panel
This section only describes control panel applets and features not described for Windows 2000 Professional.
• Licensing - Allows setting of per server or per seat licensing.
• Licensing - Allows software package licenses to be added.
• Mail - Microsoft Mail client control.
• Microsoft Mail postoffice - Setup and control of the messaging server Microsoft Mail post office.
• ODBC - ODBC database information routing control. Database software or IIS needs to be installed for this applet to be visible.
• MacFile - Allows setup of AppleShare services for Macintosh clients. Services for Macintosh must be installed for this applet to appear.
• GSNW - Gateway services for NetWare. Services for NetWare must be installed for this applet to appear.
• Monitoring Agent - Network monitor tools and agent must be installed for this to appear.
• RAS - One of modem, ISDN, or X.25 must be installed to use this applet. The modems applet is used to install modems, ISDN, or X.25.
• Server - Tells who is connected, see shared resources, directory replication. This applet is included with NTWS but can be used to control users and shares on the domain, so it is noteworthy here.
  o Users - Shows users logged onto the domain and where they are logged on from.
  o Shares - Shows resource name and path along with connected users.
  o In Use - Shows resources being used and the associated permissions.
  o Replication - Allows setup of directory replication.
  o Alerts - Controls where administrative alerts are sent.
The Windows Registry is a database which stores settings and options for Microsoft Windows operating systems. It contains information and settings for all the hardware, operating system software, most non-operating system software, and per-user settings. The registry also provides a window into the operation of the kernel, exposing runtime information such as performance counters and currently active hardware.
Hives
The Registry is split into a number of logical sections, or "hives"[3] (the reason the word hive was used is an in-joke[4]). Hives are generally named by their Windows API definitions, which all begin "HKEY". They are abbreviated to a three- or four-letter short name starting with "HK" (e.g. HKCU and HKLM). The HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER nodes have a similar structure to each other; applications typically look up their settings by first checking for them in "HKEY_CURRENT_USER\Software\Vendor's name\Application's name\Version\Setting name", and if the setting is not found, look instead in the same location under the HKEY_LOCAL_MACHINE key. When writing settings back, the reverse approach is used: HKEY_LOCAL_MACHINE is written first, but if that cannot be written to (which is usually the case if the logged-in user is not an administrator), the setting is stored in HKEY_CURRENT_USER instead.
HKEY_CLASSES_ROOT (HKCR)
Abbreviated HKCR, HKEY_CLASSES_ROOT stores information about registered applications, such as file associations and OLE Object Class IDs tying them to the applications used to handle these items. On Windows 2000 and above, HKCR is a compilation of HKCU\Software\Classes and HKLM\Software\Classes. If a given value exists in both of the subkeys above, the one in HKCU\Software\Classes is used.[5]
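Because the per-user value wins, an audit of file associations has to compare both subkeys rather than read HKLM alone. The Python code below is an added example, not part of the original text: it parses a constructed .reg-style export, builds the merged HKCR view described above, and reports entries where HKCU\Software\Classes overrides a different value in HKLM\Software\Classes. The sample keys, the user name alice and viewer.exe are constructed, and only string values are unescaped.

```python
import re

HKLM_CLASSES = r"HKEY_LOCAL_MACHINE\Software\Classes"
HKCU_CLASSES = r"HKEY_CURRENT_USER\Software\Classes"

# Constructed sample in .reg export syntax (backslashes inside data are doubled).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt]
@="txtfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="C:\\WINNT\\system32\\notepad.exe %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.log]
@="txtfile"

[HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command]
@="C:\\Documents and Settings\\alice\\viewer.exe %1"

[HKEY_CURRENT_USER\Software\Classes\.dat]
@="datfile"
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the name '' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])  # string value; other types stay raw
            current[name] = data
    return keys


def merged_hkcr(keys):
    """Overlay the HKCU classes subkey on the HKLM one, as HKCR does.

    Returns (merged, shadowed): merged maps (subkey, value_name) to
    (data, source hive); shadowed lists per-user values that replace a
    different machine-wide value.
    """
    merged, shadowed = {}, []
    for root, source in ((HKLM_CLASSES, "HKLM"), (HKCU_CLASSES, "HKCU")):
        prefix = root.lower() + "\\"
        for path, values in keys.items():
            if not path.lower().startswith(prefix):  # key names are case-insensitive
                continue
            sub = path[len(prefix):].lower()
            for name, data in values.items():
                slot = (sub, name.lower())
                if source == "HKCU" and slot in merged and merged[slot][0] != data:
                    shadowed.append({"subkey": sub, "value": name or "(Default)",
                                     "machine": merged[slot][0], "user": data})
                merged[slot] = (data, source)  # HKCU is applied last, so it wins
    return merged, shadowed


if __name__ == "__main__":
    view, overrides = merged_hkcr(parse_reg(SAMPLE_REG))
    for item in overrides:
        print(item)
```

Entries that exist only under HKCU (such as .dat in the sample) appear in the merged view but are not reported as overrides, since there is no machine-wide value for them to replace.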
HKEY_CURRENT_USER (HKCU)
Abbreviated HKCU, HKEY_CURRENT_USER stores settings that are specific to the currently logged-in user. The HKCU key is a link to the subkey of HKEY_USERS that corresponds to the user; the same information is reflected in both locations. On Windows NT-based systems, each user's settings are stored in their own files called NTUSER.DAT and USRCLASS.DAT inside their own Documents and Settings subfolder (or their own Users subfolder in Windows Vista). Settings in this hive follow users with a roaming profile from machine to machine.
HKEY_LOCAL_MACHINE (HKLM)
Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are general to all users on the computer. On NT-based versions of Windows, HKLM contains four subkeys, SAM, SECURITY, SOFTWARE and SYSTEM, that are found within their respective files located in the %SystemRoot%\System32\config folder. A fifth subkey, HARDWARE, is volatile and is created dynamically, and as such is not stored in a file. Information about system hardware drivers and services is located under the SYSTEM subkey, while the SOFTWARE subkey contains software and Windows settings.
HKEY_USERS (HKU)
Abbreviated HKU, HKEY_USERS contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user profile actively loaded on the machine, though user hives are usually only loaded for currently logged-in users.
HKEY_CURRENT_CONFIG
Abbreviated HKCC, HKEY_CURRENT_CONFIG contains information gathered at runtime; information stored in this key is not permanently stored on disk, but rather regenerated at boot time.
HKEY_PERFORMANCE_DATA
This key provides runtime information into performance data provided by either the NT kernel itself or other programs that provide performance data. This key is not displayed in the Registry Editor, but it is visible through the registry functions in the Windows API.
HKEY_DYN_DATA
This key is used only on Windows 95, Windows 98 and Windows Me.[6] It contains information about hardware devices, including Plug-and-Play and network performance statistics. The information in this hive is also not stored on the hard drive. The Plug and Play information is gathered and configured at startup and is stored in memory.[7]
Symbolic Links
In Windows NT-based systems, symbolic links between registry keys are supported through the REG_LINK value type. Registry links work similarly to file shortcuts or filesystem symbolic links. As such they can span different hives, but only those visible in the Native API namespace, that is \Registry\Machine and \Registry\User. Other hives like HKEY_DYN_DATA are only virtual objects in the Win32 API and thus not linkable. Links are used rather sparingly in Windows, only by CurrentControlSet and Hardware Profiles\Current.
Windows 2000 has 2 Group Types - Security and Distribution. Security groups are used to assign permissions for access to network resources. Distribution groups are used to group users together for Email distribution lists. Security groups can be used as a Distribution Group, but Distribution Groups cannot be used as Security Groups. Proper planning of group structure affects maintainability in the future, especially in the enterprise environment where multiple domains are involved.
Win2K groups (both security and distribution) are classified into one of three group scopes - Domain Local, Global and Universal. Below you can see how these groups are used. Although Local Groups are not considered part of the Win2K group scope, they are included for your information.
Group Scope
• Local Groups (or machine local groups) - For backward compatibility with NT, there are local groups. Also called Builtin Local Groups. They are the only type of local group available in a Windows 2000 mixed-mode domain. Local groups can have members from anywhere in the forest, from trusted domains in other forests, and from trusted down-level domains. A local group has only machine-wide scope. It can be used to grant resource permission only on the machine on which it exists. However, the local groups on a domain controller are available on every domain controller in that domain.
• Domain Local groups – assign access permissions to domain global groups for local domain resources. Available only in native mode (not mixed-mode) domains if you want to use them as anything other than machine local groups on DCs only. Can have members from anywhere in the forest, from trusted domains in other forests, and from trusted down-level domains. They have domain-wide scope, and can be used to grant resource permission on any Win2K machine within the domain in which they exist, but not beyond. Used as a resource group.
• Domain Global groups – provide access to resources in other trusted domains. Exist in both mixed-mode and native-mode domains. Can have members from within their own domain only. Can be made a member of machine local or domain local groups or granted permission in any domain (including trusting domains in other forests and down-level domains). Use global groups to collect users or computers that are in the same domain and share the same job, role or function. In a Native Mode domain only, Global groups can contain other Global groups.
• Universal groups – grant access to resources in all trusted domains. Only in native-mode domains. Can have members from any Win2K domain in the forest. If you scroll up and look at the Add new group image above, you can see "Universal" is grayed out. That's because this domain is a Mixed-Mode Domain. Universal groups can be granted permissions in any domain, including in domains in other forests with which a trust exists. These groups can help you represent and consolidate groups that span domains, and perform common functions across the enterprise. A useful guideline is to designate widely used groups that seldom change as universal groups. Universal groups and their members are listed in the global catalog, and if changes are made, the entire group membership must be replicated to all global catalogs in the domain tree or forest.
Domain Local and Domain Global groups can be converted to Universal groups. This can only be done in a Native Mode domain, and only if the groups do not contain groups of the same scope. For example, a Global group that contains another Global group cannot be converted to a Universal group.
Notes: Groups having global or domain local scope are also listed in the global catalog, but the individual members of the group are not. Using these groups will reduce the size of the global catalog and replication traffic. Microsoft advises against using Domain Local groups when filtering Group Policy objects. See this KB article for more info: http://support.microsoft.com/default.aspx?scid=kb;[LN];309172
Native Mode Domains
Group Scope: Domain Local
Allowable Objects (Native Mode): Computer accounts, users, global groups and universal groups from any domain. Domain Local groups from the same domain. Nest in other Domain Local groups in same domain.
Replication: Group object and its membership are replicated only to DCs within the same domain; not included in GC (Global Catalog) replication to other domains.

Group Scope: Domain Global
Allowable Objects (Native Mode): Only users, computers and global groups from same domain. Nest in other Global (in same domain), Domain Local, or Universal groups.
Replication: Group object is replicated to all DCs in the same domain and to all GCs in the forest. Membership is replicated only to DCs within the domain.

Group Scope: Universal
Allowable Objects (Native Mode): Universal groups, global groups, users and computers from any domain in the forest. Nest in Global, Domain Local or Universal groups.
Replication: Group object and its membership are replicated to all GC servers in the forest.
Mixed Mode Domains
Group Scope: Domain Local
Allowable Objects (Mixed Mode): Computer accounts, users, global groups from any domain. Cannot be nested.
Replication: Same as Native Mode

Group Scope: Domain Global
Allowable Objects (Mixed Mode): Only users and computers from same domain. Cannot be nested.
Replication: Same as Native Mode

Group Scope: Universal
Allowable Objects (Mixed Mode): Not Available.
Replication: Not Available.
Built-In Groups - There is another category of groups that you will see if you open Active Directory Users and Computers. It is called Builtin. The Built-in groups are groups that Windows 2000 creates for you. They have a predetermined set of user rights and group membership, and can be used to assign permissions to network resources. You can find Built-in groups in the Builtin folder and in the Users folder.
Using Groups
The official Microsoft-sanctioned method for using groups in a domain setting is known as the A-G-DL-P method. (A) Take the user Account and place it in a (G) Global group, then take the global group and place it into a (DL) Domain Local group, after which you assign (P) Permissions to the domain local group. Of course, always following this method is not practical. You have to use common sense and judgment when assigning groups to permissions. The above is just an official Microsoft guideline.
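The nesting rules in the Native Mode and Mixed Mode tables and the A-G-DL-P guideline can be checked mechanically. The Python code below is an added example, not from the original page: it models a constructed two-domain directory, flags memberships the tables disallow for the chosen domain mode, flags permissions granted to anything other than a domain local group, and resolves which users each ACL entry actually reaches. All names (CORP, EAST, G_Payroll, \\FS1\Ledger and so on) are assumptions made for the example.

```python
from collections import namedtuple

Obj = namedtuple("Obj", "kind domain members")

# Nesting rules transcribed from the two tables above.
# "any" = member may come from any domain, "same" = same domain as the group.
RULES = {
    ("native", "domain_local"): {"user": "any", "computer": "any", "global": "any",
                                 "universal": "any", "domain_local": "same"},
    ("native", "global"): {"user": "same", "computer": "same", "global": "same"},
    ("native", "universal"): {"user": "any", "computer": "any", "global": "any",
                              "universal": "any"},
    ("mixed", "domain_local"): {"user": "any", "computer": "any", "global": "any"},
    ("mixed", "global"): {"user": "same", "computer": "same"},
    # ("mixed", "universal") is absent: universal groups are not available.
}

# Constructed directory with two domains, CORP and EAST.
DIRECTORY = {
    r"CORP\alice": Obj("user", "CORP", ()),
    r"CORP\bob": Obj("user", "CORP", ()),
    r"EAST\carol": Obj("user", "EAST", ()),
    r"CORP\G_Payroll": Obj("global", "CORP", (r"CORP\alice", r"CORP\bob")),
    r"EAST\G_Audit": Obj("global", "EAST", (r"EAST\carol",)),
    r"CORP\G_Finance": Obj("global", "CORP", (r"CORP\G_Payroll", r"EAST\carol")),
    r"CORP\DL_Ledger_RW": Obj("domain_local", "CORP",
                              (r"CORP\G_Finance", r"EAST\G_Audit")),
}

# Constructed ACL entries: (resource, trustee, permission).
ACL = [
    (r"\\FS1\Ledger", r"CORP\DL_Ledger_RW", "Modify"),
    (r"\\FS1\Ledger", r"CORP\alice", "Full Control"),
]


def member_allowed(mode, group, member):
    """True if `member` may be placed in `group` under the given domain mode."""
    rule = RULES.get((mode, group.kind), {}).get(member.kind)
    return rule == "any" or (rule == "same" and group.domain == member.domain)


def expand(directory, name, seen=None):
    """Accounts reachable from `name` through nested group membership."""
    seen = set() if seen is None else seen
    if name in seen:  # already visited; also stops circular nesting
        return set()
    seen.add(name)
    obj = directory[name]
    if obj.kind in ("user", "computer"):
        return {name}
    accounts = set()
    for member in obj.members:
        accounts |= expand(directory, member, seen)
    return accounts


def audit(directory, acl, mode):
    """List disallowed nestings and ACL entries that bypass A-G-DL-P."""
    findings = []
    for gname, group in directory.items():
        for member in group.members:
            if not member_allowed(mode, group, directory[member]):
                findings.append(("nesting", gname, member))
    for resource, trustee, _perm in acl:
        if directory[trustee].kind != "domain_local":
            findings.append(("not-AGDLP", resource, trustee))
    return findings


def effective_access(directory, acl):
    """Map each account to the (resource, permission) pairs it ends up with."""
    access = {}
    for resource, trustee, perm in acl:
        for account in expand(directory, trustee):
            access.setdefault(account, set()).add((resource, perm))
    return access
```

Running `audit` with "mixed" instead of "native" additionally reports the global-in-global nesting, which the Mixed Mode table does not allow.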
Special Identities
There are also some special groups, referred to as Identities, because they are managed by the system and not by administrators. They are also automatically installed on all Windows 2000 computers. However, they do not appear in Active Directory Users and Computers, or in the Computer Management Tool. Here are the special identities:
• Everyone: Represents all current network users, including guests and users from other domains. Whenever a user logs on to the network, they are automatically added to the Everyone group.
• Network: Represents users currently accessing a given resource over the network (as opposed to users who access a resource by logging on locally at the computer where the resource is located). Whenever a user accesses a given resource over the network, they are automatically added to the Network group.
• Interactive: Represents all users currently logged on to a particular computer and accessing a given resource located on that computer (as opposed to users who access the resource over the network). Whenever a user accesses a given resource on the computer to which they are currently logged on, they are automatically added to the Interactive group.
• Anonymous Login: The Anonymous Login group refers to any user who is using Windows 2000 resources, but that didn’t go through the authentication process.
• Authenticated User: The Authenticated User group includes all users who are authenticated into the network by using a valid user account. When assigning permissions, you can use the Authenticated User group in place of the Everyone group to prevent anonymous access to resources.
• Creator Owner: The Creator Owner group refers to the user who created or took ownership of the resource that you’re assigning permissions to. For example, if the User Jack created a resource, but the Administrator took ownership of it, then the Creator Owner would be the Administrator.
• Dialup: The Dialup group includes anyone who’s currently connected to the network through a dialup connection.
These groups can be assigned permissions to network resources, although caution should be used when assigning some of these groups to permissions. Members of these groups are not necessarily users who have been authenticated to the domain. For instance, if you assign full permissions to a share for the Everyone Group, users connecting from other domains will have access to the share.
Adding Groups/Users to Resource Permissions
Domain Computers and Member Servers can add the following users/groups to the ACLs of their local resources:
In a Mixed Mode Domain: Domain Users, Global Groups, Local Groups, Local Users
In a Native Mode Domain: Domain Users, Domain Local Groups, Global Groups, Universal Groups, Local Groups, Local Users
Domain Controllers can add the following users/groups to the ACLs of their local resources:
In a Mixed Mode Domain: Domain Users, Global Groups, Built-In Local Groups, Domain Local Groups
In a Native Mode Domain: Domain Users, Global Groups, Universal Groups, Built-In Local Groups, Domain Local Groups
Profile shows an organization exactly how good they are and what areas they can focus on to enable further improvements and productivity gains. Profile opens up new possibilities for the development of your organisation and its performance. Though it is still based on the same 3 principles as the Standard - Plan, Do and Review - it goes beyond the current scope of the Standard.