This is week 2 of Course III (week 14) of the Google Professional IT Cert course on coursera.org.
This week is all about users, groups, permissions and how to alter them in Windows PowerShell and in Linux BASh.
TL/DR some great material this week if you need some practice with file permissions and configuring user security groups, etc. Once again, the assessment vm system for the Windows exercises is maddening to sign into, but I think I have finally cracked it: Download the RDP file, then change the sign-in options to “student” and use the provided password. Maybe this kind of almost-broken process is good practice for working in IT. Or maybe nobody tested the system before rolling it out for $50/month.
Also, no word on the financial aid that was supposed to make this course free back in February. Maybe it went to “Phoebe,” whose identity I may have assumed in the coursera-verse.
. . .
Users and Groups
Users, Administrators, and Groups, Oh My!
Now we’re going to learn how to setup and maintain computers with multiple user accounts. There are two types of user accounts, standard users and administrator or admin. Standard users have restricted permissions when it comes to adding or removing software or files, and administrators have total control over a machine.
Home computers can have multiple administrator accounts, but computers used in organizations or in public the administrator is someone who maintains the computer. This is often an IT person. Makes sense!
Organizations will assign users to groups that will give them software and access needed to perform certain tasks. Admins can assign different access permissions and software to different groups.
Let’s go learn some good stuff about groups.
Windows: View User and Group Information
Windows has a tool called Computer Management, which is where we’ll start controlling our accounts and groups. In an enterprise machine, the Computer Management application will allow control over an entire Windows Domain, which is a network of computers, users, and files that are added to a single database.
Computer Management has several different menus.
System Tools Menu:
- Task Scheduler: allows automation of certain functions, like shutting down the machine at a certain time every day.
- Event Viewer: This is where system logs are stored and consulted. More on Event Viewer coming soon.
- Shared Folders: Shows the folders being shared between users.
- Local Users and Groups: Where user and group management is done. (I think this only appears after a machine has been added to a domain. I don’t see it on my home computer.)
- Performance: Where to monitor resources like CPU and RAM.
- Device Manager: Where hardware is monitored.
- Disk Management: This will be discussed later.
Services and Applications Menu: Where all services are managed within Windows.
Getting back to the Local Users and Groups menu. Under the Users menu, we see the account named Administrator. This account is disabled by default, because it can be dangerous to have that level of full control logged into.
If we double-click on a user account, we’ll open a Properties window.
Under the General tab, there is some info about the account and some options. There is a check box to force the user to change their password at their next login. There is a check box to disallow the user from changing their password. An option to set the password to never expire, and an option to disable the account. There is also an option to “lock out” the account, meaning the user will not be able to log in.
In the Member Of tab we can see which groups the user is part of. If the user is a member of the Administrators group, as they are in the example in the video, it is important to note that instead of always being logged into an Adminstrator account, something called User Access Control (UAC) allows you to enter a password to enable admin changes to the system. UAC ensures that only administrators can make changes to the system.
In the Profile tab you can change certain settings about a user profile, such as location of Home Folder.
Switching to the Groups menu in the sidebar, we see that it looks like the Members tab, and shows what groups are available and who belongs to those groups.
Windows: View User and Group Information Using CLI
As with most things, using the CLI is much faster when you need to find user and group info. Use the command Get-LocalUser to see information about accounts on that machine:
PS C:\Users\Username> Get-LocalUser Name Enabled Description ---- ------- ----------- Administrator False Built-in account for administering the computer/domain DefaultAccount False A user account managed by the system. Guest False Built-in account for guest access to the computer/domain MyUserName True WDAGUtilityAccount False A user account managed and used by the system for Windows Defender Application Guard scen...
And the command Get-LocalGroup will show all the groups on that machine. There may be a lot of groups on your computer, but there are already a lot built in to windows. Possibly the most important group is the Administrators group, as that grants complete control to the machine.
In order to see who belongs to a group, use the Get-LocalGroupMember command, followed by the Group name:
PS C:\Users\Username> Get-LocalGroupMember Administrators
This shows me that I have one account called Administrator and once with my username added to that group.
(Note that the above is only pertaining to local accounts, not to a system in a domain being managed by Active Directory.)
Linux: Users, Superuser and Beyond
Linux has a similar setup for users and privileges, although some of the names are different. There are standard users, administrators, and a very special user called the root user. The root user is the first user that is created when the Linux OS is installed. This user has all control over the system, and is called the superuser. Technically, there is only one root user, or superuser, but other users can be given superuser permissions and can be referred to as such.
Because it is a bad idea to be logged in as root at all times, when you need to do something that requires root user-level permission there is a special command called sudo (“superuser do”) which allows root control for one specific task, such as viewing a restricted file.
If you are logged in as a user you may switch to root with the switch user command, and exit using the exit command:
user@user-computer:~$ sudo su root@user-computer:~# exit logout user@user-computer:~$
You can view who has access to sudo by viewing the /etc/group file, and see who is in which groups.
user@user-computer:~$ cat /etc/group
This returns a long list, and each line represents a different group.
The first field is the group name, then the group password (x means it is an encrypted password), then the group ID used by the system processes, then the names of users in the group.
To view information about users on a machine, run the command
user@user-computer:~$ cat /etc/passwd
This will display a long list of user accounts, most of which are created and used by the system for certain processes. The root account line may look like this:
The first field is the username, the second field is, again, indicating that the password is encrypted and in another file, and the third field is the User ID, or UID. The user ID is how the system refers to user accounts.
Passwords must be kept secret in order to guarantee security. Only the user should know the password. To reset a passwords in the GUi, open up the Computer Management app again, and go to Local Users and Groups.
Right-click on the desired username and click on Properties. Check the box that says “User must change password at next log on.” This will prompt them to create a new password the next time they try to login.
You can also set the password for them, by right-clicking their username and selecting “Set Password.”
In the CLI, there are two ways to reset a password. There is a PowerShell command but it is slightly more complicated, and we don’t know scripting yet, so we are going to use the old DOS command net.
PS C:\Users\username> net user jimmy ‘password’
But this is a non-secure method. If you enter an asterisk
PS C:\Users\username> net user jimmy *
The command will pause and prompt you to enter a password. While this eliminates someone else from seeing the password, you will still know the user’s password, which is not a secure practice. Instead, we can force the user to enter a new password on next log on:
PS C:\Users\username> net user jimmy /logonpasswordchg:yes
Supplemental Reading for Windows Passwords
Very Exciting Reading!
Use the passwd command to change a password in Linux.
user@user-computer:~$ passwd jimbo changing password for jimbo. (current) UNIX password: Enter New UNIX password: Retype new UNIX password: Passwd: password updated successfully user@user-computer:~$
When a password is set, it is “scrambled” (I think they mean encrypted) and then stored in a file called /etc/shadow. This file is only viewable to a root user, but the passwords are all still “scrambled.”
You can expire another user’s password using the -e or expire flag, which will require them to set a new password on next login.
user@user-computer:~$ sudo passwd -e jimbo passwd: password expiry information changed user@user-computer:~$
Windows: Adding and Removing Users
First, the GUI:
Go to the Computer Management tool, and under Users and Groups right-click to select New User. This will open a window where you enter a username, full name and password. A best practice here is to set a default password that is then changed by the user when they first login. Check that box. Then click Create.
To remove a user, right-click the name and click Delete. This will warn you that even if you re-create another user with the same name they won’t be able to access their old information.
Now, the CLI:
There is a PowerShell command, New-LocalUser, but that requires some scripting, which we are not covering now. Using the net command, we can use the /add parameter, and use the asterisk.
PS C:\Users\username> net user jimmy * /add Type a password for the user: Retype the password to confirm: The command completed successfully. PS C:\Users\username>
This has the same problem as before, where we know the password. There is another parameter we can use to force the user to change their password when they first login.
PS C:\Users\username> net user jimmy /logonpasswordchg:yes The command completed successfully. PS C:\Users\username>
And these commands can be combined, so that there is a new user created with a prompt to change their password when they first log in:
PS C:\Users\username> net user jimmy password /add /logonpasswordchg:yes The command completed successfully. PS C:\Users\username>
Here’s how to remove a user with the net command:
PS C:\Users\username> net user jimmy /del The command completed successfully. PS C:\Users\username>
Or you can use the remove-localUser command:
PS C:\Users\username> Remove-LocalUser jimbo PS C:\Users\username>
Both types of commands follow patters, which are going to be important to start paying attention to as we continue learning CLI.
Linux: Adding and Removing Users
This command creates a basic user account and creates a home directory:
user@user-computer:~$ sudo useradd alberto user@user-computer:~$
Then you can just as easily delete a user:
user@user-computer:~$ sudo userdel alberto user@user-computer:~$
Ben Life as a CIO
Let’s see what this guy has to say about being the CIO of Google…
He goes to a lot of meetings… talks to customers… tries to improve stuff… leaders try to help people… putting in effort is good…
Windows: File Permissions
File permissions are a fundamental part of security. Windows uses a system called Access Control Lists (ACLs) to manage file permissions.
We are going to specifically study Discretionary Access Control Lists (DACLs). There is also a system called System Access Control Lists (SACLs) which are used to manage event logs when users access files or folders. This is in the next reading.
A DACL is like a note that says who can do what with a file. Every file has an owner and at least one DACL.
By opening Properties for the Desktop folder, we can view the Security tab and see that there are groups, users, and permissions. The different permissions are as follows:
Read: Allows a user to see that a file exists, and the contents are viewable, or allows the user to read files and directories within a directory.
Read & Execute: Allows a user to read files and execute files if it is an executable file.
List Folder Contents: This is an alias of Read & Execute for a directory. Granting one grants the other. This means that you can read and execute files in the directory.
Write: This allows users to change a file. In a slight surprise, you can have permission to write to a file without having permission to read a file. Write also allows the user to create directories and write to files within that directory.
Modify: This is an “umbrella” permission, allowing Read, Write, and Execute permissions.
Full Control: This permission allows a user or group to do anything to a file or directory. It includes all the Modify permissions and adds that the user can take ownership of a file and change the ACLs.
To view ACLs, we use a program called Improved Change ACLs, or ICACLs.
PS C:\Users\username> icacls c:\Users\jimbo\Desktop\
This returns a list of confusing letters, along with the username, and more info can be found in icacls help:
PS C:\Users\username> icacls /? N : No access F : Full access (same as “full control” in the GUI) M : Modify access OI : object inherit (New objects inside Desktop, in this example, will inherit DACLs from the directory in which they were created. CI : container inherit
Supplemental Reading for Windows ACL
The reading on Access Control Lists.
All the way to the end, now, kids.
Linux: File Permissions
Linux has three permissions for files and folders
Read: Users can read files and folders
Write: Users can write information to files and folders
Execute: Users can execute a program.
We can view permissions using the ls command – use the -l command to make the output long and readable:
jimbo@jimbo-computer:~$ ls -l ~/myfile -rwxrw-r - - 1 jimbo cool_group 0 Oct 9 17:55 /home/jimbo/my-file jimbo@jimbo-computer:~$
The first item is the 10-bit “-rwxrw-r – -“. The first “-“ indicates that this is a regular file, not a directory, which is indicated here with a “d”. Then follows 9 bits in three “trios” of three bits. These are the actual permissions.
First trio: permission of the owner of the file. rwx refers to jimbo
Second trio: permission of the group that the file belongs to. rw- refers to cool_group
Third trio: permission of all other users. r – – refers to all other users and groups.
r=readable w=writable x=executable -=disabled
Windows: Modifying Permissions
In this example, we’re going to grant permission to another user to view a folder. Right-click the folder and click Properties for which we are changing permissions, then click the Security tab and click Edit to change file permissions button. Click the Add button, and in the new window click the Check Names button to verify the user. Then click OK, and the specified user is now in the list of Users and Groups in the Security tab. Now you can highlight the user and check the Allow boxes corresponding to the desired permissions.
While the Allow button grants access, the Deny button specifically denies a user by name, even if they belong to a group that has been allowed that permission.
In PowerShell, we are going to the icacls program. Because it is an old program, the parameters use special characters that are not recognized by PowerShell, so we will have to surround the parameters in single quotation marks. If you are using icacls in cmd.exe, remove the quotation marks.
PS C:\Windows\system32> icacls ‘c:\Vacation Pictures\’ /grant ‘Everyone: (OI)(CI)(R)’
CMD C:\Windows\system32> icacls “C:\vacation pictures” /grant Everyone:(OI)(CI)(R)
So in this example, we gave our pal Modify access and OI/CI permissions.
What if we want to give any user on the computer access to view the files but not add or remove files?
PS C:\Windows\system32> icacls ‘C:\vacation pictures’ /grant ‘Everyone:(OI)(CI)(R)
The Everyone user includes all users as well as Guest Users, which is a special type of user allowed to sign in without a password. Guest users are disabled by default.
Instead of everyone, what if we want to only allow Authenticated Users?
PS C:\Windows\system32> icacls ‘C:\vacation pictures’ /grant ‘Authenticated Users:(OI)(CI)(R)
And, let’s remove the permissions for the “Everyone” group.
PS C:\Windows\system32> icacls ‘C:\vacation pictures’ /remove Everyone
Then, verify the ACL for the folder:
PS C:\Windows\system32> icacls ‘C:\vacation pictures’
Linux: Modifying Permissions
Linux has a Change Mode command, or chmod, to change permissions. This is used in conjunction with:
u = users / g = group / o = other users, and the permission (r/w/x) joined by “add” +, or “remove” -.
This command grants executable permission, x, to the owner, u:
jimbo@jimbo-computer:~$ chmod u+x my_file
And this command takes it away:
jimbo@jimbo-computer:~$ chmod u-x my_file
And add multiple permissions:
jimbo@jimbo-computer:~$ chmod u+rx my_file
Now, you can also do this for multiple permission sets:
jimbo@jimbo-computer:~$ chmod ugo+r my_file
This format of ugo+rwx is known as Symbolic format. There is also a Numeric format, which is faster and simpler.
rwx can be represented numerically as 4 (r) 2 and 1 (x).
jimbo@jimbo-computer:~$ chmod 754 my_file
Each of the (754) numbers represents one of the trios, of ugo. So 7 = rwx (4+2+1) for users, 5= rx (4+1) for groups, and 4 = read (4) for other users.
Use the Change Owner command, or chown:
jimbo@jimbo-computer:~$ sudo chown jeff my_file
And change the group a file belongs to with chgrp:
jimbo@jimbo-computer:~$ sudo chgrp great_group my_file
Make sure to practice changing permissions, as this is an extremely important part of IT.
Windows: Special Permissions
So far, we have only covered Simple Permissions, but there are also Special Permissions. Simple permissions are actually sets of specific permissions.
If we navigate again to the Security tab in Properties of a file or Folder, you can click a username and then the Advanced button to view all the special permissions for that user. If you select Read, you can see that it is really a long list of specific permissions. These can be modified just like simple permissions.
In the CLI, use the icacls command. Let’s say we don’t want to give users access to delete each other’s files. We want to let users WD: Create/write data, AD: Create folders/append data, and S: Synchronize. So we can see there is a special user in the DACL called “creator owner” which allows special permissions to be set for the creator/owner of a file or folder.
PS C:\Windows\system32> icacls C:\Windows\Temp
Use the redirector >> to create a file with the output of icacls
Rewatch the end of this video… I’m not sure the narrative makes sense…
Supplemental Reading for Special Permissions in Windows
The reading on file and folder permissions.
Linux: SetUID, SetGID, Sticky Bit
Linux also allows special permissions. A use for this could be if you want a user to be allowed to do something with root privileges but you don’t want to grant root privileges.
Remember that passwords are stored in /etc/shadow, which is owned by root. We can’t view this file, and we shouldn’t be allowed to write to it, because we don’t have root permissions. This is because of a special permission called setUID. This can be verified by viewing the permissions for the passwd command: -rwsr-xr-x
The “s” indicated that the setUID has been granted. SetUID allow a file to be run as the owner of the file, meaning the passwd program has read/write/setUID permissions for the users. SetUID uses symbolic format with an “s” or a numeric format with a 4 added before the standard numeric permissions:
jimbo@jimbo-computer:~$ sudo chmod 4755 my_file
Similar to setUID, you can also run files using group permissions by using setGID, or “set group ID.” This will allow you to run a file as a member of the file group. Just like setUID, setGID uses a symbolic character (g) or a numerical format with the number 2:
jimbo@jimbo-computer:~$ sudo chmod g+s my_file jimbo@jimbo-computer:~$ sudo chmod 2755 my_file
There is also something called the Sticky Bit, which places a file or folder in a directory and can be read and written to, but not deleted by anyone except root. This is represented by “t” in permissions, such as “drwxrwxrwt”:
jimbo@jimbo-computer:~$ sudo chmod t my_file/
or with the number 1
jimbo@jimbo-computer:~$ sudo chmod 1755 my_file/
I feel like this is going to require a lot more study and practice.
Once again, signing into the “Qwiklab” VM assessment didn’t work the first day that I tried. It seems, after emailing the support people (who are very polite, thank you, team), I have to select the “Download RDP” and select different credentials from the Windows dialog box that comes up. Not through the regular sign-in in the “built-into-Chrome” RDP sign-on window. What a stupid system.
The assessment was good practice using ICACLS in PowerShell and the similar commands in Linux, chmod, chown, and the numerical permissions commands.
Looks like next week is going to be all about software. See you there.
Homer's Odyssey | Translated by Norbert A.D. Albertson | Paperback
WD 2TB Elements Portable External Hard Drive - USB 3.0
Live Work Work Work Work Die | by Corey Pein
HTML and CSS: Design and Build Websites 1st Edition | by Jon Duckett
The Hapless Rube's Apocalypse Survival Guide | by Jack Barker | Paperback
One thought on “Google IT Cert – Week 14 – Users and Permissions”