User Accounts and Group Management
User Accounts and Group Management is a critical aspect of server security and administration covered in the CompTIA Server+ (SK0-005) certification. It involves creating, maintaining, and controlling user identities and their access to server resources.

**User Accounts** are unique identities assigned to individuals or services that interact with a server. Each account typically includes a username, password, and associated permissions. Key principles include:
- **Principle of Least Privilege**: Users should only be granted the minimum permissions necessary to perform their tasks, reducing the attack surface.
- **Default Account Management**: Built-in accounts like 'Administrator' or 'root' should be renamed, disabled, or secured with strong passwords to prevent unauthorized access.
- **Service Accounts**: Dedicated accounts used by applications and services should have restricted permissions and be regularly audited.
- **Password Policies**: Enforcing complexity requirements, expiration periods, account lockout thresholds, and password history helps prevent brute-force attacks and credential compromise.

**Group Management** simplifies access control by organizing users into logical groups based on roles, departments, or functions. Instead of assigning permissions to individual users, administrators assign permissions to groups, making management more efficient and consistent.
- **Role-Based Access Control (RBAC)**: Groups are aligned with organizational roles, ensuring consistent permission assignment.
- **Nested Groups**: Groups can contain other groups, enabling hierarchical permission structures.
- **Regular Auditing**: Periodic reviews of group memberships ensure that users who change roles or leave the organization have appropriate access levels.

**Best Practices** for disaster recovery and security include:
- Implementing multi-factor authentication (MFA)
- Conducting regular access reviews and removing orphaned accounts
- Maintaining detailed audit logs of account activities
- Separating administrative and standard user accounts
- Documenting account policies and procedures for business continuity

Proper user account and group management directly supports disaster recovery by ensuring that only authorized personnel can access critical recovery systems and that accountability is maintained during incident response scenarios.
Why Is This Important?
User accounts and group management form the foundation of access control and security in any server environment. Without proper account and group policies, organizations risk unauthorized access, data breaches, privilege escalation, and regulatory non-compliance. For the CompTIA Server+ exam, understanding how user accounts and groups are created, maintained, and secured is essential because it directly ties into broader topics such as disaster recovery, security hardening, and the principle of least privilege.
Every server administrator must be able to manage who has access to what resources, ensure that permissions are correctly assigned, and audit activity to detect anomalies. Poorly managed accounts — such as orphaned accounts, shared accounts, or accounts with excessive privileges — are among the most common attack vectors exploited by malicious actors.
What Are User Accounts and Groups?
User Accounts
A user account is a unique identity assigned to an individual (or service) that enables authentication and authorization on a server or network. Each account typically includes:
- A username (unique identifier)
- A password or other authentication credential
- A Security Identifier (SID) or User ID (UID) depending on the operating system
- Account properties such as home directory, shell, login hours, and account expiration
Common types of user accounts include:
- Local accounts: Exist on a single server and authenticate only to that server.
- Domain/Directory accounts: Exist within a centralized directory service (e.g., Active Directory, LDAP) and can authenticate across multiple servers and resources.
- Service accounts: Used by applications and services rather than human users. These require special attention because they often have elevated privileges.
- Built-in/Default accounts: Accounts such as Administrator (Windows) or root (Linux) that are created during OS installation. These should be renamed, disabled, or secured according to best practices. Renaming on its own is a weak control: the built-in Windows Administrator keeps its well-known relative identifier (RID 500) and can still be located by it, and root cannot meaningfully be renamed because it is UID 0. The stronger pattern is to disable direct logon to these accounts (for example, PermitRootLogin no in sshd_config) and have administrators work from named, individually accountable accounts that elevate through sudo or a separate admin account.
- Guest accounts: Provide minimal access and should generally be disabled on servers.
Groups
A group is a collection of user accounts that share common access requirements. Groups simplify permission management because administrators assign permissions to a group rather than to individual users. When a user is added to a group, they inherit the permissions of that group.
Common types of groups include:
- Local groups: Defined on a single server.
- Domain groups: Defined in a directory service and applicable across the domain.
- Security groups: Used to assign permissions to resources.
- Distribution groups: Used primarily for email distribution lists (not for permissions).
In Windows Active Directory, groups are further categorized by scope:
- Domain Local groups: Can contain accounts and groups from any trusted domain, but can only be granted permissions to resources within their own domain.
- Global groups: Can contain only accounts (and, in native mode, other global groups) from their own domain, but can be granted permissions in any trusting domain.
- Universal groups: Can contain accounts and groups from any domain in the forest and be granted permissions in any domain in the forest; their membership is stored in the global catalog.
In Linux, groups are defined in /etc/group. Each user has exactly one primary group (the GID field of their /etc/passwd entry, which owns files they create by default) and may belong to any number of supplementary groups (the member lists in /etc/group); id username shows both.
How It Works
Account Lifecycle Management
Effective user account management follows a lifecycle:
1. Provisioning: Creating the account when a user joins the organization or a service is deployed. This includes assigning a username, initial password, group memberships, and appropriate permissions.
2. Maintenance: Ongoing tasks such as password resets, group membership changes, permission adjustments, and account modifications as roles change.
3. Review/Audit: Periodically reviewing accounts and group memberships to ensure they remain appropriate. This includes checking for orphaned accounts, excessive privileges, and compliance with security policies.
4. Deprovisioning: Disabling or deleting accounts when users leave the organization or services are retired. Failure to deprovision accounts is a significant security risk.
The Principle of Least Privilege
This is a core security concept that states every user and service should have only the minimum level of access necessary to perform their function. This principle is enforced through careful group management and permission assignment. Server administrators should:
- Avoid assigning users to administrator or root groups unless absolutely necessary.
- Use role-based access control (RBAC) to map job functions to groups with specific permissions.
- Regularly review and prune group memberships.
Password Policies and Account Security
Strong account security relies on robust password and account policies:
- Password complexity: Requiring a mix of uppercase, lowercase, numbers, and special characters.
- Password length: Enforcing minimum lengths (typically 8–14+ characters).
- Password expiration: Requiring periodic password changes (e.g., every 60–90 days). Current NIST guidance (SP 800-63B) recommends changing passwords only on evidence of compromise rather than on a schedule, but the exam objectives still list expiration as a standard policy component, so know how it is configured and what it is meant to limit (the useful life of a stolen credential).
- Password history: Preventing reuse of previous passwords.
- Account lockout: Locking an account after a specified number of failed login attempts within an observation window, to slow brute-force attacks. Pair the threshold with an automatic unlock duration (reserving administrator-only unlock for the most sensitive accounts): without one, anyone who can reach the logon service can lock legitimate users out at will, and the control becomes a denial-of-service tool.
- Multi-factor authentication (MFA): Adding additional authentication factors beyond passwords.
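Worked example of how those controls combine, added here and not taken from the guide: a password check that applies the length, character-class and history rules, and a lockout tracker that counts failures inside an observation window and unlocks automatically. The values in POLICY, the PBKDF2 parameters and the account names are illustrative assumptions, not numbers the exam prescribes.

```python
"""Password-policy and account-lockout checks.

Added example, not code from the Server+ guide. The numbers in POLICY are
illustrative choices (the exam objectives name the controls, not the values).
"""
import hashlib
import hmac
import os
from collections import deque

POLICY = {
    "min_length": 14,              # characters
    "min_classes": 3,              # of: lowercase, uppercase, digit, other
    "history_depth": 5,            # previous passwords that may not be reused
    "lockout_threshold": 5,        # failed logons ...
    "lockout_window_s": 15 * 60,   # ... within this observation window ...
    "lockout_duration_s": 30 * 60, # ... lock the account for this long
}
PBKDF2_ROUNDS = 100_000            # illustrative; tune upward for production

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def new_password_record(password):
    """(salt, digest) stored when a password is set; the history keeps the same records."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

def character_classes(password):
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in password))

def check_password(candidate, history, policy=POLICY):
    """Policy violations for a proposed password (empty list = accepted).
    `history` holds (salt, digest) records of previous passwords, newest first."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append("shorter than %d characters" % policy["min_length"])
    if character_classes(candidate) < policy["min_classes"]:
        problems.append("uses fewer than %d character classes" % policy["min_classes"])
    for salt, digest in history[: policy["history_depth"]]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append("reuses one of the last %d passwords" % policy["history_depth"])
            break
    return problems

class LockoutTracker:
    """Sliding-window failed-logon counter with automatic unlock. The window keeps a
    slow trickle of failures from locking accounts; the bounded lockout limits the
    denial of service an attacker causes by deliberately failing logons."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.failures = {}      # account -> deque of failure timestamps (seconds)
        self.locked_until = {}  # account -> unlock time

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:        # lockout duration elapsed: auto-unlock
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Register a failed logon; returns True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        window = self.failures.setdefault(account, deque())
        window.append(now)
        while window and now - window[0] > self.policy["lockout_window_s"]:
            window.popleft()    # failures outside the observation window no longer count
        if len(window) >= self.policy["lockout_threshold"]:
            self.locked_until[account] = now + self.policy["lockout_duration_s"]
            return True
        return False

    def record_success(self, account, now):
        """A correct password clears the counter but never bypasses an active lockout."""
        if self.is_locked(account, now):
            return False
        self.failures.pop(account, None)
        return True

def attempt_logon(tracker, account, candidate, stored, now):
    """Logon decision: lockout state first, then the password check."""
    if tracker.is_locked(account, now):
        return False
    salt, digest = stored
    if hmac.compare_digest(hash_password(candidate, salt), digest):
        return tracker.record_success(account, now)
    tracker.record_failure(account, now)
    return False
```

The order in attempt_logon matters: the lockout state is consulted before the password is verified, so a locked account stays locked even when the attacker finally guesses correctly, which is the whole point of the control.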
Centralized vs. Decentralized Management
- Centralized management uses a directory service such as Active Directory (AD), LDAP, or FreeIPA to manage all accounts and groups from a single point. This simplifies administration, improves consistency, and enhances security auditing.
- Decentralized management involves managing accounts locally on each server. This is harder to maintain and audit, and increases the risk of inconsistencies.
For enterprise environments, centralized management is strongly preferred.
Group Nesting and Permission Inheritance
In Active Directory environments, a common best practice is the AGDLP (or AGUDLP) strategy:
- Accounts are placed in Global groups
- Global groups are placed in Domain Local groups
- Domain Local groups are assigned Permissions
This approach provides scalability and simplifies permission management across complex environments.
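To make the AGDLP flow concrete, here is an added example (not the guide's own material) that models a small directory, expands nested group membership the way an access check effectively does, computes each user's rights on two file shares, and lints the layout for departures from AGDLP. The group names, user names and UNC paths are invented.

```python
"""AGDLP resolution and linting: Accounts -> Global groups -> Domain Local groups -> Permissions.

Added example; the directory snapshot, group names and share paths are invented.
"""

USERS = {"alice", "bob", "carol", "dave"}

# Constructed directory snapshot: group -> (scope, direct members).
DIRECTORY = {
    "GG_HR_Staff":       ("global",      {"alice", "bob"}),
    "GG_HR_Managers":    ("global",      {"carol"}),
    "GG_HR_All":         ("global",      {"GG_HR_Staff", "GG_HR_Managers"}),  # nested global groups
    "DL_HRShare_Read":   ("domainlocal", {"GG_HR_All"}),
    "DL_HRShare_Modify": ("domainlocal", {"GG_HR_Managers"}),
    "DL_Legacy_Share":   ("domainlocal", {"dave"}),      # user placed directly in a DL group
}

# Constructed ACLs: resource -> {principal: right}.
ACLS = {
    r"\\fs01\hr":     {"DL_HRShare_Read": "Read", "DL_HRShare_Modify": "Modify"},
    r"\\fs01\legacy": {"DL_Legacy_Share": "Modify", "GG_HR_Staff": "Read"},  # ACE on a global group
}

def parents_of(principal, directory):
    """Groups that list the principal as a direct member."""
    return {g for g, (_scope, members) in directory.items() if principal in members}

def transitive_groups(principal, directory=DIRECTORY):
    """Every group the principal belongs to, following nesting to any depth (cycle-safe)."""
    seen, frontier = set(), [principal]
    while frontier:
        current = frontier.pop()
        for group in parents_of(current, directory):
            if group not in seen:
                seen.add(group)
                frontier.append(group)
    return seen

def effective_rights(user, directory=DIRECTORY, acls=ACLS):
    """Rights the user ends up with per resource: the union of ACEs that name the
    user or any group in the expanded membership."""
    principals = transitive_groups(user, directory) | {user}
    rights = {}
    for resource, aces in acls.items():
        granted = {right for principal, right in aces.items() if principal in principals}
        if granted:
            rights[resource] = granted
    return rights

def agdlp_violations(directory=DIRECTORY, acls=ACLS, users=USERS):
    """Lint against AGDLP: users belong in global groups, domain local groups hold
    global groups, and only domain local groups appear in ACEs."""
    problems = []
    for group, (scope, members) in directory.items():
        for member in sorted(members):
            if scope == "domainlocal" and member in users:
                problems.append("%s: user %s is a direct member of a domain local group" % (group, member))
            if scope == "global" and directory.get(member, ("", None))[0] == "domainlocal":
                problems.append("%s: a global group cannot contain domain local group %s" % (group, member))
    for resource, aces in acls.items():
        for principal, right in aces.items():
            kind = directory[principal][0] + " group" if principal in directory else "user"
            if kind != "domainlocal group":
                problems.append("%s: %s is granted to %s %s instead of a domain local group"
                                % (resource, right, kind, principal))
    return problems

if __name__ == "__main__":
    for user in sorted(USERS):
        print(user, effective_rights(user))
    for problem in agdlp_violations():
        print("AGDLP violation:", problem)
```

The two violations the lint reports (a user placed directly in a domain local group, and an ACE granted to a global group) are exactly the shortcuts that make permissions hard to trace later: rights end up scattered across group scopes instead of being readable from the domain local groups on each resource.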
Auditing and Monitoring
Administrators should enable auditing of account-related events, including:
- Successful and failed logon attempts
- Account creation, modification, and deletion
- Group membership changes
- Privilege escalation events
Audit logs should be reviewed regularly and forwarded to a centralized logging solution (SIEM) for analysis.
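Added example (not from the guide) of what the centralized review of those events looks like as detection logic: it scans constructed Linux auth-log lines for password-guessing runs against one account, a run that ends in a successful logon, account creation, membership changes on privileged groups, and sudo escalation to a root shell. The Windows equivalents are the Security log event IDs 4625/4624 (logon failure/success), 4720 (user account created) and 4728/4732 (member added to a global/local security group). The hostname, addresses and account names in the sample are invented.

```python
"""Detection logic over Linux auth-log lines for account-related events.

Added example, not from the guide. LOG is constructed sample data in the syslog
format sshd, useradd, usermod and sudo write on Debian/Ubuntu-style systems.
"""
import re
from collections import deque
from datetime import datetime

LOG = """\
Mar  3 09:12:01 srv01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51122 ssh2
Mar  3 09:12:05 srv01 sshd[2213]: Failed password for alice from 203.0.113.7 port 51124 ssh2
Mar  3 09:12:09 srv01 sshd[2215]: Failed password for alice from 203.0.113.7 port 51126 ssh2
Mar  3 09:12:13 srv01 sshd[2217]: Failed password for alice from 203.0.113.7 port 51128 ssh2
Mar  3 09:12:17 srv01 sshd[2219]: Failed password for alice from 203.0.113.7 port 51130 ssh2
Mar  3 09:12:40 srv01 sshd[2230]: Accepted password for alice from 203.0.113.7 port 51140 ssh2
Mar  3 09:14:22 srv01 sshd[2240]: Failed password for bob from 198.51.100.9 port 40010 ssh2
Mar  3 09:15:02 srv01 useradd[2300]: new user: name=svc-tmp, UID=1005, GID=1005, home=/home/svc-tmp, shell=/bin/bash
Mar  3 09:15:10 srv01 usermod[2310]: add 'svc-tmp' to group 'sudo'
Mar  3 09:16:00 srv01 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

PRIVILEGED_GROUPS = {"sudo", "wheel", "root", "admin"}
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash"}

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=([^,]+),")
GROUP_ADD = re.compile(r"usermod\[\d+\]: add '([^']+)' to group '([^']+)'")
SUDO = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(\S+)")

def parse_time(line, year=2024):
    """Syslog timestamps carry no year; the caller supplies one (assumed here)."""
    month, day, clock = line.split()[:3]
    return datetime.strptime("%s %s %s %d" % (month, day, clock, year), "%b %d %H:%M:%S %Y")

def detect(lines, threshold=5, window_s=300):
    """Return (severity, message) alerts in log order."""
    alerts = []
    failures = {}   # (user, source) -> deque of failure times inside the window
    for line in lines:
        if not line.strip():
            continue
        ts = parse_time(line)
        m = FAILED.search(line)
        if m:
            key = m.groups()
            q = failures.setdefault(key, deque())
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) == threshold:   # fire once when the run reaches the threshold
                alerts.append(("medium", "%d failed logons for %s from %s within %ds"
                               % (threshold, key[0], key[1], window_s)))
            continue
        m = ACCEPTED.search(line)
        if m:
            key = m.groups()
            recent = [t for t in failures.get(key, ()) if (ts - t).total_seconds() <= window_s]
            if len(recent) >= threshold:   # guessing run followed by success: treat as compromise
                alerts.append(("high", "successful logon for %s from %s after %d failures (possible brute-force success)"
                               % (key[0], key[1], len(recent))))
            failures.pop(key, None)
            continue
        m = NEW_USER.search(line)
        if m:
            alerts.append(("info", "account created: %s" % m.group(1)))
            continue
        m = GROUP_ADD.search(line)
        if m:
            user, group = m.groups()
            alerts.append(("high" if group in PRIVILEGED_GROUPS else "info",
                           "%s added to group %s" % (user, group)))
            continue
        m = SUDO.search(line)
        if m:
            user, target, command = m.groups()
            if target == "root" and command in SHELLS:
                alerts.append(("medium", "%s obtained a root shell via sudo (%s)" % (user, command)))
    return alerts

if __name__ == "__main__":
    for severity, message in detect(LOG.splitlines()):
        print("[%s] %s" % (severity.upper(), message))
```

On a real host the lines come from /var/log/auth.log (or journalctl -u ssh and the audit log on RHEL-family systems), and the same rules map onto the Windows event IDs named above once the SIEM has normalised both sources.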
Key Tools and Commands
Windows Server:
- Active Directory Users and Computers (ADUC): GUI tool for managing AD accounts and groups.
- net user / net localgroup: Command-line tools for local account and group management.
- PowerShell cmdlets: New-ADUser, Add-ADGroupMember, Get-ADUser, Set-ADUser, Remove-ADUser, etc.
- Group Policy (GPO): Used to enforce password policies, account lockout policies, and user rights assignments across the domain.
Linux:
- useradd / adduser: Create user accounts.
- usermod: Modify user accounts (e.g., add to a supplementary group with usermod -aG groupname username). The -a (append) flag matters: usermod -G on its own replaces the user's entire supplementary group list with the groups named, silently dropping every other membership.
- userdel: Delete user accounts.
- groupadd / groupdel / groupmod: Manage groups.
- passwd: Set or change passwords.
- /etc/passwd, /etc/shadow, /etc/group: Critical configuration files for user and group information.
- chage: Manage password aging policies.
- sudo / sudoers: Control elevated privilege access.
Security Considerations and Disaster Recovery
User accounts and groups are critical to disaster recovery planning:
- Backup directory services: Ensure Active Directory or LDAP databases are backed up regularly. A corrupted or lost directory can prevent all users from authenticating.
- Document account structures: Maintain documentation of group structures, permissions, and account policies so they can be rebuilt if necessary.
- Emergency accounts: Maintain secure break-glass or emergency administrator accounts that can be used during a disaster when normal authentication may be unavailable.
- Test recovery procedures: Regularly test the ability to restore user accounts and directory services from backup.
- Separation of duties: Ensure no single account has unchecked power — use multiple administrator accounts with divided responsibilities.
Common Vulnerabilities Related to Accounts and Groups
- Orphaned accounts: Accounts belonging to former employees that were never disabled or deleted.
- Shared accounts: Multiple users sharing a single account, making auditing impossible.
- Excessive privileges: Users with more access than their role requires.
- Default credentials: Failing to change default passwords on built-in or service accounts.
- Stale group memberships: Users remaining in groups after role changes.
- Weak password policies: Allowing short, simple, or non-expiring passwords.
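Most of the items above, together with the Review/Audit step of the account lifecycle, can be checked mechanically from the three Linux files named under Key Tools and Commands. The script below is an added example, not part of the guide: it parses constructed copies of /etc/passwd, /etc/shadow and /etc/group, resolves each user's primary and supplementary groups, and reports extra UID 0 accounts, empty password fields, interactive accounts whose password never expires, expired accounts that were never removed, and membership of sudo or wheel. The account names, the placeholder hashes and the fixed TODAY value are sample data.

```python
"""Audit a Linux account database for the weaknesses listed above.

Added example, not code from the Server+ guide. PASSWD, SHADOW and GROUP are
constructed copies of /etc/passwd, /etc/shadow and /etc/group (on a real host
read them as root; /etc/shadow is not world-readable). TODAY is a fixed day
count so the output is reproducible.
"""
from collections import namedtuple

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
svc-backup:x:999:999:backup service:/var/lib/backup:/usr/sbin/nologin
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
carol:x:1003:1003:Carol Former:/home/carol:/bin/bash
"""
# name:hash:lastchange:min:max:warn:inactive:expire:reserved (days since the epoch)
SHADOW = """\
root:$6$dummysalt$dummyhash:19700:0:99999:7:::
svc-backup:!:19000:0:99999:7:::
alice:$6$dummysalt$dummyhash:19700:1:90:14:::
bob::19700:0:90:14:::
toor:$6$dummysalt$dummyhash:19700:0:99999:7:::
carol:$6$dummysalt$dummyhash:19400:0:90:14::19600:
"""
GROUP = """\
root:x:0:
sudo:x:27:alice,toor
backup:x:999:
alice:x:1001:
bob:x:1002:
carol:x:1003:
developers:x:2000:alice,bob,carol
"""
TODAY = 19750
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
PRIVILEGED_GROUPS = {"sudo", "wheel", "root"}

PasswdEntry = namedtuple("PasswdEntry", "name uid gid gecos home shell")
ShadowEntry = namedtuple("ShadowEntry", "name hash lastchange min max warn inactive expire")
Finding = namedtuple("Finding", "user issue")

def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, gecos, home, shell = line.split(":")
            users[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return users

def parse_shadow(text):
    entries = {}
    for line in text.splitlines():
        if line:
            f = line.split(":")
            aging = [int(x) if x else None for x in f[2:8]]   # empty field = not set
            entries[f[0]] = ShadowEntry(f[0], f[1], *aging)
    return entries

def parse_group(text):
    """{group: (gid, {direct members})}; the member lists are the supplementary memberships."""
    groups = {}
    for line in text.splitlines():
        if line:
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def effective_groups(user, users, groups):
    """(primary group from the passwd GID, set of supplementary groups from /etc/group)."""
    gid_to_name = {gid: name for name, (gid, _m) in groups.items()}
    primary = gid_to_name.get(users[user].gid, str(users[user].gid))
    supplementary = {g for g, (_gid, members) in groups.items() if user in members}
    return primary, supplementary

def audit(users, shadow, groups, today=TODAY):
    findings = []
    for name, u in users.items():
        if u.uid == 0 and name != "root":
            findings.append(Finding(name, "uid 0 account other than root"))
        s = shadow.get(name)
        if s is None:
            findings.append(Finding(name, "no shadow entry"))
            continue
        if s.hash == "":
            findings.append(Finding(name, "empty password field (no password required)"))
        locked = s.hash.startswith(("!", "*"))          # locked or no-password system account
        interactive = u.shell not in NOLOGIN_SHELLS
        if interactive and not locked and (s.max is None or s.max >= 99999):
            findings.append(Finding(name, "password never expires"))
        if s.expire is not None and s.expire < today:
            findings.append(Finding(name, "account expired %d days ago but still present" % (today - s.expire)))
        for g in sorted(effective_groups(name, users, groups)[1] & PRIVILEGED_GROUPS):
            findings.append(Finding(name, "member of privileged group %s" % g))
    return findings

if __name__ == "__main__":
    u, s, g = parse_passwd(PASSWD), parse_shadow(SHADOW), parse_group(GROUP)
    for f in audit(u, s, g):
        print("%-12s %s" % (f.user, f.issue))
```

The findings map straight back to the list: toor is an extra UID 0 account with sudo rights (excessive privilege), bob has an empty password field (default/absent credential), carol's account expired months ago and was never deleted (an orphaned account), and the never-expiring root and toor passwords are the weak-policy case. In a directory environment the same review is done against the directory rather than local files, but the questions are identical.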
Exam Tips: Answering Questions on User Accounts and Group Management
1. Always think Least Privilege first. If a question asks about the best way to grant access, choose the option that provides the minimum necessary permissions. Never assign administrative rights when standard user rights will suffice.
2. Know the difference between local and domain accounts/groups. Exam questions may test your understanding of when to use local accounts versus centralized directory accounts. For enterprise environments, centralized management (Active Directory, LDAP) is almost always the preferred answer.
3. Understand the AGDLP model. If a question asks about the best practice for assigning permissions in an Active Directory environment, remember: Accounts go into Global groups, Global groups go into Domain Local groups, and Domain Local groups receive Permissions.
4. Recognize service accounts as a special case. Questions about service accounts often focus on ensuring they have limited permissions, use strong passwords, and are audited. Never use a regular user's account as a service account.
5. Account lockout and password policies are common question topics. Know the standard components: complexity requirements, minimum length, history, expiration, and lockout thresholds. Be prepared to identify which policy setting addresses a specific scenario (e.g., preventing brute force = account lockout).
6. Deprovisioning is a key security concept. When a question describes an employee leaving the organization, the correct answer typically involves immediately disabling (not necessarily deleting) the account and reviewing group memberships. Disabling is preferred over deletion initially because it preserves audit trails and allows for data recovery if needed.
7. Watch for questions about default and guest accounts. Best practice is to rename or disable built-in administrator accounts and always disable guest accounts on servers.
8. Audit-related questions are common. Understand that successful and failed logon events should both be audited. Know that centralized logging (SIEM) is the best practice for monitoring account activity across multiple servers.
9. Read questions carefully for scope. Determine whether the question is asking about a single server (local accounts/groups) or an entire network/domain (directory service accounts/groups). This distinction often determines the correct answer.
10. Group-based access control is always preferred over individual assignments. If a question presents a choice between assigning permissions to individual users versus creating a group and assigning permissions to the group, always choose the group-based approach for scalability and manageability.
11. Know Linux and Windows equivalents. The exam may reference both platforms. Be comfortable with basic commands on both (e.g., useradd on Linux vs. net user or New-LocalUser for a local Windows account, and New-ADUser in PowerShell for a domain account), and note which scope each one operates on.
12. For disaster recovery questions involving accounts: Focus on answers that emphasize backing up directory services, maintaining documentation, and having emergency/break-glass accounts available.
13. Eliminate obviously insecure options. Answers that suggest sharing accounts, using default passwords, granting everyone administrator access, or skipping account reviews are almost always wrong.
By mastering these concepts and keeping these tips in mind, you will be well-prepared to answer any CompTIA Server+ exam question related to user accounts and group management.