To launch the Domain Account Manager, select Tools»Security»Domain Account Manager from the pull-down menu in the project manager. In the Domain Account Manager, shown in Figure 1, right-click the My Computer icon and select New Local Domain from the shortcut menu. If a local domain already exists on the computer, you cannot create another one without first destroying the existing local domain. From the General tab, enter a domain name and press OK. You will be prompted to create an Administrator password. The Administrator is the default user that can add or remove users and user groups, change user permissions, modify user passwords, and so on. This functionality is limited to the Administrator and any users in the Administrators group. The other default groups are Operators and Guests.
Figure 1. Main Window of the Domain Account Manager
The Domain Account Manager has many security features, such as encryption, that increase the security of the computer on which it is deployed. The Domain Account Manager uses a challenge-response protocol to transmit passwords over the network. Because no cleartext password is transmitted over the network, malicious eavesdropping techniques do not reveal the user’s password. The Domain Account Manager also stores passwords using a one-way hash function. With this type of storage, applications can validate passwords with the Domain Account Manager, but they cannot determine the actual password.
To increase security, you can control access to the Domain Account Manager by assigning permissions to both individual computers and subnets. By denying access to the Domain Account Manager you are effectively denying access to any of the resources that use the Domain for user authentication. If a computer or subnet cannot access the Domain Account Manager, the requested resource cannot determine the necessary permissions.
You can use both individual computer names and IP addresses to control access to the Domain Account Manager. You can also use the "*" wildcard to control access by a range of computers or IP addresses. For example, granting access by "*.ni.com" specifies that all computers whose name ends with "ni.com" can access the Domain Account Manager. Conversely, denying access by "10.0.0.*" specifies that no computer on the 10.0.0 subnet can access the Domain Account Manager. Figure 2 shows these settings of the Domain Properties window. You access this window by launching the Domain Account Manager, selecting Edit»Properties from the pull-down menu, and clicking the Access Control tab.
Figure 2. Domain Properties Window/Access Control Tab
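
The wildcard rules described above can be modeled as follows. This is an added example, not the Domain Account Manager's own code. It assumes that a matching deny rule overrides any grant, that access is refused when no grant matches, and that addresses are IPv4. The function names and sample hosts are constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed rule list mirroring the two examples in the text.
RULES = [("grant", "*.ni.com"), ("deny", "10.0.0.*")]

def is_ip_pattern(pattern):
    """True when the pattern is four dot-separated labels of digits or '*'."""
    labels = pattern.split(".")
    return len(labels) == 4 and all(p == "*" or p.isdigit() for p in labels)

def matches(pattern, hostname, ip):
    """Match IP patterns against the address and name patterns against the name."""
    if is_ip_pattern(pattern):
        # Compare octet by octet, so "10.0.0.*" can never match a host *name*
        # such as "10.0.0.5.example.org" or a different network like 110.0.0.1.
        octets = str(ipaddress.IPv4Address(ip)).split(".")
        return all(p == "*" or int(p) == int(o)
                   for p, o in zip(pattern.split("."), octets))
    # Host names are case-insensitive; ignore a trailing root dot.
    return fnmatchcase(hostname.lower().rstrip("."), pattern.lower())

def is_allowed(hostname, ip, rules=RULES):
    """Assumed policy: any matching deny wins, otherwise a grant must match."""
    granted = False
    for action, pattern in rules:
        if matches(pattern, hostname, ip):
            if action == "deny":
                return False
            granted = True
    return granted

if __name__ == "__main__":
    # Constructed clients: (host name, IP address)
    for host, ip in [("lab1.ni.com", "192.168.1.20"),
                     ("lab2.ni.com", "10.0.0.7"),
                     ("ni.com.example.org", "192.168.1.20")]:
        print(host, ip, "allowed" if is_allowed(host, ip) else "denied")
```

Under these assumptions, a host that matches both a grant and a deny rule is refused, and a name that merely contains "ni.com" without ending in it is not granted access.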