Chapter 15  User Accounts and Groups

Table of Contents

15.1  Viewing and definitions of user accounts
15.2  Local user accounts
15.3  Local user database: external authentication and import of accounts
15.4  User accounts in Active Directory — domain mapping
15.5  User groups

User accounts in WinRoute improve control of user access to the Internet from the local network. User accounts can also be used to access the WinRoute administration through the Administration Console or the Web Administration interface.

WinRoute supports several methods of storing user accounts and groups, combined with various types of authentication, as follows:

Internal user database

User accounts and groups and their passwords are saved in WinRoute. During authentication, usernames are compared to the data in the internal database.

This method of storing accounts and authenticating users is particularly suitable for networks without a proper domain, as well as for special administrator accounts (the user can authenticate locally even if network communication fails).

On the other hand, in networks with proper domains (Windows NT or Active Directory), local accounts in WinRoute may increase the administrative workload, since accounts and passwords must be maintained twice (in the domain and in WinRoute).

Internal user database with authentication within the domain

User accounts are stored in WinRoute. However, users are authenticated against the Windows NT or Active Directory domain (i.e. the password is not stored in the user account in WinRoute). Usernames in WinRoute must match the usernames in the domain.

This method is less demanding in terms of administration. When, for example, a user wants to change the password, this can simply be done in the domain and the change is automatically applied to the account in WinRoute. In addition, it is not necessary to create user accounts in WinRoute by hand, as they can be imported from the corresponding domain.

Import of user accounts from Active Directory

If Active Directory (Windows 2000 Server or Windows Server 2003/2008) is used, automatic import of user accounts from it can be enabled. It is not necessary to define accounts in WinRoute or to import them, since templates can be configured that set specific parameters (such as access rights, content rules, transfer quotas, etc.) for new WinRoute users. The corresponding user account is imported automatically when the user first logs in to WinRoute. Parameters set by a template can be modified for individual accounts if necessary.

Note: This type of cooperation with Active Directory is used mainly by older versions of WinRoute and is kept for compatibility with them. When WinRoute is installed for the first time, it is recommended to use transparent cooperation with Active Directory.

Transparent cooperation with Active Directory (Active Directory mapping)

WinRoute can use accounts and groups stored in Active Directory directly — no import to the local database is performed. Specific WinRoute parameters are added by the template of the corresponding account. These parameters can also be edited individually.

This method is the least demanding from the administrator's point of view (all user accounts and groups are managed in Active Directory) and it is the only one that allows accounts from multiple Active Directory domains to be used.

Note: When users are authenticated in the domain (all of the described methods except the first one), it is recommended to create at least one local account in WinRoute that has both read and write rights, or to keep the original Admin account. This account provides access to the WinRoute administration if the network or the domain server fails.