CHAPTER 7
USER ACCOUNT ADMINISTRATION
Lesson 1:
Introduction to User Accounts
A user account provides a user with the ability to log on to the domain to gain access to the network
resources or to log on to a computer to gain access to resources on that computer.
Windows 2000 provides different types of user accounts: local user accounts, domain user accounts,
and built-in user accounts. With a local user account, a user logs on to a specific computer to gain
access to resources on that computer. With a domain user account, a user can log on to the domain
to gain access to network resources. Built-in user accounts are used to perform administrative tasks
or to gain access to network resources.
Local User Accounts
Local user accounts allow users to log on at and gain access to resources on only the computer
where you create the local user account.
Do not create local user accounts on computers that require access to domain resources, because
the domain does not recognize local user accounts.
Domain User Accounts
Domain user accounts allow users to log on to the domain and gain access to resources anywhere
on the network. The user provides his or her name and password during the logon process. The
access token identifies the user to computers running Windows 2000 and pre-Windows 2000
computers on which the user tries to gain access to resources. Windows 2000 provides the
access token for the duration of the logon session.
The domain controller replicates the new user account information to all domain controllers in
the domain.
After Windows 2000 replicates the new user account information, all of the domain controllers
in the domain tree can authenticate the user during the logon process.
=====================================================================
winads7.html PAGE
2 2002/02/15
NOTE: It can take a few minutes to replicate the domain user account information to all of the
domain controllers. This delay might prevent a user from immediately logging on using the newly
created domain user account. By default, replication of directory information occurs every five
minutes.
Built-in User Accounts
Windows 2000 automatically creates built-in accounts. Two commonly used built-in
accounts are Administrator and Guest.
Other Built-in accounts:
IUSR_computername. Automatically created when IIS is added to the computer. This
account is used for anonymous access to IIS.
IWAM_computername. Automatically created when IIS is added to the computer.
IWAM is an account for anonymous access to IIS out-of-process applications.
TsInternetUser. Is created automatically when Terminal Services are installed on the
domain controller. TsInternetUser is an account used by Terminal Services.
Administrator. Is a built-in account to manage the overall computer and domain
configuration for such tasks as creating and modifying user accounts and groups,
managing security policies, creating printers, and assigning permissions and rights to
user accounts to gain access to resources.
NOTE: You can rename the Administrator account, but you cannot delete it.
Guest. Use this built-in guest account to give occasional users the ability to log on and gain access
to resources.
NOTE: The Guest account is disabled by default. Enable the Guest account only in low-security
networks, and always assign it a password. You can rename and disable the Guest account, but
you cannot delete it. Leave it as is, disabled.
Lesson Summary:
With a domain user account, a user can log on to the domain to gain access to network
resources.
upon installation. The IUSR_computername and IWAM_computername are created
when IIS is installed. The TsInternetUser is created when Terminal Services are installed.
controllers in the domain.
Lesson 2:
Planning New User Accounts
Naming Conventions
The naming conventions establish how users are identified in the domain. A consistent naming
convention will help you and your users remember user logon names and locate them in lists.
** See the charts on pages 184-185 ***
Account Options
You should assess the hours when a user can log on to the network and the computers from
which a user can log on, and you should determine if temporary user accounts need to expire.
To determine account options, consider the following information:
Logon Hours. Set them to the work hours, and eliminate weekends and evenings.
Computers from which Users can log on. By default, users can log on to the
domain by using any computer in the domain. For security reasons, require users to
log on to the domain only from their computer. This prevents users from gaining
access to sensitive information that is stored on other computers.
Account Expiration. This may be necessary if the account belongs to a temporary employee.
CAUTION: If you have disabled NetBIOS over TCP/IP, Windows 2000 is unable to
determine which computer you are logging on from and therefore you cannot restrict users
to specific computers.
Lesson Summary:
OU where you create the domain user account.
unique within the OU where you create the domain user account. Local user account
names can also be up to 20 characters in length and must be unique on the computer
where you create the local user account.
Lesson 3:
Creating User Accounts:
Local user accounts are created using the Local Users and Groups snap-in within the Computer
Management console. Domain user accounts are created in the Active Directory Users and
Computers console.
Creating Local User Accounts:
Using the Local Users and Groups snap-in, you create, delete, or disable local user accounts on
the local computer in a workgroup. You cannot create local user accounts on a domain controller.
Creating Domain User Accounts:
Using the Active Directory Users and Computers console you create, delete, or disable domain
user accounts on the domain controller, or local user accounts on any computer in the domain.
When you create the domain user account, the user logon name defaults to the domain in which
you are creating the domain user account. However, you can select any domain in which you
have permissions to create the new account. You can create the domain user account in the
default Users container or in a container that you create to hold domain user accounts.
NOTE: In a live system environment, the Users container is merely a default container. Actual
users should be added to a custom OU rather than the Users container.
*** See the password options on pages 192 and 193 ****
NOTE: Always require new users to change their passwords the first time that they log on. This
prevents a user account from existing without a password, and once the user logs on and changes
his or her password, only the user knows the password.
TIP: For added security on networks, create unrelated initial passwords for all new user accounts
by using a random combination of letters and numbers. Creating an unrelated initial password will
help keep the user account secure.
User Account Properties
A set of default properties is associated with each user account that you create. After you create
a user account you can configure personal and account properties, logon options and dial-in settings.
For domain users, these account properties equate to object attributes.
Setting Logon Hours:
By default, Windows 2000 permits access for all hours on all days. You might want to allow users
to log on only during working hours. Setting logon hours reduces the amount of time that the account
is open to unauthorized access.
NOTE: The days and hours for which you have allowed access are shown in blue.
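The logon-hours restriction described here (and under Account Options in Lesson 2) is stored on the user object as the 21-byte logonHours attribute: one bit per hour of the week, starting at Sunday 00:00 UTC, least significant bit first within each byte, which is why the hours shown in the console shift with the administrator's time zone. The following is an added example, not code from the page or from Microsoft; it builds and decodes that mask for a weekday work-hours schedule, and the helper names and the utc_offset_hours parameter are my own assumptions.

```python
from typing import Dict, Iterable, Set, Tuple

HOURS_PER_WEEK = 168
MASK_BYTES = HOURS_PER_WEEK // 8  # 21 bytes, one bit per hour of the week

# Day order used by the attribute: bit 0 of byte 0 is Sunday 00:00 UTC.
DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")


def build_logon_hours(allowed: Dict[str, Iterable[int]], utc_offset_hours: int = 0) -> bytes:
    """Return the 21-byte logonHours bitmask.

    allowed maps a day name to the local hours (0-23) in which logon is permitted.
    Hours are given in local time and shifted by utc_offset_hours (local = UTC + offset),
    because the directory stores the mask in UTC.
    """
    mask = bytearray(MASK_BYTES)
    for day, hours in allowed.items():
        day_idx = DAYS.index(day)
        for hour in hours:
            if not 0 <= hour <= 23:
                raise ValueError(f"hour out of range: {hour}")
            week_hour = (day_idx * 24 + hour - utc_offset_hours) % HOURS_PER_WEEK
            mask[week_hour // 8] |= 1 << (week_hour % 8)
    return bytes(mask)


def decode_logon_hours(mask: bytes, utc_offset_hours: int = 0) -> Set[Tuple[str, int]]:
    """Inverse of build_logon_hours: the set of (day, local hour) pairs that are permitted."""
    if len(mask) != MASK_BYTES:
        raise ValueError("logonHours must be exactly 21 bytes")
    allowed = set()
    for week_hour in range(HOURS_PER_WEEK):
        if (mask[week_hour // 8] >> (week_hour % 8)) & 1:
            local = (week_hour + utc_offset_hours) % HOURS_PER_WEEK
            allowed.add((DAYS[local // 24], local % 24))
    return allowed


def business_hours(start: int = 8, end: int = 18) -> Dict[str, range]:
    """Monday to Friday, start..end-1 inclusive; weekends and evenings are excluded."""
    return {day: range(start, end) for day in DAYS[1:6]}


if __name__ == "__main__":
    # Constructed sample: an office five hours behind UTC (UTC-5), 08:00-18:00 on weekdays.
    mask = build_logon_hours(business_hours(), utc_offset_hours=-5)
    print(mask.hex())
    print(sorted(decode_logon_hours(mask, utc_offset_hours=-5)))
```

Because the mask is stored in UTC, the same local schedule produces a different byte string for each time zone; decode with the same offset you used to build it when checking what an account is actually allowed.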
Setting the Computers from which Users can log on
Setting logon options for a domain user account allows you to control the computers from which a
user can log on to the domain. By default, each user can log on from all computers in the domain.
Setting the computers from which a user can log on prevents users from accessing another user’s
data that is stored on that user’s computer.
NOTE: To control the computers from which a user can log on to a domain, NetBIOS must be
enabled over TCP/IP.
Configuring Dial-In Settings
Configuring Dial-in settings for a user account permits you to control how a user can make a dial-in
connection to the network from a remote location.
NOTE: In addition to configuring dial-in settings and having RAS on the server to which the user is
dialing in, you must also set up a dial-up connection for the server on the client computer. Set up a
dial-up connection by using the Network Connection Wizard, which you can access from Network
Connections in My Computer.
Lesson Summary:
accounts are created using the Active Directory Users and Computers console.
Lesson 4:
Creating User Profiles
A user profile is a collection of folders and data that stores the user’s current desktop environment,
application settings, and personal data. A user profile also contains all of the network connections
that are established when a user logs on to a computer, such as Start menu items and mapped drives
to network servers.
User Profiles
On computers running Windows 2000, user profiles automatically create and maintain the desktop
settings for each user’s work environment on the local computer.
User profiles provide several advantages to users:
when they logged off.
running Windows NT 4.0 or Windows 2000 on the network.
Profile Types
There are three types of user profiles:
and is stored on a server.
settings for individuals or an entire group of users.
Some settings contained in a user profile:
***** Review the charts on pages 208 and 209 ** Do not memorize
Contents of a User Profile
Local User Profiles
The local user profile is stored in the C:\Documents and Settings\user_logon_name folder, where C:\
is the name of your system drive and user_logon_name is the name the user enters when logging on
to the system.
Roaming User Profile
To support users who work at multiple computers, you can set up roaming user profiles. A roaming
user profile is a user profile that you set up on a network server so that the profile is available to the user
no matter where the user logs on in the domain.
Standard Roaming User Profiles
You use standard roaming user profiles for the following reasons:
To provide a standard desktop environment for multiple users with similar job responsibilities. These
users require the same network resources. To provide users with the work environment that they
need to perform their jobs and to remove connections and applications that they do not require.
To simplify troubleshooting. Technical support would know the exact baseline setup of the desktops
and could easily find a deviation or a problem.
Creating Roaming User Profiles
You should create roaming user profiles on a file server that you frequently back up, so that you
have copies of the latest roaming user profiles.
NOTE: To successfully create roaming user profiles and assign home directories for user accounts,
you must have permissions to administer the object in which the user accounts reside.
Mandatory User Profiles
A mandatory user profile is a read-only user profile. Users can modify the desktop settings of the
computer while they are logged on, but none of these changes is saved when they log off.
Creating a Mandatory User Profile
A hidden file in the profile (for example, \\SERVER1\shar\user_logon_name) called NTUSER.DAT
contains the section of the Windows 2000 system settings that applies to the individual user account
and contains the user environment settings, such as desktop appearance. This is the file that you make
read-only by changing its name to NTUSER.MAN.
Lesson Summary:
user logs on to a computer, such as Start menu items and mapped drives to network
servers.
Lesson 5:
Creating Home Directories
A home directory is an additional folder that you can provide for users to store personal documents,
and for older applications, it is sometimes the default folder for saving documents.
Storing all home directories on a file server provides the following advantages:
Users can gain access to their home directories from any client computer on the network.
The backup and administration of user documents is centralized.
The home directories are accessible from a client computer running any Microsoft operating system
(including MS-DOS, Windows 95, Windows 98 and Windows 2000).
NOTE: You should store home directories on a Windows NT file system (NTFS) volume so that
you can use NTFS permissions to secure user documents. If you store home directories on a file
allocation table (FAT) volume, you can only restrict home directory access by using shared folder
permissions.
\\server_name\Users\%username%
Lesson Summary:
Storing all home directories on a file server provides several advantages. The first advantage is
that users can gain access to their home directories from any client computer on the network.
Lesson 6:
Maintaining User Accounts
does not need an account for an extended period, but will need it again.
rights, permissions, and group memberships for the users account and reassign it to
a different user.
and you are not going to rename the user account.
NOTE: If a user account is enabled, the Action menu displays the Disable Account command.
If a user account is disabled, the Action menu displays the Enable Account command.
Lesson Summary:
but will need it again. You enable the account when it is needed again.