CHAPTER 10

                      SETTING UP AND MANAGING USERS

 

 

 

Lesson 1:  Understanding User Accounts

 

There are three different types of user accounts:

 

• Local user accounts.
• Domain user accounts
• Built-in user accounts.

 

 

 

Local User Accounts

 

Local User accounts allows a user to log on to a specific computer to gain access to the resources

only on the computer where you create the local user account.

 

When the account information is created locally, it is not replicated to any other computer.  

The security information is also only stored locally.

 

 

Local User accounts provide:

 

Provide access to resources on the local computer

Are created only on computer that are not in a domain

Are created in the local security database

 

If you have a workgroup that consists of  5 computers running Windows 2000 P and you create a

local user account User1.  If you need to be able to log on as User 1, you must physically go to

each of the other 4 computers and set up an account.

 

NOTE:  To not create user accounts on computers running Windows 2000  that are part of a

domain because the domain doesn’t recognize local user accounts.  Therefore, the user is unable

to gain access to resources in the domain and the domain administrator is unable to administer the

local user account properties or assign access permissions for domain resources.

 

 

Domain User Accounts

 

 

Domain user account allows a user to log on to the domain to gain access to network resources.

 

 

 

 

 

=======================================================================

 

winpro10.html                                                 PAGE 2                                                        2001/12/07

 

 

 

Domain user accounts allow users to log on to the domain and gain access to resources anywhere

on the network.  The user provides his or her password and user name during the logon process. 

Each user who logs on gains an access token that contains information about the user and security

settings.  You must have a domain to have domain user accounts.

 

You create a domain user account in the copy of the Active Directory database on a domain

controller.   The domain controller replicates the new user account information to all domain

controllers in the domain.

 

 

Domain User Accounts provide:

 

• Provide access to network resources
• Provide the access token for authentication
• Are created in Active Directory directory services on a domain controller.

 

 

 

Built-in User Accounts

 

Built-in user account allows a user to perform administrative tasks or to gain access to local or network

resources.

 

Two commonly used built-in accounts are Administrator and Guest.

 

 

Administrator

 

Use the built-in Administrator account to manage the overall computer.    Log on by using the

Administrator account only when you perform administrative tasks.

 

You should have a renamed administrator account, for non-administrative types of duties.

 

You cannot delete the Administrators account. 

 

 

 

=======================================================================

 

winpro10.html                                                 PAGE 3                                                        2001/12/07

 

 

 

Guest

 

Use the built-in Guest account to give occasional users the ability to log on and gain access to

resources.  The Guest account is disabled by default.  Enable the Guest account only in log-security

networks and always assign it a password.  You can rename the Guest account, but you cannot

delete it.

 

 

Lesson Summary:

 

•   With built-in user accounts, you can perform administrative tasks or gain access to resources.
•   With a domain user account, a user can log on to the domain to gain access to network resources.
•   When you create a domain user account Windows 2000 creates the account in the copy of the

Active Directory database on a domain controller.

•   The domain controller then replicates the new user account information to all domain controllers

in the domain, simplifying user account administration.

 

 

 

Lesson 2:  Planning New User Accounts

 

 

Naming Conventions

 

The naming conventions establishes how users are identified in a domain.

 

• Logon name must be unique.
• Logon name, 20 characters maximum.
• Avoid invalid characters “ /\[]:;|=,+*?<>
• Accommodate users with same name JohnS & JohnSm
• Identify special users, for example TEMP.

 

 

Password Consideration

 

• Always assign passwords
• Passwords are case-sensitive.
• Use hard to guess passwords
• Passwords can be up to 127 characters, a min of 8.
• Use Upper and Lower case to make them more complicated.

 

 

 

 

=======================================================================

 

winpro10.html                                                 PAGE 4                                                        2001/12/07

 

 

 

Lesson Summary:

 

Domain user accounts can be up to 20 characters, and unique within the OU.

Make up guidelines and standards before, do not implement as you go, not very professional.

 

 

Lesson 3: Creating User Accounts

 

The Computer Management snap-in is the tool you use to create local user accounts:

 

Start/Programs/Administrative Tools/computer Management/in the Console panel, click

Local Users and Groups.

 

Right Click Users and click New User.

 

 

 

Local User Account Options

 

=====================================================================

Option                         Description

=====================================================================

User Name                 Required field.

 

Full Name                   You can have the last name and the middle name too.

 

Description                 Optional field, describes the user.

 

Password                    The password that is used to authenticate the user.

 

Confirm Password      Type a second time to confirm.

 

User Must change     When the user logs on at the first time, they will be

Password at Next       prompted to enter their own password.

Logon                          By default this check box is selected.

 

User Cannot               Select this box if you have more than one person using

Change password       the same user account (such as Guest) or to maintain

                                    Control over user account passwords.

 

Password Never         Select the check box if you never want the password to

Expires                       expire, for example the user account that will be used by

                                    A program or a Windows 2000 Service.

 

 

Account is Disabled               Prevents use of this user account for example, for a

                                                New employee who hasn’t started yet.

 

 

=======================================================================

 

winpro10.html                                                 PAGE 5                                                        2001/12/07

 

 

 

Local User Account Options

 

 

NOTE:  Always require new users to change their passwords the first time they log on.  This will

 

 

 

Lesson Summary:

 

1)         Computer Management snap-in is used to create a new local user account.  When you create

a local user account, it is only created in the local security database of that computer.

 

2)         You can also configure password options such as whether users must change their passwords

at the next logon,  whether users can ever change their passwords, and whether the passwords

expire.

 

 

Lesson 4:  Setting Properties for User Accounts

 

A set of default properties is associated with each local user account that you create.  After you create

a local user account, you can configure these account properties.  The user’s Properties dialog box has

three tabs that contain information about each user account:  The General tab, the Member of Tab and

the Profile tab.

 

General Tab

 

Allows you to set or edit all the fields from the New User dialog box, except for User Name, Password,

and Confirm Password.  It also provides one additional check box, Account is disabled.

 

You can select the Account is Locked Out check box because it is unavailable when the account is

active and not locked out of the system.

 

 

 

 

=======================================================================

 

winpro10.html                                                 PAGE 6                                                        2001/12/07

 

 

 

 

Member of Tab

 

Allows you to add the user account or remove the user account from a group.

 

 

Profile Tab

 

Allows you to select a path for the user profile, logon script, and home folder.

 

 

User Profile

 

A user profile is a collection of folders and data that stores the user’s current desktop environment

and application settings, as well as personal data.  A user profile also contains all of the network

connections that are established when a user logs on to a computer, such as Start-menu items and

mapped drives to network servers.

 

 

Windows 2000 creates a user profile the first time a user logs on at a computer.  After the user

logs on for the first time, Windows 2000 stores the user profile on that computer.  The user profile

is also known as the local user profile.

 

User profiles operate in the following manner:

 

 

•   When a user logs on to a client computer running Windows 2000, the user always

 receives his or her individual desktop settings and connection, regardless of how

many users share the same client computer.

•   The first time the user logs onto a Windows 2000 computer, a default user profile

is created.

•   A user profile contains the My Documents folder, which provides a place for

users to store personal files.  My documents, Windows 2000 creates a My

Documents icon on the user’s desktop.

•   A user can change his or her own profile by changing desktop settings.

 

 

By opening the System/Control Panel/ User Profiles tab, an administrator can easily copy, delete,

or change the type of a user profile.  A hidden file called ntuser.dat contains the section of the

Windows 2000 system settings that applies to the individual user account and contains the user

environment settings.

 

 

=======================================================================

 

winpro10.html                                                 PAGE 7                                                        2001/12/07

 

 

 

 

A roaming user profile is especially helpful in a domain environment, because it follows the user

around, setting up the same desktop environment for the user no matter what computer the user

logs on to in the domain.

 

Mandatory user profile, which is a read only roaming profile.  You can create a mandatory user

profile for a specific user to be used with a group of users.   You make the profile a mandatory

roaming user profile by changing its name to ntuser.man.  You can then copy this file to apply the

mandatory user profile to any other user or group.

 

 

Home folder

 

In addition to the My Documents folder, Windows 2000 provides you with the means to create

another location for users to store their personal documents.  You can user the %username% to

accomplish this.

 

 

Lesson Summary

 

1)         A set of default properties is associated with each local user account that you create.

2)         These properties include whether users can change their own passwords, whether users are

 required to change their password at the next logon, and whether  the account is disabled.