CHAPTER 2
SETTING UP USER ACCOUNTS
Lesson 1: Introduction to User Accounts ........ 36
Lesson 2: Planning New User Accounts ........... 40
Lesson 3: Creating User Accounts ............... 48
Lesson 4: Creating User Profiles ............... 65
Best Practices ................................. 74
Review ......................................... 75
Lesson 1:
Introduction to User Accounts
Windows NT security is based on the concept of user accounts. A user account is the user's
unique credential that allows the user to access resources. With user accounts, you can control
how a user gains access to the domain or a local computer. For example, you can limit the
number of hours a user can log on to the domain.
Types of User Accounts
There are three types of user accounts. One is the type that you create; the other two are built-in
user accounts that are created automatically when Windows NT Server or Windows NT Workstation
is installed. The two built-in accounts are the Guest account and the Administrator account.
=====================================================================
Account                 Description
=====================================================================
Accounts that you       User accounts can log on to the local domain. User
create                  accounts contain information about the user, including
                        the user's name and password.
Guest                   The built-in Guest account is used to give occasional
                        users the ability to log on and gain access to resources
                        on the local computer.
Administrator           The built-in Administrator account is used to manage the
                        overall computer and domain configuration and resources.
                        This account is used to perform administrative tasks, such
                        as creating or modifying user and group accounts, managing
                        security policies, creating printers, and assigning
                        permissions and rights to user accounts to access
                        resources.
=====================================================================
wntadm2.html PAGE 2 2001/10/22
Where Accounts are Created
The computer's operating system determines the type of accounts that you can create and manage,
as well as the tool that you use to create and manage them:
1) On computers running Windows NT Workstation, the account management tool is User Manager.
It is used to manage accounts of that computer only. Accounts created with User Manager are
local accounts.
2) On computers running Windows NT Server, the account management tool is User Manager for
Domains. It manages accounts on the local domain, on any computer or member server, or on
other domains to which you have access. Accounts created with User Manager for Domains
can be local accounts or domain accounts.
Domain User Account
A domain user account contains information that defines a user to the domain. With a domain user
account, a user can log on to the domain and gain access to domain resources from any computer
on the network using a single user account and password.
A domain user account is always created in User Manager for Domains.
The account is always created in the master directory database on the PDC, or Primary Domain
Controller.
The BDC (Backup Domain Controller) has a copy of the master directory database. The copy is
automatically synchronized every five minutes with the master directory database on the primary
domain controller. The BDC does not just sit idle; it can validate users. The BDC can be prompted
by the PDC. There is usually 1 BDC for every 200 users, but if there are too many BDCs they will
slow down the system. The limit on BDCs is 2000, according to Microsoft.
If you have 1000 users, you may need 5 BDCs. The largest SAM is 40,000, or 40 MB.
NOTE: You can install User Manager for Domains on a computer running Windows NT Workstation
or Windows 95 by installing the Windows NT Server client-based administration tools.
Local User Account
A local user account contains information that defines a user to the local computer. With a local
user account, a user can log on to the computer and access local resources. To access resources on
another computer, the user must have a separate user account on the other computer.
Although User Manager for Domains allows you to create accounts for the domain and for local
computers, User Manager only allows you to create an account for the local computer.
Local user accounts should only be created within a workgroup (see page 38).
Lesson 2:
Planning New User Accounts
Determine the following when setting up New User Accounts:
1) Naming Convention. Use a convention that ensures unique but consistent user account
names.
2) Password requirements. Select your password enforcement options, including whether a user
can, or must change his or her own password.
3) Logon hours. Determine the hours that each user is allowed to log on.
4) Workstation restrictions. Determine the computer names of the Windows NT computers
that the user is permitted to work from. You can limit the choices. By default, the user
can use any workstation.
5) Home folder location. Determine the location of home folders, on the local computer or on a
server for centralized backup and administration.
Naming Convention
To decide on your naming convention, consider the following:
· Account names must be unique to the local computer.
· Special characters: / \ ()?}{*&^%$#@! etc.
· Employees with duplicate names. Two suggestions for handling duplicate names are:
1. Use the first name and the last initial, and then add additional letters from the last name to
accommodate duplicate names. For example, if you have two Eric Langs, use EricL as one and
EricLa as the other.
2. Add numbers to the user name: EricL1 and EricL2.
· Temporary employees can be set up as T-EricL.
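The naming rules above, applied in code: an added example (not from the course notes) in Python that proposes an account name from a first and last name, resolves duplicates either by adding letters from the last name or by numbering, prefixes temporary staff with T-, and enforces the 20-character name limit the notes give later. Treating the listed special characters as a reject set and comparing names case-insensitively are assumptions.

```python
import itertools
from typing import Iterable, Iterator

MAX_NAME_LEN = 20        # the notes give 20 characters as the user-name limit
TEMP_PREFIX = "T-"       # the notes suggest T-EricL for temporary employees
# The "special characters" the notes list under Naming Convention, treated
# here as a reject set (assumption: the notes do not say how to handle them).
SPECIAL_CHARS = set("/\\()?}{*&^%$#@!")


def clean(part: str) -> str:
    """Drop whitespace and the special characters from one name component."""
    return "".join(ch for ch in part if ch not in SPECIAL_CHARS and not ch.isspace())


def candidates(first: str, last: str, strategy: str) -> Iterator[str]:
    """Yield account-name candidates in order of preference.

    "letters": first name + last initial, then more letters of the last name
               (EricL, EricLa, EricLan, ...), falling back to numbers once the
               whole last name has been used.
    "numbers": first name + last initial, then EricL1, EricL2, ... for duplicates.
    """
    first_c, last_c = clean(first), clean(last)
    if not first_c or not last_c:
        raise ValueError("first and last name must each keep at least one character")
    base = first_c + last_c[0]
    if strategy == "letters":
        for n in range(1, len(last_c) + 1):
            yield first_c + last_c[:n]
    elif strategy == "numbers":
        yield base
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    for n in itertools.count(1):          # numbered fallback, never runs out
        yield f"{base}{n}"


def propose_name(first: str, last: str, existing: Iterable[str],
                 strategy: str = "letters", temporary: bool = False) -> str:
    """Return the first candidate that is not already in use.

    Names are compared case-insensitively, because Windows NT treats account
    names as case-insensitive. A candidate longer than MAX_NAME_LEN raises
    ValueError rather than being silently truncated.
    """
    taken = {name.lower() for name in existing}
    for cand in candidates(first, last, strategy):
        name = TEMP_PREFIX + cand if temporary else cand
        if len(name) > MAX_NAME_LEN:
            raise ValueError(f"{name!r} exceeds {MAX_NAME_LEN} characters")
        if name.lower() not in taken:
            return name
    raise AssertionError("unreachable: the numbered sequence is infinite")


if __name__ == "__main__":
    # Constructed roster: two Eric Langs, plus a temporary employee of the same name.
    roster = set()
    for first, last, temp in (("Eric", "Lang", False), ("Eric", "Lang", False),
                              ("Eric", "Lang", True)):
        name = propose_name(first, last, roster, temporary=temp)
        roster.add(name)
        print(name)                       # EricL, EricLa, T-EricL
```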
Password Requirements
The next element in planning new user accounts is identifying the password requirements. Every user
requires a password to protect access to the domain. This is especially important in networks with a
medium to high level of security or in networks that are part of the Internet.
Consider the following guidelines for passwords:
· the account.
· control to administrators.
· time they log on. This way, the account is always protected and only individual
users will know their passwords. This gives control to the user.
· accounts to expire when their contract or work assignment ends.
· hackers. Follow these guidelines:
Logon Hours
By default, users can connect to a server 24/7. In a high-security network, restrict the hours
when a user can log on to the network. You may consider restricting the hours in the following
way:
· network.
· during their working hours.
Workstation Restrictions
By default, any user with a valid account can log on to the network from any computer running
Windows NT. Only let authorized users log on to high-security computers.
Home Folder Location
A home folder is a user's folder for storing files and programs. A home folder is useful because
it provides a central location for a user's files, making it easy to locate files to back up, or to
delete to clean up the hard disk. Each user should be assigned his or her own home folder.
If you create a home folder for a user, the home folder becomes the default folder whenever the
user performs any of the following tasks within Windows NT or a program:
If you do not assign a home folder to a user, the default folder is Users\Default on the local computer.
A home folder can be stored on a network server or on a user's local computer.
Storing Home Folders on a Server
The following are considerations for storing home folders on a server.
· Backup and restore. Preventing the loss of data is your primary responsibility. It is much easier
to ensure files are backed up when they are located in a central location on a server. If users' home
folders are located on their local computers, you would need to perform regular backups on each
computer.
· Space on the server. Is there enough hard disk space on the server to store users' data? Windows
NT does not provide the ability to limit the amount of hard disk space used by each user.
· Security. In any network with sensitive data, it is easier to maintain security on data if it is in a
central location.
· Use of RAS or shared computers. If users connect to the network using RAS, or if they share their
computers, having a home folder on a server makes the users' data available from any location or
computer.
Storing Home Folders on Users' Computers
If it is not important for you to have a central location for maintaining data, you can create a home
folder for each user on his or her local computer. Having a home folder gives the user a familiar and
central place for storing data. The following are considerations for storing home folders on a user's
computer.
· Storing on the users' computers. If users have space on their computers and it is not important to
have centralized backup, locate home folders on users' computers.
· Performance. There is less network traffic if each user's home folder is located on the user's local
computer.
**** Review the scenario, page 44 ****
Lesson 3:
Creating User Accounts
User accounts are created using User Manager or User Manager for Domains. To use either tool,
you must have administrator privileges.
User Manager vs. User Manager for Domains
User Manager and User Manager for Domains are very similar. In User Manager, you create, delete,
or disable local user accounts on the local computer in a workgroup. In User Manager for Domains,
you create, delete, or disable domain user accounts on the primary domain controller (PDC) or local
user accounts on any computer in the domain.
All user account options appear in User Manager, except for Select Domain. The Select Domain
option allows an administrator to select a different domain or computer in which to create or manage
user accounts.
The following table describes the user name and password options in User Manager and User
Manager for Domains.
======================================================================
In this box          Type
======================================================================
Username             A unique name based on your naming convention.
                     This is the only required option.
Full Name            The complete name of the user, to determine which
                     person belongs to an account. This is optional.
Description          A description that is useful for identifying users.
                     It can be a job classification, a department, or an
                     office location. This is optional.
Password             An initial password for the account. In medium-
                     security to high-security networks, you should
                     always assign an initial password to keep the
                     account secure. By default, when the user logs
                     on for the first time, he or she must change the
                     password.
Confirm Password     The password a second time, to make sure that you
                     typed the password correctly. This is required if
                     you assign the password.
======================================================================
Setting Password Options
When you set up a new user, always assign a password and require the user to change it.
========================================================================
Select this check box          If you
========================================================================
User Must Change Password      Want users to change their password the first
At Next Logon (selected by     time they log on. This ensures that the user is
default)                       the only person who knows his or her password.
                               Even if you do not assign an initial password,
                               you should require that users do this.
User Cannot Change Password    Have more than one person using the same
                               account (such as Guest) or want to maintain
                               control over user passwords.
Password Never Expires         Have a user account for which you never
                               want the password to change. For example,
                               user accounts that will be used by Windows
                               NT services (such as the Replicator
                               service).
                               This option overrides the selection of User
                               Must Change Password At Next Logon.
Account Disabled               Want to temporarily prevent use of this
                               account. For example, use it when an
                               employee takes a leave of absence.
========================================================================
Creating a Home Folder
To create home folders for users, you specify the name of the computer where the home folders
will be located and names for the home folders.
· folders. This task only needs to be done once.
· Dialog Box.
If you use %Username% in place of the home folder name, Windows NT
will substitute %Username% with the user account name.
· Home folder automatically when the user logs on.
· Connect Z: To: \\Server\Users\%Username% (see p. 52)
NOTE: In a workgroup, you must specify the home folder for a local user account while sitting at
the local computer. In the Local Path box, enter the local path; for example, type c:\folder_name
and Windows NT creates the folder that you specify.
To create user accounts
In User Manager for Domains, you create the accounts that you planned in the hands-on procedure
in the previous chapter.
1. Log on as Administrator
2. Click the Start button, point to Programs, point to Administrative Tools, and
then click User Manager for Domains.
3. On the User menu, click New User.
The New User dialog box appears.
4. Configure the following options:
User name
Full Name
Description
Password (leave blank)
Confirm Password
5. Select the appropriate password options, and then click Add.
The New User dialog box reappears and is cleared so that you can add
another user.
6. Create the remaining user accounts.
7. When you have created all the accounts on the User Accounts Planning
Worksheet, click Close to return to the User Manager window.
To create a home folder
The User Properties dialog box appears.
The User Environment Profile dialog box appears.
Notice that Z: appears in the Connect Box. This is the drive letter that you will
use to connect the user to the home folder upon logon.
name is the name of your computer).
To Assign home folders to multiple accounts at one time:
Setting Logon Hours
Setting logon hours lets you control when a user can log on to the domain. Restricting logon
hours limits the hours during which users can explore the network, or the times at which someone
can try to break into the network.
NOTE: A user who is connected to a network resource on the domain is not disconnected when
the user's logon hours run out. However, the user will be unable to make any new connections.
To specify Logon Hours
NOTE: It is a good idea to test the logon hours: log on as a user at blacked-out times and see
if you can log on.
Setting Workstation Restrictions
To set workstation restrictions, you can specify up to 8 computer names from which a user can
log on. Setting workstation access allows you to control which computers a user can use to log
on to the domain. This prevents users from accessing another user's local data and can be used
to require users to log on to workstations that are in an observed location.
To specify the workstation from which a user can log on
In User Manager/Properties/ Logon To/Logon Workstation/User may Log on to These Workstations.
In the first box type Temp1/OK/ User Properties/OK.
Log on to your computer as the user account that you created
for the temporary employee.
Testing Restrictions
If prompted, change the password to student.
You were restricted from logging on to the computer, because the temporary employee can only
log on to a computer named Temp1.
Setting Account Options
Account Expires. Use this to set a date when the account will be automatically disabled. To specify
when a user account expires, type the date of expiration. This is useful for temporary accounts for
contractors or part-time employees.
Account Type. Use this to create a local account for a user from an untrusted domain who needs
access to a network resource in your domain. A local account can be used to connect to a resource
over the network. It cannot be used to log on from a computer in the domain where it was created.
You only use the Local Account for users from untrusted domains option under Account Type if you
want to assign permission to a user who has an account in a domain that does not have the
appropriate trust relationship to your domain.
To Set the account Restriction
You can configure a Temporary employee user account to expire in 30 days.
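An added example (not from the notes) that models the three restrictions above as a logon decision in Python: the 168-bit logon-hours bitmap, the list of up to 8 permitted workstations, the Account Expires date, and the Account Disabled flag, plus the note that a connection already open when logon hours run out is kept while new connections are refused. The bit layout of the bitmap (Sunday first, one bit per hour) and the helper names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, Iterable, Optional, Tuple

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
MAX_WORKSTATIONS = 8                   # the notes: up to 8 computer names
ALL_HOURS = bytes([0xFF] * 21)         # the default: may log on 24/7


def logon_hours_bitmap(windows: Iterable[Tuple[str, int, int]]) -> bytes:
    """Build the 168-bit (21-byte) logon-hours bitmap from (day, start, end)
    windows; hours run 0-23 and `end` is exclusive.

    Assumption: bit i covers hour i of the week with Sunday 00:00 as bit 0,
    the layout the SAM uses; the notes only describe the Logon Hours grid.
    """
    bits = bytearray(21)
    for day, start, end in windows:
        if not 0 <= start < end <= 24:
            raise ValueError(f"bad window {day} {start}-{end}")
        for hour in range(start, end):
            i = DAYS.index(day) * 24 + hour
            bits[i // 8] |= 1 << (i % 8)
    return bytes(bits)


def hour_allowed(bitmap: bytes, when: datetime) -> bool:
    """True if the hour containing `when` is set in the bitmap."""
    day = (when.weekday() + 1) % 7     # Python counts Monday=0; shift to Sunday=0
    i = day * 24 + when.hour
    return bool(bitmap[i // 8] & (1 << (i % 8)))


def at(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Convenience helper (hypothetical name) for building timestamps."""
    return datetime(year, month, day, hour)


@dataclass
class AccountRestrictions:
    logon_hours: bytes = ALL_HOURS
    workstations: Tuple[str, ...] = ()  # empty means any workstation (the default)
    expires: Optional[date] = None      # "Account Expires: End of <date>", so that day still counts
    disabled: bool = False

    def __post_init__(self) -> None:
        if len(self.workstations) > MAX_WORKSTATIONS:
            raise ValueError(f"at most {MAX_WORKSTATIONS} workstation names allowed")


def check_new_logon(acct: AccountRestrictions, when: datetime, workstation: str) -> Tuple[bool, str]:
    """Decide whether a NEW logon or connection is allowed; the reason explains a refusal."""
    if acct.disabled:
        return False, "account disabled"
    if acct.expires is not None and when.date() > acct.expires:
        return False, "account expired"
    if acct.workstations and workstation.upper() not in {w.upper() for w in acct.workstations}:
        return False, f"logon from {workstation} not permitted"
    if not hour_allowed(acct.logon_hours, when):
        return False, "outside logon hours"
    return True, "ok"


def evaluate(acct: AccountRestrictions, when: datetime, workstation: str,
             has_session: bool = False) -> Dict[str, object]:
    """Logon-hours semantics from the notes: a connection already open when the
    hours run out is kept, but no new connection can be made."""
    allowed, reason = check_new_logon(acct, when, workstation)
    return {"new_connection": allowed, "reason": reason,
            "existing_session_kept": has_session}


if __name__ == "__main__":
    # Constructed temporary-employee account: weekdays 08:00-18:00, only from
    # Temp1, expiring 30 days after 2001-10-22 (the date on the page).
    temp = AccountRestrictions(
        logon_hours=logon_hours_bitmap((d, 8, 18) for d in DAYS[1:6]),
        workstations=("Temp1",), expires=date(2001, 11, 21))
    print(check_new_logon(temp, at(2001, 10, 22, 9), "TEMP1"))    # (True, 'ok')
    print(evaluate(temp, at(2001, 10, 22, 19), "TEMP1", True))   # session kept, no new connection
```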
Granting Dial-in Permission
Windows NT dial-up networking client software gives a user access to server-based dial-in packages,
such as Windows NT Server Remote Access Service (RAS).
Once the connection is made from the RAS client to the RAS Server, users at remote sites can use the
network as if their computers were directly connected to the network.
You must assign RAS dial-in permissions.
NOTE: The RAS must already be installed and configured on the server, and the client must already
be configured for dial-up networking.
You can specify an option for the RAS server to call the dial-in user back. The RAS server can dial
the number specified by the user so that the company is billed for the call. Or, the RAS server can
dial a number that you specify, which restricts the user to a specific dial-in location.
======================================================================
Option           Description
======================================================================
No Call Back     When selected, the RAS server will not call back the user,
                 and the user will incur the telephone charges for the
                 session. This is the default.
Set By Caller    Lets the user specify a telephone number so that the RAS
                 server can call the user back. This means that the
                 organization that owns the RAS server will incur the
                 telephone charges for the session.
Preset To        Lets you specify a telephone number that the RAS server
                 will use to call back the user. This reduces the risk of an
                 unauthorized person using the user's account, because the
                 user must be at the specified phone number in order to
                 connect to the RAS server. In high-security networks,
                 use this option and restrict users to dialing in from
                 only one telephone number, usually a home number.
======================================================================
To Grant Dial-in Permission
Grant dial-in permission to the Accounting Manager who requires dial-in privileges from home.
· User Manager window/User Properties/Dialin
· Grant Dial-in Permission to user.
· OK
Deleting and Renaming User Accounts
In Windows NT, every account is assigned a unique security identifier (SID) when the account
is first created. A SID is a unique number that identifies the account.
Deleting an account permanently removes the account and the permissions and rights associated
with it. For example, if you create an account, delete it, and then create an account with the
same name, the new account will not have the rights or permissions previously granted to the
old account, because the accounts have different SIDs.
Renaming an account retains the permissions and rights associated with it, because the SID
was not deleted.
=====================================================================
Do this              When
=====================================================================
Rename an account    You want to retain all rights, permissions, and group
                     memberships for the account for a different user. For
                     example, when a new employee replaces another employee,
                     rename the user account and have the new employee
                     change his or her password when he or she first logs on.
Delete an account    The account is no longer needed. When an account
                     is deleted, all of the account information is lost. This
                     information includes account properties, rights,
                     permissions, and group memberships. The Administrator
                     and Guest accounts cannot be deleted.
=====================================================================
To rename a user account
· Create a new user account named Temp2.
· In the User Manager window, select Temp2.
· On the User menu, click Rename.
· In the Change To box, type Temp3, and click OK.
· The User Manager window is updated immediately.
To delete a user account
· In the User Manager window, select Temp3.
· Press the DELETE key
· A message will appear warning you.
· OK
· Click Yes and the user account is deleted.
**** Classroom Notes **** MAY BE ON TEST ****
SAM, or Security Accounts Manager, is a database of security information such as user account names
and passwords, and the security policy settings. For Windows NT Workstation, the directory
database is managed by using User Manager. For a Windows NT Server domain, it is managed
by using User Manager for Domains. Other Windows NT documents may refer to the directory
database as the Security Accounts Manager, or SAM.
The SAM holds logon information. In a peer-to-peer network, each machine has its own SAM.
SID, or Security ID, is a unique name that identifies a logged-on user to the security system.
Security IDs (SIDs) can identify one user or a group of users.
Advantages of Groups on Windows NT:
· File Backup
· Easier to administer
· Work as a partner, must log on
· Multi-task, multithreading
· Internet Explorer, built-in
· Messaging
· Peer Web (see notes)
What is HAL?
HAL is the Hardware Abstraction List. HAL is the program that views all the hardware to
determine the compatibility factor.
For NT or 2000, check that the HAL is compatible with the software.
RAS (Remote Access Server)
RAS is a type of Web server, multiprotocol router, redirector, or shell.
RAS has some limits for dial-in users: a limit of 256 inbound, but each group can be considered
one dial-in, so you can really have 256 inbound groups.
What to think about when creating User Accounts:
· Think about the naming convention
· Password policy (every company requires one)
· Logon hours
· Home folders
· Name: 20 characters
· Rename the Administrator account for security purposes
· Make a dummy Administrator account (use as a back door in case you get locked out)
· Always have a password on the Administrator account, for security purposes, and make it a
complicated one.
Great Windows NT Security Features:
· Can restrict users' access time on the server
· Can disable their account by date, for example for a temp worker.
· Can limit their access to only specified workstations.
NOTE: Roaming profiles use up a lot of space, and therefore a lot of bandwidth.
On a mandatory profile you cannot change anything.
The user environment = the PATH; you can change the default.
Windows NT Server files:
Config.nt versus config.sys
Autoexec.nt versus autoexec.bat
Lesson 4:
Creating User Profiles
User profiles are useful for configuring or managing a user's desktop environment. In Windows
NT, a user's computing environment is determined primarily by the user profile. Windows NT
security requires a user profile for each account that has access to the system.
The user profile contains all user-definable settings for the work environment of a computer
running Windows NT, including display, regional, mouse, and sound settings, and network and
printer connections.
When a user logs on for the first time from a Windows NT-based client, a default user profile is
created for that user. All user-specific settings are automatically saved into the Profiles folder
within the system root folder (typically C:\Winnt\Profiles\user_name).
A user profile can also be customized to restrict what users see in their interface and what tools
they have available to use when they log on. For example, an administrator can remove the
Administrator Tools folder to prevent a user from changing a configuration.
========================================================================
Source                   Parameters saved
========================================================================
Windows NT Explorer      All user-definable settings for Windows NT Explorer.
Taskbar                  All personal program groups and their properties, all
                         program items and their properties, and all Taskbar
                         settings.
Printer Settings         Network printer connections.
Control Panel            All user-defined settings made in Control Panel.
Accessories              All user-specific program settings affecting the
                         user's Windows NT environment, including
                         Calculator, Clock, Notepad, Paint, and HyperTerminal,
                         among others.
Windows NT-based         Any program written specifically for Windows can
Programs                 be designed so that it tracks program settings on a
                         per-user basis. If this information exists, it is saved
                         in the user profile.
Online Help bookmarks    Any bookmarks placed in the Windows NT Help
                         system.
========================================================================
NOTE: User profiles cannot be set for users who log on from LAN Manager, MS-DOS,
Windows for Workgroups, or Windows 3.x clients. For these clients, you can write a logon
script to configure the user's network and printer connections.
Roaming User Profiles
Unlike a default user profile, a roaming user profile provides users with the same working
environment, no matter which Windows NT-based computer a user logs on to. A roaming profile is
stored centrally on a network server rather than on a user's local computer.
There are two types of roaming profiles:
Roaming personal user profile. This is a user profile that a user can change. It is updated to
include any changes made by the user when the user logs off.
Roaming personal user profiles are named Ntuser.dat.
Roaming mandatory user profile. This is a preconfigured user profile that users cannot change.
One mandatory profile can be assigned to many users. This means that by changing one profile,
you can change several desktop environments. You use this type of profile to assign common
settings for all users who require identical desktop configurations, for example bank tellers.
Mandatory user profiles require a .man extension. You can make a personal profile mandatory
by renaming it, for example, Ntuser.man.
Creating Roaming User Profiles:
use the profile. There are no shortcuts for this; you need to do each separately, even if there
are 20 users. Specify the path to the profile for the user account in the User Environment
How to Create a template user profile:
logon box.
Copying the Profile to a Network Server:
Select User Profiles tab, of the System Properties dialog box, and the defaults from the last logon
will appear.
IMPORTANT: If you were to make the Template Profile mandatory, in the Copy Profile To box,
you would type \\student4\profiles (do not specify the user name).
To specify the users who are permitted to use the Profile:
NOTE: If you were to make the Template Profile mandatory, you would rename the Ntuser.dat file
to Ntuser.man. If you did not specify a user name, this file would be located in the Profiles folder.
To delete the Template Profile User Profile:
Specifying the Path to the Roaming Profile:
After you copy the roaming profile to a network server, specify the path to the profile for a user
account in the User Environment Profile dialog box in User
Manager for Domains.
In the User Profile Path, specify the server location of the user profile.
· profiles folder. %username%
· Profiles folder, and the actual profile name. For example: \\Server1\Profiles\Ntuser.man
To specify a path to the roaming profile:
To test the roaming profile:
To test the roaming profile from another computer:
To determine that type of profile assigned to a user: