CHAPTER 4

      ADMINISTERING USER AND GROUP ACCOUNTS

 

 

Lesson 1:  Introduction to Administering Accounts ………………..                      131

Lesson 2:  Implementing an Account Policy ………………………..                      139

Lesson 3:  Modifying Multiple User Accounts……………………..                      150

Lesson 4:  Maintaining Domain Controllers………………………..                      153

Lesson 5:  Troubleshooting Logon Problems ……………………….                     164

 

 

Lesson 1: Introduction to Administering Accounts

 

There are several tools available that an administrator can use in efficiently administering a

network:

 

Creating Template.    Creating templates for adding new user accounts streamlines the work.

Modifying Accounts.  Making changes to multiple user accounts at one time, lightens the load.

Planning Policies.  Planning an implementing and account policy helps to keep the network secure.

Maintaining Domain Controllers.  This means that user accounts can always be successfully validated.

Troubleshooting.  Solving problems associated with user accounts ensures that user can log on.

 

 

Distributing Administrative Tasks

 

To distribute some of administrative tasks, you can grant administrative privileges to a user account

by adding the user to one of the following groups”

 

Administrators.  Members have full administrative capabilities.  They are responsible for planning

and maintaining network security.

Account Operators. These members can create, delete, and modify user accounts, global groups

and local groups and they can set account policies.

 

 

List the Inherent rights given to the Account Operator.  They are:

 

• Log on locally
• Shut Down the system.

 

 

 

======================================================================

 

wntadm4.html                                                PAGE 2                                                      2001/10/27

 

 

 

Using Templates:

 

A user account template is a standard user account that you create with the properties that apply to

users who have common needs.  User account templates are useful administrative tools for

creating new user accounts.  For example, if all sales personnel require membership in the Sales

group, you can create a template that includes membership to that group.

 

 

 

Sales Template                                              User 7

 

Description = Sales Personnel                    Description = Sales Personnel

 

Password never expires                                Password Never expires

                                              COPY

Home Directory = %username%                Home Directory = User7

 

Member of the Sales Group                         Member of the Sales Group

 

 

Here are some suggestions for creating templates:

 

Make a template for each classification of employee, such as sales, accountants, managers

and so on.  If you commonly have short-term or temporary network users, create a template

with limited logon hours, workstation specifications and other necessary restrictions.

Use an _ at the beginning of the template name, for example _Sales Template

This way when they are displayed on the screen they will be sorted at the top, they

are easy to pick out, this way.

 

NOTE:  Rights and permissions granted to an individual user account are not copied.

 

 

To create a user account using a template:

 

1. In the User Manager window, under Username, select one of your templates.
2. On the User menu, click copy.
3. Type the Username, Full name, and Password for the user, and then click. Add.
4. Repeat this procedure using the other template that you created.

 

 

 

 

 

======================================================================

 

wntadm4.html                                                PAGE 3                                                      2001/10/27

 

 

 

To determine which account options are copied:

 

In the User Manager window, double-click the user account that you created using the night

shift employee template.  Compare the following account options with those in the template

account.  In the following list, mark the check boxes next to those options that were copied:

 

• Username
• Full Name
• Password and Confirm Password
• Account Disabled

 

 

Lesson 2:  Implementing and Account Policy

 

The account policy determines how passwords must be used by all user accounts for a computer or

domain and also determines the account lockout policy. 

 

 

Setting an Account Policy

 

The account policy sets the requirements for:

 

• Password minimum and maximum ages
• Password minimum length
• Password uniqueness
• Account lockout options

 

Changes that you make to the account policy go into effect for users at one of the following two times:

 

•  The next time the user logs on.
•  The next time the user makes a change covered by the policy.  For example, the minimum

password length does not apply to existing passwords, but it will apply the next time a user

changes his or her password.

 

Planning an Account Policy:

 

•  Never allow blank passwords
•  Require a minimum length for all passwords.  The long the password, the

more difficult it is to guess.

•  Medium security requires 6-8 characters, 45-90 days, 8-12 different passwords, lock out a 

user after five failed logon attempts.

•  High security requires 8-14 characters, 14-45 days, 12-24 different passwords, lock

out a user account after three failed logon attempts.

 

 

 

======================================================================

 

wntadm4.html                                                PAGE 4                                                     2001/10/27

 

 

•  Users change the passwords frequently.
•  Encourage different passwords each time, and do not toggle between passwords.
•  Lock out accounts after multiple failed logon attempts.  This reduces the change of

an unauthorized person gaining access to the network.

•  Require all locked out accounts to be unlocked by the Administrator.
•  Require all users with restricted logon hours are disconnected from the network during off

hours. 

•  This will prevent the users from dialing in to the network.

 

 

Setting Password Options

 

Account Policy screen is set and it is applied to all the users, that log on.  You do not have a special

screen for each user, this would be too much work to set up etc.

 

======================================================================

Option                         Description

======================================================================

 

Maximum                   The period of time that a password can be used before the

Password Age             user is required to change it.  1-999 days (default 42)

 

Minimum                    The period of time that a password must be kept before the

Password Age             user changes it.  1-999 days (default allow changes

                                    Immediately.

 

Minimum                    Range 1-14 characters (default = 8 characters)

Password Length

 

Password                    The number of new passwords that must be used by a

Uniqueness                 user before the old password can be reused.  Range

                                    1-24 passwords. (default = Do not keep password

                                    history.

 

Users must log on      If selected, users cannot change their own expired passwords.

in order to change      If cleared, users can change their own expired passwords.

password

 

======================================================================

 

 

Important:  If the Password Never Expires check box is selected in the New User or User Properties

dialog box for an individual user account, that setting overrides the Maximum Password Age setting.

 

 

 

======================================================================

 

wntadm4.html                                                PAGE 5                                                      2001/10/27

 

 

Account Lockout Options:

 

=======================================================================

Option                         Description

=====================================================================

Account Lockout                    If you click Account Lockout, the next three options are

                                                Available.

Lockout After                         The number of incorrect logon attempts that will 

                                                The account to locked.  (range 1-999)

Reset Count After                 This is the max. number of minutes that can elapse

                                                between any two bad logon attempts before lockout

                                                Occurs.

Lockout Duration                   Forever option:  causes locked accounts to remain

                                                Locked until an administrator unlocks them.

                                                Duration:  causes the account to remain locked for the

                                                Specified number of minutes. (range 1-99,999 minutes)

Forcibly disconnect                If selected the user is disconnected from any server in

Remote users from                the domain.

Server when logon hours       If cleared, the user account is not automatically dis-

Expire.                                    Connected, but no new connections are allowed.

 

====================================================================

 

 

Lesson 3:  Modifying Multiple User Accounts

 

 

Windows NT provides a shortcut for making modifications to multiple user accounts at one time. 

This is especially useful for moving user home folders to a different server or volume.

 

You can easily modify multiple users accounts at one time by selecting multiple user accounts and then

modifying the properties.  Use this procedure when you need to modify multiple user accounts in the

same manner, when you need to move home folders to another server or volume, or set the login

hours for 100 users.

 

This is done in User Manager for Domains by highlighting the user with the Shift key and then

applying the properties.

 

 

 

  

Lesson 4:  Maintaining Domain Controllers

 

Maintaining Domain Controllers means making sure that the primary domain controller or PDC is always

online and that all copies of the directory database are current.

 

 

======================================================================

 

wntadm4.html                                                PAGE 6                                                     2001/10/27

 

 

If your PCD goes offline for any reason, you need to perform a series of tasks to be sure that your security

account database is maintained.   The PDC maintains the master copy of the domain’s directory

database.

 

If the PDC goes offline, users can still log on, but you can no longer administer accounts.  Maintaining domain

controllers means making sure that a primary domain controller (PDC) is always online and that all copies

of the directory database are current.

 

Every domain has only one PDC. The PDC maintains the master copy of the domain’s directory database.  The

directory database is automatically replicated to all the BDC in the domain every five minutes.

 

If the PDC goes offline for any reason, users will still be able to log on and be validated by the BDC.  But you will

no longer be able to do any account administration.

 

 

Server Manager

 

Server Manager is a Windows NT Server tool that you can use to maintain domain controllers.  Using Server

Manager, you can promote a backup domain controller to become the primary domain controller,

synchronize servers with the PDC, and add computers to and remove computers from the domain.

Start/Programs/Administrative Tools/Server Manager. 

 

 

When the PDC Needs to be taken Offline

 

You need to do the following to demote the PDC:

 

•   Promote the BDC to take the place of the PDC while its offline.  This will force the PDC to become

a BDC.  When you promote a BDC, and up-to-date copy of the domain directory database is

replicated from the old PDC to the new one.  The original PDC is automatically demoted

to a BDC.

•  When the original PDC is brought back online, promote it back to a PDC, which forces the

temporary PDC to demote itself to a BDC.

 

 

When a PDC goes Offline Unexpectedly

 

•  Promote a PDC to take the place of the PDC
•   Once the original PDC is fixed and brought back online, demote it to a BDC.

This will force the temporary PDC to become a PDC

•   Promote the original PDC again.

 

 

 

======================================================================

 

wntadm4.html                                                PAGE 7                                                      2001/10/27

 

 

 

Restoring the Original Domain Controller Roles

 

If your PDC goes offline and you promote a BDC to be the PDC you may want to restore the original

PDC.  To do this, you will need to demote the current PDC.

 

You can also promote a BDC to a PDC after the PDC has gone offline, but the PDC will not

automatically be demoted.  Also, because the PDC is offline, no automatic replication of the

accounts database can occur between the two PDCs.

 

When the original PDC is brought back online, there is already a PDC in the domain, so its Net Logon

service will fail to start.  You will need to restore the original PDC.

 

If any administration, such as adding user accounts or changing passwords was done while the

original PDC was down, this automatic synchronization of the directory database ensures that these

changes are not lost.

 

 

Synchronizing Domain Controllers

 

Synchronizing Domain Controllers ensures that all directory databases in the domain are up-to-date.  By

default, Windows NT synchronized domain controllers every few minutes.  You may want to synchronize

domain controllers manually after you make changes to account database, to apply the changes

immediately.

 

 

Why you would manually synchronize the BDC and the PDC:?

 

The greater the number of BDCs the longer it takes to synchronize them.  You can manually synchronize

domain’s directory database immediately.

 

•  To apply changes made to the domain’s directory database immediately.
•  To solve problems related to password mismatches.  If users change their passwords, it takes time

for new passwords to be distributed automatically to all the BDCs in a large domain.

 

 

To Synchronize a BDC with a PDC:

 

1. In the Server Manager simulation, click synchronizing domain controllers.
2. Select BDC/computer/synchronize with PDC, (message a few minutes).

 

NOTE:  If there are multiple BDCs in the domain, you can synchronize all of them

              by clicking Synchronize Entire Domain.

3. Yes
4. OK
5. Computer/Exit
6. Exit

 

 

======================================================================

 

wntadm4.html                                                PAGE 8                                                      2001/10/27

 

 

Verifying the Synchronization

 

You can determine if a Synchronization is successful by using Event Viewer to view the system log for

Net Logon events.

 

NOTE:  The Server Manager Simulation does not generate any system log events, so you will not be

able to view the Net Logon service events resulting from the previous procedures.

 

 

About Windows NT Services

 

Most of functionality of Windows NT is implemented as a service.  For example, the Workstation

service must be running before you can connect to resources on other computers; the Server service

must be running before you can share resources.  On domain controllers, the Net Logon service must be

running before user logon attempts can be validated.

 

Some services are dependent on other services.  For example, the Server service must be started before

the Net Logon service can start.

 

You can determine which services are running by typing Net Start from a command prompt, by

starting the Services program in Control Panel, or in Server manager by clicking Services on the

Computer menu.