CHAPTER 4
ADMINISTERING USER AND GROUP ACCOUNTS
Lesson 1: Introduction to Administering Accounts ........ 131
Lesson 2: Implementing an Account Policy ................ 139
Lesson 3: Modifying Multiple User Accounts .............. 150
Lesson 4: Maintaining Domain Controllers ................ 153
Lesson 5: Troubleshooting Logon Problems ................ 164
Lesson 1: Introduction to Administering Accounts
There are several tools and practices an administrator can use to administer a network efficiently:
Creating Templates. Creating templates for adding new user accounts streamlines the work.
Modifying Accounts. Making changes to multiple user accounts at one time lightens the load.
Planning Policies. Planning and implementing an account policy helps to keep the network secure.
Maintaining Domain Controllers. This ensures that user accounts can always be successfully validated.
Troubleshooting. Solving problems associated with user accounts ensures that users can log on.
Distributing Administrative Tasks
To distribute some of the administrative tasks, you can grant administrative privileges to a user account
by adding the user to one of the following groups:
Administrators. Members have full administrative capabilities. They are responsible for planning
and maintaining network security.
Account Operators. Members can create, delete, and modify user accounts, global groups
and local groups, and they can set account policies.
List the inherent rights given to the Account Operators group. They are:
======================================================================
wntadm4.html PAGE 2 2001/10/27
Using Templates:
A user account template is a standard user account that you create with the properties that apply to
users who have common needs. User account templates are useful administrative tools for
creating new user accounts. For example, if all sales personnel require membership in the Sales
group, you can create a template that includes membership in that group.
Sales Template                          User7 (created by copying the template)
Description = Sales Personnel           Description = Sales Personnel
Password never expires                  Password never expires
Home Directory = %username%   --COPY--> Home Directory = User7
Member of the Sales Group               Member of the Sales Group
Here are some suggestions for creating templates:
Make a template for each classification of employee, such as sales, accountants, managers
and so on. If you commonly have short-term or temporary network users, create a template
with limited logon hours, workstation restrictions and any other necessary restrictions.
Use an underscore (_) at the beginning of the template name, for example _Sales Template.
Templates named this way sort to the top of the list when displayed on the screen, which makes
them easy to pick out.
NOTE: Rights and permissions granted to an individual user account are not copied to accounts
created from it; only the account properties shown above are copied.
To create a user account using a template:
To determine which account options are copied:
In the User Manager window, double-click the user account that you created using the night
shift employee template. Compare the following account options with those in the template
account. In the following list, mark the check boxes next to the options that were copied:
Lesson 2: Implementing an Account Policy
The account policy determines how passwords must be used by all user accounts on a computer or
in a domain, and also determines the account lockout policy.
Setting an Account Policy
The account policy sets the requirements for:
Changes that you make to the account policy go into effect for users at one of the following two times:
password length does not apply to existing passwords, but it will apply the next time a user
changes his or her password.
Planning an Account Policy:
more difficult it is to guess.
user after five failed logon attempts.
out a user account after three failed logon attempts.
an unauthorized person gaining access to the network.
hours.
Setting Password Options
The password options are set once, on the Account Policy screen, and apply to every user who logs on.
There is no separate screen for each user; that would be far too much work to set up and maintain.
======================================================================
Option                    Description
======================================================================
Maximum Password Age      The period of time that a password can be used before
                          the user is required to change it. Range 1-999 days
                          (default 42).
Minimum Password Age      The period of time that a password must be kept before
                          the user can change it. Range 1-999 days (default:
                          allow changes immediately).
Minimum Password Length   Range 1-14 characters (default = 8 characters).
Password Uniqueness       The number of new passwords that must be used by a
                          user before an old password can be reused. Range
                          1-24 passwords (default = do not keep password
                          history).
Users must log on in      If selected, users cannot change their own expired
order to change password  passwords. If cleared, users can change their own
                          expired passwords.
======================================================================
Important: If the Password Never Expires check box is selected in the New User or User Properties
dialog box for an individual user account, that setting overrides the Maximum Password Age setting.
Account Lockout Options:
======================================================================
Option                    Description
======================================================================
Account Lockout           If you click Account Lockout, the next three options
                          become available.
Lockout After             The number of incorrect logon attempts that will cause
                          the account to be locked. (range 1-999)
Reset Count After         The maximum number of minutes that can elapse between
                          any two bad logon attempts before lockout occurs; if
                          more time passes, the count of bad attempts starts over.
Lockout Duration          Forever option: causes locked accounts to remain
                          locked until an administrator unlocks them.
                          Duration option: causes the account to remain locked
                          for the specified number of minutes.
                          (range 1-99,999 minutes)
Forcibly disconnect       If selected, the user is disconnected from any server
remote users from         in the domain when logon hours expire.
server when logon         If cleared, the user account is not automatically
hours expire              disconnected, but no new connections are allowed.
======================================================================
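The three lockout options interact in ways that are easier to see in a model than in the table. The following Python simulation is an added example, not part of the original course material or of Windows NT itself; it models one account's bad-password counter under the Lockout After, Reset Count After and Lockout Duration (or Forever) settings, using constructed policy values and a constructed sequence of logon attempts.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class LockoutPolicy:
    """Mirrors the three Account Lockout options (values here are constructed examples)."""
    lockout_after: int                 # bad attempts before the account locks (range 1-999)
    reset_count_after: int             # minutes allowed between two bad attempts before the count resets
    lockout_duration: Optional[int]    # minutes the lock lasts; None models the "Forever" option

@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[int] = None     # minute of the most recent bad attempt
    locked_at: Optional[int] = None    # minute the account was locked, or None if not locked

def admin_unlock(state: AccountState) -> None:
    """An administrator clearing the lock in User Manager: all counters start fresh."""
    state.bad_count, state.last_bad, state.locked_at = 0, None, None

def attempt(policy: LockoutPolicy, state: AccountState, minute: int, password_ok: bool) -> str:
    """Process one logon attempt at the given minute; return 'ok', 'bad' or 'locked'."""
    if state.locked_at is not None:
        if policy.lockout_duration is None or minute - state.locked_at < policy.lockout_duration:
            return "locked"            # even a correct password is refused while locked
        admin_unlock(state)            # Duration has expired: the lock lifts automatically
    # Reset Count After: a gap longer than the window forgets the earlier bad attempts
    if state.last_bad is not None and minute - state.last_bad > policy.reset_count_after:
        state.bad_count = 0
    if password_ok:
        state.bad_count, state.last_bad = 0, None
        return "ok"
    state.bad_count += 1
    state.last_bad = minute
    if state.bad_count >= policy.lockout_after:
        state.locked_at = minute
        return "locked"
    return "bad"

def simulate(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Run a sequence of (minute, password_ok) attempts against a fresh account."""
    state = AccountState()
    return [attempt(policy, state, m, ok) for m, ok in attempts]

# Constructed sample policy: five bad attempts within 30 minutes lock the account for 30 minutes
POLICY = LockoutPolicy(lockout_after=5, reset_count_after=30, lockout_duration=30)
ATTEMPTS = [(0, False), (1, False), (2, False), (40, False), (41, False),
            (42, False), (43, False), (44, False), (50, True), (75, True)]

if __name__ == "__main__":
    for (minute, ok), result in zip(ATTEMPTS, simulate(POLICY, ATTEMPTS)):
        print(f"minute {minute:3d} {'good' if ok else 'bad '} password -> {result}")
```

Note that the three bad attempts at minutes 0-2 are forgotten once the 38-minute gap exceeds Reset Count After, so the lock only occurs at the fifth consecutive attempt inside the window, and a correct password at minute 50 is still refused.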
Lesson 3: Modifying Multiple User Accounts
Windows NT provides a shortcut for making modifications to multiple user accounts at one time.
This is especially useful for moving user home folders to a different server or volume.
You can modify multiple user accounts at one time by selecting the accounts and then changing
their properties together. Use this procedure when you need to modify multiple user accounts in the
same manner, for example to move home folders to another server or volume, or to set the logon
hours for 100 users.
In User Manager for Domains, hold down the Shift key while highlighting the user accounts, then
open the properties and apply the changes.
Lesson 4: Maintaining Domain Controllers
Maintaining domain controllers means making sure that the primary domain controller (PDC) is always
online and that all copies of the directory database are current.
Every domain has exactly one PDC. The PDC maintains the master copy of the domain's directory
database, and that database is automatically replicated to all the BDCs in the domain every five
minutes.
If the PDC goes offline for any reason, users can still log on and be validated by a BDC, but you can
no longer administer accounts. You therefore need to perform a series of tasks to be sure that your
security accounts database is maintained while the PDC is down.
Server Manager
Server Manager is a Windows NT Server tool that you can use to maintain domain controllers. Using Server
Manager, you can promote a backup domain controller to become the primary domain controller,
synchronize servers with the PDC, and add computers to and remove computers from the domain.
Start/Programs/Administrative Tools/Server Manager.
When the PDC Needs to be Taken Offline
You need to do the following to demote the PDC:
a BDC. When you promote a BDC, an up-to-date copy of the domain directory database is
replicated from the old PDC to the new one. The original PDC is automatically demoted
to a BDC.
temporary PDC to demote itself to a BDC.
When a PDC Goes Offline Unexpectedly
This will force the temporary PDC to become the PDC.
Restoring the Original Domain Controller Roles
If your PDC goes offline and you promote a BDC to be the PDC, you may want to restore the original
PDC to its role later. To do this, you will need to demote the current PDC.
You can also promote a BDC to a PDC after the PDC has gone offline, but the PDC will not
automatically be demoted. Also, because the PDC is offline, no automatic replication of the
accounts database can occur between the two PDCs.
When the original PDC is brought back online, there is already a PDC in the domain, so its Net Logon
service will fail to start. You will need to restore the original PDC.
If any administration, such as adding user accounts or changing passwords was done while the
original PDC was down, this automatic synchronization of the directory database ensures that these
changes are not lost.
Synchronizing Domain Controllers
Synchronizing domain controllers ensures that all directory databases in the domain are up to date. By
default, Windows NT synchronizes domain controllers every few minutes. You may want to synchronize
domain controllers manually after you make changes to the accounts database, to apply the changes
immediately.
Why you would manually synchronize the BDC and the PDC:
The greater the number of BDCs, the longer it takes to synchronize them. You can manually synchronize
the domain's directory database immediately.
for new passwords to be distributed automatically to all the BDCs in a large domain.
To Synchronize a BDC with a PDC:
NOTE: If there are multiple BDCs in the domain, you can synchronize all of them
by clicking Synchronize Entire Domain.
Verifying the Synchronization
You can determine if a Synchronization is successful by using Event Viewer to view the system log for
Net Logon events.
NOTE: The Server Manager Simulation does not generate any system log events, so you will not be
able to view the Net Logon service events resulting from the previous procedures.
About Windows NT Services
Most of the functionality of Windows NT is implemented as services. For example, the Workstation
service must be running before you can connect to resources on other computers; the Server service
must be running before you can share resources. On domain controllers, the Net Logon service must be
running before user logon attempts can be validated.
Some services depend on other services. For example, the Server service must be started before
the Net Logon service can start.
You can determine which services are running by typing Net Start at a command prompt, by
starting the Services program in Control Panel, or in Server Manager by clicking Services on the
Computer menu.