Module 2: Setting up User Accounts
There are two types of user accounts:
- User-created accounts
- Built-in accounts: Guest and Administrator
  - The Guest account is disabled by default.
  - This account gives the user the ability to log on and access resources on the local computer.
Where accounts are created:
- In the master directory database on the PDC in a domain:
  - With User Manager for Domains. Once the account is created on the PDC, the user can log on to the domain from any computer in the network.
  - To manually synchronize the database on all domain controllers, use Server Manager, or at a command prompt type net accounts /sync.
  - A copy of the directory database is stored on all BDCs.
- In the local directory database on the local computer:
  - Local user accounts are created on a member server or a computer running Windows NT Workstation, with User Manager. The account is a local account and exists only in the LOCAL directory database.
Note: Installing the Windows NT Server administrative tools from the Windows NT Server CD-ROM on an NT Workstation or a Windows 95 client enables you to create user accounts with User Manager for Domains.
Planning New User Accounts
Account Naming Conventions
- User account names must be unique. They can contain up to 20 characters and must not contain any of the following characters:
  < > / \ [ ] ; : = + , . | ? *
- Domain account names must be unique to the domain.
- Local account names must be unique to the computer.
- Suggestion: use only letters (A-Z), digits (0-9) and the underscore to be safe.
- A home folder is a user's private folder for storing files. It is used as the default folder for the File Open and Save As dialog boxes, when the command prompt is started, and for opening or saving a file in programs that do not supply a default working folder. The home folder can be stored locally or on a network server. A few considerations for the location are:
  - Backup and restore: better on the server.
  - Space on the domain controllers: NT doesn't limit space for users' home folders, so watch out!
  - Space on the user's computer: if it's there it will take pressure off the server, but what about backups?
  - Performance: less network traffic if the home folder is on the client computer.
NOTE: To assign home folders to multiple accounts at one time using the %username% variable, in the User Manager for Domains window select all the accounts you need. Then on the User menu click Properties to open the user dialog box.
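The naming conventions above are easy to check mechanically before an account is created. The following checker is an added example, not code from the original notes: the forbidden-character set, the 20-character limit and the "letters, digits, underscore" advice come from the notes; the uniqueness scopes (one domain, one local computer) model the two directory databases described earlier, and names are compared case-insensitively, as Windows NT does. The sample names in the main block are constructed.

```python
# Added example (not from the original notes): a checker for the account naming
# conventions above. Forbidden characters, the 20-character limit and the
# 'letters, digits, underscore' advice are taken from the notes; names are
# compared case-insensitively, as Windows NT does.
from dataclasses import dataclass, field

FORBIDDEN_CHARS = set('<>/\\[];:=+,.|?*')
MAX_NAME_LENGTH = 20
SAFE_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")


def check_account_name(name: str) -> list:
    """Return the list of problems with a proposed account name ([] means acceptable)."""
    problems = []
    if not name.strip():
        problems.append("name is empty")
    if len(name) > MAX_NAME_LENGTH:
        problems.append(f"longer than {MAX_NAME_LENGTH} characters")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("contains forbidden characters: " + " ".join(bad))
    return problems


def is_conservative_name(name: str) -> bool:
    """The notes' 'to be safe' advice: only letters, digits and the underscore."""
    return bool(name) and set(name) <= SAFE_CHARS


@dataclass
class AccountScope:
    """The namespace in which names must be unique: one domain or one local computer."""
    kind: str                                  # "domain" or "local"
    label: str                                 # domain name or computer name
    names: set = field(default_factory=set)    # existing names, stored upper-cased

    def add(self, name: str) -> list:
        """Validate a name against the conventions and this scope; register it if clean."""
        problems = check_account_name(name)
        if name.upper() in self.names:
            problems.append(f"not unique in {self.kind} {self.label}")
        if not problems:
            self.names.add(name.upper())
        return problems


if __name__ == "__main__":
    # Constructed sample: a domain and one member workstation
    corp = AccountScope("domain", "CORP")
    ws01 = AccountScope("local", "WS01")
    for candidate in ("jsmith", "JSmith", "sales/temp", "a_very_long_account_name_here"):
        print(candidate, "->", corp.add(candidate) or "added to CORP")
    # The same name is allowed again on a workstation: local names are unique per computer
    print("jsmith on WS01 ->", ws01.add("jsmith") or "added (unique per computer)")
```

Running the block shows "JSmith" rejected as a duplicate of "jsmith" in the domain, while the same name is accepted in the local scope of WS01, which is exactly the difference between domain and local uniqueness the notes describe.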
Creating User Accounts
- When creating a new user with User Manager for Domains, the "User must change password at next logon" checkbox is marked by default.
- The "Password never expires" option overrules "User must change password at next logon".
- Difference between:
  - Account Disabled --> the administrator locks someone out
  - Account Locked Out --> the system locks you out (e.g. after too many password attempts)
- When to use "User Cannot Change Password"?
  - when more than one person uses the account ("Guest", for example)
  - when the administrator maintains control over user passwords
- When to use "Password Never Expires"?
  - when you have an account used by services to log on, such as the Replicator service
- Use the Account button to:
  - enter an account expiry date
  - choose the account type
  - create a Local Account for a user from an untrusted domain who needs access to a resource in your domain
- MORE ON LOCAL ACCOUNTS: Local accounts can access resources on computers running NT Workstation or Server over the network, and can be granted access privileges and user rights. BUT local accounts cannot be used to log on interactively. Local accounts created in one domain can't be used in trusting domains and don't appear in the Add Users and Groups dialog boxes of the trusting domains.
- A user who is connected to a network resource on the domain is NOT disconnected when the user's logon hours run out; the user just cannot make any new connections.
- To limit the user to certain workstations, enter the workstation names in the Logon Workstations dialog box (a maximum of 8 can be entered).
- By default each new user account can access all computers in the domain.
Passwords, Logon Hours, Workstation Restrictions
Guidelines
- Always assign a password to the Administrator account.
- Who controls the password, the administrator or the user? On most networks, the user.
- Set the password to expire on temporary employee accounts (when the employee's contract ends).
- Passwords can be up to 14 characters in length.
The Screens
- The Groups button brings up the Group Membership dialog box.
- The Profile button brings up the User Environment Profile dialog box.
- The Hours button brings up the Logon Hours dialog box.
- The Logon To button brings up the Logon Workstations dialog box.
- The Account button brings up the Account Information dialog box.
- The Dialin button brings up the Dialin Information dialog box.
Deleting or Renaming an Account
- Delete an account when it is no longer needed.
- Rename an account when you want to retain all its rights, permissions, and group memberships for a different user.
Granting Dial-In Permission
- Before a user can log on to the network using RAS, they must have dial-in permission assigned to their user name (in the New User dialog box, click Dialin). The three dial-in options are:
  - No callback
  - Set by caller
    - the user specifies a number; the RAS server calls back and incurs the cost
  - Preset to
    - specifies the phone number to call back
    - this reduces the risk of an unauthorized person calling in, because the user must be at the specified number
- The Administrator and Guest accounts cannot be deleted.
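The account options from the "Creating User Accounts", "Guidelines" and "Granting Dial-In Permission" sections interact in ways worth seeing as one decision procedure: disabled versus locked out, the expiry date, logon hours that refuse new connections but keep existing ones, the 8-workstation limit, the 14-character password limit, "Password never expires" overruling "must change at next logon", and the three callback modes. The model below is an added example written for these notes, not code from the original page or from Windows NT; the Account fields, the function names, the Monday/office-hours schedule and the phone numbers are all constructed for illustration.

```python
# Added example (not from the original notes): a model of the account options
# described above and how they decide whether a logon, connection or callback
# is allowed. Field names, sample accounts and numbers are constructed.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

MAX_LOGON_WORKSTATIONS = 8    # the notes' limit for the Logon Workstations box
MAX_PASSWORD_LENGTH = 14      # the notes' password length limit


@dataclass
class Account:
    name: str
    disabled: bool = False                 # "Account Disabled": set by an administrator
    locked_out: bool = False               # "Account Locked Out": set by the system
    expires: Optional[datetime] = None     # expiry date from the Account button
    logon_hours: Optional[set] = None      # allowed (weekday, hour) pairs, 0=Monday; None = any time
    workstations: tuple = ()               # empty = any computer in the domain
    must_change_password: bool = True      # checked by default for a new user
    password_never_expires: bool = False
    dialin: bool = False                   # dial-in permission granted
    callback: str = "none"                 # "none", "caller" or "preset"
    callback_number: str = ""              # used only when callback == "preset"

    def __post_init__(self):
        if len(self.workstations) > MAX_LOGON_WORKSTATIONS:
            raise ValueError(f"at most {MAX_LOGON_WORKSTATIONS} workstations can be listed")
        if self.callback == "preset" and not self.callback_number:
            raise ValueError("a preset callback needs a number")


def effective_password_flags(acct: Account) -> dict:
    """'Password never expires' overrules 'User must change password at next logon'."""
    never = acct.password_never_expires
    return {"password_never_expires": never,
            "must_change_at_next_logon": acct.must_change_password and not never}


def password_length_ok(password: str) -> bool:
    """Non-empty (always assign one) and within the 14-character limit."""
    return 0 < len(password) <= MAX_PASSWORD_LENGTH


def check_new_logon(acct: Account, when: datetime, workstation: str) -> str:
    """Return 'ok', or the reason a NEW logon or connection is refused."""
    if acct.disabled:
        return "disabled by administrator"
    if acct.locked_out:
        return "locked out by system"
    if acct.expires is not None and when >= acct.expires:
        return "account expired"
    if acct.logon_hours is not None and (when.weekday(), when.hour) not in acct.logon_hours:
        return "outside logon hours"
    allowed = {w.upper() for w in acct.workstations}
    if allowed and workstation.upper() not in allowed:
        return "workstation not permitted"
    return "ok"


def logon_hours_status(acct: Account, when: datetime) -> dict:
    """A connected user is not disconnected when the logon hours run out;
    only new connections are refused until the hours allow them again."""
    inside = acct.logon_hours is None or (when.weekday(), when.hour) in acct.logon_hours
    return {"inside_logon_hours": inside,
            "existing_connection_kept": True,
            "new_connections_allowed": inside}


def resolve_callback(acct: Account, caller_supplied: str) -> tuple:
    """(dial-in permitted, number the RAS server calls back). With 'Preset to'
    the number the caller supplies is ignored, which is what limits an
    unauthorised caller: the user has to be at the preset number."""
    if not acct.dialin:
        return (False, None)
    if acct.callback == "caller":
        return (True, caller_supplied)
    if acct.callback == "preset":
        return (True, acct.callback_number)
    return (True, None)        # no callback: the session stays on the incoming call


def example_results() -> dict:
    """Constructed sample accounts run through the checks on Monday 6 Aug 2001."""
    office_hours = {(day, hour) for day in range(5) for hour in range(8, 18)}
    staff = Account("jsmith", logon_hours=office_hours, workstations=("WS01", "WS02"))
    temp = Account("contractor", expires=datetime(2001, 7, 31))
    locked = Account("bjones", locked_out=True)
    monday_9, monday_20 = datetime(2001, 8, 6, 9), datetime(2001, 8, 6, 20)
    return {
        "staff_in_hours": check_new_logon(staff, monday_9, "ws01"),
        "staff_after_hours": check_new_logon(staff, monday_20, "WS01"),
        "staff_wrong_ws": check_new_logon(staff, monday_9, "WS09"),
        "staff_after_hours_session": logon_hours_status(staff, monday_20),
        "temp_expired": check_new_logon(temp, monday_9, "WS01"),
        "locked": check_new_logon(locked, monday_9, "WS01"),
    }


if __name__ == "__main__":
    for label, result in example_results().items():
        print(f"{label:28} {result}")
```

The order of checks in check_new_logon matters for troubleshooting: a "disabled" result means an administrator did it on purpose, while "locked out" means the system tripped a threshold, and the two are cleared in different places. The example_results function is the worked run; reuse it as a starting point when reasoning about a user who reports being refused.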
Managing the User Work Environment
There are two ways to do this:
- Logon scripts
- User profiles
- Logon scripts are for users who log on from non-Windows NT based clients such as MS-DOS, WfW and LAN Manager clients.
- A logon script can be used to configure the user's network and printer connections. It cannot be used to define the appearance of the user's desktop environment or hardware settings such as video display resolution. The logon script is a batch file (.bat or .cmd) or an .exe that runs automatically when a user logs on to the network.
- User profiles define such things as the appearance of:
  - desktop environments
  - network connections
  - printer connections
- In short, a profile holds ALL user-specific settings.
- A user profile can also be used to restrict what is available to the user; for example, the administrator can remove the Administrative Tools folder to prevent a user from changing a configuration.
- All user-specific settings are saved in the Profiles folder within the system root folder (C:\Winnt\Profiles).
- Here are the folders where the information is stored:
Roaming User Profiles
- Roaming user profiles are stored centrally on a network server.
- A roaming user profile can be specified for each user account to provide the user with the same working environment no matter where the user logs on to the domain. There are two types of roaming user profiles:
  - Roaming mandatory profiles. This profile is pre-configured, and the user is not able to make any change that lasts beyond the current session. One mandatory profile can be used for multiple user accounts. Use this for users who REQUIRE identical desktop configurations.
  - Roaming personal user profiles. This profile is changeable by the user; when the user logs off, the profile is updated with any changes the user made. Users should each be assigned their own profile.
Note: Windows NT user profiles are not compatible with Windows 95 user profiles, so Windows 95 user profiles should be created on a Windows 95 computer.
Defining a User's Environment
- Within the User Environment Profile tab you can specify the location of the user profile, logon script and home folder (don't forget to provide the full path).
- Use the %username% variable in the user profile box to specify the location of personal user profiles (the variable is replaced with the user account name).
- Use a profile_name in the user profile box to specify the location of mandatory user profiles.
- More notes on home directories:
  - can be used only on an NT Server or Workstation
  - when the command prompt is opened, this is the default starting folder
  - cannot be implemented on a FAT volume (you have to create the directories manually and then specify them in the User Environment box)
BIG NOTE: Before you can specify a network location, either \winntroot\Profiles or wherever you are going to keep the user profiles, make sure that the folder you point to exists and is shared.
- You can increase the protection of new user accounts by specifying "must change password at next logon", because it forces users to protect their account.
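The rules in "Defining a User's Environment" and the BIG NOTE (full path required, %username% for per-user locations, one shared profile_name for a mandatory profile, and a network location that must exist and be shared) can be checked before the value is typed into the dialog box. The resolver below is an added example, not code from the original notes or from Windows NT: the share inventory EXAMPLE_SHARES is constructed and stands in for "the folder exists and is shared", and the server, share and user names are made up for illustration. It also accepts local drive paths (X:\...), which the notes mention as the other place a home folder can live.

```python
# Added example (not from the original notes): resolving the locations typed into
# the User Environment Profile dialog box and checking the notes' requirements on
# them. The share inventory is constructed and stands in for 'exists and is shared'.
import re

USERNAME_VAR = "%username%"
# A full path is a UNC path \\server\share[\...] or a drive path X:\...
_FULL_PATH = re.compile(r"^(\\\\[^\\]+\\[^\\]+|[A-Za-z]:)(\\|$)")
_UNC = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")

# Constructed inventory of shared folders, as (SERVER, SHARE) pairs, upper-cased.
EXAMPLE_SHARES = {("SERVER1", "PROFILES"), ("SERVER1", "HOME")}


def expand_username(path: str, username: str) -> str:
    """Replace the %username% variable (in any case) with the account name."""
    return re.sub(re.escape(USERNAME_VAR), lambda _: username, path, flags=re.IGNORECASE)


def check_network_location(path: str, shares: set) -> list:
    """Problems with a home-folder or profile location: it must be a full path, and
    a network location must point at a folder that exists and is shared."""
    if not _FULL_PATH.match(path):
        return ["not a full path"]
    unc = _UNC.match(path)
    if unc and (unc.group(1).upper(), unc.group(2).upper()) not in shares:
        return [f"share \\\\{unc.group(1)}\\{unc.group(2)} does not exist or is not shared"]
    return []


def resolve_location(template: str, username: str, shares: set, per_user: bool = True) -> tuple:
    """Expand one box of the dialog for one account; returns (path, problems).

    Home folders and personal (roaming) profiles are per-user, so %username%
    gives each account its own folder. A mandatory profile is one pre-configured
    profile shared by many accounts, so its path should not vary per user."""
    problems = []
    has_var = USERNAME_VAR in template.lower()
    if per_user and not has_var:
        problems.append("per-user location does not use %username%; make sure it is unique to this user")
    if not per_user and has_var:
        problems.append("mandatory profile path should name one shared profile, not %username%")
    path = expand_username(template, username)
    problems += check_network_location(path, shares)
    return path, problems


if __name__ == "__main__":
    # Constructed entries for one account, "jsmith"
    for label, template, per_user in (
        ("home folder", r"\\SERVER1\Home\%username%", True),
        ("personal profile", r"\\SERVER1\Profiles\%USERNAME%", True),
        ("mandatory profile", r"\\SERVER1\Profiles\sales_mandatory", False),
        ("bad share", r"\\SERVER1\Users\%username%", True),
        ("relative path", r"Profiles\%username%", True),
    ):
        path, problems = resolve_location(template, "jsmith", EXAMPLE_SHARES, per_user)
        print(f"{label:18} {path:40} {problems or 'OK'}")
```

In practice the inventory would be replaced by an actual check that the share is visible from the domain controller; the point of keeping it as a set here is that the "exists and is shared" precondition is checked before the account is saved rather than discovered at the user's first logon.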
Comments and suggestions? E-mail me at grantwilson21@yahoo.com
I'm sorry, but I can't answer specific network-related or exam-related questions.
Last Updated: August 6, 2001
Grant Wilson, Edmonton, AB, Canada