Windows NT Server 4.0 Administration Notes


Module 4: Administering User and Group Accounts

Creating User Account Templates

If you use a template in order to create new user accounts, the following options will be copied to the new account:

  • Description
  • Profile
  • User must change password
  • Hours (domain controller only)
  • User cannot change password
  • Logon to (domain controller only)
  • Password never expires
  • Account (domain controller only)
  • Groups
  • Dialin

    Note:

    • Individual rights and permissions are not copied.
    • If you start the template name with a non-alphabetic character (like "_"), it will always appear at the top of the list in the User Manager window.
    • To copy a user account: select the user --> click Copy on the User menu --> type the new user name --> click Add.

Planning an Account Policy

By default, users must change their password the first time they log on. Consider the following:

  • Never allow blank passwords
  • Require a minimum length for all passwords
    1. Medium security network: 6-8 characters
    2. High security network: 8-14 characters
  • Require users to change their password frequently
    1. Medium security network: 45-90 days
    2. High security network: 14-45 days
  • Require users to use a different password each time they change it
    1. Medium security network: 8-12 different passwords
    2. High security network: 12-24 different passwords
  • Lock out accounts after multiple failed logon attempts
    1. Medium security network: 5 times
    2. High security network: 3 times
  • Require an administrator to unlock all locked accounts
  • Require that users with restricted logon hours are disconnected from the network during off hours.

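Added example (not from these notes): a small Python model of how the account-policy rules above interact, with the "high security network" values as defaults; pass the medium-tier values to the constructor to model that tier instead. The class names and the logon/password-change sequence are constructed here for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AccountPolicy:              # defaults are the "high security network" values
    min_length: int = 8           # minimum password length (characters)
    max_age_days: int = 45        # how often users must change their password
    history: int = 12             # distinct passwords remembered before reuse is allowed
    lockout_threshold: int = 3    # failed logons before the account locks

@dataclass
class Account:
    password: str
    policy: AccountPolicy
    set_day: int = 0                      # day the current password was set
    old_passwords: list = field(default_factory=list)
    failed: int = 0                       # consecutive failed logons
    locked: bool = False

    def change_password(self, new: str, today: int) -> str:
        """Blank, too-short and recently used passwords are rejected."""
        if new == "":
            return "rejected: blank passwords are never allowed"
        if len(new) < self.policy.min_length:
            return f"rejected: shorter than {self.policy.min_length} characters"
        recent = (self.old_passwords + [self.password])[-self.policy.history:]
        if new in recent:
            return f"rejected: reused within last {self.policy.history} passwords"
        self.old_passwords.append(self.password)
        self.password, self.set_day = new, today
        return "ok"

    def logon(self, attempt: str, today: int) -> str:
        """Count failures toward lockout; flag an expired password on success."""
        if self.locked:
            return "denied: account locked"
        if attempt != self.password:
            self.failed += 1
            if self.failed >= self.policy.lockout_threshold:
                self.locked = True
                return f"denied: locked out after {self.failed} failures"
            return "denied: bad password"
        self.failed = 0
        if today - self.set_day > self.policy.max_age_days:
            return "ok: password expired, change required"
        return "ok"

    def admin_unlock(self) -> None:
        # Only an administrator clears the lockout; there is no automatic reset.
        self.locked, self.failed = False, 0
```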
Maintaining Domain Controllers

  • This means making sure that a PDC is always online and that all copies of the directory database are current.
  • The PDC maintains the master copy of the domain's directory database.
  • The directory database is automatically replicated to all BDCs in the domain every 5 minutes.
  • If the PDC goes off-line for any reason, users will still be able to log on and be validated by a BDC, but you will no longer be able to do any account administration.
  • When a PDC needs to be taken off-line, you need to perform the following steps:
    1. Promote a BDC to PDC. This will force the original PDC to become a BDC.
    2. When the original PDC is brought back online, promote it back to PDC, which forces the temporary PDC to demote itself to a BDC.
  • When a PDC goes offline unexpectedly, you need to perform the following steps:
    1. Promote a BDC to take the place of the PDC.
    2. Once the original PDC is fixed and brought back online, demote it to a BDC. This will force the temporary PDC to become a BDC.
    3. Promote the original PDC.
  • Resuming Domain Controllers:

You can also promote a BDC to a PDC after the PDC has gone offline, but the PDC will not automatically be demoted. Also, since the PDC is offline, no automatic replication of the account database can occur between the two PDCs.

When the original PDC is brought back online, there is already a PDC in the domain, so its Net Logon service will fail to start. You will need to restore the original PDC.

  • Synchronizing Domain Controllers:
  • You can manually synchronize domain controllers:
    • To apply changes made to the domain's directory database immediately.
    • To solve problems related to password mismatches.
  • To synchronize a specific BDC:
    • Select the BDC
    • Computer menu, Synchronize with PDC
  • To synchronize ALL domain controllers:
    • Select the PDC
    • Computer menu, Synchronize Entire Domain
  • You can do the same from the command line:
    • net accounts  /sync  /domain

      /sync

      • from the PDC, synchronizes the entire domain from the PDC
      • from a BDC, synchronizes that BDC with the PDC

      /domain

      • synchronizes the entire domain
      • usually used when executing from a workstation or Member Server (this has the same effect as using /sync from the PDC)

E-mail Me! Comments and suggestions? E-mail me at grantwil@sk.sympatico.ca
Last Updated: Wednesday, March 10, 1999 Grant Wilson, Tisdale, SK. Canada