Module 2: Setting up User Accounts
There are two types of user accounts:
- User-created accounts
- Built-in accounts: Guest and Administrator
- The Guest account is disabled by default. It gives the user the ability to log on and access resources on the local computer.
- Where accounts are created:
- In the master directory database on the PDC in a domain:
- With User Manager for Domains. Once the account is created on the PDC, users can log on to the domain from any computer in the network.
- To manually synchronize the database on all domain controllers, use Server Manager, or at a command prompt type net accounts /sync.
- A copy of the directory database is stored on all BDCs.
- In the local directory database on the local computer:
- Local user accounts are created on a member server or a computer running Windows NT Workstation, with User Manager. The account will be a local account and will exist only in the LOCAL directory database.
Note: Installing the Windows NT Server Administrative Tools from the Windows NT Server CD-ROM on an NT Workstation or a Windows 95 client enables you to create user accounts with User Manager for Domains.
Planning New User Accounts
Account Naming Conventions
- User account names must be unique. They can contain up to 20 characters and may not contain any of the following characters: < > / \ [ ] ; : = + , . | ? *
- Domain account names must be unique within the domain.
- Local account names must be unique on the computer.
- To be safe, use only letters (A-Z), digits (0-9) and the underscore.
- A home folder is a user's private folder for storing files. It is used as the default folder for the File Open and Save As dialog boxes, as the starting folder when a command prompt is started, and for opening or saving files in programs that do not supply a default working folder. The home folder can be stored locally or on a network server. A few considerations for the location are:
- Backup and restore -- better on the server.
- Space on the domain controllers -- NT doesn't limit space for users' home folders, so watch out!
- Space on the user's computer -- if it's there it will take pressure off the server, but what about backups?
- Performance -- less network traffic if the home folder is on the client computer.
NOTE: To assign home folders to multiple accounts at one time using the %username% variable, in the User Manager for Domains window select all the accounts you need, then on the User menu click Properties to open the user dialog box.
Creating User Accounts
- When creating a new user with User Manager for Domains, the "User must change password at next logon" checkbox is checked by default.
- The "Password never expires" option overrides "User must change password at next logon".
- Difference between:
- Account Disabled --> the administrator locks someone out.
- Account Locked Out --> the system locks the user out (e.g. after too many bad password attempts).
- When to use "User Cannot Change Password"?
- when more than one person uses the account ("Guest", for example)
- when the administrator maintains control over user passwords
- When to use "Password Never Expires"?
- when you have an account used by a service to log on, such as the Replicator service
- Use the Account button to:
- enter an account expiry date
- choose the account type
- create a local account for a user from an untrusted domain who needs access to a resource in your domain.
- MORE ON LOCAL ACCOUNTS: Local accounts can access resources on computers running NT Workstation or Server over the network and can be granted access privileges and user rights, BUT local accounts cannot be used to log on interactively. Local accounts created in one domain can't be used in trusting domains and don't appear in the Add Users and Groups dialog boxes of the trusting domains.
- A user who is connected to a network resource on the domain is NOT disconnected when the user's logon hours run out; the user will simply not be able to make any new connections.
- To limit the user to certain workstations, enter the workstation names in the Logon Workstations dialog box (only 8 in total can be entered).
- By default each new user account can access all computers in the domain.
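The logon-hours rule above (an existing connection survives, a new one is refused) is easier to see with a small model. The following Python code is an added example, not part of the original notes: it represents permitted logon hours as a 168-bit bitmap, one bit per hour of the week starting at Sunday 00:00, which is how NT stores them; the choice of least-significant-bit-first ordering within each byte is an assumption made for the example, and the Monday-to-Friday 09:00-17:00 schedule is a constructed sample.

```python
"""Added example: model NT logon hours as a 168-bit bitmap and apply the rule
that an existing connection is kept when the hours run out while a new
connection is denied.  Bit order within each byte (LSB = earliest hour) is an
assumption for this example."""

HOURS_PER_WEEK = 168  # 7 days * 24 hours, one bit each


def build_logon_hours(allowed):
    """Build the 21-byte bitmap from (weekday, hour) pairs.

    weekday 0 = Sunday ... 6 = Saturday; hour 0-23.
    """
    bits = bytearray(HOURS_PER_WEEK // 8)
    for day, hour in allowed:
        if not (0 <= day <= 6 and 0 <= hour <= 23):
            raise ValueError("bad (day, hour): %r" % ((day, hour),))
        idx = day * 24 + hour
        bits[idx // 8] |= 1 << (idx % 8)
    return bytes(bits)


def logon_allowed(bitmap, day, hour):
    """True if the bit for (day, hour) is set in the bitmap."""
    idx = day * 24 + hour
    return bool(bitmap[idx // 8] & (1 << (idx % 8)))


def business_hours(start=9, end=17, days=range(1, 6)):
    """Constructed sample schedule: Monday-Friday, start <= hour < end."""
    return build_logon_hours((d, h) for d in days for h in range(start, end))


def evaluate_connection(bitmap, day, hour, already_connected):
    """Decide what happens to a user at (day, hour).

    'allow' - inside logon hours, a new connection may be made
    'keep'  - outside logon hours, but an existing connection is not dropped
    'deny'  - outside logon hours, a new connection is refused
    """
    if logon_allowed(bitmap, day, hour):
        return "allow"
    return "keep" if already_connected else "deny"


if __name__ == "__main__":
    hours = business_hours()
    print("bitmap:", hours.hex())
    for day, hour, connected in [(1, 10, False), (1, 18, True), (1, 18, False), (0, 10, False)]:
        print("day %d hour %02d connected=%s -> %s"
              % (day, hour, connected, evaluate_connection(hours, day, hour, connected)))
```

The same bitmap layout covers any schedule, not just office hours: build it from whatever (day, hour) pairs the account should be allowed, and the evaluation rule stays the same.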
Passwords, Logon Hours, Workstation Restrictions
Guidelines
- always assign a password to the Administrator account
- who controls the password, the administrator or the user? On most networks, the user.
- set passwords to expire on temporary employees' accounts (when the employee's contract ends)
- passwords can be up to 14 characters in length
The Screens
- The Groups button brings up the Group Membership dialog box.
- The Profile button brings up the User Environment Profile dialog box.
- The Hours button brings up the Logon Hours dialog box.
- The Logon To button brings up the Logon Workstations dialog box.
- The Account button brings up the Account Information dialog box.
- The Dialin button brings up the Dialin Information dialog box.
Deleting or Renaming an Account
- delete an account when it is no longer needed
- rename an account when you want to retain all its rights, permissions, and group memberships for a different user.
Granting Dial-In Permission
- Before a user can log on to the network using RAS, they must have dial-in permission assigned to their user name (New User dialog box, click Dialin). The three dial-in callback options are:
- No callback
- Set by caller
- the user specifies the number; the RAS server calls back and incurs the cost
- Preset to
- specifies the phone number to call back to
- this reduces the risk of an unauthorized person calling in, because the user must be at the specified number
- The Administrator and Guest accounts cannot be deleted.
Managing the User Work Environment
There are two ways to do this:
- Logon scripts
- User profiles
- Logon scripts are for users who log on from non-Windows NT based clients such as MS-DOS, WfW and LAN Manager clients.
- A logon script can be used to configure the user's network and printer connections. It cannot be used to define the appearance of the user's desktop environment or hardware settings such as video display resolution. The logon script is a batch file (.bat or .cmd) or an .exe that runs automatically when a user logs on to the network.
- User profiles define such things as the appearance of:
- desktop environments
- network connections
- printer connections
- In short, a profile holds ALL user-specific settings.
- A user profile can also be used to restrict what is available to the user; for example, the administrator can remove the Administrative Tools folder to prevent a user from changing a configuration.
- All user-specific settings are saved in the Profiles folder within the system root folder (C:\Winnt\Profiles).
- The folders where this information is stored are:
Roaming User Profiles
- Roaming user profiles are stored centrally on a network server.
- A roaming user profile can be specified for each user account to provide the user with the same working environment no matter where the user logs on to the domain. There are two types of roaming user profiles:
- Roaming mandatory profiles. The profile is pre-configured, and the user is not able to make any change that lasts longer than the current session. One mandatory profile can be used for multiple user accounts. Use this for users that REQUIRE identical desktop configurations.
- Roaming personal user profiles. The profile is changeable by the user; when the user logs off, the profile is updated with any changes the user made. Each user should be assigned their own profile.
Note: Windows NT user profiles are not compatible with Windows 95 user profiles, so Windows 95 user profiles should be created on a Windows 95 computer.
Defining a User's Environment
- In the User Environment Profile dialog box you can specify the location of the user profile, the logon script and the home folder (don't forget to provide the full path).
- Use the %username% variable in the user profile path box to specify the location of personal user profiles (the variable is replaced with the user account name).
- Use a specific profile name in the user profile path box to specify the location of a mandatory user profile.
- More notes on home directories:
- can be used only on an NT Server or Workstation
- when the command prompt is opened, this will be the default starting place
- cannot be implemented on a FAT volume (you have to create the directories manually, and then specify them in the User Environment Profile box)
BIG NOTE: Before you can specify a network location, either \winntroot\Profiles or wherever you are going to keep the user profiles, make sure that the folder you point to exists and is shared.
- You can increase the protection of new user accounts by specifying "User must change password at next logon", because it forces users to protect their accounts.