Windows NT Server 4.0 Administration Notes


Module 2: Setting up User Accounts

There are two types of user accounts:

  • User Created Accounts
  • Built-in Accounts - Guest and Administrator
    • The Guest account is disabled by default.
    • This account gives the user the ability to log on and access resources on the local computer.
  • Where accounts are created:
    • In the Master Directory Database on the PDC in a domain:
      • With User Manager for Domains. Once the account is created on the PDC, the user can log on to the domain from any computer in the network.
      • To manually synchronize the database on all domain controllers, use Server Manager, or at a command prompt type net accounts /sync.
      • A copy of the directory database is stored on all BDCs.
    • In the Local Directory Database on the local computer:
      • Local user accounts are created on a member server or a computer running Windows NT Workstation, with User Manager. The account will be a local account and exists only in the LOCAL directory database.

Note: Installing the Windows NT Server Administration Tools from the Windows NT Server CD-ROM on an NT Workstation or a Windows 95 client enables you to create user accounts with User Manager for Domains.

Planning New User Accounts

Account Naming Conventions
  • User account names must be unique. They can contain up to 20 characters and may not include any of the following:
    < > / \ [ ] ; : = + , . | ? *
  • Domain account names must be unique to the domain.
  • Local account names must be unique to the computer.
  • Suggestion: use only alpha (A-Z), numeric (0-9) and underscore characters to be safe.
Home Folder Location
  • A home folder is a user's private folder for storing files. It is used as the default folder for the File Open and Save As dialog boxes, when the command prompt is started, and for opening or saving a file in programs that do not supply a default working folder. The home folder can be stored locally or on a network server. A few considerations for the location are:
    • Backup and restore -- better on the server
    • Space on the domain controllers -- NT doesn't limit space for users' home folders, so watch out!
    • Space on the user's computer -- if it's there it will take pressure off the server, but what about backups?
    • Performance -- less network traffic if the home folder is on the client computer

NOTE:
To assign home folders to multiple accounts at one time using the %username% variable, in the User Manager for Domains window select all the accounts you need. Then on the User menu click Properties to open the user dialog box.

Creating User Accounts

  • When creating a new user with User Manager for domains, the "User must change password at next logon" checkbox is marked (default).
  • The "Password never expires" option overrules "User must change password at next logon".
  • Difference between
    • Account Disabled --> Administrator locks someone out
    • Account Locked Out --> system locks you out (e.g. for too many password attempts)
  • When to use "User Cannot Change Password" ?
    • when there's more than one person using the account ("Guest" for example)
    • when administrator maintains control over user passwords
  • When to use "Password Never Expires" ?
    • when you have an account used by services to log on, such as the Replicator service
  • Use Account button to
    • enter an account expiry date
    • choose account type
      • to create a Local Account for a user from an untrusted domain who needs access to a resource in your domain.
      • MORE ON LOCAL ACCOUNTS: Local accounts can access resources on computers running NT Workstation or Server over the network, and can be granted access privileges and user rights. BUT local accounts cannot be used to log on interactively. Local accounts created in one domain can't be used in trusting domains and don't appear in the Add Users and Groups dialog boxes of the trusting domains.
  • A user that is connected to a network resource on the domain is NOT disconnected when the user's logon hours run out. The user will not be able to make any new connections.
  • To limit the user to certain workstations enter the workstation names in the Logon Workstations dialog box (only 8 total are possible to enter)
  • By default each new user account can access all computers in the domain.

Passwords, Logon Hours, Workstation Restrictions

Guidelines

  • always assign a password to the Administrator account
  • who controls the password? - Administrator or user - on most networks, the user
  • set password to expire on temporary employee accounts (when employee's contract ends)
  • Passwords can be up to 14 characters in length
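The naming rules under Account Naming Conventions, the checkbox interaction noted under Creating User Accounts and the password-length and logon-workstation limits above, written up as a small pre-creation check. This is an added example, not code from these notes: the dict shape for an account and the sample names are constructed here, and it only encodes the rules as the notes state them rather than querying NT.

```python
import re

# Rules exactly as stated in these notes (added example; not from the original page,
# and it does not talk to Windows NT, it only encodes the written rules).
MAX_NAME_LEN = 20
FORBIDDEN_CHARS = set('<>/\\[];:=+,.|?*')   # the character list under Account Naming Conventions
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")     # the "alpha, numeric and underscore" suggestion
MAX_PASSWORD_LEN = 14
MAX_LOGON_WORKSTATIONS = 8


def check_account_name(name, existing_names):
    """Return the problems with a proposed name, given the names already in the
    same directory database (domain or local computer)."""
    problems = []
    if not name or len(name) > MAX_NAME_LEN:
        problems.append("name must be 1-%d characters" % MAX_NAME_LEN)
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        problems.append("name contains forbidden characters: " + "".join(bad))
    # NT account names are not case-sensitive, so uniqueness is checked case-insensitively
    if name.lower() in {n.lower() for n in existing_names}:
        problems.append("name is not unique in this directory database")
    if name and not SAFE_NAME.fullmatch(name):
        problems.append("warning: safest to use only A-Z, 0-9 and underscore")
    return problems


def check_account_options(acct):
    """Flag the option combinations and limits the notes call out.
    acct is a plain dict mirroring the New User dialog box settings (a constructed shape)."""
    problems = []
    if acct.get("password_never_expires") and acct.get("must_change_at_next_logon"):
        problems.append("'Password never expires' overrules 'User must change password at next logon'")
    if len(acct.get("password", "")) > MAX_PASSWORD_LEN:
        problems.append("password longer than %d characters" % MAX_PASSWORD_LEN)
    if len(acct.get("logon_workstations", [])) > MAX_LOGON_WORKSTATIONS:
        problems.append("more than %d logon workstations listed" % MAX_LOGON_WORKSTATIONS)
    return problems


def home_folder_path(template, name):
    """Expand %username% in a home folder (or profile) path the way User Manager does."""
    return template.replace("%username%", name)


if __name__ == "__main__":
    existing = ["Administrator", "Guest", "jsmith"]        # constructed sample directory
    for candidate in ["JSMITH", "a.jones", "bkim_temp"]:
        print(candidate, check_account_name(candidate, existing))
    print(home_folder_path(r"\\fileserver\users\%username%", "bkim_temp"))
```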

The Screens

The Groups button brings up the Group Membership Dialog Box:

The Profile button brings up the User Environment Profile Dialog Box:

The Hours button brings up the Logon Hours Dialog Box:

The Logon to button brings up the Logon Workstations Dialog Box:

The Account button brings up the Account Information Dialog Box:

The Dialin button brings up the Dialin Information Dialog Box:

Deleting or Renaming an Account

  • Delete an account when it is no longer needed.
  • Rename when you want to retain all rights, permissions, and group memberships for the account of a different user.
  • The Administrator and Guest accounts cannot be deleted.

Granting Dial-In Permission

  • Before a user can log on to the network using RAS, they must have dial-in permission assigned to their user name (New User dialog box, click Dialin). The three dial-in options are:
    • No callback
      • the user incurs the cost
    • Set by caller
      • the user specifies a number; the RAS server calls back and incurs the cost
    • Preset to
      • specifies the phone number to call back
      • this reduces the risk of an unauthorized person calling in, because the user must be at the specified number

Managing the User Work Environment

There are two ways to do this:

  • Logon Scripts
  • User Profiles

  • Logon scripts are for users who log on from non-Windows NT based clients such as MS-DOS, WfW and LAN Manager clients.
  • A logon script can be used to configure the user's network and printer connections. It cannot be used to define the appearance of the user's desktop environment or hardware settings, such as video display resolution. The logon script is a batch file (.bat or .cmd) or an .exe that runs automatically when a user logs on to the network.
  • User Profiles define such things as the appearance of
    • desktop environments
    • network connections
    • printer connections
    • In short, it holds ALL user-specific settings.
  • A user profile can also be used to restrict what is available to the user; for example, the administrator can remove the Administrative Tools folder to prevent a user from changing a configuration.
  • All user-specific settings are saved in the Profiles folder within the system root folder (C:\Winnt\Profiles).
  • Here are the folders where the information is stored:

Roaming User Profiles

  • Roaming user profiles are stored centrally on a network server.
  • A roaming user profile can be specified for each user account to provide the user with the same working environment no matter where the user logs on to the domain. There are two types of roaming user profiles:
    • Roaming mandatory profiles. These are pre-configured, and the user is not able to change any settings in a way that lasts beyond the current session. One mandatory profile can be used for multiple user accounts. Use this for users that REQUIRE identical desktop configurations.
    • Roaming personal user profiles. These are changeable by the user; when the user logs off, the profile is updated with any changes the user made. Users should be assigned their own profile.

Note: Windows NT user profiles are not compatible with Windows 95 user profiles, so Windows 95 user profiles should be created on a Windows 95 computer.

Defining a User's Environment
  • Within the User Environment Profile dialog box you can specify the location of a user profile, logon script and home folder (don't forget to provide the full path).
    • Use the "%username%" variable in the User Profile box to specify the location of personal user profiles (the variable is replaced with the user account name).
    • Use a "profile_name" entry in the User Profile box to specify the location of mandatory user profiles.
  • More notes on home directories:
    • can be used only on an NT Server or Workstation
    • when the command prompt is opened, this will be the default starting folder
    • cannot be implemented on a FAT volume (you have to create the directories manually, and then specify them in the User Environment box)

BIG NOTE:
Before you can specify a network location for user profiles, whether \winntroot\Profiles or wherever else you are going to keep them, make sure that the folder you point to exists and is shared.

  • You can increase the protection of new user accounts by specifying "User must change password at next logon", because it forces users to protect their own account.

E-mail Me! Comments and suggestions? E-mail me at grantwil@sk.sympatico.ca
Last Updated: Wednesday, March 10, 1999 Grant Wilson, Tisdale, SK. Canada