1 User Account Administration Introduction to User Accounts Planning New User Accounts Creating User Accounts Creating User Profiles Creating Home Directories.

Presentation transcript:

1 User Account Administration
- Introduction to User Accounts
- Planning New User Accounts
- Creating User Accounts
- Creating User Profiles
- Creating Home Directories
- Maintaining User Accounts

2 Introduction to User Accounts
- Local User Accounts
- Domain User Accounts
- Built-In User Accounts

3 Local User Accounts

4 Local user accounts allow users to log on and gain access to resources only on the computer where the local user account is created. Microsoft Windows 2000 creates the account only in that computer’s security database, which is called the local security database. Windows 2000 does not replicate local user account information to domain controllers. The domain does not recognize local user accounts. Do not create local user accounts on computers that require access to domain resources.

5 Domain User Accounts

6 Allow users to log on to the domain and gain access to resources anywhere on the network. The user provides a user name and password during the logon process. A domain user account can be created in a container or OU in the copy of the Active Directory database on a domain controller. The domain controller replicates the new user account information to all domain controllers in the domain. After the new user account information is replicated, all of the domain controllers in the domain tree can authenticate the user during the logon process.

7 Access Tokens
- Windows 2000 authenticates the user and then builds an access token that contains information about the user and security settings.
- The access token identifies the user trying to gain access to resources on computers running Windows 2000 and pre-Windows 2000 computers.
- Windows 2000 provides the access token for the duration of the logon session.

8 Built-In User Accounts: Administrator
- Use this account to manage the overall computer and domain configuration.
- Create a user account to perform nonadministrative tasks.
- Use this account only when performing administrative tasks.
- The account can be renamed to provide a greater degree of security.
- The account cannot be deleted.

9 Built-In User Accounts: Guest
- Allows occasional users the ability to log on and gain access to resources
- Disabled by default
- Enabled only in low-security networks
- Always assigned a password
- Can be renamed and disabled, but not deleted

10 Planning New User Accounts
- Naming Conventions
- Password Requirements
- Account Options
- Practice: Planning New User Accounts

11 Naming Conventions
- Local user accounts: Unique to the computer
- Domain user accounts: Unique to the directory
- 20 characters maximum
- Invalid characters: " / \ [ ] : ; | = , + * ?
- User logon names: Not case-sensitive
- Accommodate duplicate employee names
- Identify type of employee compatibility

12 Password Requirements
- Use passwords that are hard to guess.
- Maximum 14 characters; minimum eight recommended.
- Use uppercase and lowercase letters, numerals, and nonalphanumeric characters.
- Use at least one symbol character in the second through sixth positions.
- Make password significantly different from prior passwords.
- Must not contain the user’s name or user name.
- Must not be a common word or name.
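The naming conventions and password requirements from slides 11 and 12, written as a checker. This is an added example, not part of the original presentation; the word list is a constructed sample, and the 0.7 similarity threshold and the `previous` parameter are assumptions used to illustrate "significantly different from prior passwords".

```python
import re
from difflib import SequenceMatcher

INVALID_NAME_CHARS = set('"/\\[]:;|=,+*?')  # list from the Naming Conventions slide
MAX_NAME_LEN = 20
MIN_PW_LEN, MAX_PW_LEN = 8, 14
SIMILARITY_LIMIT = 0.7  # assumed threshold, not from the slides
# Constructed sample; a real check would use a full dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "monday"}


def check_logon_name(name, existing=()):
    """Return naming-convention violations (empty list means acceptable)."""
    problems = []
    if not name:
        problems.append("empty name")
    if len(name) > MAX_NAME_LEN:
        problems.append("longer than 20 characters")
    bad = sorted(set(name) & INVALID_NAME_CHARS)
    if bad:
        problems.append("invalid characters: " + " ".join(bad))
    # Logon names are not case-sensitive, so compare case-folded.
    if name.casefold() in {e.casefold() for e in existing}:
        problems.append("duplicate of an existing logon name")
    return problems


def check_password(password, logon_name, full_name="", previous=()):
    """Return password-requirement violations (empty list means acceptable)."""
    problems = []
    if len(password) > MAX_PW_LEN:
        problems.append("longer than 14 characters")
    if len(password) < MIN_PW_LEN:
        problems.append("shorter than the recommended 8 characters")
    classes = {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "numeral": any(c.isdigit() for c in password),
        "nonalphanumeric character": any(not c.isalnum() for c in password),
    }
    problems += ["no " + kind for kind, present in classes.items() if not present]
    # Second through sixth positions are indexes 1..5.
    if not any(not c.isalnum() for c in password[1:6]):
        problems.append("no symbol in positions 2-6")
    lowered = password.casefold()
    for part in [logon_name] + full_name.split():
        if len(part) >= 3 and part.casefold() in lowered:
            problems.append("contains the user's name or user name")
            break
    # Trim digits and symbols from both ends so "Summer01!" still matches.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core in COMMON_WORDS:
        problems.append("is a common word or name")
    for old in previous:
        if SequenceMatcher(None, old.casefold(), lowered).ratio() >= SIMILARITY_LIMIT:
            problems.append("too similar to a prior password")
            break
    return problems


if __name__ == "__main__":
    print(check_logon_name("j:smith"))
    print(check_password("Summer01!", "jsmith", "John Smith"))
```
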

13 Account Options
- Logon hours
- Computers from which users can log on
- Account expiration

14 Creating User Accounts
- Creating Local User Accounts
- Creating Domain User Accounts
- Practice: Creating Domain User Accounts
- User Account Properties
- Setting Personal Properties
- Setting Account Properties
- Setting Logon Hours
- Setting the Computers from Which Users Can Log On
- Configuring Dial-In Settings
- Practice: Modifying User Account Properties

15 Local Users and Groups Snap-In, New User Dialog Box

16 Local User Account Options
- User Name: A unique name based on naming conventions; required.
- Full Name: Complete name of the user; determines which person belongs to an account; optional.
- Description: Useful for identifying users; optional.
- User Must Change Password At Next Logon: Requires user to change password when logging on the first time.
- User Cannot Change Password: Only administrators are allowed to control passwords.
- Password Never Expires: Password will never change.
- Account Is Disabled: Prevents use of the user’s account.

17 Creating Domain User Accounts
- Use the Active Directory Users and Computers console to create, delete, or disable domain user accounts on the domain controller, or local user accounts on any computer in the domain.
- The user logon name defaults to the domain in which the domain user account is being created.
- With proper permissions, any domain can be selected to create domain user accounts.
- The container must be selected to create the new account.
- Create the account in the default Users container or in a container that is created to hold domain user accounts.

18 Active Directory Users and Computers Console

19 User Name Options
- First Name: The user’s first name.
- Initials: The user’s initials.
- Last Name: The user’s last name.
- Full Name: The user’s complete name.
- User Logon: Uniquely identifies the user throughout the entire network.
- User Logon Name (Pre-Windows 2000): User’s unique logon name that is used to log on from earlier versions of Windows; entry is required and must be unique within the domain.

20 New Object-User Dialog Box

21 Password Options
- Password: Used to authenticate the user.
- Confirm Password: Confirmation that the password was typed correctly.
- User Must Change Password At Next Logon: Requires user to change password when logging on the first time.
- User Cannot Change Password: Only administrators are allowed to control passwords.
- Password Never Expires: Password will never change.
- Account Is Disabled: Prevents use of the user’s account.

22 User Account Properties
- A default set of properties is associated with each user account created.
- Personal and account properties, logon options, and dial-in settings can be configured after creating a user account.
- Account properties equate to object attributes for domain users.
- Properties defined for a domain user account can be used to search the directory or for use in other applications as objects’ attributes.
- Detailed definitions should be provided for each domain user account created.

23 Properties Dialog Box Tabs
- General: User’s first name, last name, display name, description, office location, telephone number(s), address, home page, and additional Web pages
- Address: User’s street address, post office box, city, state or province, zip or postal code, and country or region
- Account: User’s logon name, logon hours, computers permitted to log on to, account options, and account expiration
- Profile: Profile path, logon script path, home directory, and shared document folder
- Telephones: User’s home, pager, mobile, fax, and IP telephone numbers, and spaces for comments
- Organization: User’s title, department, company, manager, and direct reports

24 Additional Properties Dialog Box Tabs
- Remote Control: Terminal Services remote control settings
- Terminal Services Profile: Terminal Services user profile
- Member Of: Groups to which the user belongs
- Dial-In: Dial-in properties for the user
- Environment: Terminal Services startup environment
- Sessions: Terminal Services timeout and reconnection settings

25 Address Tab of the Properties Dialog Box

26 Account Tab of the Properties Dialog Box

27 Additional Account Options
- Store Password Using Reversible Encryption: Enables Macintosh users to log on
- Smart Card Is Required For Interactive Logon: Allows a user to log on with a smart card
- Account Is Trusted For Delegation: Allows a user to assign responsibility for management and administration of a portion of the namespace to another user, group, or organization
- Account Is Sensitive And Cannot Be Delegated: Prevents the account from being assigned for delegation by another account
- Use DES Encryption Types For This Account: Provides the Data Encryption Standard (DES)
- Do Not Require Kerberos Preauthentication: Removes Kerberos preauthentication for accounts using another implementation of Kerberos
- Account Expires: Sets account expiration dates
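Several of the account options on slides 16, 21 and 27 are stored as bits in the Active Directory `userAccountControl` attribute, so an exported list of accounts can be reviewed for options that weaken authentication. The following is an added example, not part of the original presentation: the bit values follow Microsoft's documentation for `userAccountControl`, while the sample accounts, the `privileged` field and the wording of the findings are constructed for illustration.

```python
# Bit values from Microsoft's userAccountControl documentation.
UAC_OPTIONS = {
    0x000002: "Account Is Disabled",
    0x000080: "Store Password Using Reversible Encryption",
    0x010000: "Password Never Expires",
    0x040000: "Smart Card Is Required For Interactive Logon",
    0x080000: "Account Is Trusted For Delegation",
    0x100000: "Account Is Sensitive And Cannot Be Delegated",
    0x200000: "Use DES Encryption Types For This Account",
    0x400000: "Do Not Require Kerberos Preauthentication",
}
DISABLED = 0x000002
NOT_DELEGATED = 0x100000

# Options worth a review, with the reason (reviewer wording, not from the slides).
RISKY = {
    0x000080: "password is stored in a recoverable form",
    0x010000: "password is never forced to change",
    0x080000: "services under this account can act on behalf of other users",
    0x200000: "account is limited to DES, a weak cipher",
    0x400000: "Kerberos preauthentication check is removed",
}


def decode_uac(value):
    """Return the option names set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_OPTIONS.items()) if value & bit]


def audit(accounts, include_disabled=False):
    """Map account name -> findings for accounts with options to review."""
    report = {}
    for acct in accounts:
        uac = acct["uac"]
        if (uac & DISABLED) and not include_disabled:
            continue  # a disabled account cannot be used to log on
        findings = [f"{UAC_OPTIONS[bit]}: {why}"
                    for bit, why in sorted(RISKY.items()) if uac & bit]
        # 'privileged' is a hypothetical field marking administrative accounts.
        if acct.get("privileged") and not (uac & NOT_DELEGATED):
            findings.append("privileged account is not marked "
                            "Account Is Sensitive And Cannot Be Delegated")
        if findings:
            report[acct["name"]] = findings
    return report


# Constructed sample export; 0x200 marks a normal user account.
SAMPLE_ACCOUNTS = [
    {"name": "jsmith", "uac": 0x200},
    {"name": "svc-backup", "uac": 0x200 | 0x010000 | 0x080000},
    {"name": "macuser", "uac": 0x200 | 0x000080},
    {"name": "legacyapp", "uac": 0x200 | 0x200000 | 0x400000},
    {"name": "olduser", "uac": 0x200 | 0x000002 | 0x010000},
    {"name": "admin-ops", "uac": 0x200, "privileged": True},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```
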

28 Logon Hours Dialog Box

29 Setting Logon Hours
- Controls when a user can log on to the domain.
- Limits the hours users can explore the network.
- By default, Windows 2000 permits access for all hours on all days.
- Reduces the amount of time that the account is open to unauthorized access.

30 Logon Workstation Dialog Box

31 Setting Logon Options
- Setting logon options for the domain user account allows you to control the computers from which a user can log on to the domain.
- Setting the computers from which a user can log on prevents users from accessing another user’s data that is stored on that user’s computer.
- By default, each user can log on from all computers in the domain.

32 Options on the Dial-In Tab
- Allow Access
- Deny Access
- Control Access Through Remote Access Policy
- Verify Caller-ID
- Callback Options
  - No Callback
  - Set By Caller
  - Always Callback To
- Assign A Static IP Address
- Apply Static Routes
- Static Routes

33 Creating User Profiles
- User Profiles
- Local User Profiles
- Roaming User Profiles
- Mandatory User Profiles
- Practice: Managing User Profiles

34 User Profile Overview
- A collection of folders and data that stores the user’s current desktop environment, application settings, and personal data
- Contains all network connections established when a user logs on to a computer
- Maintains consistency of desktop environments; provides each user with the same desktop environment used the last time that user logged on

35 User Profiles Advantages to Users
- Multiple users can use the same computer; each user receives own desktop settings at logon.
- When logging on to their workstation, users receive the same desktop settings as existed when they logged off.
- Customization of the desktop environment by one user does not affect another user’s settings.
- Roaming user profile: User profile stored on a server, which follows that user to any computer running Windows NT 4.0 or Windows 2000 on the network.
- Application settings are retained for applications that are Windows 2000-certified.

36 User Profiles Administrative Advantages
- Allows creation of a default user profile that is appropriate for the user’s task
- Allows a mandatory user profile to be established that does not save changes made by the user to the desktop settings
- Allows specific default user settings to be included in all of the individual user profiles

37 Profile Types
- Local user profile: Created upon first logon to a computer and stored on the computer’s local hard disk; changes are saved on the computer on which changes are made.
- Roaming user profile: Created by the system administrator and stored on a server; changes are updated on the server.
- Mandatory user profile: A roaming profile used to specify particular settings for individuals or an entire group of users; changes made by the user are discarded.

38 User Profile Contents
- Local user profiles are stored in the C:\Documents and Settings\user-logon-name folder.
- Roaming user profiles are stored in a shared folder on the server.
- Use the My Documents folder to centralize all user settings and personal documents into a single folder that is part of the user profile.
- Windows 2000 automatically sets up the My Documents folder, which is the default location for storing users’ data for Microsoft applications.
- Home directories can also contain files and programs for a user.

39 Contents of a User Profile Folder
- Application data folder
- Cookies folder
- Desktop folder
- Favorites folder
- FrontPageTempDir folder
- Local Settings folder
- My Documents folder
- My Pictures folder
- NetHood folder
- PrintHood folder
- Recent folder
- SendTo folder
- Start Menu folder
- Templates folder
- NTUSER.DAT file

40 Local User Profiles
- Windows 2000 creates a local user profile the first time a user logs on at a computer, storing the profile on that computer.
- The local user profile is stored in the C:\Documents and Settings\user_logon_name folder.
- When logging on to Windows 2000, users always receive their individual desktop settings and connections, regardless of how many users share the same client computer.
- When a user logs off, Windows 2000 incorporates the changes into the user profile stored on the computer.

41 Roaming User Profiles
- Roaming user profiles support users who work at multiple computers.
- Roaming user profiles are stored on the network server and are available to the user no matter where the user logs on in the domain.
- Users always receive their own individual desktop settings and connections.
- The first time a user logs on at a computer, Windows 2000 copies all documents to the local computer.
- When a user logs off, Windows 2000 copies changes back to the server where the profile is stored.

42 Profile Path for a Roaming User Profile

43 Copying a User Profile Template

44 Mandatory User Profiles
- A mandatory user profile is a read-only roaming user profile.
- Users can modify the desktop settings of the computer while they are logged on, but none of these changes is saved when they log off.
- The next time that the user logs on, the profile is the same as the last time that user logged on.
- One mandatory profile can be assigned to multiple users who require the same desktop settings.
- By changing one profile, several users’ desktop environments can be changed.

45 Creating a Mandatory User Profile
- A hidden file called NTUSER.DAT contains that section of the Windows 2000 system settings that applies to the individual user account and contains the user environment settings.
- This hidden file becomes a read-only file if you change its name to NTUSER.MAN.

46 Creating Home Directories
- Introducing Home Directories
- Creating Home Directories on a Server

47 Home Directory Overview
- Folder that can be provided to users to store personal documents in addition to the My Documents folder
- Sometimes the default folder for saving documents in older applications
- Stored on a client computer or in a shared folder on a file server
- Not a member of a roaming user profile
- Does not affect network traffic during the logon process

48 Home Directory Advantages
- Users can gain access to their home directories from any client computer on the network.
- Backing up and administration of user documents are centralized.
- Home directories are accessible from a client computer running any Microsoft operating system.

49 Creating Home Directories
- Permission to administer the object in which the user accounts reside is mandatory.
- When %username% is used to name a folder on an NTFS volume, the user is assigned the NTFS Full Control permission.
- All other permissions are removed from the folder, including those for the Administrator account.

50 Specifying a Path to a Home Directory Folder

51 Maintaining User Accounts
- Disabling, Enabling, Renaming, and Deleting User Accounts
- Resetting Passwords
- Unlocking User Accounts
- Practice: Administering User Accounts

52 Maintaining User Accounts Overview
- The needs of an organization might require the modification of user accounts.
- Modifications of user accounts are based on personnel changes or personal information.
- You make changes to the user account object in Active Directory to modify a user account.
- You must have permission to administer the object in which the user accounts reside.

53 Modifications Affecting Functionality of User Accounts
- Disabling and enabling a user account
- Renaming a user account
- Deleting a user account

54 Disabling, Enabling, Deleting, or Renaming User Accounts

55 Resetting Passwords
- Reset a password if a user’s password expires before it can be changed, or if a user forgets the password.
- It is not necessary to know the old password.
- Once the password is set, it is not visible to any user, including the administrator, thus improving security.

56 Unlocking User Accounts
- A Windows 2000 group policy locks out a user account when the user violates the policy.
- When a user account is locked out, Windows 2000 displays an error message.