Creating and Managing User Accounts

Overview As an administrator, you need to provide the users in your organization with access to the various network resources that they require. User accounts enable users to log on and gain access to local or domain resources. In this module, you will learn how to create local and domain user accounts and set properties for them.

Guidelines for New User Accounts

A user account enables a user to log on to computers and domains with an identity that can be authenticated and authorized for access to domain resources.

To make the process of creating user accounts more efficient, you need to familiarize yourself with the conventions and guidelines already in use on the network. Following the conventions and guidelines makes it easier for you to manage the user accounts after they are created.

1. Introduction to User Accounts

A user account contains a user's unique credentials and enables a user to log on to the domain to gain access to network resources or to log on to a specific computer to access resources on that computer. Each person who regularly uses the network should have a user account.

The following table describes the types of user accounts that Microsoft® Windows® 2000 provides.

User account Description type Local user Enables a user to log on to a specific computer to gain access to account resources on that computer. Users can gain access to resources on another computer if they have a separate account on the other computer. These user accounts reside in the Security Accounts Manager (SAM) of the computer.

Domain user Enables a user to log on to the domain to gain access to network account resources. The user can gain access to network resources from any computer on the network with a single user account and password. These user accounts reside in the Active Directory® directory service.

======Network Lab Users Accounts Management page 1

Built-in user Enables a user to perform administrative tasks or to gain temporary account access to network resources. There are two built-in user accounts that cannot be deleted: Administrator and Guest. The local Administrator and Guest user accounts reside in SAM and the domain Administrator and Guest user accounts reside in Active Directory. Built-in user accounts are automatically created during Windows 2000 installation and the installation of Active Directory.

1.1 Naming Conventions

The naming convention establishes how user accounts are identified in the domain. A consistent naming convention makes it easier to remember user logon names and locate them in lists. It is a good practice to adhere to the naming convention already in use in an existing network that supports a large number of users.

Consider the following guidelines for naming conventions: • User logon names for domain user accounts must be unique in Active Directory. Domain user account full names must be unique within the domain in which you create the user account. Local user account names must be unique on the computer on which you create the local user account. • User logon names can contain up to 20 uppercase and lowercase characters (the field accepts more than 20 characters, but Windows 2000 recognizes only 20), except for the following: " / \ [ ] : ; | = , + * ? < > You can use a combination of special and alphanumeric characters to help uniquely identify user accounts. • If you have a large number of users, your naming convention for logon names should accommodate employees with duplicate names. The following are some suggestions for handling duplicate names: o Use the first name and the last initial, and then add additional letters from the last name to accommodate duplicate names. For example, for two users named Judy Lew, one user account logon name could be Judyl and the other Judyle. In some organizations, it is useful to identify temporary employees by their user accounts. To do so, you can prefix the user account name with a T and a dash. For example, T-Judyl.

1.2 Password Guidelines

To protect access to the domain or a computer, every user account should have a complex password. This helps to prevent unauthorized individuals from logging on to your domain. Consider the following guidelines for assigning passwords to user accounts: ======Network Lab Users Accounts Management page 2 • Always assign a complex password for the Administrator account to prevent unauthorized access to the account. • Determine whether you or the users will control passwords. You can assign unique passwords for the user accounts and prevent users from changing them, or you can allow users to enter their own passwords the first time that they log on. In most cases, users should control their own passwords. • Educate users about the importance of using complex passwords that are hard to guess: * Avoid using passwords with an obvious association, such as a family member's name. * Use long passwords because they are harder to guess. Passwords can be up to 128 characters. A minimum length of eight characters is recommended. * Use a combination of uppercase and lowercase letters and non-alphanumeric characters.

1.3 Account Options

User account options control how a user accesses the domain or a computer. For example, you can limit the hours during which a user can log on to the domain and the computers from which the user can log on. You can also specify when a user account expires. This enables you to maintain the security required by your network.

Logon Hours You can set logon hours for users who require access only at specific times. For example, you can set logon hours for night shift workers to enable them to log on only during their working hours.

Computers from Which Users Can Log On Users can log on to the domain by using any computer in the domain by default. You can configure account options to specify the computers from which users can log on. For example, you can enable users, such as temporary workers, to log on to the domain only from their computer. This prevents these users from logging in to other computers and gaining access to sensitive information that is stored on other computers.

Account Expiration You can set an expiration date on a user account to ensure that the account is disabled when the user no longer requires access to the network. For example, as a good security practice, you can set user accounts for temporary workers to expire on the date when their contracts end.

2. Creating Local User Accounts

Use Computer Management to create a local user account. You can create local user accounts only on computers running Windows 2000 Professional and on stand-alone or member servers running Windows 2000 Server or Windows 2000 Advanced Server.

Characteristics of Local User Account A local user account is used only in a smaller network environment, such as a workgroup, or on stand-alone computers that are not networked. Do not create local user accounts on computers that are part of a domain because the domain does not recognize local user accounts and as a result, the ======Network Lab Users Accounts Management page 3 user account would only be able to gain access to resources that are on the computer.

Local user accounts reside in the SAM database, which is the local security account database of the computer on which you created the account. They are not stored in Active Directory for the domain. In addition, local user accounts have fewer properties than domain accounts.

To create a local user account, perform the following steps:

1. Click Start, point to Programs, point to Administrative Tools, and then click Computer Management.

2. In Computer Management, expand Local Users and Groups. 3. Right-click the Users folder, and then click New User. The following table describes the user information you provide for a local user account.

Option Description

User name The user's unique logon name, based on your naming convention.

Full name The user's complete name. Use this to determine to which person the local user account belongs.

Description A description that you can use to identify the user by job title, department, or office location. This field is optional.

4. In the Password and Confirm Password boxes, type the user's password. 5. Select the appropriate check box or check boxes to set the password restrictions. 6. Click Create to create the user account. When you create a local user account, Windows 2000 does not replicate the local user account information to domain controllers. A domain controller is a Windows 2000-based server that is running Active Directory. This is why you cannot use local user accounts to gain access to resources on other computers.

After the local user account is created, the computer uses its SAM to authenticate the local user account, which allows the user to log on to that computer. The user can then gain access to resources that are available only on the local computer.

3. Creating and Configuring Domain User Accounts

Domain user accounts allow users to log on to a domain and gain access to resources anywhere on the network. You create a domain user account on a domain controller.

Windows 2000 provides administrative tools to help you create and administer user accounts. Windows 2000 Administration Tools are installed on a domain controller by default. However, you can remotely manage a domain and its user accounts by manually installing the Windows 2000 Administration Tools on a member server or a computer running Windows 2000 Professional.

Use Active Directory Users and Computers to create the domain user account and to configure domain user accounts, such as setting password requirements (whether the users must change their passwords the next time they log on). In addition, you can create a home folder to provide users with a central location in which they can store their data.

======Network Lab Users Accounts Management page 4 2.1 Installing Windows 2000 Administration Tools

Install Windows 2000 Administration Tools to remotely manage a domain controller from any computer (client computers and member servers) that is running Windows 2000. Windows 2000 Administration Tools is included on the Windows 2000 Server and Windows 2000 Advanced Server compact discs.

Note: You must have administrative rights on the domain controller to manage the domain remotely.

Install Windows 2000 Administration Tools on a computer running Windows 2000 Professional or on a stand-alone or member server running Windows 2000 Server or Windows 2000 Advanced Server. To install Windows 2000 Administration Tools, open the I386 folder on the applicable Windows 2000 Server compact disc, and then double-click Adminpak.msi. The Windows 2000 Administration Tools Setup wizard guides you through the process of installing Windows 2000 Administration Tools. After Windows 2000 Administration Tools is installed, you can gain access to the administrative tools by clicking Start, pointing to Programs, and then pointing to Administrative Tools.

For security purposes, do not log on to the domain with administrative privileges. Instead, log on as a normal user and use the runas command when performing administrative tasks. The runas command enables you to use administrative tools with administrative rights and permissions while you are logged on as a normal user.

To use the runas command, on the Administrative Tools menu, hold the SHIFT key, right-click Active Directory Users and Computers, and then click Run as. In the Run As Other User dialog box, verify that Run the program as the following user is selected. Type the user name and password for your administrator account, type the domain, and then click OK.

======Network Lab Users Accounts Management page 5 2.2 Creating a Domain User Account

A domain user account resides on a domain controller and is automatically replicated to all other domain controllers. Create the domain user account in the default Users folder or in a separate folder that you have created to hold domain user accounts. To create a domain user account, perform the following steps:

1. Open Active Directory Users and Computers from the Administrative Tools menu, and then expand the domain in which you want to add the user account. 2. Right-click the folder that will contain the user account, point to New, and then click User.

The following table describes the options that you can configure.

Option Description First name The user's first name.

Initials The user's middle initials. This is not a required entry.

Last name The user's last name.

Full name The user's complete name. This name must be unique within the folder in which you create the account. Windows 2000 completes this option if you enter information in the First name or Last name box, and then displays this name in the folder where the user account is located in Active Directory.

User logon name The user's unique logon name, based on the naming conventions. This is required and must be unique within Active Directory.

User logon name The user's unique logon name that is used to log on from previous versions (pre-Windows of Microsoft Windows. This is a required entry and must be unique within 2000) the domain.

======Network Lab Users Accounts Management page 6

Setting Password Requirements

The following table describes the password requirements that you can configure when you assign a password to a domain user account.

Option Description

Password Provide the password that is used to authenticate the user. For greater security, you must assign a complex password. The password is not visible when you type it. Instead, it is represented as a series of asterisks (*).

Confirm password Confirm the password by typing it a second time to ensure that it has been entered correctly. This is a required entry.

User must change Select this check box if you want the user to change his or her password the first time password at next that he or she logs on. This ensures that the user is the only person who knows the logon password.

User cannot change Select this check box if you have more than one person using the same domain user password account (such as Guest) or to maintain control over user account passwords. This allows only administrators to control passwords.

Password never Select this check box if you never want the password to change-for example, for a expires domain user account that will be used by an application or a service in Windows 2000. Never enable Password never expires for Administrator accounts.

Account is disabled Select this check box to prevent use of this user account-for example, for a new employee who has not yet started.

Note: The Password never expires option overrides the User must change password at next logon option.

2.3 Managing User Data by Creating Home Folders

You can provide a centralized network location for users to store their documents. This additional location is the user's home folder. Home folders are not part of a user profile, so they do not ======Network Lab Users Accounts Management page 7 affect the logon process. You can locate all users' home folders in a central location on a network server.

Consider the following points when determining the home folder location: • Back up and restore capability Preventing the loss of data is your primary responsibility. It is much easier to ensure that files are backed up when they are located in a central location on a server. If users' home folders are located on their local computers, you will need to perform regular backups on each computer.

• Sufficient space on the server It is important that there is enough room on the server to allow users to store their data. Windows 2000 provides more precise control of network-based storage with disk quotas, which enable you to monitor and limit the amount of hard disk space used by each user.

• Sufficient space on users' computers If users are working on computers with very little disk space or no hard disks, home folders should be located on a network server.

• Network Performance There is less network traffic if the home folder is located on the user's local computer.

To create a home folder, perform the following tasks:

1. Create and share a folder on a server. 2. Grant the appropriate permission for the folder. 3. Provide a path for the user account to the folder.

2.4 Setting Properties for Domain User Accounts

A set of default properties is associated with each domain user account that you create. After you create a domain user account, you can configure personal and account properties, logon options, and dial-up settings.

You can use the properties that you define for a domain user account to search for users in Active Directory. For example, you can search for a person by a telephone number, office location, manager's name, or last name. For this reason, you should provide detailed property definitions for each domain user account that you create.

2.4.1 Setting Personal Properties

The Properties dialog box contains information about each user account. This information is stored in Active Directory. The more complete the information, the easier it is to search for users in Active Directory. For example, if all of the properties on the Address tab are complete, you can locate the user by using the street address as the search criteria.

======Network Lab Users Accounts Management page 8

To set personal properties, perform the following steps:

1. Open Active Directory Users and Computers from the Administrative Tools menu, select the domain, and then click the appropriate folder to view available domain user accounts. 2. Right-click the appropriate domain user account, and then click Properties. 3. On the Properties dialog box, choose the appropriate tab for the personal properties that you want to enter or change, and then enter values for each property. The following table describes the tabs in the user Properties dialog box.

Tab Purpose

General Documents the user's name, description, office location, telephone number, e-mail alias, and home page information.

Address Documents the user's street address, post office box, city, state or province, postal zip code, and country.

Account Assigns the user's logon name, set account options, and specify account expiration.

Profile Assigns the user's profile path and home folder.

Telephones Documents the user's home, pager, mobile, fax, and Internet Protocol (IP) telephone numbers, and allows you to type notes that contain descriptive information about the user.

Organization Documents the user's title, department, company manager, and direct reports.

Member Of Specifies the groups to which the user belongs.

Dial-in Sets remote access permissions, callback options, and static IP address and routes.

Environment Specifies one or more applications to start up and the devices to connect to when a Terminal Services user logs on.

Sessions Specifies Terminal Services settings.

Remote control Specifies Terminal Services remote control settings.

Terminal Services Sets the user's Terminal Services profile. Profile

2.4.2 Setting Account Properties

On the Account tab of the Properties dialog box, you can configure settings that were specified when you created a domain user account, such as the user logon name and logon options. You can modify the password requirements by clearing or selecting the appropriate check box under Account options. ======Network Lab Users Accounts Management page 9

In addition, you can use the Account tab to set an expiration date for a user account. This is the date on which Windows 2000 will automatically disable the user account. By default, a user account never expires.

To set an account expiration date, perform the following steps: 1. Open the Properties dialog box for the appropriate user account. 2. On the Account tab, under Account Expires, click End of. Select an expiration date from the list, and then click OK.

2.4.3 Specifying Logon Options

Setting logon options for a domain user account allows you to control the hours during which a user can log on to the domain, in addition to the computers from which a user can log on to the domain. These are settings you gain access to from the Account tab.

Setting Logon Hours By default, users can connect to a server 24 hours a day, 7 days a week. In a high-security network, you may want to restrict the hours when a user can log on to the network. For example, you may want to restrict hours in the following types of environments:

• Where logon hours are a condition for security certification, such as in a government network. • Where there are multiple shifts. You can enable night shift workers to log on only during their working hours. To set logon hours, perform the following steps:

1. Open the Properties dialog box for the user account. On the Account tab, click Logon Hours. A blue box indicates that the user can log on during the hour. A white box indicates that the user cannot log on. 2. To allow or deny access, do one of the following, and then click OK: * Select the boxes on the days and hours that you want to deny access by clicking the start time, dragging to the end time, and then clicking Logon Denied. * Select the rectangles on the days and hours that you want to allow access by clicking the start time, dragging to the end time, and then clicking Logon Permitted.

======Network Lab Users Accounts Management page 10 Important: Connections to network resources on the domain are not terminated when the user's logon hours expire. However, the user will not be able to make new connections to other computers in the domain.

Setting the Computers from Which Users Can Log On

By default, any user with a valid account can log on to the network from any computer running Windows 2000, unless the computer is a domain controller. In a high-security network where sensitive data is stored on the local computer, restrict the computers from which users can log on to the network. For example, User1 can only log on from the computer named Computer1. You cannot specify the computer from which a user cannot log on. To specify the computers from which a user can log on, perform the following steps:

1. Open the Properties dialog box for the user account, and then, on the Account tab, click Log On To. 2. Click The following computers. Add the computers from which a user can log on by typing the name of the computer in the Computer name box, and then click Add. When you are finished adding computers, click OK.

2.4.4 Copying Domain User Accounts

You can copy an existing domain user account to simplify the process of creating a new domain user account. When you copy an existing user account, many of the account properties are copied to the new user account. This eliminates the need to configure all of the properties for the new user account.

Note: You cannot copy user accounts on a computer that is running Windows 2000 Professional or on a Windows 2000 member server. You can only copy user accounts on a domain controller.

Properties Copied to the New User Account The user properties are copied from the existing domain user account to the new domain user account as described in the following table.

Tab Properties copied to new domain user account

General None.

Address All, except Street Address.

Account All, except Logon Name, which is copied from the Copy Object - User dialog box.

Profile All, except the Profile path and Home folder entries, which are modified to reflect the new user's logon name.

Telephones None.

Organization All, except Title.

Member Of All.

Dial-in None. Default settings apply to new user account.

Environment None. Default settings apply to new user account.

Sessions None. Default settings apply to new user account.

======Network Lab Users Accounts Management page 11 Remote control None. Default settings apply to new user account.

Terminal Services None. Default settings apply to new user account. Profile

Important: Rights and permissions that are granted to an individual user account are not copied to the new user account.

Copying an Existing User Account

To create a new user account by copying an existing user account, perform the following steps:

1. Open Active Directory Users and Computers, and then click the Users folder in the console tree. 2. In the details pane, right-click the user account that you want to copy, and then click Copy. 3. In the Copy Object - User dialog box, type the user name and user logon name information for the new user account, and then click Next. 4. Type and confirm the password, set the password requirements (clear the Account is disabled check box, if appropriate), and then click Next. 5. Verify that the new user account information is correct, and then click Finish. . Creating User Account Templates

A user account template is a standard user account that you can create to contain the properties that apply to users with common needs. For example, if all sales personnel require membership in the Sales group, you can create a template that includes membership to that group.

To create a template, create a new domain user account, or copy an existing domain user account. Assign a unique account name, and remember to select the Account is disabled check box when setting the password requirements.

Guidelines to consider when creating templates are:

• Make a template for each classification of employee, such as sales, accountants, managers, and so on. • If you commonly have short-term or temporary network users, create a template with limited logon hours, workstation specifications, and other necessary restrictions.

======Network Lab Users Accounts Management page 12

Tip: If you begin each template name with a nonalphabetic character, such as the underscore character (_), the template will always appear at the top of the list in the details pane of the Active Directory Users and Computers window.

Creating a New User Account by Using a Template

To use a template to create a new user account, copy the template account, assign a user name and password for the new user, and change the user account properties as necessary. Remember to clear the Account is disabled check box.

2.5 Customizing User Settings with User Profiles

In Windows 2000, a user's computing environment is determined primarily by the user profile. For security purposes, Windows 2000 requires a user profile for each user account that has access to the system.

The user profile contains all of the settings that the user can define for the work environment of a computer running Windows 2000, including display, regional, mouse, and sounds settings, in addition to network and printer connections. You can set up user profiles so that a profile follows a user to each computer that the user logs on to.

2.5.1 User Profile Types

A user profile is created when a user logs on to a computer for the first time. All user-specific settings are automatically saved in the user's folder within the Documents and Settings folder (C:\Documents and Settings\User name). When the user logs off, the user's profile is updated on the computer at which the user was logged on. Thus, the user profile maintains the desktop settings for each user's work environment on the local computer. Types of user profiles include: • Default user profile • Local user profile • Roaming user profile • Mandatory user profile

• Default user profile. Serves as the basis for all user profiles. Every user profile begins as a copy of the default user profile, which is stored on each computer running Windows 2000 Professional or Windows 2000 Server. ======Network Lab Users Accounts Management page 13 • Local user profile. Created the first time a user logs on to a computer and is stored on the local computer. Any changes made to the local user profile are specific to the computer on which the changes were made. Multiple local user profiles can exist on one computer.

• Roaming user profile. Created by the system administrator and stored on a server. This profile is available every time a user logs on to any computer on the network. If a user makes changes to his or her desktop settings, the user profile is updated on the server when the user logs off. • Mandatory user profile. Created by the administrator to specify particular settings for a user or users and it can be local or roaming. A mandatory user profile does not enable users to save any changes to their desktop settings. Users can modify the desktop settings of the computer while they are logged on, but these changes are not saved when they log off. Only system administrators can make changes to mandatory user profiles.

2.5.2 Creating Roaming and Mandatory Roaming User Profiles

You can store user profiles on a server so that they are available every time a user logs on to any computer on the network. Roaming and mandatory user profiles are stored centrally on a server in order to provide users with the same working environment regardless of which computer they log on to.

Creating a Roaming User Profile To set up a roaming user profile, perform the following tasks:

1. Create a shared folder on a server and provide users with the Full Control permission to the folder. Provide the path to the shared folder. Open Active Directory Users and Computers. In the details pane, right-click the applicable user account, and then click Properties. On the Profile tab, under User profile, type the path information to specify the shared folder in the Profile path box.

======Network Lab Users Accounts Management page 14 The path information should appear as follows:

\\server_name\shared_folder_name\user_name

You can use the variable %username% instead of typing in the user name. Windows 2000 automatically replaces %username% with the user account name for the roaming user profile.

Note: The Ntuser.dat file contains the section of the registry that applies to the user account and contains the user profile settings. This file is located in the user's profile folder.

Creating a Mandatory Roaming User Profile Typically you use a mandatory profile when a group of users needs the same desktop settings and you do not want them to modify their desktops.

To create a mandatory roaming user profile, perform the following tasks:

1. Create a shared folder on a server with a profile folder for the user profile you will create inside. Provide users with the Full Control permission to the profile folder. For example, create a folder called Profiles, and then create a folder called User1 in the Profiles folder. 2. Set up a configured roaming user profile. In Active Directory Users and Computers, create a new user, specify the user's profile folder for the path information, and then configure the profile. For example, create a user called User1 and specify the profile path of \\server_name\Profiles\User1. To configure the profile, log on to the domain as User1, modify the desktop settings as necessary, and then log off. 3. Rename the profile file Ntuser.dat to Ntuser.man. This makes the profile read-only and therefore mandatory. To rename the profile, log on as Administrator, open Windows Explorer, and, in the user's profile folder, rename the Ntuser.dat file to Ntuser.man. After a roaming user profile is created, only an administrator can modify it.

Note: The Ntuser.dat file in the user's profile folder will be hidden. To view the file in Windows Explorer, click Tools, and then click Folder Options. On the View tab of the Folder Options dialog box, under Advanced settings, click Show hidden files and folders. Clear the Hide file extensions for known file types check box, and then click OK.

======Network Lab Users Accounts Management page 15