Creating and Managing User Accounts

Overview

As an administrator, you need to provide the users in your organization with access to the various network resources that they require. User accounts enable users to log on and gain access to local or domain resources. In this module, you will learn how to create local and domain user accounts and set properties for them.

Guidelines for New User Accounts

A user account enables a user to log on to computers and domains with an identity that can be authenticated and authorized for access to domain resources. To make the process of creating user accounts more efficient, you need to familiarize yourself with the conventions and guidelines already in use on the network. Following the conventions and guidelines makes it easier for you to manage the user accounts after they are created.

1. Introduction to User Accounts

A user account contains a user's unique credentials and enables a user to log on to the domain to gain access to network resources or to log on to a specific computer to access resources on that computer. Each person who regularly uses the network should have a user account.

The following table describes the types of user accounts that Microsoft® Windows® 2000 provides.

User account type | Description
Local user account | Enables a user to log on to a specific computer to gain access to resources on that computer. Users can gain access to resources on another computer if they have a separate account on the other computer. These user accounts reside in the Security Accounts Manager (SAM) of the computer.
Domain user account | Enables a user to log on to the domain to gain access to network resources. The user can gain access to network resources from any computer on the network with a single user account and password. These user accounts reside in the Active Directory® directory service.
Built-in user account | Enables a user to perform administrative tasks or to gain temporary access to network resources. There are two built-in user accounts that cannot be deleted: Administrator and Guest. The local Administrator and Guest user accounts reside in SAM and the domain Administrator and Guest user accounts reside in Active Directory. Built-in user accounts are automatically created during Windows 2000 installation and the installation of Active Directory.

=================================================================================
Network Lab Users Accounts Management page 1

1.1 Naming Conventions

The naming convention establishes how user accounts are identified in the domain. A consistent naming convention makes it easier to remember user logon names and locate them in lists. It is a good practice to adhere to the naming convention already in use in an existing network that supports a large number of users.

Consider the following guidelines for naming conventions:

• User logon names for domain user accounts must be unique in Active Directory. Domain user account full names must be unique within the domain in which you create the user account. Local user account names must be unique on the computer on which you create the local user account.
• User logon names can contain up to 20 uppercase and lowercase characters (the field accepts more than 20 characters, but Windows 2000 recognizes only 20), except for the following:
  " / \ [ ] : ; | = , + * ? < >
  You can use a combination of special and alphanumeric characters to help uniquely identify user accounts.
• If you have a large number of users, your naming convention for logon names should accommodate employees with duplicate names. The following are some suggestions for handling duplicate names:
  o Use the first name and the last initial, and then add additional letters from the last name to accommodate duplicate names.
    For example, for two users named Judy Lew, one user account logon name could be Judyl and the other Judyle.

  In some organizations, it is useful to identify temporary employees by their user accounts. To do so, you can prefix the user account name with a T and a dash. For example, T-Judyl.

1.2 Password Guidelines

To protect access to the domain or a computer, every user account should have a complex password. This helps to prevent unauthorized individuals from logging on to your domain. Consider the following guidelines for assigning passwords to user accounts:

• Always assign a complex password for the Administrator account to prevent unauthorized access to the account.
• Determine whether you or the users will control passwords. You can assign unique passwords for the user accounts and prevent users from changing them, or you can allow users to enter their own passwords the first time that they log on. In most cases, users should control their own passwords.
• Educate users about the importance of using complex passwords that are hard to guess:
  * Avoid using passwords with an obvious association, such as a family member's name.
  * Use long passwords because they are harder to guess. Passwords can be up to 128 characters. A minimum length of eight characters is recommended.
  * Use a combination of uppercase and lowercase letters and non-alphanumeric characters.

1.3 Account Options

User account options control how a user accesses the domain or a computer. For example, you can limit the hours during which a user can log on to the domain and the computers from which the user can log on. You can also specify when a user account expires. This enables you to maintain the security required by your network.

Logon Hours

You can set logon hours for users who require access only at specific times.
For example, you can set logon hours for night shift workers to enable them to log on only during their working hours.

Computers from Which Users Can Log On

Users can log on to the domain by using any computer in the domain by default. You can configure account options to specify the computers from which users can log on. For example, you can enable users, such as temporary workers, to log on to the domain only from their computer. This prevents these users from logging in to other computers and gaining access to sensitive information that is stored on other computers.

Account Expiration

You can set an expiration date on a user account to ensure that the account is disabled when the user no longer requires access to the network. For example, as a good security practice, you can set user accounts for temporary workers to expire on the date when their contracts end.

2. Creating Local User Accounts

Use Computer Management to create a local user account. You can create local user accounts only on computers running Windows 2000 Professional and on stand-alone or member servers running Windows 2000 Server or Windows 2000 Advanced Server.

Characteristics of Local User Account

A local user account is used only in a smaller network environment, such as a workgroup, or on stand-alone computers that are not networked. Do not create local user accounts on computers that are part of a domain because the domain does not recognize local user accounts and as a result, the user account would only be able to gain access to resources that are on the computer.

Local user accounts reside in the SAM database, which is the local security account database of the computer on which you created the account. They are not stored in Active Directory for the domain. In addition, local user accounts have fewer properties than domain accounts.
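
The logon-name rules from section 1.1 (20 recognized characters, the disallowed character list, first name plus last initial with extra letters for duplicates, and the T- prefix for temporary employees) can be checked in code. The following is an added example, not part of the original module; the function names are assumptions chosen for illustration.

```python
# Added example (not from the original module): logon names per section 1.1.
FORBIDDEN = set('"/\\[]:;|=,+*?<>')   # characters the module lists as not allowed
MAX_LEN = 20                          # Windows 2000 recognizes only 20 characters

def validate_logon_name(name):
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    if not name:
        problems.append("empty name")
    if len(name) > MAX_LEN:
        problems.append("longer than 20 characters")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems

def propose_logon_name(first, last, existing, temporary=False):
    """First name + last initial; add letters from the last name on duplicates."""
    prefix = "T-" if temporary else ""   # marks temporary employees
    # Logon names are not case-sensitive, and only the first 20 characters count.
    taken = {name[:MAX_LEN].lower() for name in existing}
    for n in range(1, len(last) + 1):
        candidate = f"{prefix}{first}{last[:n].lower()}"
        problems = validate_logon_name(candidate)
        if problems:
            raise ValueError(f"{candidate!r}: {'; '.join(problems)}")
        if candidate.lower() not in taken:
            return candidate
    raise ValueError(f"no unused logon name left for {first} {last}")

if __name__ == "__main__":
    # Constructed staff list: (first name, last name, temporary employee?)
    staff = [("Judy", "Lew", False), ("Judy", "Lew", False), ("Judy", "Lew", True)]
    directory = []
    for first, last, temp in staff:
        directory.append(propose_logon_name(first, last, directory, temp))
    print(directory)
```
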
To create a local user account, perform the following steps:

1. Click Start, point to Programs, point to Administrative Tools, and then click Computer Management.
2. In Computer Management, expand Local Users and Groups.
3. Right-click the Users folder, and then click New User. The following table describes the user information you provide for a local user account.

   Option | Description
   User name | The user's unique logon name, based on your naming convention.
   Full name | The user's complete name. Use this to determine to which person the local user account belongs.
   Description | A description that you can use to identify the user by job title, department, or office location. This field is optional.

4. In the Password and Confirm Password boxes, type the user's password.
5. Select the appropriate check box or check boxes to set the password restrictions.
6. Click Create to create the user account.

When you create a local user account, Windows 2000 does not replicate the local user account information to domain controllers. A domain controller is a Windows 2000-based server that is running Active Directory. This is why you cannot use local user accounts to gain access to resources on other computers.

After the local user account is created, the computer uses its SAM to authenticate the local user account, which allows the user to log on to that computer. The user can then gain access to resources that are available only on the local computer.

3. Creating and Configuring Domain User Accounts

Domain user accounts allow users to log on to a domain and gain access to resources anywhere on the network. You create a domain user account on a domain controller. Windows 2000 provides administrative tools to help you create and administer user accounts.

Windows 2000 Administration Tools are installed on a domain controller by default.
However, you can remotely manage a domain and its user accounts by manually installing the Windows 2000 Administration Tools on a member server or a computer running Windows 2000 Professional. Use Active Directory Users and Computers to create the domain user account and to configure domain user accounts, such as setting password requirements (whether the users must change their passwords the next time they log on).
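
The account options from section 1.3 lend themselves to a periodic review of how accounts are actually configured. The following is an added example, not part of the original module: it audits a constructed account export against the module's guidance for temporary workers and shift workers, and the record field names (contract_end, expires, workstations, shift_only, logon_hours) are assumptions made for illustration.

```python
from datetime import date

# Constructed sample export; the field names are assumptions for this example.
ACCOUNTS = [
    {"logon": "Judyl", "expires": None, "workstations": []},
    {"logon": "T-Judyle", "contract_end": date(2001, 6, 30),
     "expires": date(2001, 6, 30), "workstations": ["TEMP-PC01"]},
    {"logon": "T-Markh", "contract_end": date(2001, 3, 31),
     "expires": None, "workstations": []},
    {"logon": "T-Annab", "contract_end": date(2001, 3, 31),
     "expires": date(2001, 12, 31), "workstations": ["TEMP-PC02"]},
    {"logon": "Nightop", "expires": None, "workstations": [],
     "shift_only": True, "logon_hours": None},
]

def audit_account(acct):
    """Return findings for one account, following the section 1.3 options."""
    findings = []
    # Section 1.1 convention: temporary employees carry a T- prefix.
    if acct["logon"].upper().startswith("T-"):
        end, expires = acct.get("contract_end"), acct.get("expires")
        if expires is None:
            findings.append("temporary account never expires")
        elif end is not None and expires > end:
            findings.append("expires after contract end")
        if not acct.get("workstations"):
            findings.append("temporary account may log on from any computer")
    # Users who need access only at specific times should have logon hours set.
    if acct.get("shift_only") and not acct.get("logon_hours"):
        findings.append("shift worker has no logon-hours restriction")
    return findings

def audit(accounts):
    """Map logon name -> findings, listing only accounts that have findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct["logon"]] = findings
    return report

if __name__ == "__main__":
    for logon, findings in audit(ACCOUNTS).items():
        print(logon, "->", "; ".join(findings))
```
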