Chapter 7, User Account Administration
Chapter 7, Lesson 1
Introduction to User Accounts
1. Overview
A. A user account provides a user with the
ability to log on to the domain to gain access to network resources or to log
on to a computer to gain access to resources on that computer.
B. Each person who regularly uses the network
should have a unique user account.
2. Local User Accounts
A. Allow users to log on and gain access to
resources only on the computer where the local user account is created
B. Microsoft Windows 2000 creates the account
only in that computer’s security database, which is called the local security
database.
C. Windows 2000 does not replicate local user
account information to domain controllers.
D. After the local user account exists, the
computer uses its local security database to authenticate the local user
account, which allows the user to log on to that computer.
E. The domain does not recognize local user
accounts.
F. Do not create local user accounts on computers
that require access to domain resources
G. The domain administrator is unable to
administer the local user account properties or assign access permissions for
domain resources unless the administrator connects to the local computer using
the Action menu on the Computer Management console.
3. Domain User Accounts
A. Overview
1. Domain user accounts allow users to log
on to the domain and gain access to resources anywhere on the network.
2. The user provides a user name and
password during the logon process.
3. A domain user account can be created in a
container or OU in the copy of the Active Directory database on a domain
controller.
4. The domain controller replicates the new
user account information to all domain controllers in the domain.
5. After the new user account information is
replicated, all of the domain controllers in the domain tree can authenticate
the user during the logon process.
B. Access token
1. Windows 2000 authenticates the user and
then builds an access token that contains information about the user and
security settings.
2. The access token identifies the user
trying to gain access to resources on computers running Windows 2000 and
pre–Windows 2000 computers.
3. Windows 2000 provides the access token
for the duration of the logon session.
Note: During the few minutes it takes to replicate the domain, the user could be prevented from immediately logging on using the newly created domain user account. By default, replication of directory information occurs every five minutes.
4. Built-In User Accounts
A. Commonly used built-in accounts
1. Administrator
a. Used to manage the overall computer and
domain configuration
b. Create a user account to perform
nonadministrative tasks
c. Use only when performing administrative
tasks
d. Can be renamed to provide a greater degree
of security
e. Cannot be deleted
2. Guest
a. Allows occasional users the ability to log
on and gain access to resources
b. Disabled by default
c. Enabled only in low-security networks
d. Always assigned a password
e. Can be renamed and disabled, but not
deleted
B. Other built-in accounts
1. IUSR_computername
and IWAM_computername
a. Automatically created when Internet
Information Services (IIS) is installed on the domain controller
b. IUSR_computername
is an account for anonymous access to IIS.
c. IWAM_computername
is an account for anonymous access to IIS out-of-process applications.
2. TsInternetUser
a. Automatically created when Terminal
Services is installed on the domain controller
b. Account used by Terminal Services
Chapter 7, Lesson 2
Planning New User Accounts
1. Naming Conventions
A. Overview
1. A naming convention establishes how users
are identified in the domain.
2. A consistent naming convention helps
users to remember logon names and locate them in lists.
B. Considerations
1. Local user account names must be unique
on the computer where the local user account is created.
2. The user’s logon name (DN) must be unique
to the directory.
3. The user’s full name (RDN) must be unique
within the OU where the domain user account is created.
4. User logon names can contain up to 20
upper case or lower case letters.
5. The following characters are invalid: " / \ [ ] : ; | = , + * ? < >
6. Use a combination of special and
alphanumeric characters to help uniquely identify user accounts.
Note: User logon names are not case-sensitive, but Windows 2000 preserves the case. In addition, Windows 2000 recognizes only the first 20 characters, even though the field accepts more than 20.
7. Add letters from the last name to
differentiate duplicate employee names.
8. Identify temporary accounts with, for
example, a “T-” prefix.
9. Some e-mail systems might not accept
characters, such as spaces and
“( )” brackets.
2. Password Requirements
A. Always assign a password for the
Administrator account to prevent unauthorized access to the account.
B. Determine whether the Administrator or the
users will control passwords.
C. Use passwords that are hard to guess.
D. Passwords can be up to 14 characters (note that only this many characters are recognized); a minimum length of eight characters is recommended.
E. Use characters from each of the following
three groups: upper case and lower case letters, numerals, and nonalphanumeric
characters.
F. Have at least one symbol character in the
second through sixth positions.
G. Make new passwords significantly different
from prior passwords.
H. Passwords must not contain the user’s
name.
I. Passwords must not be a common word or
name.
Note: Windows 2000 group policies can also affect passwords.
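The naming-convention rules under Considerations and the password rules D through I above can be checked mechanically before an account is created. The following checker is an added example, not part of the original course notes; the common-word list, the prior-password similarity heuristic and the sample inputs are constructed for illustration.

```python
"""Checker for the logon-name and password rules listed in Lesson 2.
Added example; it is not part of the original course notes. The common-word
list, the prior-password heuristic and the sample inputs are constructed."""

# Characters the notes list as invalid in a user logon name.
INVALID_LOGON_CHARS = set('"/\\[]:;|=,+*?<>')
MAX_LOGON_NAME_LEN = 20   # Windows 2000 recognizes only the first 20 characters
MAX_PASSWORD_LEN = 14     # the notes say only this many characters are recognized
MIN_PASSWORD_LEN = 8      # recommended minimum length

# Constructed stand-in for a real dictionary of common words and names.
COMMON_WORDS = {"password", "welcome", "letmein", "contoso", "summer", "smith"}


def check_logon_name(name, existing_names=()):
    """Return the naming-convention rules a proposed logon name violates."""
    problems = []
    if not name:
        return ["logon name is required"]
    if len(name) > MAX_LOGON_NAME_LEN:
        problems.append("longer than 20 characters; only the first 20 are recognized")
    bad = sorted(INVALID_LOGON_CHARS.intersection(name))
    if bad:
        problems.append("contains invalid characters: " + " ".join(bad))
    # Logon names are not case-sensitive (case is only preserved), so a name
    # that differs from an existing one only in case is a duplicate.
    if name.lower() in {n.lower() for n in existing_names}:
        problems.append("duplicate of an existing logon name (case is ignored)")
    return problems


def _stem(password):
    """Constructed heuristic: lower-case and drop trailing digits, so that
    'Spring2001' and 'spring2002' count as the same password."""
    return password.lower().rstrip("0123456789")


def check_password(password, user_name, full_name="", previous=()):
    """Return the password rules (D through I) a proposed password violates."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("shorter than the recommended eight characters")
    if len(password) > MAX_PASSWORD_LEN:
        problems.append("longer than 14 characters; the rest is not recognized")
    # Rule E: letters, numerals and non-alphanumeric characters must all appear.
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (has_letter and has_digit and has_symbol):
        problems.append("must use letters, numerals and non-alphanumeric characters")
    # Rule F: at least one symbol in positions 2 through 6 (indexes 1 to 5).
    if not any(not c.isalnum() for c in password[1:6]):
        problems.append("no symbol character in positions 2 through 6")
    # Rule H: must not contain the logon name or any part of the full name.
    lowered = password.lower()
    name_parts = [user_name] + full_name.split()
    if any(part and part.lower() in lowered for part in name_parts):
        problems.append("contains the user's name")
    # Rule I: must not be a common word or name.
    if lowered in COMMON_WORDS:
        problems.append("is a common word or name")
    # Rule G: must differ significantly from prior passwords.
    if any(_stem(password) == _stem(old) for old in previous):
        problems.append("too similar to a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_logon_name("j/smith", ["tjones"]))
    print(check_password("tjones99", "tjones", "Terry Jones"))
    print(check_password("Tr!p0d-Rx", "tjones", "Terry Jones"))
```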
3. Account Options
A. Logon hours
1. Assess the hours when a user can log on
to the network.
2. Set logon hours for users who require
access only at specific times.
B. Computers from which users can log on
1. Assess the computers from which a user
can log on.
2. By default, users can log on to the
domain by using any computer in the domain.
3. Require users to log on to the domain
only from their computer
Note: If NetBIOS over TCP/IP is disabled, Windows 2000 is unable to determine from which computer a user is logged on and, therefore, restricting users to specific computers is not possible.
C. Account expiration
1. Determine whether a user account should
expire.
2. Set an expiration date on the user
account to ensure that the account is disabled when the user should no longer
have access to the network.
3. Set user accounts for temporary employees
to expire when their contracts end.
Chapter 7, Lesson 3
Creating User Accounts
1. Creating Local User Accounts
A. Overview
1. Use the Local Users and Groups snap-in to
create, delete, or disable local user accounts on the local computer in a
workgroup.
2. Local user accounts cannot be created on
a domain controller.
B. To create local user accounts
1. Click Start, point to Programs, point to
Administrative Tools, and then click Computer Management
2. Expand the Local Users and Groups
snap-in, right-click Users, and select New User
3. In the New User dialog box, set the local
user account options
C. Local user account options
1. User Name: A unique name based on naming
conventions; required
2. Full Name: Complete name of the user;
determines which person belongs to an account; optional
3. Description: Useful for identifying
users; optional
4. User Must Change Password At Next Logon:
Requires user to change password when logging on the first time
5. User Cannot Change Password: Only
administrators are allowed to control passwords
6. Password Never Expires: Password will
never change
7. Account Is Disabled: Prevents use of the
user’s account
2. Creating Domain User Accounts
A. Overview
1. Use the Active Directory Users and
Computers console to create, delete, or disable domain user accounts on the
domain controller, or local user accounts on any computer in the domain.
2. The user logon name defaults to the
domain in which the domain user account is being created.
3. With proper permissions, any domain can
be selected to create domain user accounts.
4. The container must be selected to create
the new account.
5. Create the account in the default Users
container or in a container that is created to hold domain user accounts
B. To create domain user accounts
1. Click Start, point to Programs, point to
Administrative Tools, and then click Active Directory Users And Computers
2. Click the domain, right-click the Users container, point to New, and click User
3. In the New Object-User dialog box, set
the domain user name options
C. User name options
1. First Name: The user’s first name
2. Initials: The user’s initials
3. Last Name: The user’s last name
4. Full Name: The user’s complete name
5. User Logon: Uniquely identifies the user
throughout the entire network
6. User Logon Name (Pre–Windows 2000):
User’s unique logon name that is used to log on from earlier versions of
Windows; entry is required and must be unique within the domain
D. Password options
1. Password: Used to authenticate the user
2. Confirm Password: Confirmation that the
password was typed correctly
3. User Must Change Password At Next Logon:
Requires user to change password when logging on the first time
4. User Cannot Change Password: Only
administrators are allowed to control passwords
5. Password Never Expires: Password will
never change
6. Account Is Disabled: Prevents use of the
user’s account
3. Account Properties
A. User account properties
1. Overview
a. A default set of properties is associated
with each user account created.
b. Personal and account properties, logon
options, and dial-in settings can be configured after creating a user account.
c. Account properties equate to object
attributes for domain users.
d. Properties defined for a domain user
account can be used to search the directory or for use in other applications as
objects’ attributes.
e. Detailed definitions should be provided
for each domain user account created.
2. Properties dialog box tabs
a. General: User’s first name, last name,
display name, description, office location, telephone number(s), e-mail
address, home page, and additional Web pages
b. Address: User’s street address, post
office box, city, state or province, zip or postal code, and country or region
c. Account: User’s logon name, logon hours,
computers permitted to log on to, account options, and account expiration
d. Profile: Profile path, logon script path,
home directory, and shared document folder
e. Telephones: User’s home, pager, mobile,
fax, and IP telephone numbers, and spaces for comments
f. Organization: User’s title, department,
company, manager, and direct reports
g. Remote Control: Terminal Services remote
control settings
h. Terminal Services Profile: Terminal
Services user profile
i. Member Of: Groups to which the user belongs
j. Dial-In: Dial-in properties for the user
k. Environment: Terminal Services startup
environment
l. Sessions: Terminal Services timeout and reconnection settings
Note: For local user accounts, the Properties dialog box contains only the General, Member Of, and Profile tabs.
B. Setting personal properties
1. Overview
a. Four tabs in the Properties dialog box
contain personal information about each user: General, Address, Telephone, and
Organization.
b. These tabs allow you to locate domain user
accounts in the directory.
2. To set personal properties
a. On the Administrative Tools menu, click
Active Directory Users And Computers, and then click the domain
b. Click the appropriate container to view
available domain user accounts
c. Right-click the appropriate domain user
account and click Properties
d. Click the appropriate tab for the personal
properties that you want to enter or change, and then enter values for each
property
e. Click OK
C. Setting account properties
1. Overview
a. Use the Account tab in the Properties
dialog box to set options for a domain user account.
b. Some domain user account options are the
same for both the Account tab and the New Object-User dialog box.
2. Additional account options
a. Store Password Using Reversible
Encryption: Enables Macintosh users to log on
b. Smart Card Is Required For Interactive Logon: Requires the user to log on with a smart card
c. Account Is Trusted For Delegation: Allows
a user to assign responsibility for management and administration of a portion
of the namespace to another user, group, or organization
d. Account Is Sensitive And Cannot Be
Delegated: Prevents the account from being assigned for delegation by another
account
e. Use DES Encryption Types For This Account: Limits the account to Data Encryption Standard (DES) encryption types
f. Do Not Require Kerberos
Preauthentication: Removes Kerberos preauthentication for accounts using
another implementation of Kerberos
g. Account Expires: Sets account expiration
dates
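Several of the Account-tab options above are stored as bits of the user object's userAccountControl attribute, which makes them easy to audit across a container. The following audit is an added example, not from the course notes; the bit values are the standard userAccountControl flags, and the sample accounts are constructed.

```python
"""Decode the userAccountControl attribute of a user object and flag the
Account-tab options that weaken security. Added example, not from the course
notes; the bit values are the standard userAccountControl flags and the
sample accounts are constructed."""

UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",              # Account Is Disabled
    0x00000010: "LOCKOUT",                     # Account Is Locked Out
    0x00000020: "PASSWD_NOTREQD",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",  # Store Password Using Reversible Encryption
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",        # Password Never Expires
    0x00040000: "SMARTCARD_REQUIRED",          # Smart Card Is Required For Interactive Logon
    0x00080000: "TRUSTED_FOR_DELEGATION",      # Account Is Trusted For Delegation
    0x00100000: "NOT_DELEGATED",               # Account Is Sensitive And Cannot Be Delegated
    0x00200000: "USE_DES_KEY_ONLY",            # Use DES Encryption Types For This Account
    0x00400000: "DONT_REQ_PREAUTH",            # Do Not Require Kerberos Preauthentication
}

# Options that deserve a finding whenever they are set, with the reviewer's reason.
RISKY_FLAGS = {
    "PASSWD_NOTREQD": "blank password allowed",
    "ENCRYPTED_TEXT_PWD_ALLOWED": "password stored reversibly; set only if a protocol truly needs it",
    "DONT_EXPIRE_PASSWORD": "password is never rotated",
    "USE_DES_KEY_ONLY": "Kerberos limited to 56-bit DES keys",
    "DONT_REQ_PREAUTH": "Kerberos preauthentication disabled for this account",
    "TRUSTED_FOR_DELEGATION": "account may act on behalf of any user to other services",
}


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_account(logon_name, uac, privileged=False):
    """Return (logon_name, finding) pairs for one account."""
    flags = set(decode_uac(uac))
    findings = [(logon_name, RISKY_FLAGS[f]) for f in sorted(flags) if f in RISKY_FLAGS]
    # A privileged account should carry the "sensitive, cannot be delegated" option.
    if privileged and "NOT_DELEGATED" not in flags:
        findings.append((logon_name, "privileged account not marked sensitive/cannot be delegated"))
    return findings


def audit_directory(accounts):
    """accounts: iterable of (logon_name, userAccountControl, privileged) tuples."""
    findings = []
    for logon_name, uac, privileged in accounts:
        findings.extend(audit_account(logon_name, uac, privileged))
    return findings


# Constructed sample export, as an LDAP query of the Users container might return it.
SAMPLE_ACCOUNTS = [
    ("tjones", 0x200, False),
    ("svc_backup", 0x200 | 0x10000 | 0x80, False),
    ("legacy_app", 0x200 | 0x400000 | 0x200000, False),
    ("admin_ann", 0x200 | 0x40000, True),
    ("admin_bob", 0x200 | 0x100000, True),
]

if __name__ == "__main__":
    for name, finding in audit_directory(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```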
D. Setting logon hours
1. Overview
a. Controls when a user can log on to the
domain
b. Limits the hours users can explore the
network (By default, Windows 2000 permits access for all hours on all days.)
c. Reduces the amount of time that the
account is open to unauthorized access
2. To set logon hours
a. In the Properties dialog box, on the Account tab, click Logon Hours
Note: A blue box indicates that the user can log on during the hour, and a white box indicates that the user cannot log on.
b. To allow or deny access, do one of the
following:
(1) Select the rectangles on the days and hours
for which access is to be allowed, click the start time, drag to the end time,
and then click Logon Permitted
(2) Select the rectangles on the days and hours
for which access is to be denied, click the start time, drag to the end time,
and then click Logon Denied
c. Click OK
Note: Any connections to network resources on the domain are not disconnected when the user’s logon hours run out. However, the user will not be able to make any new connections.
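The grid in the Logon Hours dialog is stored on the user object as a week-long bitmask. The following model of it is an added example, not from the course notes; it assumes the layout of the logonHours attribute (21 bytes, one bit per hour, bit 0 of byte 0 being Sunday 00:00 to 01:00, kept in UTC while the dialog shows local time) and uses constructed sample timestamps.

```python
"""Week-long logon-hours mask in the layout of the logonHours attribute of a
Windows 2000 user object. Added example, not from the course notes; the layout
(21 bytes, one bit per hour, bit 0 of byte 0 = Sunday 00:00-01:00, stored in
UTC while the dialog shows local time) is the assumption it rests on."""
import datetime

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
MASK_BYTES = 21   # 7 days * 24 hours = 168 bits


def permit_all():
    """The default: logon permitted at all hours on all days."""
    return bytearray(b"\xff" * MASK_BYTES)


def deny_all():
    return bytearray(MASK_BYTES)


def _locate(day, hour):
    """Map a day name and hour to (byte index, bit index) in the mask."""
    if day not in DAYS or not 0 <= hour < 24:
        raise ValueError("day must be Sun..Sat and hour 0..23")
    return divmod(DAYS.index(day) * 24 + hour, 8)


def set_hours(mask, day, start, end, permitted):
    """Mark hours [start, end) on one day, like selecting a run of squares in
    the grid and clicking Logon Permitted or Logon Denied."""
    if not 0 <= start < end <= 24:
        raise ValueError("need 0 <= start < end <= 24")
    for hour in range(start, end):
        byte, bit = _locate(day, hour)
        if permitted:
            mask[byte] |= 1 << bit
        else:
            mask[byte] &= 0xFF ^ (1 << bit)


def logon_allowed(mask, day, hour):
    byte, bit = _locate(day, hour)
    return bool(mask[byte] >> bit & 1)


def logon_allowed_at(mask, when):
    """Check a logon timestamp (a datetime already in the mask's time zone)
    against the mask; useful when reviewing logon events after the fact."""
    day = DAYS[(when.weekday() + 1) % 7]   # Python: Monday == 0; mask: Sunday == 0
    return logon_allowed(mask, day, when.hour)


def business_hours_mask(start=8, end=18, workdays=("Mon", "Tue", "Wed", "Thu", "Fri")):
    """Deny everything, then permit only the working-day window."""
    mask = deny_all()
    for day in workdays:
        set_hours(mask, day, start, end, True)
    return mask


def permitted_hour_count(mask):
    return sum(bin(b).count("1") for b in mask)


def render(mask):
    """Draw the grid the Logon Hours dialog shows: '#' permitted, '.' denied."""
    rows = []
    for day in DAYS:
        cells = "".join("#" if logon_allowed(mask, day, h) else "." for h in range(24))
        rows.append(day + " " + cells)
    return "\n".join(rows)


def review_sample_logons(mask):
    """Constructed sample logon timestamps (a Monday 09:00, a Sunday 09:00 and a
    Wednesday 19:30) checked against the mask."""
    samples = [datetime.datetime(2024, 1, 8, 9, 0),
               datetime.datetime(2024, 1, 7, 9, 0),
               datetime.datetime(2024, 1, 10, 19, 30)]
    return [(t.isoformat(), logon_allowed_at(mask, t)) for t in samples]


if __name__ == "__main__":
    office = business_hours_mask()
    print(render(office))
    for stamp, ok in review_sample_logons(office):
        print(stamp, "permitted" if ok else "outside logon hours")
```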
E. Setting the computers from which users can log on
1. Logon options
a. Setting logon options for the domain user
account allows you to control the computers from which a user can log on to the
domain.
b. Setting the computers from which a user
can log on prevents users from accessing another user’s data that is stored on
that user’s computer.
c. By default, each user can log on from all
computers in the domain.
2. To set logon workstations
a. In the Properties dialog box, on the
Account tab, click Log On To
b. On the Logon Workstations dialog box,
select the option that specifies from which computers a user can log on
c. Add the computers from which a user can
log on
d. Delete or edit the name of a computer from
which the user can log on, if necessary
e. Click OK
F. Configuring dial-in settings
1. Overview
a. Configuring dial-in settings for a user
account permits you to control how a user can make a dial-in connection to the
network from a remote location.
b. User dials in to a computer running the
Windows 2000 Remote Access Server (RAS).
c. Configure dial-in settings on the Dial-In tab of the Properties dialog box
Note: Set up a dial-up connection by using the Network Connection Wizard, which can be accessed from Network Connections in My Computer.
2. Options on the Dial-In tab in the Properties dialog box
a. Allow Access: Turns on dial-in or virtual
private network (VPN) remote access for the user
b. Deny Access: Turns off dial-in or VPN
remote access for the user
c. Control Access Through Remote Access
Policy: Specifies that remote access permission for this user is controlled
through a remote access policy
d. Verify Caller-ID: Indicates the telephone
number that the user must use to dial in
e. Callback Options: Methods include:
(1) No Callback: RAS server will not call the
user back and the user pays the telephone charges (default option)
(2) Set By Caller (Routing and Remote Access
Service Only): User provides the telephone number for the RAS server to call
back
(3) Always Callback To: Uses specified
telephone number to call back the user
f. Assign A Static IP Address: Specifies
whether to disregard group dial-in profile settings and assign a static TCP/IP
address to this user
g. Apply Static Routes: Specifies whether to
configure predefined routes for one-way initiated demand-dial routed
connections
h. Static Routes: Allows the definition of
static routes
Chapter 7, Lesson 4
Creating User Profiles
1. Overview
A. A user profile is a collection of folders
and data that stores the user’s current desktop environment, application
settings, and personal data.
B. A user profile contains all network
connections established the first time a user logs on to a computer
C. A user profile maintains consistency of
desktop environments and provides each user with the same desktop environment
used the last time that user logged on.
2. User Profiles
A. Advantages to users
1. Multiple users can use the same computer; each user receives his or her own desktop settings at logon.
2. When logging on to their workstation,
users receive the same desktop settings as existed when they logged off.
3. Customization of the desktop environment
by one user does not affect another user’s settings.
4. Roaming user profile: User profile stored
on a server, which follows that user to any computer running Windows NT 4.0 or
Windows 2000 on the network
5. Application settings are retained for
applications that are Windows 2000–certified.
B. Administration advantages
1. Allows creation of a default user profile
that is appropriate for the user’s task
2. Allows a mandatory user profile to be
established that does not save changes made by the user to the desktop settings
3. Allows specific default user settings to
be included in all of the individual user profiles
C. Profile types
1. Local user profile: Created upon first
logon to a computer and stored on the computer’s local hard disk; changes are
saved on the computer on which changes are made
2. Roaming user profile: Created by the
system administrator and stored on a server; changes are updated on the server
3. Mandatory user profile: A roaming profile
used to specify particular settings for individuals or an entire group of
users; changes made by the user are discarded
D. Location of settings saved in a user
profile
1. Windows Explorer: All user-definable
settings for Windows Explorer
2. My Documents: User-stored documents
3. My Pictures: User-stored picture items
4. Favorites: Shortcuts to favorite locations
on the Internet
5. Mapped network drive: Any user-created
mapped network drives
6. My Network Places: Links to other
computers on the network
7. Desktop contents: Items stored on the
Desktop and Shortcut elements
8. Screen colors and fonts: All user-definable
computer screen colors and display text settings
9. Application data and registry hive:
Application data and user-defined configuration settings
10. Printer settings: Network printer
connections
11. Control Panel: All user-defined settings
made in the Control Panel
12. Accessories: All user-specific program
settings affecting the user’s Windows environment, including Calculator, Clock,
Notepad, and Paint
13. Windows 2000–based programs: Per-user
program settings for programs written specifically for Windows 2000 and
designed to track program settings
14. Online user education bookmarks: Any
bookmarks placed in the Windows 2000 Help system
E. Contents of a user profile
1. Overview
a. Local user profiles are stored in
C:\Documents and Settings\user-logon-name
folder.
b. Roaming user profiles are stored in a
shared folder on the server.
c. Use the My Documents folder to centralize
all user settings and personal documents into a single folder that is part of
the user profile
d. Windows 2000 automatically sets up the My
Documents folder, which is the default location for storing users’ data for
Microsoft applications.
e. Home directories can also contain files
and programs for a user.
2. Contents of a user profile folder
a. Application data folder: Program-specific
data
b. Cookies folder: User information and
preferences
c. Desktop folder: Includes files,
shortcuts, and folders
d. Favorites folder: Shortcuts to favorite
locations on the Internet
e. FrontPageTempDir folder: Temporary folder
used by Microsoft FrontPage
f. Local Settings folder: Application data,
History, and Temporary files; application data roams with the user by way of
roaming user profiles
g. My Documents folder: User documents
h. My Pictures folder: User picture items
i. NetHood folder: Shortcuts to My Network
Places items
j. PrintHood folder: Shortcuts to printer
folder items
k. Recent folder: Shortcuts to the most
recently used documents and accessed folders
l. SendTo folder: Shortcuts to document-handling
utilities
m. Start Menu folder: Shortcuts to program
items
n. Templates folder: User template items
o. NTUSER.DAT file: User registry settings
F. Local user profiles
1. Windows 2000 creates a local user profile
the first time a user logs on at a computer, storing the profile on that
computer.
2. The local user profile is stored in the
C:\Documents and Settings\user_logon_name
folder.
3. When logging on to Windows 2000, users
always receive their individual desktop settings and connections, regardless of
how many users share the same client computer.
4. When a user logs off, Windows 2000
incorporates the changes into the user profile stored on the computer.
G. Roaming user profiles
1. Overview
a. Roaming user profiles support users who
work at multiple computers.
b. Roaming user profiles are set up on the
network server and are available to the user no matter where the user logs on
in the domain.
c. Users always receive their own individual
desktop settings and connections.
d. When a user logs on, Windows 2000 copies
the roaming user profile from the network server to the client computer and
applies the roaming user profile settings to that computer.
e. The first time a user logs on at a
computer, Windows 2000 copies all documents to the local computer.
(1) Thereafter, Windows 2000 compares the
locally stored user profile files and the roaming user profile files and copies
only the files that have changed since the last time the user logged on at the
computer.
(2) When a user logs off, Windows 2000 copies
changes back to the server where the profile is stored.
2. Standard roaming user profiles
a. Windows 2000 creates a standard roaming
user profile for a group of users by configuring the desired desktop
environment and then copying the standard profile to the user’s roaming user
profile location.
b. Uses:
(1) Provide a standard desktop environment for
multiple users with similar job responsibilities
(2) Provide users with the work environment
needed to perform their jobs and to remove connections and applications not
required
(3) Simplify troubleshooting
3. Creating roaming user profiles
a. Overview
(1) Create roaming user profiles on a file
server that is frequently backed up.
(2) Place the roaming user profile folder on a
member server instead of a domain controller to improve logon performance.
(3) To create roaming user profiles and assign
home directories for user accounts, permission to administer the object in
which the user accounts reside is necessary.
b. To set up a roaming user profile
(1) On a server, create a shared folder and use
a path with the following format: \\server_name\shared_folder_name
(2) On the Profile tab in the Properties dialog box for the user account, provide the path to the shared folder in the Profile Path box: \\server_name\shared_folder_name\logon_name
Note: You can type the variable %username% instead of the user’s logon name. Windows 2000 automatically replaces the %username% variable with the user account name for the roaming user profile.
4. To create a standard roaming user profile
a. Create a user profile template with the
appropriate configuration
b. Create a shared folder on the server
c. Copy the user profile template to the
shared folder on the server and specify the users who are permitted to use the
profile in the User Profile tab in the System Properties dialog box in the
Control Panel
d. Specify the path to the profile template
in the Profile tab in the User Properties dialog box
H. Mandatory user profiles
1. Overview
a. A mandatory user profile is a read-only
roaming user profile.
b. Users can modify the desktop settings of
the computer while they are logged on, but none of these changes are saved when
they log off.
c. The next time the user logs on, the profile
is the same as the last time that user logged on.
d. One mandatory profile can be assigned to
multiple users who require the same desktop settings.
e. By changing one profile, several users’
desktop environments can be changed.
2. Creating a mandatory user profile
a. A hidden file called NTUSER.DAT contains
that section of the Windows 2000 system settings that applies to the individual
user account and contains the user environment settings.
b. This hidden file becomes a read-only file
if you change its name to NTUSER.MAN.
Chapter 7, Lesson 5
Creating Home Directories
1. Introducing Home Directories
A. Home Directory Overview
1. A folder that can be provided to users to
store personal documents in addition to the My Documents folder
2. Sometimes the default folder for saving
documents in older applications
3. Stored on a client computer or in a
shared folder on a file server
4. Not a member of a roaming user profile
5. Does not affect network traffic during
the logon process
B. Advantages
1. Users can gain access to their home
directories from any client computer on the network.
2. Backing up and administration of user
documents are centralized.
3. Home directories are accessible from a client computer running any Microsoft operating system.
Note: Store home directories on an NTFS volume to take advantage of the extra security.
2. Creating Home Directories
A. Overview
1. Permission to administer the object in
which the user accounts reside is mandatory.
2. Use %username%
to name a folder on an NTFS volume; the user is assigned the NTFS Full Control
permission.
3. All other permissions are removed from
the folder, including those for the Administrator account.
B. To create a home directory on a file
server
1. Create and share a folder in which to
store all home directories on a network server
2. Remove the default permission Full
Control from the Everyone group and assign Full Control to the Users group
3. Provide the path to the user’s home
directory folder in the shared home directory folder in the Profile tab of the
Properties dialog box for the user account
Chapter 7, Lesson 6
Maintaining User Accounts
1. Overview
A. The needs of an organization might require
the modification of user accounts.
B. Modifications of user accounts are based
on personnel changes or personal information.
C. You make changes to the user account
object in Active Directory to modify a user account.
D. You must have permission to administer the
object in which the user accounts reside.
2. Disabling, Enabling, Renaming, and Deleting
User Accounts
A. Modifications affecting the functionality
of user accounts
1. Disabling and enabling a user account
2. Renaming a user account
3. Deleting a user account
B. To disable, enable, rename, and delete
user accounts
1. In the Active Directory Users and
Computers console, expand the console tree until the appropriate user account
is visible, and then select the user account
2. On the Action menu, click the command for
the type of modification needed
3. If a user account is enabled, the Action
menu displays the Disable Account command.
4. If a user account is disabled, the Action
menu displays the Enable Account command.
3. Resetting Passwords and Unlocking User Accounts
A. Overview
1. If a user cannot log on to the domain or to a local computer because of a password problem, the user’s password might need to be reset or the account unlocked.
2. You must have administrative privileges
for the object in which the user account resides.
B. Resetting passwords
1. Overview
a. Reset a password if a user’s password
expires before it can be changed, or if a user forgets the password.
b. It is not necessary to know the old
password.
c. Once the password is set, it is not
visible to any user, including the administrator, thus improving security.
2. To reset user passwords
a. In the Active Directory Users and
Computers console, expand the console tree until the appropriate user account
is visible, and then select the user account
b. On the Action menu, click Reset Password
c. Enter a new password for the user, confirm the password, and then click OK
Note: Always select User Must Change Password At Next Logon to force users to change their password the next time they log on. If a user logs on through the Internet only, do not select the User Must Change Password At Next Logon option.
C. Unlocking user accounts
1. Overview
a. A Windows 2000 group policy locks out a
user account when the user violates the policy.
b. When a user account is locked out, Windows 2000 displays an error message.
2. To unlock a user’s account
a. In the Active Directory Users and
Computers console, expand the console tree until the appropriate user account
is visible, and then select the user account, designated with a red “X”
b. On the Action menu, click Properties, and
then, in the Properties dialog box, click the Account tab
c. Clear the Account Is Locked Out check box and click OK