Understanding User and Group Accounts

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

from Chapter 4, Windows NT Administrator's Pocket Consultant by William R. Stanek.

One of your primary tasks as a Microsoft Windows NT administrator is to manage accounts. Accounts enable individual users to log on to the network and access network resources. The permissions and privileges you assign to accounts determine the actions users can perform, as well as which computer systems and resources they can access.

Although you may be tempted to give users wide access, you need to balance the user's need for job-related resources against your need to protect sensitive resources or privileged information. For example, you wouldn't want everyone in the company to have access to payroll data. Consequently, you would make sure that only those who need it have access to that information.

The Windows NT Security Model

You control access to network resources with the components of the Microsoft Windows NT security model. These components include

  • Interactive logon processes

  • Local security authority

  • Security account manager

  • Security reference monitor

Granting and Denying Access

The Windows NT security model components work together to grant or deny access to resources based on the permissions and privileges of user accounts as follows:

  • Logon processes restrict access to resources based on user accounts, which have names and passwords.

  • Local security authority verifies that the user has authority to access the local system.

  • Security account manager validates rights and authorities using its database containing information about users and groups.

  • Security reference monitor validates access to files, folders, and other system objects.

Differences Between User and Group Accounts

Windows NT provides accounts for users and groups. User accounts are designed for individuals. Group accounts are designed to ease administration for multiple users. While you can log on to user accounts, you cannot log on to a group account.

User Accounts

User accounts are identified with user names and passwords. User names are text labels for accounts. Passwords are authentication strings for accounts. Although Windows NT displays user names to describe privileges and permissions, the key identifiers for accounts are SIDs (security identifiers). SIDs are unique identifiers that are generated when accounts are created. Windows NT uses SIDs to track accounts independently from user names.

SIDs serve many purposes, the most important of which are to allow you to easily change user names and to allow you to delete accounts without worrying that someone may gain access to resources simply by re-creating an account.

When you change a user name, you tell Windows NT to map a particular SID to a new name. When you delete an account, you tell Windows NT that a particular SID is no longer valid. Afterward, even if you create an account with the same user name, the new account will not have the same privileges and permissions as the previous one. That's because the new account will have a new SID.

Group Accounts

In addition to user accounts, Windows NT provides group accounts. You use group accounts to grant permissions to similar types of users and to simplify account administration. If a user is a member of a group that can access a resource, that particular user can access the resource. Thus, you can give a user access to various work-related resources just by making the user a member of the correct group. Note that while you can log on to a computer with a user account, you cannot log on to a computer with a group account.

Real World: Employees in a marketing department probably need access to all marketing-related resources. Instead of granting access to these resources individually, you could make users members of a Marketing group so the users automatically obtain the group's privileges. Later, if a user moves to a different department, you simply remove the user from the group and all access permissions are revoked. Compared to having to revoke access for each individual resource, this technique is pretty easy—so you'll want to use group accounts whenever possible.

Windows NT also uses unique security identifiers to track group accounts. This means that you cannot delete a group account, re-create it, and expect all the permissions and privileges to remain the same. The new group will have a new security identifier, and all the permissions and privileges of the old group will be lost.
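The SID behaviour described above for user accounts and for group accounts has a practical consequence worth checking for: when you delete an account, every ACL entry that named it keeps the old SID, which no longer resolves to any name, and a re-created account with the same name gets a new SID that those entries do not match. This added example (not from the book; it uses present-day PowerShell rather than the NT 4 tools) lists such orphaned entries on a folder; the path C:\Shares\Marketing is a hypothetical placeholder.

```powershell
# Added example: list ACL entries on a folder whose SID no longer maps to an account.
# Such entries are left behind when an account is deleted; a re-created account with
# the same name has a different SID, so these entries grant nothing useful and only
# clutter access reviews. Assumes a Windows host; the folder path is hypothetical.
function Get-OrphanedAces {
    param([string]$TargetPath)

    $acl = Get-Acl -Path $TargetPath
    foreach ($ace in $acl.Access) {
        # Normalise the ACE principal to a raw SID (Get-Acl returns an NTAccount when
        # the SID resolves, otherwise it already returns a SecurityIdentifier).
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier])
        try {
            # Resolvable SIDs translate back to DOMAIN\name; orphaned ones throw.
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            [pscustomobject]@{
                Path   = $TargetPath
                Sid    = $sid.Value
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

# Hypothetical folder to audit; replace with a real path on your system.
Get-OrphanedAces -TargetPath 'C:\Shares\Marketing' | Format-Table -AutoSize
```

Entries that appear here can be removed with the normal ACL editing tools; what you must not do is re-create the deleted account expecting the old entries to apply to it.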

Tools for Working with User and Group Accounts

Windows NT provides several tools for working with user and group accounts:

  • Add User Accounts Wizard

  • User Manager

  • User Manager for Domains

  • A group of command-line tools

The administration tools you will use the most are User Manager and User Manager for Domains. User Manager (MUSRMGR.EXE) is a Windows NT Workstation tool for managing the resources of a single workstation. User Manager for Domains (USRMGR.EXE) is a Windows NT Server tool for administering accounts throughout a Windows NT domain.

You may wonder why there are two account administration tools that seem to do the same thing. Basically, User Manager is a streamlined version of User Manager for Domains. When you work with a single workstation, many of the options for Windows NT domains don't apply, so you don't need the extra features that the Windows NT Server tool provides. On the other hand, when you work with many computers within a domain, you'll need these extra features. You'll find these applications in the Administrative Tools folder for their respective systems.

Run User Manager by going to Start, selecting Programs, then Administrative Tools, and then User Manager. Figure 4-1 shows the User Manager for Domains.

Tip: If your primary computer is a Windows NT workstation and you will regularly administer domain accounts, you can install the User Manager for Domains on your workstation. To do this, complete the following steps:

  1. Access the Windows NT Server 4.0 CD-ROM.

  2. Execute the SETUP.BAT file in the \Clients\Srvtools\Winnt directory on the CD. This will install Windows NT Server management tools on your workstation.

  3. You'll now have access to User Manager for Domains. The executable for this tool is USRMGR.EXE. You can launch it from the command line or the Run utility. You can also create a shortcut for easy access.

Figure 4-1: User Manager for Domains is the Windows NT Server tool for administering user accounts. The top part of the screen lists user accounts. The bottom part lists group accounts.

When you start User Manager for Domains, the tool displays the domain in which your user account is defined. If you manage multiple Windows NT domains, you can select a different domain to administer by doing the following:

  1. Choose the Domain option on the User menu.

  2. Click on the domain name in the list of domains or enter the name of the domain, then click OK.

To have User Manager for Domains start up with a different domain, you can modify its shortcut on the Administrative Tools menu or create a new shortcut. To modify an existing shortcut, do the following:

  1. Right-click on the taskbar's Start button, then select Open All Users.

  2. Drill down to the tools shortcuts by double-clicking on the Programs folder and then the Administrative Tools folder.

  3. Right-click on the User Manager for Domains shortcut and choose Properties from the Context menu.

  4. Click on the Shortcut tab.

  5. Now you can edit the command in the Target field to include the domain name as a parameter. Simply follow the current entry with a space and then the domain name. Figure 4-2 shows how to do this for a domain called ZETA.

Figure 4-2: By editing the target for the shortcut, you can determine which domain is set when the tool starts. Add the domain name to the entry in the Target field.

Global and Local Scope

Once you are pointing to the domain you want to administer, you can create new accounts or edit existing accounts. Depending on how you create them, user and group accounts can have different scopes—global or local. That is, the accounts have different areas in which they are valid.

  • When you create accounts with the User Manager tool on a Windows NT workstation, the accounts are valid only on that single workstation. This means that the accounts have a local scope.

  • When you create accounts with User Manager for Domains, the accounts are by default usable throughout the currently selected domain. This means that the accounts have a global scope.

Windows NT allows you to create both local and global group accounts with User Manager for Domains. Don't let this confuse you. Local groups still have only a local scope and are valid only for the computer you're currently using. Global groups still have a global scope and are valid throughout the currently selected domain. Table 4-1 provides a quick reference for account types and their uses. For complete details on working with the User Manager, see Chapter 5, "Creating User and Group Accounts."

Table 4-1 Quick Reference for Using Account Administration Tools and Working with Accounts

Tool                                    Account Type   Scope                Use
--------------------------------------  -------------  -------------------  --------------------------------------------------------------------------
User Manager (Windows NT Workstation)   User           Local                Single computer; for workgroups or computers not part of a Windows NT domain.
                                        Group          Local                Single computer; for workgroups or computers not part of a Windows NT domain.
User Manager for Domains                User           Global (by default)  Many computers; for use throughout the currently selected domain.
(Windows NT Server)                     Local Group    Local                Single computer; for workgroups or computers not part of a Windows NT domain.
                                        Global Group   Global               Many computers; for use throughout the currently selected domain.

from Windows NT Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
