Managing Existing User and Group Accounts


from Chapter 6, Windows NT Administrator's Pocket Consultant by William R. Stanek.

In a perfect world, you could create user and group accounts and never have to touch them again. Unfortunately, we live in the real world. After you create accounts, you'll spend a lot of your time managing them. This chapter provides guidelines and tips to make that task easier.

Note: For ease of reference this chapter uses the term User Manager to refer to both User Manager and User Manager for Domains, unless otherwise noted.

Updating User and Group Accounts

User Manager is usually the tool to use when you want to update an account. Because you'll be working with User Manager quite a bit, you'll want to learn how to get the most out of it. Here are some tips for working with accounts in User Manager:

  • Double-click on a user or group name to open it for editing.

  • Resize the user and group areas within User Manager by clicking on the small black box midway down the right-hand side of the window and then, while holding the mouse button, dragging up or down.

  • Use Font from the Options menu to select a font that's easy for you to read. Be sure to select the Save Settings On Exit option from the same menu. This ensures that your User Manager settings are saved for next time.

  • Do not use the low-speed connection settings unless you have to. If you do, the available information is severely restricted and you are limited in what you can do.

Renaming User Accounts

User Manager lets you rename user accounts using the Rename option on the User menu. To do this, complete the following steps:

  1. Select the account you want to rename in the main window of User Manager.

  2. Choose Rename from the User menu and then enter the new account name when prompted.

SIDs

When you rename a user account, you give the account a new label. As discussed in Chapter 4, text labels are meant to make managing and using accounts easier. Behind the scenes, Microsoft Windows NT uses SIDs (security identifiers) to identify, track, and handle accounts independently from user names. SIDs are unique identifiers that are generated when accounts are created.

Because SIDs are mapped to account names internally, you don't need to change the privileges or permissions on the renamed account. Windows NT simply maps the SID to the new account name as necessary.

Marriage is a common reason for changing the name on an account. For example, if Jane Williams (JANEW) gets married, she may want her user name to be changed to Jane Marshall (JANEM). When you change the user name from JANEW to JANEM, all associated privileges and permissions will reflect the name change. Thus, if you view the permissions on a file that JANEW had access to, JANEM will now have access (and JANEW will no longer be listed).

Changing Other Information

When you change JANEW to JANEM, the user properties and names of files associated with the account are not changed. This means you should update the account information. The information you may need to change includes:

  • Full Name: Change the user account's Full Name in User Manager.

  • User Profile Path: Change the User Profile Path in User Manager, then rename the corresponding directory on disk.

  • Logon Script Name: If you use individual logon scripts for each user, you'll need to change the Logon Script Name in User Manager and then rename the logon script on disk.

  • Home Directory: Change the home directory path in User Manager, then rename the corresponding directory on disk.

Note: Changing directory and file information for an account when a user is logged on may cause problems. So you may want to update this information after-hours or ask the user to log off for a few minutes and then log back on.

Copying User and Group Accounts

Creating accounts from scratch every time can be tedious. Instead of starting anew each time, you may want to use an existing account as a starting point. To do this, follow these steps:

  1. Select the account you want to copy in the main window of User Manager.

  2. Press F8 or choose Copy from the User menu. For user accounts, this opens the Copy Of dialog box. For group accounts, this opens the appropriate dialog box for the type of group you are copying. If you are copying a local group, you'll see the New Local Group dialog box. Otherwise, you'll see the New Global Group dialog box.

  3. Update the properties of the account as appropriate.

As you might expect, when you create a copy of an account, User Manager doesn't retain all the information from the existing account. Instead, User Manager tries to copy only the information you'll need and discards the information that you'll need to update.

Properties Retained

For user accounts, the properties that are retained include

  • Account description

  • Check box selections for User Must Change Password, User Can't Change Password, and Password Never Expires

  • Group account memberships

  • Profile settings

  • Logon hours

  • Permitted logon workstations

  • Account type and expiration

  • Dial-in privileges

Note: If you used environment variables to specify the profile settings in the original account, the environment variables are used for the copy of the account as well. For example, if the original account used the %UserName% variable, the copy of the account will also use this variable.

Properties Not Retained

For user accounts, the properties that are not retained include

  • User Name

  • Full Name

  • Check box selections for Account Disabled

  • Password and Confirm Password

  • Rights and Permissions

Deleting User and Group Accounts

Deleting an account permanently removes the account. Once you delete an account, you can't create an account with the same name to get the same permissions. That's because the SID for the new account won't match the SID for the old account.
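The two SID rules stated above (renaming keeps permissions, deleting and recreating loses them) are easy to see in a small model. The following Python code is an added illustration, not part of the book or of Windows NT itself: it keeps a name-to-SID table, stores access control entries keyed by SID rather than by name, and walks through the JANEW/JANEM rename and a delete-and-recreate. The domain SID, RID numbering and access strings are constructed for the example.

```python
import itertools
from typing import Dict, List, Optional, Tuple


class AccountDatabase:
    """Constructed model of the account database: names are labels, SIDs are identity."""

    def __init__(self, domain_sid: str = "S-1-5-21-1111-2222-3333") -> None:
        self.domain_sid = domain_sid        # constructed value, not a real domain SID
        self._rids = itertools.count(1000)  # RIDs handed out to new accounts are never reused
        self._sid_by_name: Dict[str, str] = {}
        self._name_by_sid: Dict[str, str] = {}

    def create(self, name: str) -> str:
        if name in self._sid_by_name:
            raise ValueError(f"account {name} already exists")
        sid = f"{self.domain_sid}-{next(self._rids)}"
        self._sid_by_name[name] = sid
        self._name_by_sid[sid] = name
        return sid

    def rename(self, old: str, new: str) -> str:
        sid = self._sid_by_name.pop(old)    # the SID travels with the account
        self._sid_by_name[new] = sid
        self._name_by_sid[sid] = new
        return sid

    def delete(self, name: str) -> None:
        sid = self._sid_by_name.pop(name)
        del self._name_by_sid[sid]          # the SID is retired; a new account gets a new one

    def sid_of(self, name: str) -> Optional[str]:
        return self._sid_by_name.get(name)

    def name_of(self, sid: str) -> Optional[str]:
        return self._name_by_sid.get(sid)


class Acl:
    """Access control entries are stored against SIDs, never against names."""

    def __init__(self) -> None:
        self._aces: Dict[str, str] = {}

    def grant(self, sid: str, access: str) -> None:
        self._aces[sid] = access

    def has_access(self, db: AccountDatabase, name: str) -> bool:
        sid = db.sid_of(name)               # resolve the label to its SID at check time
        return sid is not None and sid in self._aces

    def listing(self, db: AccountDatabase) -> List[Tuple[str, str]]:
        # A SID that no longer resolves is shown as an unknown account, the way
        # the permissions dialog displays an entry for a deleted account.
        return [(db.name_of(sid) or f"Account Unknown ({sid})", access)
                for sid, access in self._aces.items()]


def rename_keeps_access() -> dict:
    """JANEW is granted Read, then renamed to JANEM; the ACL still matches."""
    db, acl = AccountDatabase(), Acl()
    acl.grant(db.create("JANEW"), "Read")
    db.rename("JANEW", "JANEM")
    return {
        "JANEM": acl.has_access(db, "JANEM"),   # True: same SID, new label
        "JANEW": acl.has_access(db, "JANEW"),   # False: no account carries that name now
        "listing": acl.listing(db),             # [("JANEM", "Read")]
    }


def recreate_does_not_restore_access() -> dict:
    """Deleting JANEM and creating a new JANEM yields a different SID."""
    db, acl = AccountDatabase(), Acl()
    acl.grant(db.create("JANEM"), "Read")
    db.delete("JANEM")
    orphaned = acl.listing(db)                  # the ACE now points at an unknown SID
    db.create("JANEM")                          # new account, next RID
    return {"JANEM": acl.has_access(db, "JANEM"), "orphaned": orphaned}


if __name__ == "__main__":
    print(rename_keeps_access())
    print(recreate_does_not_restore_access())
```

The orphaned entry in the second scenario is the practical reason to disable an account first rather than delete it outright: a disabled account keeps its SID, so it can be re-enabled with every permission intact, whereas a deleted SID leaves unresolvable entries in every ACL it appeared in.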

Because deleting built-in accounts could have far-reaching effects on the domain, Windows NT does not let you delete built-in user accounts or group accounts. You can remove other types of accounts by selecting them and pressing the Del key or by using the Delete option on the User menu. When prompted, click OK and then click Yes.

Note: When you delete a user account, Windows NT doesn't delete the user's profile, personal files, or home directory. If you want to delete these files and directories, you'll have to do it manually.

Changing and Resetting Passwords

As an administrator, you'll often have to change or reset user passwords. This usually happens when users forget their passwords or their passwords expire.

To change or reset a password, follow these steps:

  1. Start User Manager, then double-click on the user's account name.

  2. Enter a new password for the user and confirm it. The password should conform to the password policy for the domain.

  3. Deselect the Account Disabled and Account Locked Out check boxes as necessary.

Enabling User Accounts

User accounts can become disabled for several reasons. If a user forgets the password and tries to guess it, the user may exceed the account policy for bad logon attempts. Another administrator could have disabled the account while the user was on vacation. Or the account could have expired. What to do when an account is disabled, locked out, or expired is described in the following sections.

Account Disabled

When an account is disabled, do the following:

  1. Start User Manager, then double-click on the user's account name.

  2. Deselect the Disable Account check box in User Manager.

Account Locked Out

When an account is locked out, do the following:

  1. Start User Manager, then double-click on the user's account name.

  2. Deselect the Account Locked Out check box in User Manager.

Account Expired

When an account is expired, do the following:

  1. Start User Manager, then double-click on the user's account name.

  2. Click on the Account button, then set a new expiration date for the account using the fields in the Account Expires area.

Note: If users are frequently locked out of their accounts, you may want to consider adjusting the account policy for the domain. Here, you may want to increase the value for acceptable bad logon attempts and reduce the duration for the associated counter. For more information on setting account policy, see Chapter 5.
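The note's advice (raise the bad-logon threshold, shorten the counter's reset window) is easier to reason about with the lockout mechanics written out. The following Python code is an added example, not from the book: it models an account policy with a lockout threshold, a reset-count window and a lockout duration, replays one constructed stream of failed logons under a strict and a relaxed policy, and shows that the same user is locked out under one and not the other. Policy values and the event timeline are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    lockout_after: int                 # bad logon attempts before the account locks
    reset_count_after: int             # minutes of quiet after which the counter resets
    lockout_duration: Optional[int]    # minutes; None means locked until an admin unlocks


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[int] = None     # minute of the most recent bad attempt
    locked_until: Optional[int] = None # minute; -1 means until an admin unlocks


class LockoutTracker:
    """Constructed model of per-account lockout bookkeeping (minutes as integers)."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.state: Dict[str, AccountState] = {}
        self.lockouts: List[Tuple[str, int]] = []   # (user, minute) for each lockout

    def is_locked(self, user: str, now: int) -> bool:
        s = self.state.get(user)
        if s is None or s.locked_until is None:
            return False
        return s.locked_until == -1 or now < s.locked_until

    def failed_logon(self, user: str, now: int) -> bool:
        """Record a bad attempt; return True if the account is locked afterwards."""
        s = self.state.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return True
        # The counter only resets once the reset window has passed since the last failure.
        if s.last_bad is not None and now - s.last_bad > self.policy.reset_count_after:
            s.bad_count = 0
        s.bad_count += 1
        s.last_bad = now
        if s.bad_count >= self.policy.lockout_after:
            dur = self.policy.lockout_duration
            s.locked_until = -1 if dur is None else now + dur
            s.bad_count = 0
            self.lockouts.append((user, now))
            return True
        return False

    def successful_logon(self, user: str, now: int) -> bool:
        """A correct password clears the counter, but cannot get past a lockout."""
        if self.is_locked(user, now):
            return False
        self.state.setdefault(user, AccountState()).bad_count = 0
        return True

    def admin_unlock(self, user: str) -> None:
        """What clearing the Account Locked Out check box does in the model."""
        self.state[user] = AccountState()


# Constructed timeline: (minute, user, password_correct). Five mistakes spread over
# ten hours, then the right password.
SAMPLE_EVENTS = [
    (0, "JANEM", False), (20, "JANEM", False), (300, "JANEM", False),
    (320, "JANEM", False), (600, "JANEM", False), (610, "JANEM", True),
]

STRICT = LockoutPolicy(lockout_after=3, reset_count_after=1440, lockout_duration=None)
RELAXED = LockoutPolicy(lockout_after=5, reset_count_after=30, lockout_duration=30)


def replay(policy: LockoutPolicy, events) -> LockoutTracker:
    tracker = LockoutTracker(policy)
    for minute, user, ok in events:
        if ok:
            tracker.successful_logon(user, minute)
        else:
            tracker.failed_logon(user, minute)
    return tracker


if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("relaxed", RELAXED)):
        t = replay(policy, SAMPLE_EVENTS)
        print(name, "lockouts:", t.lockouts, "locked at 610:", t.is_locked("JANEM", 610))
```

Under the strict policy the three typos at minutes 0, 20 and 300 all fall inside the 24-hour window, so the third one locks the account until an administrator clears it; under the relaxed policy the 30-minute window resets the counter twice and the user never reaches the threshold. The trade-off is that a longer window catches a slow guessing pattern that a short window forgets, which is why the book frames this as a policy adjustment rather than a default.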

Troubleshooting Logon Problems

The previous section listed ways in which accounts can become disabled. Beyond the typical reasons for an account being unavailable, some system settings can also cause access problems. Specifically, you should look for the following:

  • User gets a message that says that the user can't log on interactively. The user right to log on locally is not set for this user and the user is not a member of a group that has this right.

    The user may be trying to log on to a server or domain controller. If so, keep in mind that the right to log on locally applies to all domain controllers in the domain. Otherwise, this right only applies to the single workstation.

    If the user should have access to the local system, follow these steps:

    1. Start User Manager, then double-click on the user's account name.

    2. Click on the Groups button, then make the user a member of a group that has local logon privileges.

  • User gets a message that the system could not log the user on. If you've already checked the password and account name, you may want to check the account type. The user may be trying to access the domain with a local account. If the user should have a domain account, change the account type by doing the following:

    1. Start User Manager, then double-click on the user's account name.

    2. Click on the Account button, then select the Global Account radio button.

    On the other hand, if the user should have a local account, tell the user to select the local computer name rather than the domain name when logging on.

  • User has a mandatory profile and the computer storing the profile is unavailable. When a user has a mandatory profile, the computer storing the profile must be accessible during the logon process. If the computer is shut down or otherwise unavailable, users with mandatory profiles will not be able to log on.

  • User gets a message saying the account has been configured to prevent the user from logging on to the workstation. The user is trying to access a workstation that is not defined as a permitted logon workstation. If the user should have access to this workstation, change the logon workstation information by doing the following:

    1. Start User Manager, then double-click on the user's account name.

    2. Click on the Logon To button, then add the workstation to the permission list.

from Windows NT Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
