Chapter 2 - Setting Up User Accounts


A note from TechNet: This chapter was taken from the Microsoft Press book titled "Microsoft Windows NT Network Administration." To order the complete book, see the information in the document titled "How to Order MS Press Training Products" in the Windows NT Server Training directory.


About This Chapter

User accounts enable users to participate in a network and to access network resources. This chapter introduces you to the three types of user accounts and provides you with a planning strategy for implementing them. The hands-on procedures give you an opportunity to plan and create your own user accounts.

Before You Begin

To complete the lessons in this chapter, you must have:

  • Viewed the Overview of Directory Services video referred to in Chapter 1, "Introduction to Administering Windows NT."

  • Knowledge about the difference between a workgroup and a domain.

  • Knowledge about the difference between a domain controller and a member server.

  • Experience logging on and off Windows NT.

Lesson 1: Introduction to User Accounts

Windows NT security is based on the concept of user accounts. A user account is the user's unique credential that allows the user to access resources. This lesson provides an overview of user accounts.

After this lesson, you will be able to:

  • Describe the types of user accounts.

  • Describe the difference between a domain user account and a local user account.

Estimated lesson time: 10 minutes

Each person who will regularly use the network and participate in a domain, or who will log on to a local computer to access local resources, must have a user account. With user accounts, you can control how a user gains access to the domain or a local computer. For example, you can limit the number of hours a user can log on to the domain.

Types of User Accounts

There are three types of user accounts: one is the type of account that you create, and two are built-in user accounts that are created automatically when Windows NT Server or Windows NT Workstation is installed. The two built-in accounts are the Guest account and the Administrator account.

The following table describes the three types of user accounts.

Account

Description

Accounts that you create

A user account enables the user to log on to the local computer or domain and, with the appropriate permissions, allows access to network resources. User accounts contain information about the user, including the user's name and password.

Guest

The built-in Guest account is used to give occasional users the ability to log on and gain access to resources on the local computer. For example, an employee who needs to access the computer for a short time can use the Guest account. The Guest account is disabled by default.

Administrator

The built-in Administrator account is used to manage the overall computer and domain configuration and resources. The Administrator account is used when performing administrative tasks, such as creating or modifying user and group accounts, managing security policies, creating printers, and assigning permissions and rights to user accounts to access resources.

Where Accounts Are Created

A computer's operating system determines the type of accounts that you can create and manage, as well as the tool that you use to create and manage them:

  • On computers running Windows NT Workstation, the account management tool is User Manager. It is used to manage the accounts of that computer only. Accounts created with User Manager are local accounts.

  • On computers running Windows NT Server, the account management tool is User Manager for Domains. It is used to manage accounts on the local domain or on any computer, member server, or other domains to which you have access. Accounts created with User Manager for Domains can be local accounts or domain accounts.

Domain User Account

A domain user account contains information that defines a user to the domain. With a domain user account, a user can log on to the domain and gain access to domain resources from any computer on the network using a single user account and password.

A domain user account is always created in User Manager for Domains. Although a domain user account can be created from any computer running User Manager for Domains, the account is always created in the master directory database on the primary domain controller (PDC).

A copy of the master directory database is stored on all backup domain controllers (BDCs). The copy is automatically synchronized every five minutes with the master directory database on the primary domain controller.

Create domain user accounts for all users.


Note: You can install User Manager for Domains on a computer running Windows NT Workstation or Windows® 95 by installing the Windows NT Server client-based administration tools.

Local User Account

A local user account contains information that defines a user to the local computer. With a local user account, a user can log on to and access local resources. To access resources on another computer, the user must have a separate user account on the other computer.

Although User Manager for Domains allows you to create accounts for the domain and for local computers, User Manager only allows you to create an account for the local computer.

Local user accounts should only be created within a workgroup, as shown in the following illustration.


Lesson Summary

The following information summarizes the key points in this lesson:

  • Windows NT security is based on the concept of user accounts.

  • The Administrator account is a built-in account on all computers running Windows NT. It is used for overall management of computer resources and configuration.

  • The Guest account is a built-in account on all computers running Windows NT. It provides occasional users the ability to use local computer resources. It is disabled by default.

  • A domain user account gives a user the ability to log on to and access domain resources from any computer on the network using a single user account and password.

  • Create a domain user account for all users.

  • A local user account gives a user the ability to log on to the local computer and access local resources. To access resources on another computer, the user must have a separate account on the other computer.

  • Create local user accounts only in a workgroup environment.

For more information on creating user accounts, see Chapter 2, "Working With User and Group Accounts," in Microsoft Windows NT Server Concepts and Planning.

For more information on installing client-based network administration tools, see Chapter 11, "Managing Client Administration," in Microsoft Windows NT Server Concepts and Planning.

Lesson 2: Planning New User Accounts

Before you create user accounts, determine the requirements for each user based on the security level of your network. This lesson explores the strategies for creating new user accounts in networks with minimum, medium, and high levels of security.

After this lesson, you will be able to:

  • Describe five elements of good user account planning.

  • Plan a strategy for creating new user accounts.

  • Explain how password requirements affect security levels.

  • Describe the function and possible locations of a home folder.

Estimated lesson time: 30 minutes

Elements to Consider in Planning New User Accounts


To streamline the administration process, and to implement the most appropriate security measures for your organization, consider these elements in determining your planning strategy:

  • Naming convention. Use a convention that ensures unique but consistent user account names.

  • Password requirements. Select your password enforcement options, including whether a user can, or must, change his or her own password.

  • Logon hours. Determine the hours that each user is allowed to log on.

  • Workstation restrictions. Determine the computer names of the Windows NT computers that the user is permitted to work from. You can limit the choices. By default, the user can use any workstation.

  • Home folder location. Determine location of home folders on the local computer or on a server for centralized backup and administration.

Naming Convention

A naming convention establishes how users will be identified on the network. A consistent naming convention makes it easy for you and your users to remember user names and locate them in lists.

To decide your naming convention, consider the following points:

  • User names must be unique. Domain user accounts must be unique to the domain. Local user accounts must be unique to the local computer.

  • User names can contain up to 20 uppercase or lowercase characters except for the following: " / \ [ ] : ; | = , + * ? < >. You can use a combination of special and alphanumeric characters.

    If you have a large number of users, establish a naming convention that accommodates employees with duplicate names. Two suggestions for handling duplicate names are:

    • Use the first name and the last initial, and then add additional letters from the last name to accommodate duplicate names. For example, if you have two users named Eric Lang, use EricL as one user name, and use EricLa for the other.

    • Add numbers to the user name. For example, EricL1 and EricL2.

  • In large organizations, it is useful to identify temporary employees by their user account. For example, use a "T" and a dash in front of the user name, as in T-EricL.

Password Requirements

The next element in planning new user accounts is identifying the password requirements. To protect access to the domain or a computer, every user account requires a password. This is especially important in networks with a medium to high level of security or in networks that are part of the Internet.

Consider the following guidelines for passwords:

  • Always assign the Administrator account a password to prevent unauthorized users from using the account.

  • Determine who will control the password. You may want to:

    • Assign users unique passwords and then prevent users from changing them. This gives control to administrators.

    • Assign users an initial password and then require users to change them the first time they log on. This way, the account is always protected and only individual users will know their passwords. This gives control to users.

  • Determine whether an account needs to expire. For temporary employees, set their user accounts to expire when their contract or work assignment ends.

  • Educate users on ways to protect their passwords by selecting passwords that deter computer hackers. Follow these guidelines:

    • Avoid using an obvious association, such as the name of a family member or pet.

    • Avoid using the user account name in any part of the password.

    • Use long passwords. Passwords can be up to 14 characters in length.

    • Use a combination of uppercase and lowercase characters. Passwords are case-sensitive. For example, the password SeCret is different from secret.

    • Include numbers in the password.
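The naming convention and the password guidelines above can be checked mechanically before accounts are created. The following Python is an added example, not code from the chapter or from Microsoft: it applies the chapter's convention (first name plus last initial, further last-name letters or a numeric suffix for duplicates, a T- prefix for temporary staff), rejects names that exceed 20 characters, contain one of the forbidden characters, or collide case-insensitively with an existing account, and screens passwords against the guidelines listed above. The 8-character minimum standing in for "long" is an assumed value, the Employee shape and the plan_worksheet columns are this example's own, and the staff list in the test is constructed from the exercise in this lesson.

```python
"""Naming-convention and password checks for account planning (added example)."""
from dataclasses import dataclass

FORBIDDEN_CHARS = set('"/\\[]:;|=,+*?<>')   # characters NT rejects in a user name
MAX_USERNAME_LEN = 20                        # limit stated in the chapter
MAX_PASSWORD_LEN = 14                        # limit stated in the chapter
MIN_PASSWORD_LEN = 8                         # assumed: the chapter says "long" but gives no number


def username_problems(name, existing):
    """Reasons a proposed user name breaks the naming rules (empty list = acceptable)."""
    problems = []
    if not name:
        problems.append("empty")
    if len(name) > MAX_USERNAME_LEN:
        problems.append(f"longer than {MAX_USERNAME_LEN} characters")
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        problems.append("contains forbidden characters: " + "".join(bad))
    # NT compares account names case-insensitively, so EricL and ericl collide.
    if name.lower() in {e.lower() for e in existing}:
        problems.append("not unique in this domain or computer")
    return problems


def propose_username(first, last, existing, temporary=False):
    """First name + last initial (EricL); on a duplicate add further letters of the
    last name (EricLa, EricLan, ...); when the last name is used up, fall back to a
    numeric suffix (EricL1, EricL2, ...). Temporary employees get the T- prefix."""
    prefix = "T-" if temporary else ""
    base = prefix + first + last[:1]
    structural = username_problems(base, set())   # length and character rules only
    if structural:
        raise ValueError(f"{base!r}: {'; '.join(structural)}")
    for n in range(1, len(last) + 1):
        candidate = prefix + first + last[:n]
        if not username_problems(candidate, existing):
            return candidate
    for i in range(1, 1000):
        if not username_problems(f"{base}{i}", existing):
            return f"{base}{i}"
    raise ValueError(f"no free user name for {first} {last}")


def password_problems(password, username, personal_words=()):
    """Reasons a password falls short of the guidelines (empty list = acceptable).
    personal_words are obvious associations for this user (family, pets, ...)."""
    if not password:
        return ["every account requires a password"]
    problems = []
    low = password.lower()
    if len(password) > MAX_PASSWORD_LEN:
        problems.append(f"longer than {MAX_PASSWORD_LEN} characters")
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters (assumed minimum)")
    if username.lower() in low:
        problems.append("contains the user account name")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("not a mix of uppercase and lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    hits = [w for w in personal_words if w.lower() in low]
    if hits:
        problems.append("obvious association: " + ", ".join(hits))
    return problems


@dataclass
class Employee:
    """Input shape for the planning exercise (this example's own, not the chapter's)."""
    first: str
    last: str
    title: str
    temporary: bool = False
    night_shift: bool = False


def plan_worksheet(employees):
    """One possible set of worksheet rows, following the exercise criteria:
    permanent staff control their own password, temporary staff do not; night
    shift gets 6 P.M.-6 A.M.; temporary staff get 8 A.M.-5 P.M. on an assigned
    computer; every home folder goes on a server so it is backed up nightly."""
    rows, taken = [], set()
    for e in employees:
        name = propose_username(e.first, e.last, taken, e.temporary)
        taken.add(name)
        if e.temporary:
            pw, hours, restrict = "Administrator controls", "8 A.M.-5 P.M.", "Y"
        elif e.night_shift:
            pw, hours, restrict = "User controls (change at next logon)", "6 P.M.-6 A.M.", "N"
        else:
            pw, hours, restrict = "User controls (change at next logon)", "24/7", "N"
        rows.append({"Full Name": f"{e.first} {e.last}", "User Account": name,
                     "Description": e.title, "Password Requirements": pw,
                     "Home Folder Location": "server", "Logon Hours": hours,
                     "Workstation Restrictions": restrict})
    return rows
```

Because uniqueness is checked case-insensitively, the planner never produces a name that differs from an existing one only in case, which is how NT would see the collision.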

Logon Hours

By default, users can connect to a server 24 hours a day, 7 days a week. In a high-security network, restrict the hours when a user can log on to the network. For example, you may want to restrict hours in the following types of environments:

  • Where logon hours are a condition for security certification, such as in a government network.

  • Where there are multiple shifts; in this case, allow night shift workers to log on only during their working hours.

Workstation Restrictions

By default, any user with a valid account can log on to the network from any computer running Windows NT. In a high-security network where sensitive data is stored on the local computer, restrict which users can log on from that computer. For example, User1 can only log on from a computer named Computer1.

Home Folder Location

A home folder is a user's folder for storing files and programs. A home folder is useful because it provides a central location for a user's files, making it easy to locate files to back up or delete to clean up the hard disk. Each user should be assigned his or her own home folder.

If you create a home folder for a user, the home folder becomes the default folder whenever the user performs any of the following tasks within Windows NT or a program:

  • Opens a file by clicking Open on the File menu.

  • Saves a file by clicking Save As on the File menu.

  • Starts a command prompt.

If you do not assign a home folder to a user, the default folder is Users\Default on the local computer.

A home folder can be stored on a network server or on a user's local computer.

Storing Home Folders on a Server

The following are considerations for storing home folders on a server.


  • Backup and restore. Preventing the loss of data is your primary responsibility. It is much easier to ensure files are backed up when they are located in a central location on a server. If users' home folders are located on their local computers, you would need to perform regular backups on each computer.

  • Space on the server. Is there enough hard disk space on the server to store users' data? Windows NT does not provide the ability to limit the amount of hard disk space used by each user.

  • Security. In any network with sensitive data, it is easier to maintain security on data if it is in a central location.

  • Use RAS or share computers. If users connect to the network using Remote Access Service (RAS), or if they share their computers, having a home folder on a server makes the users' data available from any location or computer.

Storing Home Folders on Users' Computers

If it is not important to you to have a central location for maintaining data, you can create a home folder for each user on his or her local computer. Having a home folder gives the user a familiar and central place for storing data. The following are considerations for storing home folders on a user's computer.


  • Space on the users' computers. If users have space on their computers and it is not important to have centralized backup, locate home folders on users' computers.

  • Performance. There is less network traffic if each user's home folder is located on the user's local computer.

To plan new user accounts


Scenario: World Wide Importers hires approximately 300 new employees a year. Approximately 20 of those employees are temporary contract employees hired on a one-year contract; the others are permanent staff. Each employee requires his or her own user account.

As the administrator for World Wide Importers, you would set up the user accounts for their Quebec office. In this exercise, however, you will work with only 9 user accounts that are representative of the accounts that you would create for World Wide Importers.

You will record your planning strategies on the "User Accounts Planning Worksheet" located at the end of this lesson. Notice that the Description column in the "User Accounts Planning Worksheet" identifies the job title for each of the nine employees. After completing the exercise, turn to Appendix A, "Planning Worksheets," and compare your worksheet to the sample provided. (The sample presents only one set of possible answers. You may have planned your accounts differently.)

To complete the "User Accounts Planning Worksheet," you need to:

  1. Specify a full name of your choice for each user, except where already noted. Record it under Full Name.

  2. Define your naming convention. Then determine each user name based on your naming convention. Record it under User Account.

  3. Under Description, the job title for each employee is already noted.

  4. Determine each user's password requirements (for example, Change at next logon). Record it under Password Requirements.

  5. Under Home Folder Location, record either "local computer" or "server."

  6. Under Logon Hours, record the access hours for each user (for example, 24/7 for 24 hour access, 7 days per week).

  7. Under Workstation Restrictions, record "Yes" if the user will be restricted, and "No," if not (Y/N).

Use the following criteria to make your decisions:

  • Two employees have the same name. The vice president's name is Linda Mitchell; the customer service representative who works the night shift is also named Linda Mitchell.

  • For permanent employees, allow each password to be controlled by the employee.

  • For temporary employees, allow each password to be controlled by the administrator for tighter security.

  • Each employee requires a home folder. All home folders need to be backed up each night.

  • Permanent employees who work the night shift need access to the network from 6 P.M. to 6 A.M.

  • Permanent employees who work the day shift require access to the network 24 hours a day, 7 days a week.

  • Temporary employees should be able to log on to only their assigned computers and only from 8 A.M. to 5 P.M.

Lesson Summary

The following information summarizes the key points in this lesson:

  • There are five key planning elements you need to consider before implementing user accounts: naming convention, password requirements, home folder location, logon hours, and workstation restrictions.

  • Require passwords for all users.

  • In medium-security and high-security networks, or if your network is on the Internet, require long passwords that use a combination of uppercase and lowercase characters, and numbers. Educate users to avoid obvious associations when they select a password.

  • In high-security networks, restrict the hours that a user can log on to the network.

  • If sensitive data is stored on a local computer, restrict who can log on to the network from that computer.

  • Assign users their own home folders so that they have a familiar and central place to store data.

  • Store home folders on a network server to simplify backing up user data and to maintain sensitive data centrally.

User Accounts Planning Worksheet

Naming Convention: ____________

Full Name       | User Account | Description | Password Requirements | Home Folder Location | Logon Hours | Workstation Restrictions (Y/N)
----------------|--------------|-------------|-----------------------|----------------------|-------------|-------------------------------
Linda Mitchell  |              |             |                       |                      |             |
                |              |             |                       |                      |             |
                |              |             |                       |                      |             |
                |              |             |                       |                      |             |
Linda Mitchell  |              |             |                       |                      |             |
                |              |             |                       |                      |             |
                |              |             |                       |                      |             |
                |              |             |                       |                      |             |
                |              |             |                       |                      |             |

Lesson 3: Creating User Accounts

User accounts are created using User Manager or User Manager for Domains. To use either tool, you must have administrator privileges. This lesson explains the differences between User Manager and User Manager for Domains and takes you step-by-step through creating, deleting, and renaming user accounts.

After this lesson, you will be able to:

  • Explain the difference between User Manager and User Manager for Domains.

  • Create user accounts.

  • Set password options.

  • Create home folders.

  • Set logon hours.

  • Set workstation restrictions.

  • Set account options.

  • Grant dial-in permissions.

  • Delete and rename user accounts.

Estimated lesson time: 40 minutes

User Manager vs. User Manager for Domains

User Manager and User Manager for Domains are very similar. In User Manager, you create, delete, or disable local user accounts on the local computer in a workgroup. In User Manager for Domains, you create, delete, or disable domain user accounts on the primary domain controller (PDC) or local user accounts on any computer in the domain.

The following illustration shows User Manager for Domains. All user account options appear in User Manager, except for Select Domain. The Select Domain option allows an administrator to select a different domain or computer in which to create or manage user accounts.


The following New User dialog box is from User Manager for Domains. You can gain access to this dialog box by clicking New User on the User menu.


All options in the New User dialog box appear in User Manager except for the Hours, Logon To, and Account buttons. On domain user accounts, these buttons are used to set logon hours, restrict workstation access, and set an expiration on an account.

The following table describes the user name and password options in User Manager and User Manager for Domains.

In this box

Type

Username

A unique name based on your naming convention. This is the only required option.

Full Name

The complete name of the user, to determine which person belongs to an account. This is optional.

Description

A description that is useful for identifying users. It can be a job classification, a department, or an office location. This is optional.

Password

An initial password for the account. In medium-security to high-security networks, you should always assign an initial password to keep the account secure. By default, when the user logs on for the first time, he or she must change the password.
Notice that the password is not displayed. Instead, once you enter the password, it is represented on the screen by a series of 14 asterisks, regardless of the length of the password.

Confirm Password

The password a second time to make sure that you typed the password correctly. This is required if you assign the password.

Setting Password Options

Whether or not you assign a password to a new user account, by default, the user will be required to assign a new password to the account the first time the user logs on. Password options are set in the New User dialog box.


The following list describes the situations in which you would select each password option.

User Must Change Password at Next Logon (selected by default). Select this if you want users to change their password the first time that they log on. This ensures that the user is the only person who knows his or her password. Even if you do not assign an initial password, you should require that users do this.

User Cannot Change Password. Select this if you have more than one person using the same user account (such as Guest) or want to maintain control over user passwords.

Password Never Expires. Select this if you have a user account for which you never want the password to change, for example, user accounts that will be used by Windows NT services (such as the Replicator service). This option overrides the selection of User Must Change Password at Next Logon.

Account Disabled. Select this if you want to temporarily prevent use of this account, for example, when an employee takes a leave of absence.

Creating a Home Folder

To create home folders for users, you specify the name of the computer where the home folders will be located and names for the home folders.

The following checklist provides an overview of the tasks that you will need to do if you centralize home folders on a server. To create centralized home folders, do the following:

  • On a server, create a folder named Users. This folder will be used to organize individual home folders. This task only needs to be done once.

  • Share the folder and assign the Full Control permission to all users so that they can connect to it. This task only needs to be done once.

    Note: The Users folder was created and shared for you in the Setup procedures described in "About This Book." Sharing folders and assigning permissions is covered in more detail in Chapter 5, "Securing Network Resources with Share Permissions" and Chapter 6, "Securing Network Resources with NTFS Permissions."

  • Specify a home folder name and location for a user account in the User Environment Profile dialog box.

    If you use %Username% in place of the home folder name, Windows NT will substitute %Username% with the user account name.

  • Specify a network drive letter that will be used to connect to the user's home folder automatically when the user logs on.

The following User Environment Profile dialog box shows an example of how you specify a home folder location for a domain user account.


Note: In a workgroup, you must specify the home folder for a local user account while sitting at the local computer. In the Local Path box, enter the local path; for example, type c:\folder_name and Windows NT creates the folder that you specify.

To create user accounts


In User Manager for Domains, you create the accounts that you planned in the hands-on procedure in the previous lesson, "Planning New User Accounts." If you did not complete the "User Accounts Planning Worksheet" from the lesson, use the sample plan provided in Appendix A, "Planning Worksheets."

  1. Log on as Administrator.

  2. Click the Start button, point to Programs, point to Administrative Tools, and then click User Manager for Domains.

  3. On the User menu, click New User.

    The New User dialog box appears.

    Configure the following options based on the information from the "User Accounts Planning Worksheet" that you completed in the previous lesson or from the sample plan provided. For each user account on the worksheet, fill in the following options:

    • Username

    • Full Name

    • Description

    • Password (leave blank)

    • Confirm Password

  4. Select the appropriate password options, and then click Add.

    The New User dialog box reappears and is cleared so that you can add another user.

  5. Create the remaining user accounts.

  6. When you have created all of the accounts on the "User Accounts Planning Worksheet," click Close to return to the User Manager window.

To create a home folder

In this procedure, you create a home folder for a user account on the "User Accounts Planning Worksheet."

  1. In the User Manager window, double-click a user account that you just created.

    The User Properties dialog box appears. Notice that this dialog box looks the same as the New User dialog box. The User Properties dialog box appears whenever you modify an existing user account (one that appears in the User Manager window).

  2. Click Profile.

    The User Environment Profile dialog box appears.

  3. Under Home Directory, click Connect.

    Notice that Z: appears in the Connect box. This is the drive letter that you will use to connect the user to the home folder upon logon.

  4. In the To box, type \\computer_name\users\%username% (where computer_name is the name of your computer).

    Remember, Users is the folder that was created and shared for you during the setup process.

  5. Click OK to return to the User Properties dialog box.

  6. Click OK to return to the User Manager window.

To assign home folders to multiple accounts at one time

In this procedure, you create a home folder for the remaining user accounts on the "User Accounts Planning Worksheet."

  1. In the User Manager window, select all of the remaining accounts that you created by holding down the ctrl key while you click each account.

  2. On the User menu, click Properties.

  3. In the User Properties dialog box, click Profile.

  4. In the Connect box, click Z: so that drive Z will be used to connect to the user's home folder.

  5. In the To box, type \\computer_name\users\%username% (where computer_name is the name of your computer).

  6. Click OK to return to the User Properties dialog box.

  7. Click OK to return to the User Manager window.

Setting Logon Hours

When you set logon hours for a user account, you select the days of the week and the range of time for each day during which you want to allow or disallow the user access to the network.


Setting logon hours lets you control when a user can log on to the domain. Restricting logon hours limits the hours that users can explore the network, or the times that someone can try to break into the network.

Note: A user who is connected to a network resource on the domain is not disconnected when the user's logon hours run out. However, the user will be unable to make any new connections.

To specify logon hours


  1. In the User Manager window, double-click a user account that requires logon hour restrictions (refer to the "User Accounts Planning Worksheet").

  2. In the User Properties dialog box, click Hours.

    By default, all hours on all days are allowed. This is represented by a filled box for every hour of every day. A filled box indicates that the user is allowed to log on during that hour. An empty box indicates that the user cannot log on.

  3. Position the mouse pointer on the rectangle on the day and hour that you want to disallow access. Press the mouse button, and drag the pointer through the last hour that you want to disallow. The area that you want to disallow should now be shaded.

  4. Click Disallow. The area will still be shaded, but the line indicating hours of access should be gone.

    For more information about using the Logon Hours dialog box, click Help.

  5. Repeat steps 3 and 4 for all of the times that you want the user to be disallowed.

  6. Click OK to return to the User Properties dialog box.

  7. Click OK to return to the User Manager window.

  8. Restrict logon hours for any other users who only need to log on during specified times.

To test logon hours

  1. Log off and then attempt to log on as the user account that you created for the sales representative.

  2. If prompted, change the password to student.

    Remember, passwords are case-sensitive.

    Were you able to successfully log on? Why or why not?

    ___________________________________________________________

  3. Log off and then attempt to log on as the user who is restricted to logging on during night time hours.

  4. If prompted, change the password to student.

    Were you able to successfully log on? Why or why not?

    ___________________________________________________________

Setting Workstation Restrictions

To set workstation restrictions, you can specify up to eight computer names from which a user can log on. Setting workstation access allows you to control which computers a user can use to log on to the domain. This prevents users from accessing another user's local data and can be used to require users to log on to workstations that are in an observed location. Set workstation restrictions in high-security networks.


To specify the workstation from which a user can log on


  1. In the User Manager window, double-click the user account that you created for the temporary employee.

  2. In the User Properties dialog box, click Logon To.

    The Logon Workstations dialog box appears. By default, each user account can log on from all computers.

  3. Click User May Log On To These Workstations.

  4. In the first box, type Temp1 (the name of the computer from which the user is allowed to log on).

  5. Click OK to return to the User Properties dialog box.

  6. Click OK to return to the User Manager window.

To test workstation restrictions

  1. Log on to your computer as the user account that you created for the temporary employee.

  2. If prompted, change the password to student.

    You were restricted from logging on to the computer, because the temporary employee can only log on to a computer named Temp1.

Setting Account Options

The following two options can be set in the Account Information dialog box:

  • Account Expires. Use this to set a date when the account will be automatically disabled. To specify when a user account expires, type the date of expiration. This is useful for temporary accounts for contractors or part-time employees.

  • Account Type. Use this to create a local account for a user from an untrusted domain who needs access to a network resource in your domain. A local account can be used to connect to a resource over the network. It cannot be used to log on from a computer in the domain where it was created.

    You only use the Local Account for users from untrusted domains option under Account Type if you want to assign permission to a user who has an account in a domain that does not have the appropriate trust relationship to your domain.

To set the account restriction

In this procedure, you configure the Temporary Employee user account to expire in 30 days.

  1. In the User Manager window, double-click the user account that you created for the temporary employee (refer to the "User Accounts Planning Worksheet").

  2. In the User Properties dialog box, click Account.

    The Account Information dialog box appears.

    Notice that the default option for Account Expires is Never.

  3. Click End of, and then type the date that is 30 days from today.

  4. Click OK to return to the User Properties dialog box.

  5. Click OK to return to the User Manager window.

Granting Dial-in Permission

Windows NT dial-up networking client software gives a user access to server-based dial-in packages, such as Windows NT Server Remote Access Service (RAS). Once the connection is made from the RAS client to the RAS server, users at remote sites can use the network as if their computers were directly connected to the network.

Before a user can log on to the network using RAS, the user must have dial-in permission assigned to his or her user account.

Note: Additionally, the Remote Access Service must already be installed and configured on the server, and the client must already be configured for dial-up networking.

You can specify an option for the RAS server to call the dial-in user back. The RAS server can dial the number specified by the user so that the company is billed for the call. Or, the RAS server can dial a number that you specify, which restricts the user to a specific dial-in location.

The Dialin Information dialog box provides the following call back options:

  • No Call Back. When selected, the RAS server will not call back the user, and the user will incur the telephone charges for the session. This is the default.

  • Set By Caller. When selected, lets the user specify a telephone number so that the RAS server can call the user back. This means that the organization that owns the RAS server will incur the telephone charges for the session.

  • Preset To. When selected, lets you specify a telephone number that the RAS server will use to call back the user. This reduces the risk of an unauthorized person using the user's account, because the user must be at the specified phone number in order to connect to the RAS server. In high-security networks, use this option and restrict users to dialing in from only one telephone number.

To grant dial-in permission

In this procedure, you grant dial-in permission for the Accounting Manager who requires dial-in privileges from home.

  1. In the User Manager window, double-click the user account that you created for the accounting manager (refer to the "User Accounts Planning Worksheet").

  2. In the User Properties dialog box, click Dialin.

    The Dialin Permission dialog box appears.

  3. Select the Grant dialin permission to user check box.

  4. Click OK to return to the User Properties dialog box.

  5. Click OK to return to the User Manager window.

Deleting and Renaming User Accounts

In Windows NT, every account is assigned a unique security identifier (SID) when the account is first created. A SID is a unique number that identifies the account. Internal processes in Windows NT refer to an account's SID rather than the account's user or group name.

Deleting an account permanently removes the account and the permissions and rights associated with it. For example, if you create an account, delete it, and then create an account with the same user name, the new account will not have the rights or permissions previously granted to the old account because the accounts have different SID numbers.

Renaming an account retains the permissions and rights associated with it because the SID was not deleted.

Use the following guidelines to decide whether to delete or rename an account:

  • Rename an account when you want to retain all rights, permissions, and group memberships for the account for a different user. For example, when a new employee replaces another employee, rename the user account and have the new employee change his or her password when he or she first logs on.

  • Delete an account when the account is no longer needed. When an account is deleted, all of the account information is lost. This information includes account properties, rights, permissions, and group memberships. The Administrator and Guest accounts cannot be deleted.
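A small model of the SID behaviour described above, added here as an example that is not from the book: resources record access by SID, so a rename keeps access and a delete-and-recreate does not. The domain SID, RID start, account names and share path are constructed for illustration.

```python
import itertools
from typing import Dict, List, Optional


class AccountDatabase:
    """Accounts keyed by SID. A SID, once issued, is never reused, which is
    the property the text above relies on."""

    # Constructed domain SID; a real one ends in three machine-specific numbers.
    def __init__(self, domain_sid: str = "S-1-5-21-0000000000-0000000000-0000000000"):
        self._domain_sid = domain_sid
        self._next_rid = itertools.count(1000)  # constructed starting RID
        self._by_sid: Dict[str, str] = {}

    def create(self, name: str) -> str:
        """Create an account and return its brand-new SID."""
        if self.sid_for(name) is not None:
            raise ValueError(f"account {name!r} already exists")
        sid = f"{self._domain_sid}-{next(self._next_rid)}"
        self._by_sid[sid] = name
        return sid

    def rename(self, old: str, new: str) -> str:
        """Rename keeps the SID, so every ACL entry for it still applies."""
        sid = self._require(old)
        self._by_sid[sid] = new
        return sid

    def delete(self, name: str) -> None:
        """Delete drops the SID; ACL entries that mention it become orphans."""
        del self._by_sid[self._require(name)]

    def sid_for(self, name: str) -> Optional[str]:
        for sid, n in self._by_sid.items():
            if n.lower() == name.lower():  # account names are case-insensitive
                return sid
        return None

    def name_for(self, sid: str) -> Optional[str]:
        return self._by_sid.get(sid)

    def _require(self, name: str) -> str:
        sid = self.sid_for(name)
        if sid is None:
            raise KeyError(f"no account named {name!r}")
        return sid


class Resource:
    """A shared folder whose ACL is the list of SIDs granted access."""

    def __init__(self, path: str):
        self.path = path
        self.acl: List[str] = []

    def grant(self, sid: str) -> None:
        self.acl.append(sid)


def can_access(db: AccountDatabase, name: str, resource: Resource) -> bool:
    """Access is decided by SID; the name is only resolved to find it."""
    sid = db.sid_for(name)
    return sid is not None and sid in resource.acl


def orphaned_aces(db: AccountDatabase, resource: Resource) -> List[str]:
    """Defender check: ACL entries whose SID no longer resolves to an account.
    These are what a deleted account leaves behind and should be removed."""
    return [sid for sid in resource.acl if db.name_for(sid) is None]


if __name__ == "__main__":
    db, share = AccountDatabase(), Resource(r"\\Server1\Reports")  # constructed
    sid = db.create("Temp2")
    share.grant(sid)
    db.rename("Temp2", "Temp3")
    print(can_access(db, "Temp3", share))  # True: same SID after the rename
    db.delete("Temp3")
    db.create("Temp3")                      # same name, but a new SID
    print(can_access(db, "Temp3", share))  # False: the ACL names the old SID
    print(orphaned_aces(db, share))        # the old SID, now unresolvable
```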

To rename a user account

In this procedure, you create a user account and then rename it.

  1. Create a new user account named Temp2.

  2. In the User Manager window, select Temp2.

  3. On the User menu, click Rename.

  4. In the Change To box, type temp3 and then click OK.

    The User Manager window is updated immediately.

To delete a user account

  1. In the User Manager window, select Temp3.

  2. Press the Delete key or, on the User menu, click Delete.

    A message appears warning you that once the account is deleted, even re-creating an account with the same name will not restore the access to resources that the deleted account had.

  3. Click OK to acknowledge the warning.

    A message appears asking if you want to delete the user.

  4. Click Yes and the user account is deleted.

Lesson Summary

The following information summarizes the key points in this lesson:

  • In User Manager, you create, delete, or disable local accounts on a local computer in a workgroup.

  • In User Manager for Domains, you create, delete, or disable domain and local accounts on the primary domain controller.

  • Assign an initial password to an account and then require the user to change the password the first time that they log on. This ensures that the account is protected and only the user knows the password.

  • When you create home folders for users, you specify the drive to which the user will connect, the server name, and the share name. In place of the user name, use %Username% to automatically name the home folder after the user name.

  • When you set logon hours for a user account, you specify the days of the week and the time range for each day that you want to allow or disallow a user to log on.

  • When you set workstation restrictions for a user account, you can specify up to eight names of the computers from which a user can log on.

  • When you set account options, you specify the expiration date of a user account or you specify that the account is a local account for users from untrusted domains.

For more information, see the following references:

  • Creating user accounts: Chapter 2, "Working With User and Group Accounts," in Microsoft Windows NT Server Concepts and Planning.

  • Trust relationships between domains: Chapter 1, "Managing Windows NT Server Domains," in Microsoft Windows NT Server Concepts and Planning; and Chapter 2, "Network Security and Domain Planning," in the Networking Guide of the Microsoft Windows NT Server Resource Kit.

  • Dial-up networking and Remote Access Service (RAS): Chapter 7, "RAS Security," in the Microsoft Windows NT Server Networking Supplement.

Lesson 4: Creating User Profiles

User profiles are useful for configuring or managing a user's desktop environment. This lesson introduces user profiles and explains the differences between personal user profiles, which are profiles users can change, and mandatory user profiles, which are profiles that users cannot change.

After this lesson, you will be able to:

  • Explain the difference between a roaming personal user profile and a mandatory user profile.

  • Configure a local user profile.

  • Create a roaming personal user profile.

  • Create a roaming mandatory user profile.

Estimated lesson time: 30 minutes

User Profiles

In Windows NT, a user's computing environment is determined primarily by the user profile. Windows NT security requires a user profile for each account that has access to the system.

The user profile contains all user-definable settings for the work environment of a computer running Windows NT, including display, regional, mouse, and sounds settings, and network and printer connections.

When a user logs on for the first time from a Windows NT–based client, a default user profile is created for that user. All user-specific settings are automatically saved into the Profiles folder within the system root folder (typically C:\Winnt\Profiles\user_name).

A user profile can also be customized to restrict what users see in their interface and what tools they have available to use when they log on. For example, an administrator can remove the Administrative Tools folder to prevent a user from changing a configuration.

The following settings are automatically saved in a user profile:

  • Windows NT Explorer. All user-definable settings for Windows NT Explorer.

  • Taskbar. All personal program groups and their properties, all program items and their properties, and all Taskbar settings.

  • Printers Settings. Network printer connections.

  • Control Panel. All user-defined settings made in Control Panel.

  • Accessories. All user-specific program settings affecting the user's Windows NT environment, including Calculator, Clock, Notepad, Paint, and HyperTerminal, among others.

  • Windows NT–based programs. Any program written specifically for Windows can be designed so that it tracks program settings on a per-user basis. If this information exists, it is saved in the user profile.

  • Online Help bookmarks. Any bookmarks placed in the Windows NT Help system.

Note: User profiles cannot be set for users who log on from LAN Manager, MS-DOS, Windows for Workgroups, or Windows 3.x clients. For these clients, you can write a logon script to configure the user's network and printer connections. For information on creating logon scripts, see Microsoft Windows NT Server Concepts and Planning.

Roaming User Profiles

Unlike a default user profile, roaming user profiles provide users with the same working environment, no matter which Windows NT–based computer a user logs on to. Roaming user profiles are stored centrally on a network server rather than on the user's local computer.

You can specify one of the following two roaming profiles for a user account:

  • Roaming personal user profile. This is a user profile that a user can change. It is updated to include any changes made by the user when the user logs off. When the same user logs on again, the profile is loaded as it was last saved. If you use roaming personal user profiles, each user should be assigned his or her own profile.

    Roaming personal user profiles are named Ntuser.dat.

  • Roaming mandatory user profile. This is a preconfigured user profile that users cannot change. One mandatory profile can be assigned to many users. This means that by changing one profile, you can change several desktop environments. You use this type of profile to assign common settings for all users who require identical desktop configurations—for example, bank tellers.

    Mandatory user profiles require an .man extension. You can make a personal profile mandatory by renaming it—for example, Ntuser.man.

Note: Windows NT user profiles are not compatible with Windows 95 user profiles. Windows 95–based client profiles must be created on a computer running Windows 95.

Creating Roaming User Profiles

The following checklist provides an overview of the tasks required to implement roaming user profiles:

  • Create a template user profile with the appropriate configuration. You do this by creating a user account, and then configuring the appropriate desktop settings.

  • Create and share a folder named Profiles. (For this lesson, this step was done for you during the Setup process.) This will allow users to access the profiles from a remote computer.

  • Copy the template user profile to a network server and specify the users who are permitted to use the profile.

  • Specify the path to the profile for the user account in the User Environment Profile dialog box.

To create a template user profile

In this procedure, you create a user account named Template Profile. This user account will be the model for a profile. Then, you configure the settings for the template profile.

  1. In the New User dialog box, create a user account named Template Profile with no password. Clear the User Must Change Password at Next Logon check box.

  2. Log on as Template Profile.

    A local user profile is automatically created for the Template Profile user on the local computer in the drive:\systemroot\Profiles folder.

  3. Right-click anywhere on the desktop, and then on the shortcut menu, click Properties.

    The Display Properties dialog box appears.

  4. Click Appearance.

    Notice the current color scheme.

  5. In the Color Schemes box, select a different color scheme, and then click OK. The change will take effect immediately.

  6. Log off and log on as the same user.

    Notice that the screen colors were those saved in the user's profile.

Copying the Profile to a Network Server

You copy a user profile using the System program in Control Panel. When you click the User Profiles tab of the System Properties dialog box, the default profiles appear for all users who have previously logged on to the computer.

To copy the template user profile to a network server

In this procedure, you copy the Template Profile user profile to the server for User2. (This folder was created and shared if you completed the Setup procedures described in "About This Book.")

  1. Log off and log on as Administrator.

  2. In User Manager for Domains, create a user account named User2 with no password requirements.

  3. Click the Start button, point to Settings, and then click Control Panel.

  4. In Control Panel, double-click System.

    The System Properties dialog box appears.

  5. Click the User Profiles tab.

    Notice that a user profile has been created for all users who have previously logged on to the computer, including a user profile named Template Profile.

  6. Under Profiles stored on this computer, click Template Profile, and then click Copy To.

    The Copy To dialog box appears.

  7. In the Copy profile to box, type \\computer_name\profiles\user2 (where computer_name is the name of your computer).

    Important: If you were to make the Template Profile mandatory, in the Copy profile to box, you would type \\computer_name\profiles (do not specify a user name).

To specify the users who are permitted to use the profile

  1. In the Copy To dialog box, under Permitted to use, click Change.

    The Choose User dialog box appears.

  2. In the List Names From box, make sure the domain where your accounts reside appears, and then click Show Users.

  3. In the Names box, click User2, and then click Add.

    Domain\User2 appears in the Add Name box.

  4. Click OK.

    Domain\User2 appears as the user permitted to use this profile.

  5. Click OK.

    A folder named after the user name you specified is created in the Profiles folder with all the desktop settings configured for the Template Profile user account.

  6. In Windows NT Explorer, view Profiles\User2. Notice the folders for the desktop settings that are stored in the Template Profile folder and the file Ntuser.dat.

    Important: If you were to make the Template Profile mandatory, you would rename the Ntuser.dat file to Ntuser.man. If you did not specify a user name, this file would be located in the Profiles folder.

To delete the Template Profile user profile

In this procedure, you delete the Template Profile user profile because it is no longer required. Only the profile on the server will be used.

  1. On the User Profiles tab, under Profiles stored on this computer, click the profile that was created for the template, and then click Delete.

    A Confirm Delete message appears.

  2. Click Yes to delete the local profile.

    The Template Profile user profile is deleted from the local computer.

Specifying the Path to the Roaming Profile

After you copy the roaming profile to a network server, specify the path to the profile for a user account in the User Environment Profile dialog box in User Manager for Domains.

In the User Profile Path box, specify the server location of the user profile.

  • If the profile is a roaming personal profile, enter the name of the server, the share name to the Profiles folder (in this lesson, the Profiles folder is shared as "Profiles"), and %Username%. If you use %Username%, Windows NT will substitute %Username% with the user account name.

  • If the profile is a roaming mandatory profile, enter the name of the server, the share name to the Profiles folder, and the actual profile name. For example: \\Server1\Profiles\Ntuser.man.

Note: If you have many users that require roaming profiles, you can specify the path to the profile for multiple user accounts at one time by doing the following: 1) In the User Manager window, select multiple accounts. 2) On the User menu, click Properties. 3) In the User Properties dialog box, click Profile.
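The two path rules above (a %Username% folder for a roaming personal profile, an explicit .man file for a roaming mandatory profile), worked through as an added example that is not from the book. The server, share and account names are constructed; the check at the end flags a personal profile folder assigned to more than one user, the mistake that leaving out %Username% causes.

```python
import re
from typing import Dict, List, NamedTuple


class ProfileTarget(NamedTuple):
    path: str         # resolved UNC path of the profile folder or .man file
    kind: str         # "personal" (the user can change it) or "mandatory"
    ntuser_file: str  # the registry hive file Windows NT loads for this user


_USERNAME_VAR = re.compile(r"%username%", re.IGNORECASE)  # variable is case-insensitive


def resolve_profile_path(template: str, username: str) -> ProfileTarget:
    """Expand %Username% and classify the profile by the .man extension rule."""
    resolved = _USERNAME_VAR.sub(lambda _m: username, template)
    if resolved.lower().endswith(".man"):
        # An explicit Ntuser.man file: mandatory, and may be shared by many users.
        return ProfileTarget(resolved, "mandatory", resolved)
    # A folder: a personal profile whose hive is the Ntuser.dat inside it.
    return ProfileTarget(resolved, "personal", resolved.rstrip("\\") + "\\Ntuser.dat")


def shared_personal_profiles(assignments: Dict[str, str]) -> Dict[str, List[str]]:
    """Defender check: personal profile folders assigned to more than one user.
    Without %Username%, those users overwrite each other's settings at every
    logoff; settings meant to be shared belong in a mandatory .man profile."""
    by_path: Dict[str, List[str]] = {}
    for user, template in assignments.items():
        target = resolve_profile_path(template, user)
        if target.kind == "personal":
            by_path.setdefault(target.path.lower(), []).append(user)
    return {p: sorted(users) for p, users in by_path.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed assignments: two correct personal paths, one shared folder.
    print(resolve_profile_path(r"\\Server1\Profiles\%Username%", "User2"))
    print(resolve_profile_path(r"\\Server1\Profiles\Ntuser.man", "Teller1"))
    print(shared_personal_profiles({
        "User2": r"\\Server1\Profiles\%Username%",
        "Temp1": r"\\Server1\Profiles\Shared",
        "Temp2": r"\\Server1\Profiles\shared",
    }))
```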

To specify a path to the roaming profile

  1. In the User Manager window, double-click User2.

    The User Properties dialog box appears.

  2. In the User Properties dialog box, click Profile.

  3. In the User Profile Path box, type \\computer_name\profiles\%username% (where computer_name is the name of your computer).

  4. Click OK twice to apply your changes.

  5. Exit User Manager for Domains and log off Windows NT.

To test the roaming profile

  • Log off and log on as User2.

    Notice that the screen colors are the same as the screen colors set for Template Profile.

To test the roaming profile from another computer

If you have access to two computers on the same network, complete this procedure from the second computer.

  1. Log on to the second computer as User2.

  2. If a dialog box appears which provides profile options, click Download.

    Notice that the screen colors are the same as those set on the first computer, because the roaming profile for User2 (copied from the template) is downloaded from the server and applied to whichever computer User2 logs on to.

  3. Log off.

To determine the type of profile assigned to a user

  1. Log on as an Administrator, and start Control Panel.

  2. Double-click System, and then click User Profiles.

    Notice that the profile type for User2 is a roaming profile.

  3. Exit all programs and log off Windows NT.

Lesson Summary

The following information summarizes the key points in this lesson:

  • User profiles define a user's desktop environment and are created by default when a user logs on for the first time.

  • A local user profile contains all user-definable settings controlling a user's desktop environment on the local computer.

  • Roaming user profiles provide users with the same desktop environment from any Windows NT–based computer on a network.

  • A roaming personal user profile is updated whenever a user makes a change to his or her desktop configuration. Each user has his or her own personal profile.

  • A roaming mandatory user profile cannot be changed by users. One profile is assigned to many users.

For more information, see the following references:

  • Logon scripts: Chapter 3, "Managing User Work Environments," in Microsoft Windows NT Server Concepts and Planning.

  • User profiles: Chapter 3, "Managing User Work Environments," in Microsoft Windows NT Server Concepts and Planning.

  • Creating Windows 95 user profiles: Chapter 15, "User Profiles and System Policies," in the Microsoft Windows 95 Resource Kit.

Best Practices

Review this checklist before you begin to create user accounts.

The following checklist provides best practices for setting up user accounts:

  • To provide a greater degree of security, create a user account that you can use to perform non-administrative tasks; only log on as Administrator to perform administrative tasks.

  • Only enable the Guest account in low-security networks and always assign it a password. This account is disabled by default.

  • Always assign a password to an account.

  • Always require new users to change their passwords the first time that they log on (this is the default setting). This will force users to protect their user account.

  • In medium-security and high-security networks, create random initial passwords for all user accounts.

  • Use roaming profiles if users frequently log on from different computers. This ensures that the user's familiar desktop configuration always appears.

  • Use the %Username% variable whenever you create a home folder or personal user profile. This variable will automatically be replaced with the user account name.

  • If your server is connected to the Internet, rename the Administrator account. This will help to deter hackers.

Review

The following questions are intended to reinforce key information presented in this chapter. If you are unable to answer a question, review the lesson and then try the question again.

  1. What is the difference between a domain user account and a local user account?

    _______________________________________________________________________________

    _______________________________________________________________________________

  2. User Manager for Domains is (circle all that apply):

    a. Used to create and manage accounts on the local domain or on any computer, member server, or other domains to which you have access.

    b. Used to create and manage accounts on the local domain only.

    c. The account management tool on computers running Windows NT Server.

    d. Can be installed on a computer running Windows NT Workstation or Windows 95 using the client-based administration tools.

  3. User Manager is (circle all that apply):

    a. Used to create and manage user accounts on the local computer only.

    b. The account management tool on computers running Windows NT Workstation and Windows NT Server.

    c. The account management tool on computers running Windows NT Workstation only.

  4. In a high-security network, what can you do to make the Administrator and Guest accounts more secure?

    _______________________________________________________________________________

    _______________________________________________________________________________

  5. What is the difference between a local and a roaming profile?

    _______________________________________________________________________________

    _______________________________________________________________________________

Answer Key

Procedure Answers

To plan new user accounts

Sample Answer:

User Account: One common naming convention uses first name, plus the first initial of the last name. When a duplicate first name exists, use additional characters from the last name. For example, use Lindam for the vice president, and Lindami for the night shift customer service representative.

Password Requirements: For all permanent employees, the administrator will select the User Must Change Password at Next Logon check box in User Manager for Domains. For all temporary contract employees, the administrator will select the User Cannot Change Password check box and will provide the password.

Home Folder Location: Home folders will be stored on the server.

Logon Hours: The night shift customer service representative's logon hours will be restricted to 6 P.M. through 6 A.M., 7 days a week. The temporary contract employee will be restricted to 8 A.M. to 5 P.M. All other employees will have 24-hour access, 7 days per week.

Workstation Restrictions: The temporary contract employee will only be able to log on at his or her own computer.

To test logon hours

2. Were you able to successfully log on? Why or why not?

Yes, because the sales representative has access to the network 24 hours a day, 7 days a week.

4. Were you able to successfully log on?

No, because night shift personnel are only allowed to log on between 6 P.M. and 6 A.M.

-or-

Yes, if the current time is between 6 P.M. and 6 A.M.

Review Answers

  1. What is the difference between a domain user account and a local user account?

    A domain user account defines a user to the domain. A user can log on to the domain and access domain resources from any computer on the network using a single user account and password.

    A local user account defines a user to the local computer only. To access resources on another computer, the user must have a separate user account on the other computer.

  2. User Manager for Domains is (circle all that apply):

    Answers a, c, and d are correct.

  3. User Manager is (circle all that apply):

    Answers a and c are correct.

  4. In a high-security network, what can you do to make the Administrator and Guest accounts more secure?

    Assign the Administrator account a password. Rename the Administrator account. The Guest account should remain disabled.

  5. What is the difference between a local and a roaming profile?

    A local profile is created and stored on the computer where the user logs on and is only applied at that computer for the user. A roaming profile is stored in a shared folder on a network server and is applied at whichever computer the user logs on from.