Creating User and Group Accounts in Windows 2000
By William R. Stanek
A key part of your job as an administrator is to create user accounts, and this chapter will show you how to do that.
User accounts allow Microsoft Windows 2000 to track and manage information about users, including permissions and privileges. When you create user accounts, the primary account administration tools you use are
Active Directory Users And Computers, which is designed to administer accounts throughout an Active Directory domain.
Local Users And Groups, which is designed to administer accounts on a local computer.
Creating domain accounts as well as local users and groups is covered in this chapter.
The most important aspects of account creation are account setup and organization. Without the appropriate policies, you could quickly find that you need to rework all your user accounts. So before you create accounts, determine the policies you'll use for setup and organization.
A key policy you'll need to set is the naming scheme for accounts. User accounts have display names and logon names. The display name (or full name) is the name displayed to users and the name referenced in user sessions. The logon name is the name used to log on to the domain. Logon names were discussed briefly in the section of Chapter 7 entitled "Logon Names, Passwords, and Public Certificates."
Rules for Display Names
In Windows 2000, the display name is normally the concatenation of the user's first name and last name, but you can set it to any string value. The display names must follow these rules:
Local display names must be unique on a workstation.
Display names must be unique throughout a domain.
Display names must be no more than 64 characters long.
Display names can contain alphanumeric characters and special characters.
Rules for Logon Names
Logon names must follow these rules:
Local logon names must be unique on a workstation and global logon names must be unique throughout a domain.
Logon names can be up to 104 characters. However, it isn't practical to use logon names that are longer than 64 characters.
A Microsoft Windows NT version 4.0 or earlier logon name is given to all accounts, which by default is set to the first 20 characters of the Windows 2000 logon name. The Windows NT version 4.0 or earlier logon name must be unique throughout a domain.
Users logging on to the domain from Windows 2000 computers can use their Windows 2000 logon name or their Windows NT version 4.0 or earlier logon name, regardless of the domain operations mode.
Logon names can't contain certain characters. Invalid characters are
" / \ [ ] : ; | = , + * ? < >
Logon names can contain all other special characters, including spaces, periods, dashes, and underscores. But it's generally not a good idea to use spaces in account names.
Note: Although Windows 2000 stores user names in the case that you enter, user names aren't case sensitive. For example, you can access the Administrator account with the user name Administrator or administrator. Thus, user names are case aware but not case sensitive.
Naming Schemes
You'll find that most small organizations tend to assign logon names that use the user's first or last name. But you can have several Toms, Dicks, and Harrys in an organization of any size. So rather than having to rework your logon naming scheme when you run into problems, select a good naming scheme now and make sure other administrators use it. For naming accounts, you should use a consistent procedure that allows your user base to grow and limits the possibility of name conflicts and ensures that your accounts have secure names that aren't easily exploited. If you follow these guidelines, the types of naming schemes you may want to use include:
User's first name and last initial You take the user's first name and combine it with the first letter of the last name to create the logon name. For William Stanek, you would use williams or bills. This naming scheme isn't practical for large organizations.
User's first initial and last name You take the user's first initial and combine it with the last name to create the logon name. For William Stanek, you would use wstanek. This naming scheme isn't practical for large organizations, either.
User's first initial, middle initial, and last name You combine the user's first initial, middle initial, and last name to create the logon name. For William R. Stanek, you would use wrstanek.
User's first initial, middle initial, and first five characters of the last name You combine the user's first initial, middle initial, and the first five characters of the last name to create the logon name. For William R. Stanek, you would use wrstane.
User's first name and last name You combine the user's first and last name. To separate the names, you could use the underscore character ( _ ) or hyphen (-). For William Stanek, you could use william_ stanek or william-stanek.
Tip In tight security environments, you can assign a numeric code for the logon name. This numeric code should be at least 20 characters long. Combine this strict naming method with smart cards and smart card readers to allow users to quickly log on to the domain. Don't worry, users can still have a display name that humans can read.
Windows 2000 accounts use passwords and public certificates to authenticate access to network resources. This section focuses on passwords.
Secure Passwords
A password is a case-sensitive string that can contain up to 104 characters with Active Directory directory service and up to 14 characters with Windows NT Security Manager. Valid characters for passwords are letters, numbers, and symbols. When you set a password for an account, Windows 2000 stores the password in an encrypted format in the account database.
But simply having a password isn't enough. The key to preventing unauthorized access to network resources is to use secure passwords. The difference between an average password and a secure password is that secure passwords are difficult to guess and crack. You make passwords difficult to crack by using combinations of all the available character types—including lowercase letters, uppercase letters, numbers, and symbols. For example, instead of using happydays for a password you would use haPPy2Days&, Ha**y!dayS, or even h*PPY%d*ys.
Unfortunately, no matter how secure you initially make a user's password, eventually the user usually chooses the password. Because of this, you'll want to set account policies. Account policies are a subset of the policies configurable as a group policy.
Setting Account Policies
As you know from previous discussions, you can apply group policies at various levels within the network structure. You manage local group policies in the manner discussed in the section of Chapter 4 entitled "Managing Local Group Policies." You manage global group policies as explained in the section of Chapter 4 entitled "Managing Site, Domain, and Unit Policies."
Once you access the group policy container you want to work with, you can set account policies by completing the following steps:
As shown in Figure 8-1, access the Account Policies node by working your way down the console tree. Expand Computer Configuration, then Windows Settings, and then Security Settings.
You can now manage account policies through the Password Policy, Account Lockout Policy, and Kerberos Policy nodes.
Note: Kerberos policies aren't used with local computers. Kerberos policies are only available with group policies that affect sites, domains, and organizational units.
Figure 8-1: Use entries in the Account Policies node to set policies for passwords and general account use. The console tree shows the name of the computer or domain you're configuring. Be sure this is the appropriate network resource to configure.
Figure 8-2: With local policies, you'll see the effective policy as well as the local policy.
To configure a policy, double-click its entry or right-click on it and select
Security. This opens a Properties dialog box for the policy.
For a local policy, the Properties dialog box is similar to the one shown in Figure 8-2. The effective policy for the computer is displayed but you can't change it. You can change the local policy settings, however. Use the fields provided to configure the local policy. For a local policy, skip the remaining steps; those steps apply to global group policies.
Note: Site, domain, and organizational unit policies have precedence over local policies.
For a site, domain, or organizational unit, the Properties dialog box is similar to the one shown in Figure 8-3.
Figure 8-3: Define and configure global group policies using their Properties dialog box.
All policies are either defined or not defined. That is, they are either configured for use or not configured for use. A policy that isn't defined in the current container could be inherited from another container.
Select or clear the Define This Policy Setting check box to determine whether a policy is defined.
Tip Policies can have additional fields for configuring the policy. Often, these fields are option buttons labeled Enabled and Disabled. Enabled turns on the policy restriction. Disabled turns off the policy restriction.
Specific procedures for working with account policies are discussed in the sections of the chapter entitled "Configuring Password Policies," "Configuring Account Lockout Policies," and "Configuring Kerberos Policies." This chapter's next section, "Viewing Effective Policies," will teach you more about viewing the effective policy on a local computer.
Viewing Effective Policies
When working with account policies and user rights assignment, you'll often want to view the effective policy on a local system. The effective policy is the policy being enforced and, as discussed in Chapter 4 under "Group Policy Management," the effective policy depends on the order in which you apply the policies.
To view the effective policy on a local system, complete the following steps:
Access the local policy for the system you want to work with, as explained in the section of Chapter 4 entitled "Managing Local Group Policies." Or select Local Policy Settings on the Administrative Tools menu (if these tools are installed and you're currently logged on to the computer you want to examine).
Access the policy node that you want to examine. Figure 8-4 shows the Password Policy node.
With local policies, the Computer Setting column is replaced by a Local Setting column and an Effective Setting column. The Local Setting column shows the local policy settings. The Effective Setting column shows the policy settings that are being enforced on the local computer.
If there are policy conflicts that you want to track down, review the sections of Chapter 4 entitled "In What Order Are Multiple Policies Applied?" and "When Are Group Policies Applied?"
As you learned in the previous section, there are three types of account policies: password policies, account lockout policies, and Kerberos policies. The sections that follow show you how to configure each one of these policies.
Figure 8-4: Local policies show the effective setting as well as the local setting.
Password policies control security for passwords and they include
Enforce Password History
Maximum Password Age
Minimum Password Age
Minimum Password Length
Passwords Must Meet Complexity Requirements
Store Password Using Reversible Encryption For All Users In The Domain
The uses of these policies are discussed in the following sections.
Enforce Password History
Enforce Password History sets how frequently old passwords can be reused. You can use this policy to discourage users from changing back and forth between a set of common passwords. Windows 2000 can store up to 24 passwords for each user in the password history. By default, Windows 2000 stores one password in the password history.
To disable this feature, set the size of the password history to zero. To enable this feature, set the size of the password history using the Passwords Remember field. Windows 2000 will then track old passwords using a password history that is unique for each user, and users won't be allowed to reuse any of the stored passwords.
Note: To discourage users from cheating Enforce Password History, you shouldn't allow them to change passwords immediately. This will prevent users from changing their passwords several times to get back to their old passwords.
Maximum Password Age
Maximum Password Age determines how long users can keep a password before they have to change it. The aim is to periodically force users to change their passwords. When you use this feature, set a value that makes sense for your network. Generally, you use a shorter period when security is very important and a longer period when security is less important.
The default expiration date is 42 days, but set it to any value from 0 to 999. A value of zero specifies that passwords don't expire. Although you may be tempted to set no expiration date, users should change passwords regularly to ensure the network's security. Where security is a concern, good values are 30, 60, or 90 days. Where security is less important, good values are 120, 150, or 180 days.
Note: Windows 2000 notifies users when they're getting close to the password expiration date. Anytime the expiration date is less than 30 days away, users see a warning when they log on that they have to change their password within so many days.
Minimum Password Age
Minimum Password Age determines how long users must keep a password before they can change it. You can use this field to prevent users from cheating the password system by entering a new password and then changing it right back to the old one.
By default, Windows 2000 lets users change their passwords immediately. To prevent this, set a specific minimum age. Reasonable settings are from three to seven days. In this way, you make sure that users are less inclined to switch back to an old password but are able to change their passwords in a reasonable amount of time if they want to.
Minimum Password Length
Minimum Password Length sets the minimum number of characters for a password. If you haven't changed the default setting, you'll want to do so immediately. The default is to allow empty passwords (passwords with zero characters), which is definitely not a good idea.
For security reasons, you'll generally want passwords of at least eight characters. The reason for this is that long passwords are usually harder to crack than short ones. If you want greater security, set the minimum password length to 14 characters.
Passwords Must Meet Complexity Requirements
Beyond the basic password and account policies, Windows 2000 includes facilities for creating additional password controls. These facilities are available in the password filters, which can be installed on a domain controller. If you've installed a password filter, enable Passwords Must Meet Complexity Requirements. Passwords are then required to meet the filter's security requirement.
For example, the standard Windows NT filter (PASSFILT.DLL) enforces the use of secure passwords that follow these guidelines:
Passwords must be at least six characters long.
Passwords can't contain the user name, such as stevew, or parts of the user's full name, such as Steve.
Passwords must use three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols.
Store Password Using Reversible Encryption
Passwords in the password database are encrypted. This encryption can't normally be reversed. If you want to allow the encryption to be reversed, enable Store Password Using Reversible Encryption For All Users In The Domain. Passwords are then stored with reversible encryption and can be recovered in case of emergency. Forgetting a password in not an emergency situation. Any administrator can change user passwords.
Account lockout policies control how and when accounts are locked out of the domain or the local system. These policies are
Account Lockout Threshold
Account Lockout Duration
Reset Account Lockout Threshold After
Account Lockout Threshold
Account Lockout Threshold sets the number of logon attempts that are allowed before an account is locked out. If you decide to use lockout controls, you should set this field to a value that balances the need to prevent account cracking against the needs of users who are having difficulty accessing their accounts.
The main reason users may not be able to access their accounts properly the first time is that they forgot their passwords. If this is the case, it may take them several attempts to log on properly. Workgroup users could also have problems accessing a remote system where their current passwords don't match the passwords the remote system expects. If this happens, several bad logon attempts may be recorded by the remote system before the user ever gets a prompt to enter the correct password. The reason is that Windows 2000 may attempt to automatically log on to the remote system. In a domain environment, this normally doesn't happen because of the Single Log-On feature.
You can set the lockout threshold to any value from 0 to 999. The lockout threshold is set to zero by default, which means that accounts won't be locked out because of invalid logon attempts. Any other value sets a specific lockout threshold. Keep in mind that the higher the lockout value, the higher the risk that a hacker may be able to break into your system. A reasonable range of values for this threshold is between 7 and 15. This is high enough to rule out user error and low enough to deter hackers.
Account Lockout Duration
If someone violates the lockout controls, Account Lockout Duration sets the length of time the account is locked. You can set the lockout duration to a specific length of time using a value between 1 and 99,999 minutes or to an indefinite length of time by setting the lockout duration to zero.
The best security policy is to lock the account indefinitely. When you do, only an administrator can unlock the account. This will prevent hackers from trying to access the system again and will force users who are locked out to seek help from an administrator, which is usually a good idea. By talking to the user, you can determine what the user is doing wrong and help the user avoid problems.
Tip When an account is locked out, access the Properties dialog box for the account in Active Directory Users And Computers. Then click the Account tab and clear the Account Is Locked Out check box. This unlocks the account.
Reset Account Lockout Threshold After
Every time a logon attempt fails, Windows 2000 raises the value of a threshold that tracks the number of bad logon attempts. Reset Account Lockout Threshold After determines how long the lockout threshold is maintained. This threshold is reset in one of two ways. If a user logs on successfully, the threshold is reset. If the waiting period for Reset Account Lockout Threshold After has elapsed since the last bad logon attempt, the threshold is also reset.
By default, the lockout threshold is maintained for one minute, but you can set any value from 1 to 99,999 minutes. As with Account Lockout Threshold, you need to select a value that balances security needs against user access needs. A good value is from one to two hours. This waiting period should be long enough to force hackers to wait longer than they want to before trying to access the account again.
Note: Bad logon attempts to a workstation against a password-protected screen saver don't increase the lockout threshold. Similarly, if you lock a server or workstation using Ctrl+Alt+Delete, bad logon attempts against the Unlock dialog box don't count.
Kerberos version 5 is the primary authentication mechanism used in an Active Directory domain. To verify the identification of users and network services, Kerberos uses service tickets and user tickets. As you might expect, service tickets are used by Windows 2000 service processes and user tickets are used by user processes. Tickets contain encrypted data that confirm the identity of the user or service.
You can control ticket duration, renewal, and enforcement through the following policies:
Enforce User Logon Restrictions
Maximum Lifetime For Service Ticket
Maximum Lifetime For User Ticket
Maximum Lifetime For User Ticket Renewal
Maximum Tolerance For Computer Clock Synchronization
These policies are discussed in the sections that follow.
Caution: Only administrators with an intimate understanding of Kerberos security should change these policies. If you change these policies to inefficient settings, you may cause serious problems on the network. In most cases the default Kerberos policy settings work just fine.
Enforce User Logon Restrictions
Enforce User Logon Restrictions ensures that any restrictions placed on a user account are enforced. For example, if the user's logon hours are restricted, this policy is what enforces the restriction. By default, the policy is enabled and should only be disabled in rare circumstances.
Maximum Lifetime
Maximum Lifetime For Service Ticket and Maximum Lifetime For User Ticket set the maximum duration for which a service or user ticket is valid. By default, service tickets have a maximum duration of 41,760 minutes and user tickets have a maximum duration of 720 hours.
You can change the duration of tickets. For service tickets, the valid range is from 0 to 99,999 minutes. For user tickets, the valid range is from 0 to 99,999 hours. A value of zero effectively turns off expiration. Any other value sets a specific ticket lifetime.
A ticket that expires can be renewed, provided the renewal takes place within the time set for Maximum Lifetime For User Ticket Renewal. By default, the maximum renewal period is 60 days. You can change the renewal period to any value from 0 to 99,999 days. A value of zero effectively turns off the maximum renewal period and any other value sets a specific renewal period.
Maximum Tolerance
Maximum Tolerance For Computer Clock Synchronization is one of the few Kerberos policies that you may need to change. By default, computers in the domain must be synchronized within five minutes of each other. If they aren't, authentication fails.
If you have remote users that log on to the domain without synchronizing their clock to the network timeserver, you may need to adjust this value. You can set any value from 0 to 99,999.
Chapter 7 covered built-in capabilities and user rights. Although you can't change built-in capabilities for accounts, you can administer user rights for accounts. Normally, you apply user rights to users by making them members of the appropriate group or groups. You can also apply rights directly, and you do this by managing the user rights for the user's account.
Note: Any user who is a member of a group that's assigned a certain right also has that right. For example, if the Backup Operators group has the right and TJSMITH is a member of this group, TJSMITH has this right as well. Keep in mind that changes you make to user rights can have a far-reaching effect. Because of this, only experienced administrators should make changes to the user rights policy.
You assign user rights through the Local Policies node of Group Policy. As the name implies, local policies pertain to a local computer. However, you can configure local policies and then import them into Active Directory. You can also configure these local policies as part of an existing Group Policy for a site, domain, or organizational unit. When you do this, the local policies apply to computer accounts in the site, domain, or organizational unit.
To administer user rights policies, complete the following steps:
Access the group policy container you want to work with, and then access the Local Policies node by working your way down the console tree. Expand Computer Configuration, Windows Settings, and then Local Policies.
Expand User Rights Assignment, shown in Figure 8-5, You can now manage user rights.
To configure user rights assignment, double-click a user right or right-click on it and select Security. This opens a Properties dialog box.
You can now configure the user rights as described in Steps 1_4 of the section of this chapter entitled "Configuring User Rights Locally" or Steps 1_7 of the following section, "Configuring User Rights Globally."
Figure 8-5: Use User Rights Assignment to configure user rights for the current group policy container.
For a site, domain, or organizational unit, you configure individual user rights by completing the following steps:
Open the Properties dialog box for the user right, shown in Figure 8-6.
Note: All policies are either defined or not defined. That is, they are either configured for use or not configured for use. A policy that isn't defined in the current container could be inherited from another container.
Select Define These Policy Settings to define the policy.
To apply the right to a user or group, click Add. Then, in the Group Name dialog box, click Browse. This opens the Select Users Or Groups dialog box shown in Figure 8-7. You can now apply the right to users and groups. The fields of this dialog box are used as follows:
- Look In To access account names from other domains, click the Look In list box. You should now see a list that shows the current domain, trusted domains, and other resources that you can access. Select Entire Directory to view all the account names in the directory.
Figure 8-6: Define the user right and then apply the right to users and groups.
Note: Only domains that have been designated as trusted are available in the Look In drop-down menu. Because of the transitive trusts in Windows 2000, this usually means that all domains in the domain tree or forest are listed. A transitive trust is one that isn't established explicitly. Rather, the trust is established automatically based on the forest structure and permissions set in the forest.
Name The Name column shows the available accounts of the currently selected domain or resource.
Add Add selected names to the selection list.
Check Names Validate the user and group names entered into the selection list. This is useful if you type names in manually and want to ensure that they're available.
After you select the account names to add to the group, click OK. The Group Name dialog box should now show the selected accounts. Click OK again.
The Properties dialog box is updated to reflect your selections. If you made a mistake, select a name and remove it by clicking Remove.
When you're finished granting the right to users and groups, click OK.
For local computers, you apply user rights by completing the following steps:
Open the Properties dialog box for the user right, shown in Figure 8-8.
The effective policy for the computer is displayed, but you can't change it. However, you can change the local policy settings. Use the fields provided to configure the local policy. Remember that site, domain, and organizational unit policies have precedence over local policies.
Figure 8-7: Use the Select Users Or Groups dialog box to apply the user right to users and groups.
The Assigned To column shows current users and groups that have been given a user right. Select or clear the related check boxes under the Local Policy Setting column to apply or remove the user right.
You can apply the user right to additional users and groups by clicking Add. This opens the Select Users Or Groups dialog box shown previously in Figure 8-7. You can now add users and groups.
You need to create a user account for each user who wants to use your network resources. You create domain user accounts with Active Directory Users And Computers. You create local user accounts with Local Users And Groups.
Generally, there are two ways to create new domain accounts:
Create a completely new user account Create a completely new account by right-clicking on the container in which you want to place the user account, pointing to New, and then selecting User. This opens the New Object - User Wizard shown in Figure 8-9. When you create a new account, the default system settings are used.
Figure 8-8: Define the user right and then apply the right to users and groups.
Base the new account on an existing account Right-click the user account you want to copy in Active Directory Users And Computers, and then select Copy. This starts the Copy Object - User Wizard, which is essentially the same as the New User dialog box. However, when you create a copy of an account, the new account gets most of its environment settings from the existing account. For more information on copying accounts, see the section of Chapter 9 entitled "Copying Domain User Accounts."
Once either the New Object - User or the Copy Object - User Wizard is started, you can create the account by completing the following steps:
As shown in Figure 8-9, the first wizard dialog box lets you configure the user display name and logon name.
Type the user's first and last name in the fields provided. The first and last names are used to create the Full Name, which is the user's display name.
Make changes to the Full Name field as necessary. For example, you may want to type the name in LastName FirstName MiddleInitial format or in FirstName MiddleInitial LastName format. The Full Name must be unique in the domain and must be 64 characters or less.
In User Logon Name, type the user's logon name. Then use the drop-down list to select the domain the account is to be associated with. This sets the fully qualified logon name.
The first 20 characters of the logon name are used to set the Windows NT version 4.0 or earlier logon name. This logon name must be unique in the domain. If necessary, change the Windows NT version 4.0 or earlier logon name.
Figure 8-9: Configure the user display and logon names.
Click Next. Then configure the user's password using the dialog box shown in Figure 8-10. The options for this dialog box are used as follows:
Password The password for the account. This password should follow the conventions of your password policy.
Confirm Password A field to ensure that you assign the account password correctly. Simply reenter the password to confirm it.
User Must Change Password At Next Logon If selected, the user must change the password upon logon.
User Cannot Change Password If checked, the user can't change the password.
Password Never Expires If selected, the password for this account never expires. This setting overrides the domain account policy. Generally, it's not a good idea to set a password so it doesn't expire because this defeats the purpose of having passwords in the first place.
Account Is Disabled If checked, the account is disabled and can't be used. Use this field to temporarily prevent anyone from using an account.
Click Next, and then click Finish to create the account. If there are problems creating the account, you'll see a warning and you'll need to use the Back button to retype information in the user name and password dialog boxes, as necessary.
Once the account is created, you can set advanced properties for the account as discussed later in the chapter.
Figure 8-10: Configure the user's password.
You create local user accounts with Local Users And Groups. You can access this utility and create an account by completing the following steps:
Choose Start, then Programs, then Administrative Tools, and then Computer Management. Or select Computer Management in the Administrative Tools folder.
Right-click the Computer Management entry in the console tree and select Connect To Another Computer on the shortcut menu. You can now choose the system whose local accounts you want to manage. Domain controllers don't have local users and groups.
Expand the System Tools node by clicking the plus sign (+) next to it and then choose Local Users And Groups.
Right-click Users and then select New User. This opens the New User dialog box shown in Figure 8-11. Each of the fields in the dialog box are used as follows:
Username The logon name for the user account. This name should follow the conventions for the local user name policy.
Full Name The full name of the user, such as William R. Stanek.
Description A description of the user. Normally you'd type the user's job title, such as Webmaster. You could also type the user's job title and department.
Password The password for the account. This password should follow the conventions of your password policy.
Confirm Password A field to ensure that you assign the account password correctly. Simply reenter the password to confirm it.
Figure 8-11: Configuring a local user account is different than configuring a domain user account.
User Must Change Password At Next Logon If selected, the user must change the password upon logon.
User Cannot Change Password If checked, the user can't change the password.
Password Never Expires If selected, the password for this account never expires. This setting overrides the local account policy.
Account Is Disabled If checked, the account is disabled and can't be used. Use this field to temporarily prevent anyone from using an account.
Click Create when you're finished configuring the new account.
You use group accounts to manage privileges for multiple users. You create global group accounts in Active Directory Users And Computers. You create local group accounts in Local Users And Groups.
As you set out to create group accounts, remember that you create group accounts for similar types of users. Following this, the types of groups you may want to create include the following:
Groups for departments within the organization Generally, users who work in the same department need access to similar resources. Because of this, you can create groups that are organized by department, such as Business Development, Sales, Marketing, or Engineering.
Groups for users of specific applications Often, users will need access to an application and resources related to the application. If you create application-specific groups, you can be sure that users get proper access to the necessary resources and application files.
Groups for roles within the organization Groups could also be organized by the user's role within the organization. For example, executives probably need access to different resources than supervisors and general users. Thus, by creating groups based on roles within the organization, you can ensure that proper access is given to the users that need it.
To create a global group, complete the following steps:
Start Active Directory Users And Computers. Right-click the container in which you want to place the user account. Afterward, point to New, and then select Group. This opens the New Object - Group dialog box shown in Figure 8-12.
Type a name for the group. Global group account names follow the same naming rules as display names for user accounts. They aren't case sensitive and can be up to 64 characters long.
The first 20 characters of the group name are used to set the Windows NT version 4.0 or earlier group name. This group name must be unique in the domain. If necessary, change the Windows NT version 4.0 or earlier group name.
Figure 8-12: The New Object - Group dialog box allows you to add a new global group to the domain.
Select a group scope, either Domain Local, Global, or Universal.
Select a group type, either Security or Distribution.
Click OK to create the group. Once the account is created, you can add members and set additional properties, as discussed later in the chapter.
You create local groups with Local Users And Groups. You can access this utility and create a group by completing the following steps:
Choose Start, then Programs, then Administrative Tools, and then Computer Management. Or select Computer Management in the Administrative Tools folder.
Right-click the Computer Management entry in the console tree and select Connect To Another Computer on the shortcut menu. You can now choose the system whose local accounts you want to manage. Domain controllers don't have local users and groups.
Expand the System Tools node by clicking the plus sign (+) next to it and then choose Local Users And Groups.
Right-click Groups and then select New Group. This opens the New Group dialog box shown in Figure 8-13.
After you type a name and description of the group, use the Add button to add names to the group. This opens the Select Users Or Groups dialog box, which was shown previously in Figure 8-7. You can now add members to the group. You can use the fields of this dialog box as follows:
Look In To access account names from other computers and domains, click the Look In list box. You should now see a list that shows the current computer, trusted domains, and other resources that you can access. Select Entire Directory to view all the account names in the directory.
Name The Name column shows the available accounts of the currently selected domain or resource.
Add Add selected names to the selection list.
Check Names Validate the user and group names entered into the selection list. This is useful if you type names in manually and want to make sure that they're available.
After you select the account names to add to the group, click OK.
The New Group dialog box is updated to reflect your selections. If you made a mistake, select a name and remove it by clicking Remove.
Click Create when you're finished adding or removing group members.
Figure 8-13: The New Group dialog box allows you to add a new local group to a computer.
You use Active Directory Users And Computers to configure group membership. When working with groups keep the following points in mind:
All new domain users are members of the group Domain Users, and their primary group is specified as Domain Users.
All new domain workstations and member services are members of Domain Computers, and their primary group is Domain Computers.
All new domain controllers are members of Domain Controllers and their primary group is Domain Controllers.
Active Directory Users And Computers gives you several ways to manage group membership. You can
Manage individual membership
Manage multiple memberships
Set primary group membership for individual users and computers
You can add or remove group membership for any type of account by completing the following steps:
Double-click the user, computer, or group entry in Active Directory Users And Computers. This opens the account's Properties dialog box.
Select the Member Of tab.
To make the account a member of a group, click Add. This opens the Select Groups dialog box, which is the same as the Select Users Or Groups dialog box discussed in previous examples. You can now choose groups that the currently selected account should be a member of.
To remove the account from a group, select a group and then click Remove.
Click OK.
Another way to manage group membership is to use a group's Properties dialog box to add or remove multiple accounts. To do this, follow these steps:
Double-click the user or computer entry in Active Directory Users And Computers. This opens the account's Properties dialog box.
Select the Members tab.
To add accounts to the group, click Add. This opens the Select Users Or Groups dialog box. You can now choose users, computers, and groups that should be members of this currently selected group.
To remove members from a group, select an account and then click Remove.
Click OK.
Primary groups are used by users who access Windows 2000 through services for Macintosh. When a Macintosh user creates files or directories on a Windows 2000 system, the primary group is assigned to these files or directories. All user and computer accounts must have a primary group regardless of whether the accounts access Windows 2000 systems through Macintosh. This group must be a group with global or universal scope, such as the global group Domain Users or the global group Domain Computers. To set the primary group, complete the following steps:
Double-click the user, computer, or group entry in Active Directory Users And Computers. This opens the account's Properties dialog box.
Select the Member Of tab.
Select a group with global or universal scope in the Member Of list box.
Click Set Primary Group.
All users must be a member of at least one primary group. You can't revoke membership in a primary group without first assigning the user to another primary group. To do this, complete the following steps:
Select a different group with global or universal scope in the Member of list box, and then click Set Primary Group.
In the Member of list box, click the former primary group and then click Remove. The group membership is now revoked.