Lesson 1: Understanding User Accounts

Microsoft Windows 2000 supports three different types of user accounts: local user accounts, domain user accounts, and built-in user accounts. A local user account allows a user to log on to a specific computer to gain access to resources on that computer. A domain user account allows a user to log on to the domain to gain access to network resources. A built-in user account allows a user to perform administrative tasks or to gain access to local or network resources.


After this lesson, you will be able to

  • Describe the role and purpose of user accounts

Estimated lesson time: 10 minutes


Local User Accounts

Local user accounts allow users to log on at and gain access to resources only on the computer on which the local user account has been created. When you create a local user account, Windows 2000 creates the account only in that computer's security database, which is called the local security database, as shown in Figure 4.1. Windows 2000 doesn't replicate local user account information to any other computer. After the local user account has been created, the computer uses its local security database to authenticate the local user account, which allows the user to log on to that computer.

Figure 4.1 Characteristics of local user accounts

If you have a workgroup that consists of five computers running Windows 2000 Professional and you create a local user account—for example, User1 on Computer1—you can log on to Computer1 only with the User1 account. If you need to be able to log on to all five of the computers in the workgroup as User1, you must create a local user account, User1, on each of the five computers. Furthermore, if you decide to change the password for User1, you must change the password for User1 on each of the five computers because each of these computers maintains its own local security database.

NOTE


Do not create local user accounts on computers running Windows 2000 that are part of a domain because the domain doesn't recognize local user accounts. The user would be unable to gain access to resources in the domain and the domain administrator would be unable to administer the local user account properties or assign access permissions for domain resources.

Domain User Accounts

Domain user accounts allow users to log on to the domain and gain access to resources anywhere on the network. The user provides his or her password and user name at logon. Windows 2000 authenticates the user and then builds an access token that contains information about the user and security settings. The access token identifies the user to computers that are part of the Windows 2000 domain on which the user tries to gain access to resources. Windows 2000 provides the access token for the duration of the logon session.

NOTE


You can have domain user accounts only if you have a domain. You can have a domain only if you have at least one computer running one of the Windows 2000 Server products that is configured as a domain controller, which has the directory services based on Active Directory technology installed.

You create a domain user account in the copy of the Active Directory database (the Directory) on a domain controller, as shown in Figure 4.2. The domain controller replicates the new user account information to all domain controllers in the domain. After Windows 2000 replicates the new user account information, all of the domain controllers in the domain tree can authenticate the user at logon.

Figure 4.2 Characteristics of domain user accounts

Built-In User Accounts

Windows 2000 automatically creates accounts called built-in accounts. Two commonly used built-in accounts are Administrator and Guest accounts.

Administrator

Use the built-in Administrator account to manage the overall computer network. If your computer is part of a domain, use the built-in Administrator account to manage the domain configuration. Tasks done using the Administrator account include creating and modifying user accounts and groups, managing security policies, creating printers, and assigning permissions and rights to user accounts to gain access to resources.

If you are the administrator, you should create a user account that you use to perform nonadministrative tasks. Log on by using the Administrator account only when you perform administrative tasks.

NOTE


You can't delete the Administrator account. You should always rename the built-in Administrator account to provide a greater degree of security. Use a name that doesn't identify it as the Administrator account. This makes it difficult for unauthorized users to break into the Administrator account because they don't know which user account it is.

Guest

Use the built-in Guest account to allow occasional users to log on and gain access to resources. For example, an employee who needs access to resources for a short time could use the Guest account.

NOTE


The Guest account is disabled by default. Enable the Guest account only in low-security networks and always assign it a password. You can rename the Guest account, but you can't delete it.
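The recommendations in the two notes above (rename Administrator; keep Guest disabled, or give it a password if it is enabled) can be checked with a short audit. The script below is an added example, not part of the training kit. It assumes PowerShell 3.0 or later and the WMI class Win32_UserAccount; the function name Test-BuiltInAccount and the sample records are constructed for illustration. It identifies the built-in accounts by their fixed relative IDs (500 and 501) rather than by name, so a renamed account is still found.

```powershell
# Added example: audit the built-in accounts by well-known RID, not by name.
# The last SID component is fixed by Windows: 500 = Administrator, 501 = Guest.
function Test-BuiltInAccount {
    param([Parameter(Mandatory)][object[]]$Accounts)

    foreach ($a in $Accounts) {
        $rid = ($a.SID -split '-')[-1]
        $finding = $null
        if ($rid -eq '500') {
            $role = 'Administrator'
            # The lesson advises a name that does not reveal the account's role.
            if ($a.Name -eq 'Administrator') { $finding = 'Default name still in use; rename it' }
            else { $finding = 'Renamed' }
        } elseif ($rid -eq '501') {
            $role = 'Guest'
            # PasswordRequired = False means the account may have a blank password.
            if ($a.Disabled) { $finding = 'Disabled (default)' }
            elseif (-not $a.PasswordRequired) { $finding = 'Enabled and allowed a blank password' }
            else { $finding = 'Enabled; acceptable only on a low-security network' }
        }
        if ($finding) {
            [pscustomobject]@{ Role = $role; Account = $a.Name; Finding = $finding }
        }
    }
}

# Constructed sample records shaped like Win32_UserAccount output
# (the SID prefix is a made-up placeholder, not a real machine identifier).
$sample = @(
    [pscustomobject]@{ Name = 'Administrator'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-500'
                       Disabled = $false; PasswordRequired = $true }
    [pscustomobject]@{ Name = 'Visitor'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-501'
                       Disabled = $false; PasswordRequired = $false }
    [pscustomobject]@{ Name = 'User1'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
                       Disabled = $false; PasswordRequired = $true }
)
Test-BuiltInAccount -Accounts $sample | Format-Table -AutoSize

# On a live computer, audit its local security database instead:
# Test-BuiltInAccount -Accounts (Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True")
```

Because the RID survives a rename, renaming the Administrator account hides it only from someone who looks for the default name, not from anyone who can enumerate account SIDs.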

Lesson Summary

In this lesson, you learned that Microsoft Windows 2000 supports local user accounts, domain user accounts, and built-in user accounts. With a local user account, a user logs on to a specific computer to gain access to resources on that computer. With a domain user account, a user can log on to the domain to gain access to network resources. With built-in user accounts, you can perform administrative tasks or gain access to resources.

When you create a local user account, Windows 2000 creates the account only in that computer's security database, which is called the local security database. If you need to have access to multiple computers in your workgroup, you must create an account on each of the computers in the workgroup. You don't create built-in user accounts; Windows 2000 creates them automatically.

You also learned that if your computer is part of a domain, Windows 2000 provides domain user accounts. Some built-in user accounts are also domain user accounts; these are used to perform administrative tasks or gain access to network resources. When you create a domain user account, Windows 2000 creates the account in the copy of the Active Directory database (the Directory) on a domain controller. The domain controller then replicates the new user account information to all domain controllers in the domain, simplifying user account administration.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
