Strategies to Minimize Logon Problems



The best way to solve a problem is to take all necessary measures to ensure that the problem doesn't happen in the first place. Although it is not possible to completely eliminate every source of failed logon problems, you can do a lot to keep your network users happy by taking a few precautions:

  • Place a backup domain controller on every physical subnet. If a network link goes down, users can still be validated by the local BDC and continue to work with resources to which they can still connect. A BDC with enough available resources can simultaneously perform the same functions as any other Windows NT Server, so if you have a server on a subnet that is offering resources and it is not already overloaded, consider replacing it with a BDC and letting it serve two roles. Remember, if the server is not already a domain controller, you will have to reinstall the OS and select that option during setup.

  • Enforce reasonable password policies. Some operating systems allow you to have the computer generate random passwords, which are very difficult to remember. If a user cannot remember a password, most of the time the user will just write it down somewhere, which can compromise security. If you force users to change passwords too frequently, they will most likely have a hard time remembering what the most recent password is, unless they write it down somewhere. If you set the account policy lockout values too low, you will find that users get locked out because of simple typing errors, and the help desk will spend a lot of time unlocking these accounts.

  • Keep track of user accounts. You can use a paper method or an electronic one such as a spreadsheet or database. Delete accounts for users who leave the company and create new ones for new employees. Getting rid of the dead wood will help avoid confusion when troubleshooting and will help keep the SAM databases down to a reasonable size.

  • Never use generic accounts where more than one user logs in under the same username. Though this is a tempting idea because you have fewer user accounts to manage, it can be a security nightmare if something goes wrong and you are unable to use auditing measures to figure out the who, what, and when of the matter. Also, when more than one person is using the same account to log on, it takes only one person with fumble-fingers to incorrectly type a password a few times and lock the account, which also prevents others who use the same account from logging in.
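The lockout and generic-account points above can be checked against logon records before an account policy is changed. The following is an added example, not code from the book: it replays a constructed logon log under a simplified lockout model, and the account names, workstation names, log layout, and the 30-minute reset and lockout values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (time, account, workstation, succeeded).
# "frontdesk" is a hypothetical generic account shared by several people;
# "bjones" shows the run of failures that lockout is meant to stop.
SAMPLE_LOG = [
    ("09:00", "asmith", "WS01", False), ("09:01", "asmith", "WS01", False),
    ("09:02", "asmith", "WS01", True),
    ("09:05", "frontdesk", "WS07", False), ("09:06", "frontdesk", "WS09", False),
    ("09:07", "frontdesk", "WS07", False), ("09:08", "frontdesk", "WS12", True),
] + [("09:%02d" % m, "bjones", "WS03", False) for m in range(10, 16)]

def simulate_lockouts(log, threshold, reset_minutes=30, lockout_minutes=30):
    """Return {account: [lockout times]} under a simplified lockout model."""
    window = timedelta(minutes=reset_minutes)
    failures = defaultdict(list)   # account -> recent failure times
    locked_until = {}              # account -> time the lock expires
    lockouts = defaultdict(list)
    for stamp, account, _ws, ok in log:
        now = datetime.strptime(stamp, "%H:%M")
        if now < locked_until.get(account, now):
            continue               # attempts on a locked account are rejected
        if ok:
            failures[account].clear()  # a good logon resets the failure count
            continue
        recent = [t for t in failures[account] if now - t < window]
        recent.append(now)
        failures[account] = recent
        if len(recent) >= threshold:
            lockouts[account].append(stamp)
            locked_until[account] = now + timedelta(minutes=lockout_minutes)
            failures[account] = []
    return dict(lockouts)

def failure_sources(log, account):
    """Workstations that contributed bad passwords for one account."""
    return sorted({ws for _t, acct, ws, ok in log if acct == account and not ok})

if __name__ == "__main__":
    for threshold in (2, 3, 5):
        print(threshold, simulate_lockouts(SAMPLE_LOG, threshold))
    print("frontdesk failures came from", failure_sources(SAMPLE_LOG, "frontdesk"))
```

With a threshold of 2 even the user who mistypes twice is locked out, and at 3 the shared account locks on failures from two different workstations that cannot be tied to one person, while the repeated failures on bjones are still stopped at 5.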

To fully understand how to troubleshoot problems with logons, you should make yourself knowledgeable about the Windows NT Event Viewer administrative tool. You can find out more about this valuable utility in Chapter 43.



Chapter 37. Windows 2000 and Windows Server 2003 User and Computer Management Utilities

SOME OF THE MAIN TOPICS IN THIS CHAPTER ARE

The Microsoft Management Console

User Management

Computer Management

Windows 2000 User Groups

In Windows NT Server 4.0, every basic management task required you to use a different program: the User Manager, the Server Manager, and others. In Windows 2000 and Windows 2003 servers, the Microsoft Management Console (MMC) is the main interface for almost all administrative tools. By using a common interface, MMC makes it easy to learn new utilities, because they all operate in much the same way.



The Microsoft Management Console

MMC is intended to provide a common interface into various administrative tools used with Windows 2000/XP/2003. Utilities are created as snap-ins that are loaded into the MMC application and presented to the user. Each console consists of a left pane with a tree of objects you can manage using the particular snap-in. This tree can contain things such as folders and other containers, or administrative objects. Some objects in the tree can be expanded by clicking on the plus sign (+) next to them, to reveal a further nesting of objects. Hence the treelike structure, which is similar to a set of directories and subdirectories.

Note

The MMC interface is not limited to Microsoft management applications. Many third-party vendors have also designed snap-ins that can be used with MMC. The goal of this effort is to provide a consistent interface to manage not just the operating system and layered products, but also applications and utilities created for Windows platforms.


The right pane is usually used to display data or other information based on choices made in the left pane. For example, in the Computer Management administrative tool, you select Disk Defragmenter from the tree of options in the left pane, and the disk defragmenter displays disks that you can defragment, as well as the progress of the defragmentation process, in the pane on the right.

Note

For the most common system management tasks, you don't have to worry about setting up a snap-in for MMC. Use Start, Programs, Administrative Tools for Windows 2000, and you will see that the familiar utilities are already set up, along with some others you might not recognize. For Windows Server 2003, use Start, Administrative Tools.