Managing Accounts


Windows 2000 offers new tools for user and group account management. These tools cover three scenarios, and each tool is optimized for its environment:

  • Managing accounts in Windows 2000 Professional
  • Managing accounts in Windows 2000 Server without Active Directory
  • Managing accounts in Windows 2000 Server with Active Directory

Let's take a moment to look at each in turn.

Managing Accounts in Windows 2000 Professional

In Windows NT 4 Workstation, user accounts are managed using User Manager. In Windows 2000 Professional, user accounts are configured using the Users And Passwords tool, accessed via Control Panel. The purpose of this tool is to make local administration simple and foolproof. Defining users with this tool sets up local user accounts only; these accounts are stored in the machine's SAM database and are not users in Active Directory.

The beauty of this tool is that both types of credentials used by Windows 2000—passwords and private keys (and the associated certificates)—are administered seamlessly from the one tool, as shown in Figure 3-4.

Figure 3-4. The Users And Passwords tool in Windows 2000 Professional.

Managing Accounts in Windows 2000 Server Without Active Directory

In Windows NT 4 Server, user accounts are managed using User Manager For Domains. In Windows 2000 Server, you use the Local Users And Groups tool. As with the tool available in Windows 2000 Professional, the accounts it manages are local to the computer and are granted rights and permissions on that computer.

This tool is also available as an advanced option when using Windows 2000 Professional. To open it, click the Advanced tab of the Users And Passwords dialog box; then click Advanced in the Advanced User Management area.

Managing Accounts in Windows 2000 Server with Active Directory

In Windows 2000, domain accounts are managed using the Active Directory Users And Computers tool; in Windows NT 4 Server, they are administered using User Manager For Domains. The Active Directory Users And Computers tool looks similar to the Local Users And Groups tool, but the similarity is skin-deep—the tools' implementations are very different.

Extending the Active Directory Schema

Extending the Active Directory schema is not to be taken lightly; in fact, this functionality is disabled by default. Perform the following steps to extend the schema:

  1. From the command line, go to the %winnt%/system32 directory.
  2. Type regsvr32 schmmgmt.dll. (You don't need to type this command every time you want to extend the Active Directory schema; you need to type it only once.)
  3. From the command line or the Start menu, run mmc /a.
  4. Choose Add/Remove Snap-in from the Console menu.
  5. Click Add.
  6. Select Active Directory schema.
  7. Click Add.
  8. Click Close.
  9. Click OK.

The format of the SAM is inflexible (you cannot change the data format or add your own field definitions), but Active Directory is richer and can be extended to include user-defined extensions. This is called extending the Active Directory schema. For example, you might have a user attribute relating to a user's access to a human resources database; this information could be added to the Active Directory user object.
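The human-resources attribute described above, written as an LDIF schema extension. This is an added example, not taken from the book; the attribute name, the DC=example,DC=com domain, and the OID are placeholders, and importing it with ldifde on the schema master is an assumption about how the change would be applied.

```ldif
# Constructed example: placeholder names, DN and OID throughout.
# Import on the schema master with: ldifde -i -f hr-attribute.ldf
# Replace PLACEHOLDER with an OID arc your organization owns.

# 1. Define the new attribute (Boolean: attributeSyntax 2.5.5.8, oMSyntax 1).
dn: CN=example-HRDatabaseAccess,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
cn: example-HRDatabaseAccess
lDAPDisplayName: exampleHRDatabaseAccess
attributeID: 1.3.6.1.4.1.PLACEHOLDER.1.1
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: TRUE
adminDescription: Whether the user may access the HR database

# 2. Reload the schema cache so the new attribute can be referenced.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# 3. Allow the attribute on user objects.
dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: modify
add: mayContain
mayContain: exampleHRDatabaseAccess
-

# 4. Reload the schema cache again so the class change takes effect.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
```

Schema additions replicate to every domain controller in the forest and cannot be deleted afterward, only deactivated, so run the import against an isolated test forest before production.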



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
