User Accounts

After you have created your organizational units and groups, it is time to add user accounts and begin matching users with the resources that they need to do their jobs. The first factor that you should consider at this point is, just what is a user account, and what is it good for? This is a slightly more difficult question than it may seem at first.

When you create a new account for Ulysses Grant in your accounting department and another for Teddy Roosevelt in the sales department, you put each of them into separate groups, with permissions to various resources. Remember, though, that in truth you are not assigning them access, but rather you are assigning their role in the company access. A user account, in other words, represents a particular job in the company—not an individual. If Teddy decided to leave the company and run for president, all you would have to do is rename the account and give it to the person hired to replace him. That person would then fill the role and would have all the rights necessary to do their work.

explicit permission

Occurs when a user is given permissions to a resource without any groups involved.

The other point to remember is that in a well-implemented network, users actually have permissions to no resources at all. This is not to say that users should not be able to access files or printers! A user is created, given particular configuration options and rights based on their network role, and is then placed into groups that provide access to the resources needed. In other words, groups, not individual users, have the permissions.

You should never have to give a user explicit permission to a resource (file, directory, or printer). Doing so can cause significant confusion and raise questions such as, “Why can that user print to the color printer? None of the groups she is in has rights to it.” The answer may be that another administrator gave the user explicit permission to the printer for a particular task and then forgot to take it away. Although it is certainly possible to give users permissions directly, in general you should remember to use the groups. That’s what they’re there for.
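The "why can that user print to the color printer?" situation is easy to audit for folders. As an added example that is not from the book, this PowerShell function lists the non-inherited entries on a folder's ACL that name an individual user account rather than a group; it assumes the RSAT ActiveDirectory module, and the share path is a placeholder.

```powershell
# Added example, not from the book. Flags folder permissions granted directly
# to user accounts instead of groups. Assumes the ActiveDirectory module (RSAT);
# the share path is a placeholder.
Import-Module ActiveDirectory

function Get-ExplicitUserAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Inherited entries come from the parent folder; only explicit ones matter here.
        if ($ace.IsInherited) { continue }

        $principal = $ace.IdentityReference.Value                    # e.g. EXAMPLE\ugrant
        if ($principal -notmatch '^[^\\]+\\[^\\]+$') { continue }    # skip CREATOR OWNER etc.
        $sam = $principal.Split('\')[1]

        # SamAccountName is unique per domain, so a hit here means a user, not a group.
        # BUILTIN\ and NT AUTHORITY\ principals simply return nothing.
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
        if ($user) {
            [pscustomobject]@{
                Path   = $Path
                User   = $principal
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

# Each row returned is a candidate to replace with a group permission.
Get-ExplicitUserAce -Path '\\FS01\Shared\Finance' | Format-Table -AutoSize
```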

Other than the users you create, two built-in users are created with the domain:

Administrator  The most powerful account on the domain, the Administrator account cannot be deleted or disabled, and effectively has access to all resources and configuration options on the domain. Access to the Administrator account password should be kept to a small number of people. Oh, and don’t forget the password...

Guest  The Guest account is used to provide anonymous access to certain resources on the network. This is obviously a low-security option, and the Guest account is disabled by default. It can be useful for visitor access in a kiosk or for allowing read-only access to certain materials on the network.

Creating User Accounts

If possible, a user account should be created for every individual on the network. Shared accounts (for example, Interns) can certainly be created, but if all interns use the same username and password to log on to the network, it is difficult to maintain any real distinction between them in a security context. It would be far better to create separate accounts—Intern1, Intern2, etc.

To create a new user, simply go to Active Directory Users and Computers and select the container you wish to create the user in. The default is the Users folder, but you can also place the user in an organizational unit. Right-click the container and select New > User. When you create a new user, you will be able to configure the following information.

Users folder

One of a number of default folders in the Active Directory. In most cases, using this default location is fine. Users in this folder can later be placed into groups in other folders or organizational units.

Data                                     Description
First Name                               User’s first name.
Last Name                                User’s last name.
Name                                     Full name.
User Logon Name                          Unique name within the Active Directory.
Password                                 Authentication information used to log on the user.
Confirm Password                         The initial password, assigned by the administrator, is retyped here to ensure it is correct.
User Must Change Password at Next Logon  If the user is assigned an initial password by the administrator, this option ensures that the user will create their own password when they first use the account.
User Cannot Change Password              Prevents a user from changing a password. Good for shared accounts.
Password Never Expires                   Overrides password expiration options.


You can require specific password lengths, expiration times, and password reuse policies. Although these provide greater security, don’t make the policy so draconian that users can’t remember their passwords. Users writing their passwords on sticky notes and leaving them on their monitors is usually a good clue you have gone too far!

Tip

Before you start creating users, make sure that you have worked out an acceptable naming convention, or policy. For instance, will you use ugrant and troosevelt or ulyssesg and teddyr? If the company is small enough, perhaps just Ulysses and Teddy will do. Regardless, make sure you create a naming strategy that works for the organization and can expand. What happens when a second Ulysses Grant is hired, for instance?

profile

A record of the user’s personal configuration data and preferences. You can store a profile locally or you can store all user profiles on the server and allow them to roam, which means a user could log on to any machine in the domain and get their own profile.

Configuring User Accounts

After you have created an account, you will be given a number of additional options that will add to or restrict the power of the account on the network. To access an account’s configuration information, select the account in Active Directory Users and Computers and right-click it. Select the Properties option. The User Properties window has a number of tabs, including those shown here.

Tab           Configuration Options
General       Name, display name, description, office, phone, e-mail, web page
Address       Full mailing address
Account       Logon name, logon hours, workstation restrictions, account options, account expiration
Profile       Profile, logon script, and home folder locations
Telephones    Additional phone numbers and comments
Organization  Title, department, company, manager, and direct reports
Member Of     Group and primary group memberships
Dial-in       Remote access, callback, and IP address info

Many of these fields are simply informational, such as the Address and Telephones fields. Others serve specific network security or organizational purposes. The Account and Profile tabs are extremely important to understand, because they allow an administrator to set network locations and user options, including:

  • Through the use of a logon script, an administrator can map drives for a user, attach printers, and set system or user variables.

  • Profiles can be used to standardize the Windows Desktop and to restrict which programs or options a user can access.

  • Home folders can be set up to ensure that all users have their own place on the network to store files. Home folders are secured so that only the user who owns the folder can access its information.

  • Logon Hours and Workstation Restrictions options enable the administrator to specify the times that a user can use the network, as well as the machines that they are allowed to use.

  • Account options enable the administrator to set password options, such as how the password is saved for the user, and when it expires.

Terminal Services

Whereas normal servers provide file or printer access, a terminal server provides full desktop access. Terminal Services allow a single machine to be used by multiple users at once. Each individual uses their own keyboard, mouse, and monitor, and is presented with a Windows Desktop, but all programs run locally on the terminal server.
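As an added example that is not from the book, here is the same kind of account created and configured with the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) rather than the Server 2003 wizard and Properties tabs described in this chapter: it covers the wizard fields from the Data table, the Account tab's logon hours, workstation restrictions and expiration, and the Profile tab's profile path, logon script and home folder. The OU, domain, server, workstation and group names are placeholders, and the logonHours bit layout is as documented for that attribute (one bit per hour of the week, in UTC).

```powershell
# Added example, not from the book. Uses the ActiveDirectory module (RSAT, Server 2008 R2+)
# instead of the Server 2003 wizard. OU, domain, server, workstation and group names are placeholders.
Import-Module ActiveDirectory

$ou      = 'OU=Accounting,DC=example,DC=local'   # placeholder container (an OU, not the Users folder)
$domain  = 'example.local'                       # placeholder UPN suffix
$fileSrv = '\\FS01'                              # placeholder file server
$user    = 'ugrant'                              # naming convention: first initial + last name
# Initial password: prompt for it rather than hard-coding it in the script.
$initialPwd = Read-Host "Initial password for $user" -AsSecureString

# The New > User wizard fields, matching the Data table in the chapter.
$newUser = @{
    Name                  = 'Ulysses Grant'   # Name
    GivenName             = 'Ulysses'         # First Name
    Surname               = 'Grant'           # Last Name
    SamAccountName        = $user             # User Logon Name
    UserPrincipalName     = "$user@$domain"
    Path                  = $ou
    AccountPassword       = $initialPwd       # Password / Confirm Password
    ChangePasswordAtLogon = $true             # User Must Change Password at Next Logon
    CannotChangePassword  = $false            # only set for shared accounts
    PasswordNeverExpires  = $false            # let the domain expiration policy apply
    Enabled               = $true
}
New-ADUser @newUser

# Account tab: logon hours, workstation restrictions, account expiration.
# logonHours is 21 bytes = 168 bits, one per hour of the week in UTC, starting
# Sunday 00:00; within each byte the low-order bit is the earliest hour.
$hours = New-Object byte[] 21
foreach ($day in 1..5) {                     # Monday..Friday (Sunday = 0)
    foreach ($hour in 8..17) {               # 08:00-17:59 UTC
        $bit = $day * 24 + $hour
        $idx = $bit -shr 3                   # byte index = bit / 8
        $hours[$idx] = $hours[$idx] -bor (1 -shl ($bit -band 7))
    }
}
Set-ADUser -Identity $user -Replace @{ logonHours = $hours } `
    -LogonWorkstations 'ACCT-WS01,ACCT-WS02' `
    -AccountExpirationDate (Get-Date).AddYears(1)

# Profile tab: roaming profile, logon script (relative to the NETLOGON share) and home folder.
Set-ADUser -Identity $user `
    -ProfilePath "$fileSrv\Profiles\$user" `
    -ScriptPath 'logon.bat' `
    -HomeDrive 'H:' `
    -HomeDirectory "$fileSrv\Home\$user"

# Resource access goes through the group, not an explicit permission on the user.
Add-ADGroupMember -Identity 'Accounting' -Members $user
```

Logon hours are stored in UTC, so the window above shows shifted by the local offset in the Logon Hours dialog of Active Directory Users and Computers.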

These options give you a great deal of power over the way that users access and use the network. Thus, the end of this chapter returns us to the same idea that we started with: Taking extra stitches here means taking enough time to figure out what your users need, and how you can best configure the network to make their job easier and their work secure. You will therefore want to think carefully about the consequences of implementing any of these options. Using home folders, for instance, allows for easier network backup of user files, but also means that if the home folder server ever fails, users will not be able to access their files until the server is available again.


Tip

Depending on which options you have installed, you may see more than just the eight tabs described here. Terminal Services, for instance, adds four tabs to the User Properties page when installed (Advanced Server or Datacenter Server only).




MCSA. MCSE 2003 JumpStart. Computer and Network Basics
MCSA/MCSE 2003 JumpStart
ISBN: 078214277X
Year: 2003
Pages: 203
Authors: Lisa Donald