A set of default properties is associated with each local user account that you create. After you create a local user account, you can configure these account properties. A user's Properties dialog box has three tabs that contain information about each user account: the General tab, the Member Of tab, and the Profile tab.
After this lesson, you will be able to
Estimated lesson time: 15 minutes
The General tab in the Properties dialog box for a user account (see Figure 4.5) allows you to set or edit all the fields from the New User dialog box, except for User Name, Password, and Confirm Password. It also provides one additional check box: Account Is Locked Out.
Figure 4.5 The General tab of a user's Properties dialog box
You can't select the Account Is Locked Out check box because it is unavailable when the account is active and not locked out of the system. The system locks out a user if he or she exceeds the limit set on the number of failed logon attempts. This is a security feature to make it more difficult for an unauthorized user to break into the system. If an account has been locked out by the system, the Account Is Locked Out check box becomes available and an administrator can clear the check box to allow the user access to the system.
The Member Of tab in the Properties dialog box for a user account allows you to add the user account to or remove the user account from a group.
The Profile tab in the Properties dialog box for a user account allows you to set a path for the user profile, logon script, and home folder (see Figure 4.6).
Figure 4.6 The Profile tab of a user's Properties dialog box
A user profile is a collection of folders and files that stores the user's current desktop environment, application settings, and personal data. A user profile also contains all of the network connections that are established when a user logs on to a computer, such as Start menu items and mapped drives to network servers. User profiles maintain consistency for users in their desktop environments by providing each user the same desktop environment he or she had the last time that he or she logged on to the computer.
Windows 2000 creates a user profile the first time a user logs on at a computer. After the user logs on for the first time, Windows 2000 stores the user profile on that computer. This user profile is also known as a local user profile.
User profiles operate in the following manner:
You should have users store their documents in My Documents rather than in home directories. Home directories are covered later in this chapter. Windows 2000 automatically sets up My Documents, which is the default location for storing data for Microsoft applications.
By opening the System program in Control Panel and clicking the User Profiles tab, an administrator can easily copy, delete, or change the type of a user profile. Changing the type for user profiles means changing it from a local user profile, which sets up the user's desktop environment on a specific computer, to a roaming user profile. A roaming user profile is especially helpful in a domain environment, because it follows the user around, setting up the same desktop environment for the user no matter what computer the user logs on to in the domain.
There is a third type of user profile, the mandatory user profile, which is a read-only roaming user profile. When the user logs off, Windows 2000 does not save any changes made during the session, so the next time the user logs on the profile is exactly the same as the last time the user logged on. You can create a mandatory user profile for a specific user or for a group of users.
A hidden file called Ntuser.dat contains the section of the Windows 2000 system settings that applies to the individual user account and contains the user environment settings. This file can be used to create a profile for a mandatory roaming user. To create a profile for a mandatory roaming user, you create a user account that you can use to create user profiles. Log on as the user for the account you created, and configure all the desktop environment settings you want. Log on as administrator and locate the Ntuser.dat file in C:\Documents and Settings\user_logon_name. Change the name of the Ntuser.dat file to Ntuser.man. You can then copy this file to apply the mandatory user profile to any other user or group.
A logon script is a file you can create and assign to a user account to configure the user's working environment. For example, a login script can be used to establish network connections or start applications. Each time a user logs on, the assigned logon script is run.
In addition to the My Documents folder, Windows 2000 provides you with the means to create another location for users to store their personal documents. This additional location is the user's home folder. You can store a home folder on a client computer or in a shared folder on a file server. In fact, you can locate all users' home folders in a central location on a network server.
Storing all home folders on a file server has the following advantages:
Store home folders on an NTFS file system volume so that you can use NTFS permissions to secure user documents. If you store home folders on a FAT volume, you can restrict home folder access only by using shared folder permissions.
To create a home folder on a network file server, you must perform the following three tasks:
If you use the username variable to name a folder on an NTFS volume, the user is assigned the NTFS Full Control permission, and all other permissions are removed for the folder, including those for the Administrator account.
Follow these steps to set User Account Properties:
In this practice, you modify user account properties and then test them.
In this exercise, you again test the User Must Change Password At Next Logon property of the users you created in the previous Practice. You then set the User Cannot Change Password Account property on User1 and the Account Is Disabled property on User2. Finally, you test these account properties.
Windows 2000 displays a Logon Message dialog box indicating that you are required to change your password at first logon.
Windows 2000 displays a Change Password dialog box. Notice that the password you just typed is in the Old Password box.
Windows 2000 displays a Change Password dialog box indicating that your password has been changed.
In this exercise, you set and then test the User Cannot Change Password property.
To set the User Cannot Change Password property
Windows 2000 displays the users in the details pane.
The User1 Properties dialog box appears.
The User Cannot Change Password check box should contain a check mark indicating that it is selected. Notice that the User Must Change Password At Next Logon check box is now unavailable.
The User2 Properties dialog box appears.
The Account Is Disabled check box should contain a check mark indicating that it is selected.
To test user account properties
Windows 2000 displays the Windows Security dialog box.
The Change Password dialog box appears.
A Change Password dialog box appears indicating that you do not have permission to change your password.
A Logon Message dialog box appears, indicating that your account has been disabled.
In this lesson, you learned that a set of default properties is associated with each local user account that you create. These properties include whether users can change their own passwords, whether users are required to change their passwords at the next logon, and whether an account is disabled. The Computer Management snap-in allows you to configure or modify these account properties easily.
In the practice portion of this lesson, you configured account properties, which included those that prohibit users from changing their passwords and disabled a user account. Finally, you tested these properties to verify that they worked as expected.