Lesson 4: Setting Properties for User Accounts

A set of default properties is associated with each local user account that you create. After you create a local user account, you can configure these account properties. A user's Properties dialog box has three tabs that contain information about each user account: the General tab, the Member Of tab, and the Profile tab.


After this lesson, you will be able to

  • Set properties for user accounts

Estimated lesson time: 15 minutes


The General Tab in a User Account's Properties

The General tab in the Properties dialog box for a user account (see Figure 4.5) allows you to set or edit all the fields from the New User dialog box, except for User Name, Password, and Confirm Password. It also provides one additional check box: Account Is Locked Out.

Figure 4.5 The General tab of a user's Properties dialog box

The Account Is Locked Out check box is unavailable while the account is active and not locked out of the system, so you can't select it yourself. The system locks out a user if he or she exceeds the limit set on the number of failed logon attempts. This is a security feature that makes it more difficult for an unauthorized user to break into the system. If an account has been locked out by the system, the Account Is Locked Out check box becomes available and an administrator can clear the check box to allow the user access to the system.
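The General tab flags can also be read for all local accounts at once, which is useful when reviewing a computer for locked-out or disabled accounts. The following PowerShell is an added example, not part of the original lesson; it assumes a later Windows version with PowerShell 3.0 or newer (not Windows 2000 itself) and reads the standard Win32_UserAccount WMI class. The function name Get-LocalAccountFlags is hypothetical.

```powershell
# Added example: report the General-tab flags for every local account.
# Get-LocalAccountFlags is a hypothetical helper name, not a built-in cmdlet.
function Get-LocalAccountFlags {
    [CmdletBinding()]
    param()

    # LocalAccount=True keeps the query from enumerating domain accounts.
    $accounts = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True"

    foreach ($a in $accounts) {
        # Map the WMI properties to the check box names used in the dialog box.
        [pscustomobject]@{
            Name                     = $a.Name
            AccountIsDisabled        = $a.Disabled
            AccountIsLockedOut       = $a.Lockout
            UserCannotChangePassword = -not $a.PasswordChangeable
            PasswordNeverExpires     = -not $a.PasswordExpires
        }
    }
}

$flags = Get-LocalAccountFlags
$flags | Sort-Object Name | Format-Table -AutoSize

# A locked-out account means the failed-logon limit was exceeded; review it
# before an administrator clears the Account Is Locked Out check box.
$locked = @($flags | Where-Object AccountIsLockedOut)
if ($locked.Count -gt 0) {
    Write-Warning ("Locked-out accounts: " + ($locked.Name -join ', '))
}
```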

The Member Of Tab in a User Account's Properties

The Member Of tab in the Properties dialog box for a user account allows you to add the user account to or remove the user account from a group.

The Profile Tab in a User Account's Properties

The Profile tab in the Properties dialog box for a user account allows you to set a path for the user profile, logon script, and home folder (see Figure 4.6).

Figure 4.6 The Profile tab of a user's Properties dialog box

User Profile

A user profile is a collection of folders and files that stores the user's current desktop environment, application settings, and personal data. A user profile also contains all of the network connections that are established when a user logs on to a computer, such as Start menu items and mapped drives to network servers. User profiles maintain consistency for users in their desktop environments by providing each user the same desktop environment he or she had the last time that he or she logged on to the computer.

Windows 2000 creates a user profile the first time a user logs on at a computer. After the user logs on for the first time, Windows 2000 stores the user profile on that computer. This user profile is also known as a local user profile.

User profiles operate in the following manner:

  • When a user logs on to a client computer running Windows 2000, the user always receives his or her individual desktop settings and connections, regardless of how many users share the same client computer.
  • The first time a user logs on to a client computer running Windows 2000, Windows 2000 creates a default user profile for the user and stores it in the system partition root\Documents and Settings\user_logon_name folder (typically C:\Documents and Settings\user_logon_name), where user_logon_name is the name the user types in when logging on to the system.
  • A user profile contains the My Documents folder, which provides a place for users to store personal files. My Documents is the default location for the File Open and Save As commands. By default, Windows 2000 creates a My Documents icon on the user's desktop. This makes it easy for users to locate their personal documents.
  • A user can change his or her user profile by changing desktop settings. For example, a user makes a new network connection or adds a file to My Documents. Then, when the user logs off, Windows 2000 incorporates the changes into the user profile. The next time the user logs on, the new network connection and the file are present.

NOTE


You should have users store their documents in My Documents rather than in home directories. Home directories are covered later in this chapter. Windows 2000 automatically sets up My Documents, which is the default location for storing data for Microsoft applications.

By opening the System program in Control Panel and clicking the User Profiles tab, an administrator can easily copy, delete, or change the type of a user profile. Changing the type for user profiles means changing it from a local user profile, which sets up the user's desktop environment on a specific computer, to a roaming user profile. A roaming user profile is especially helpful in a domain environment, because it follows the user around, setting up the same desktop environment for the user no matter what computer the user logs on to in the domain.

There is a third type of user profile, the mandatory user profile, which is a read-only roaming user profile. When the user logs off, Windows 2000 does not save any changes made during the session, so the next time the user logs on the profile is exactly the same as the last time the user logged on. You can create a mandatory user profile for a specific user or for a group of users.

NOTE


A hidden file called Ntuser.dat contains the section of the Windows 2000 system settings that applies to the individual user account and contains the user environment settings. This file can be used to create a profile for a mandatory roaming user. To create a profile for a mandatory roaming user, you create a user account that you can use to create user profiles. Log on as the user for the account you created, and configure all the desktop environment settings you want. Log on as administrator and locate the Ntuser.dat file in C:\Documents and Settings\user_logon_name. Change the name of the Ntuser.dat file to Ntuser.man. You can then copy this file to apply the mandatory user profile to any other user or group.

Logon Script

A logon script is a file you can create and assign to a user account to configure the user's working environment. For example, a logon script can be used to establish network connections or start applications. Each time a user logs on, the assigned logon script is run.

Home Folder

In addition to the My Documents folder, Windows 2000 provides you with the means to create another location for users to store their personal documents. This additional location is the user's home folder. You can store a home folder on a client computer or in a shared folder on a file server. In fact, you can locate all users' home folders in a central location on a network server.

Storing all home folders on a file server has the following advantages:

  • Users can gain access to their home folders from any client computer on the network.
  • Backing up and administering user documents is centralized.
  • The home folders are accessible from a client computer running any Microsoft operating system (including MS-DOS, Windows 95, Windows 98, and Windows 2000).

NOTE


Store home folders on an NTFS file system volume so that you can use NTFS permissions to secure user documents. If you store home folders on a FAT volume, you can restrict home folder access only by using shared folder permissions.

To create a home folder on a network file server, you must perform the following three tasks:

  • Create and share a folder in which to store all home folders on a network server. The home folder for each user will reside in this shared folder.
  • For the shared folder, remove the default Full Control permission from the Everyone group and assign Full Control to the Users group. This ensures that only users with domain user accounts can gain access to the shared folder.
  • Provide the path to the user's home folder in the shared home directory folder on the Profile tab of the Properties dialog box for the user account. Since the home folder is on a network server, click Connect and specify a drive letter to use to connect. In the To box, you would specify a UNC name, for example, \\server_name\shared_folder_name\user_logon_name. Type the username variable as the user's logon name to automatically give each user's home folder the user logon name (for example, type \\server_name\Users\%username%).

    If you use the username variable to name a folder on an NTFS volume, the user is assigned the NTFS Full Control permission, and all other permissions are removed for the folder, including those for the Administrator account.
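To confirm that each home folder really grants access only to its own user, as described above for folders named with the username variable, the NTFS permissions can be listed per folder. This PowerShell is an added example, not part of the original lesson; it assumes PowerShell 3.0 or newer run on the file server, and that each folder name equals the user logon name. The function name Test-HomeFolderAcl and the path D:\Users are hypothetical.

```powershell
# Added example: list who holds Allow entries on each user's home folder.
# Test-HomeFolderAcl and the D:\Users path are hypothetical names.
function Test-HomeFolderAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$HomeRoot
    )

    foreach ($dir in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        }
        catch {
            # Can happen when the permissions exclude the account running this check.
            [pscustomobject]@{ Folder = $dir.Name; Status = 'Unreadable'; OtherIdentities = $null }
            continue
        }

        # Assumption: the folder name is the user logon name (%username%).
        # Collect every identity with an Allow entry that is not that user.
        $others = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.IdentityReference.Value -split '\\')[-1] -ne $dir.Name
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

        [pscustomobject]@{
            Folder          = $dir.Name
            Status          = if ($others.Count -eq 0) { 'UserOnly' } else { 'OtherAccess' }
            OtherIdentities = $others -join '; '
        }
    }
}

$root = 'D:\Users'   # hypothetical folder that holds all home folders
if (Test-Path -LiteralPath $root) {
    Test-HomeFolderAcl -HomeRoot $root | Format-Table -AutoSize
}
```

Folders reported as OtherAccess are not necessarily misconfigured; the OtherIdentities column shows which additional accounts or groups to review.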

Follow these steps to set User Account Properties:

  1. On the Administrative Tools menu, click Computer Management.
  2. Right-click the appropriate local user account, and then click Properties.
  3. Click the appropriate tab for the properties that you want to type in or change, and then type in values for each property.

Practice: Modifying User Account Properties

In this practice, you modify user account properties and then test them.

Exercise 1: Testing Account Properties

In this exercise, you again test the User Must Change Password At Next Logon property of the users you created in the previous practice. You then set the User Cannot Change Password account property on User1 and the Account Is Disabled property on User2. Finally, you test these account properties.

  1. If a user is currently logged on to your computer, log that user off.
  2. Log on to the system as User3. Remember to use this user's password: User3.

    Windows 2000 displays a Logon Message dialog box indicating that you are required to change your password at first logon.

  3. Click OK.

    Windows 2000 displays a Change Password dialog box. Notice that the password you just typed is in the Old Password box.

  4. Type password in both the New Password box and in the Confirm New Password box.
  5. Click OK.

    Windows 2000 displays a Change Password dialog box indicating that your password has been changed.

  6. Click OK.

Exercise 2: Setting User Account Properties

In this exercise, you set and then test the User Cannot Change Password property.

To set the User Cannot Change Password property

  1. Log off as User3.
  2. Log on as Administrator.
  3. Start Computer Management from the Administrative Tools menu.
  4. Expand Local Users And Groups, and then click Users.

    Windows 2000 displays the users in the details pane.

  5. Right-click User1, and then click Properties.

    The User1 Properties dialog box appears.

  6. Select User Cannot Change Password.

    The User Cannot Change Password check box should contain a check mark indicating that it is selected. Notice that the User Must Change Password At Next Logon check box is now unavailable.

  7. Click OK to close the User1 Properties dialog box.
  8. Right-click User2, and then select Properties.

    The User2 Properties dialog box appears.

  9. Select Account Is Disabled.

    The Account Is Disabled check box should contain a check mark indicating that it is selected.

  10. Click OK to close the User2 Properties dialog box, close Computer Management, and then log off the computer.

To test user account properties

  1. Log on as User1 with a password of password.
  2. Press Ctrl+Alt+Delete.

    Windows 2000 displays the Windows Security dialog box.

  3. Click Change Password.

    The Change Password dialog box appears.

  4. Type password in the Old Password box, and then type User1 in the New Password and the Confirm New Password boxes.
  5. Click OK.

    A Change Password dialog box appears indicating that you do not have permission to change your password.

  6. Click OK.
  7. Click Cancel to close the Change Password dialog box.
  8. Log off as User1 and then log on as User2 with no password.

    A Logon Message dialog box appears, indicating that your account has been disabled.

  9. Click OK to close the Logon Message dialog box.

Lesson Summary

In this lesson, you learned that a set of default properties is associated with each local user account that you create. These properties include whether users can change their own passwords, whether users are required to change their passwords at the next logon, and whether an account is disabled. The Computer Management snap-in allows you to configure or modify these account properties easily.

In the practice portion of this lesson, you configured account properties, which included those that prohibit users from changing their passwords and disabled a user account. Finally, you tested these properties to verify that they worked as expected.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244