Users: Concepts

A user (or user account) is a security principal that allows an individual to log on to a computer or network. The two kinds of user accounts in WS2003-based networks are:

Local user account

Enables a user to log on to a standalone server to access resources on that computer. Local users are stored on the computer on which they are created in the computer's local security database. Local users can't be created on domain controllers, but they can be created on member servers belonging to a domain.

Domain user account

Enables a user to log on to a domain to access resources on computers in the domain. Domain users are domainwide in scope and are stored within Active Directory. Domain user accounts are internally identified within Active Directory by their security identifier (SID). If you delete an account and create a new account with the same name, it will have a different SID from the deleted account.

Built-in Accounts

In addition, a number of built-in user accounts are created when WS2003 is installed:

Administrator

An account that has full administrative rights for the domain or computer.

Guest

An account used to grant temporary access to network resources in the domain or computer. This account is disabled by default and should be enabled only when needed.

On a member server or client computer, the Administrator and Guest accounts are local user accounts and are stored in the local security database. For example, the Administrator account on a member server has full administrative rights on that member server and no rights on any other computer in the network. On a domain controller, however, these accounts are domain user accounts and are stored in Active Directory. Therefore, the Administrator account on a domain controller has full rights on every computer in the domain. Depending on which optional components of WS2003 are installed, there may be other built-in user accounts. Table 4-53 lists some of the most common of these accounts.

Table 4-53. Optional built-in user accounts

Account                     Name            Description
Internet Guest account      IUSR            Used by Internet Information Services (IIS) to provide anonymous users with access to IIS resources
Launch IIS Process account  IWAM            Used by IIS to launch out-of-process web applications
TsInternetUser              TsInternetUser  Used by Terminal Services
krbtgt                      krbtgt          Key Distribution Center service account (disabled by default)
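The text above makes two points a practitioner will want to check on a real machine: accounts are identified by SID rather than by name, and the built-in Guest account should stay disabled. The following PowerShell is an added example written for this page, not code from the book or from Microsoft; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser) and is meant for a member server or workstation, not a domain controller. It relies on the fact that the built-in Administrator and Guest accounts always carry the fixed relative identifiers 500 and 501 at the end of their SIDs, so it finds them even when they have been renamed.

```powershell
# Added example for this page (not from the book): locate the built-in
# Administrator and Guest accounts by RID instead of by name, and flag an
# enabled Guest account. Assumes Get-LocalUser is available (PowerShell 5.1+).

function ConvertTo-AccountSid {
    # Resolve 'DOMAIN\name' or 'name' to its SID via the Win32 lookup APIs.
    param([Parameter(Mandatory)][string]$AccountName)
    $acct = New-Object System.Security.Principal.NTAccount($AccountName)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier])
}

function Get-BuiltInLocalAccountStatus {
    # RID 500 = built-in Administrator, RID 501 = built-in Guest. These RIDs
    # are fixed, so a renamed account is still recognised.
    $wellKnown = @{ 500 = 'Administrator'; 501 = 'Guest' }
    foreach ($user in Get-LocalUser) {
        $rid = [int](($user.SID.Value -split '-')[-1])
        if ($wellKnown.ContainsKey($rid)) {
            [pscustomobject]@{
                BuiltInRole = $wellKnown[$rid]
                CurrentName = $user.Name
                Renamed     = ($user.Name -ne $wellKnown[$rid])
                Enabled     = $user.Enabled
                SID         = $user.SID.Value
            }
        }
    }
}

$status = Get-BuiltInLocalAccountStatus
$status | Format-Table -AutoSize

# The book's rule for Guest: disabled by default, enabled only when needed.
$guest = $status | Where-Object { $_.BuiltInRole -eq 'Guest' }
if ($guest -and $guest.Enabled) {
    Write-Warning ("Guest account '{0}' is enabled; disable it unless temporary access is required." -f $guest.CurrentName)
}

# Name -> SID for the current logon, to show what the system actually keys on.
$me  = "$env:USERDOMAIN\$env:USERNAME"
$sid = ConvertTo-AccountSid -AccountName $me
"{0} -> {1}" -f $me, $sid.Value
```

ConvertTo-AccountSid works for domain accounts too on a domain-joined machine, since the lookup is forwarded to a domain controller; a deleted account no longer resolves, which is the practical consequence of the recreated-account-gets-a-new-SID rule described above.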

User Profiles

A user profile is a collection of files that stores the desktop configuration and personal settings of a user. User profiles ensure that users have consistent desktop and application settings each time they log on to their machines. User profiles can also be stored on the network to enable users to access their desktop and personal settings from any machine on the network and can be configured either to allow or prevent users from modifying their settings. Specifically, a user profile stores information about a user's desktop settings, wallpaper, screen resolution, desktop icons, Start menu items, files stored in his My Documents folder, network connections, mapped drives, and network shortcuts to shared folders and printers located on network servers.

The three types of user profiles are local, roaming, and mandatory. These three types allow administrators to control users' desktop environments in a variety of ways.

Local User Profile

This user profile is stored on the local machine. A local user profile (or local profile) for a user is created the first time a user logs on locally to a machine. These local profiles are stored by default in subfolders of C:\Documents and Settings. Each subfolder is named after the username of a user who has logged on locally to the machine at least once. For example, the local profile for Administrator is located in the folder C:\Documents and Settings\Administrator and consists of a series of subfolders and files within the Administrator folder.

When a user makes changes to her desktop (e.g., changes the wallpaper) and then logs off, the local profile is updated to reflect any changes made by the user during the session. When the user next logs on, the settings will reflect these changes made during the previous session. If multiple users use the same machine, each user will have his own, separate, local profile stored in the folder C:\Documents and Settings\<username>. Each user's settings will be preserved regardless of what the other users do while they are logged on to the machine.

Roaming User Profile

By storing users' profiles on a network file server and configuring users' accounts with information about where their profiles can be found, you give users the ability to roam around the network, log on to any client machine, and retrieve their own personal desktop settings for use on that machine. This is known as roaming user profiles (or roaming profiles) and is useful when users need to perform their work at multiple client computers.

When a user logs on to a machine using the roaming profile and makes changes to the desktop environment, these changes are saved when the user logs off. If the user then logs on to a different machine, the changes made on the first machine are reflected on the second. In other words, users can make changes to their roaming profiles, unless mandatory user profiles are implemented, as described next.

Roaming profiles are typically used when users share their computers. For example, if you have 15 sales personnel sharing five computers (since most of the time they should be out drumming up contracts anyway), then you could implement roaming profiles for these users so they can use whichever of the five computers is currently free. Another example would be if you had 10 trainers who need to access their email during coffee break. You could give them two computers to share and assign them roaming profiles (the cost-effective solution) or give them each a laptop (my own preference, but no one ever listens to me).

Mandatory User Profile

A mandatory user profile (or mandatory profile) is a form of roaming user profile in which the user can't make changes. The user can, however, make changes to the desktop environment while logged on. But when she logs off, the mandatory profile is not updated to reflect these changes. Mandatory user profiles are also sometimes referred to as mandatory roaming profiles and roaming mandatory profiles!

You might use mandatory profiles for naive users to prevent them from making changes to their desktop. Users sometimes like to install shareware and other software they have downloaded off the Internet, and sometimes such software can cause problems that necessitate costly intervention from technical support staff. Mandatory profiles prevent such changes to users' desktops and thus reduce the costs of supporting these users.

Another use for mandatory profiles might be to create a customized user profile that you assign to several users who need to perform the same type of tasks on their computers. You can create a default user profile that reflects the kind of desktop environment most conducive to their productivity, make this profile mandatory, and then assign it to each user.

How User Profiles Work

When a user logs on to a WS2003 client computer for the first time, the following procedure occurs:

  1. WS2003 checks whether a roaming profile has been specified for the user by the administrator. If so, it downloads this roaming profile from the appropriate network file server and applies it to the user's desktop environment. When the user logs off, the roaming profile is updated on the file server to reflect any changes the user has made during the session.

  2. If not, WS2003 checks whether there is a network-default user profile. A default user profile is a kind of template from which all other user profiles are created. It is called the network-default user profile if it has the name Default User and is stored in the NETLOGON administrative share on all domain controllers.

  3. If such a default profile exists on the domain controller that the client computer contacts, WS2003 downloads this profile and applies it to the user's desktop environment. When the user logs off, a local profile is created on the client computer for the user. The next time the user logs on, the local profile is used instead of the network-default profile.

  4. If not, WS2003 loads the default local user profile and applies it to the user's desktop environment. When the user logs off, a local profile is created on the client computer for the user. The next time the user logs on, the local profile is used instead of the local default profile.
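The three profile types and the logon procedure above leave traces an administrator can inventory. The following PowerShell is an added example written for this page, not code from the book or from Microsoft. It assumes the Win32_UserProfile CIM class (available on supported Windows versions, where the profile root is C:\Users rather than C:\Documents and Settings) and goes slightly beyond the text by using two facts not stated above: Win32_UserProfile exposes a Status bitmask in which bit 4 marks a mandatory profile, and a mandatory profile's registry hive is named NTUSER.MAN instead of NTUSER.DAT.

```powershell
# Added example for this page (not from the book): list every profile on the
# machine, classify it as Local / Roaming / Mandatory / System, and resolve
# its SID back to an account name. Assumes the Win32_UserProfile CIM class.

function Get-ProfileInventory {
    foreach ($p in Get-CimInstance -ClassName Win32_UserProfile) {
        # Profiles are keyed by SID; if the account was deleted the SID no
        # longer resolves, which is exactly the orphaned-profile case.
        try {
            $sid  = [System.Security.Principal.SecurityIdentifier]$p.SID
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved: account deleted?>'
        }

        # Two independent signals for "mandatory": the Status bit (4) and the
        # NTUSER.MAN hive file in the local copy of the profile.
        $mandatoryBit  = (($p.Status -band 4) -ne 0)
        $mandatoryHive = Test-Path (Join-Path $p.LocalPath 'NTUSER.MAN')

        $type = if ($p.Special) { 'System' }
                elseif ($mandatoryBit -or $mandatoryHive) { 'Mandatory' }
                elseif ($p.RoamingConfigured) { 'Roaming' }
                else { 'Local' }

        [pscustomobject]@{
            Account     = $name
            ProfileType = $type
            LocalPath   = $p.LocalPath
            RoamingPath = $p.RoamingPath   # server path for roaming/mandatory profiles
            Loaded      = $p.Loaded        # currently logged on?
            LastUse     = $p.LastUseTime
        }
    }
}

Get-ProfileInventory | Sort-Object ProfileType, Account | Format-Table -AutoSize
```

Profiles reported as Local with an unresolved account are the leftovers of deleted users and are candidates for cleanup; a Roaming entry whose RoamingPath points at a file server confirms that the administrator configured the account as described in step 1 of the procedure above. The same data backs the registry key HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, where each subkey is a SID and ProfileImagePath gives the local folder.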

Home Folders

A user's home folder is a centralized location on a network file server where he can store his personal documents. Home folders were a feature of NT that allowed users to store their personal files on network file servers, which could be backed up easily, instead of on their local machines. While WS2003 still supports home folders for backward compatibility with legacy applications, the default location for users to store their personal files is now the My Documents folder. By default, this folder is located on a user's local machine and is part of the user's profile.

My Documents

My Documents is a special folder that is part of a user profile. The My Documents folder is the default location for users to store their personal and work files. When you select File > Open from the menu of a "designed for WS2003" application, the application looks by default in the My Documents folder for the currently logged-on user. Similarly, when a user selects File > Save As to save work, it goes into the My Documents folder.

Each user who logs on to a WS2003 machine has his own separate My Documents folder for storing files. Each user also has an icon on the desktop that allows him easy access to his files. The My Documents folder for a user is contained within the user profile for that particular user. For example, if a user named Bob has his local user profile stored in C:\Documents and Settings\Bob on his machine, Bob's personal and work files will be stored in the subfolder C:\Documents and Settings\Bob\My Documents.

My Documents and other important user profile folders can also be redirected to a network share using Group Policy. This ensures that users have their data available no matter which client computer they log on with. See Group Policy earlier in this chapter for more information.
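Home folders, the My Documents folder, and folder redirection all end up as a few paths on the logged-on user's session, so it is easy to see which arrangement is in effect. The following PowerShell is an added example written for this page, not code from the book or from Microsoft. It assumes the current session is an interactive logon, that a network home folder (if any) is exposed through the HOMESHARE, HOMEDRIVE and HOMEPATH environment variables, and, for the optional Active Directory lookup, that the ActiveDirectory RSAT module is installed; on supported Windows versions the local profile lives under C:\Users rather than C:\Documents and Settings.

```powershell
# Added example for this page (not from the book): report where the current
# user's My Documents folder and home folder actually resolve, and whether
# My Documents has been redirected away from the local profile.

function Get-UserDataLocations {
    $profileRoot = $env:USERPROFILE
    # Honours Group Policy folder redirection, so a redirected folder shows
    # the server path here rather than the local default.
    $myDocs = [Environment]::GetFolderPath('MyDocuments')
    $redirected = -not $myDocs.StartsWith($profileRoot, [StringComparison]::OrdinalIgnoreCase)

    # A network home folder sets HOMESHARE (UNC) at logon; otherwise the home
    # folder is HOMEDRIVE + HOMEPATH, normally the local profile itself.
    $homeFolder = if ($env:HOMESHARE) { $env:HOMESHARE }
                  else { Join-Path $env:HOMEDRIVE $env:HOMEPATH }

    [pscustomobject]@{
        LocalProfile       = $profileRoot
        MyDocuments        = $myDocs
        MyDocsRedirected   = $redirected
        HomeFolder         = $homeFolder
        HomeFolderOnServer = [bool]$env:HOMESHARE
    }
}

Get-UserDataLocations | Format-List

# Optional: the per-account settings the administrator configured (home folder
# and roaming profile path). Assumes the ActiveDirectory RSAT module and a
# domain-joined machine; skipped silently otherwise.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    try {
        Get-ADUser -Identity $env:USERNAME -Properties HomeDirectory, HomeDrive, ProfilePath |
            Select-Object SamAccountName, HomeDirectory, HomeDrive, ProfilePath |
            Format-List
    } catch {
        Write-Warning "Active Directory lookup failed: $($_.Exception.Message)"
    }
}
```

MyDocsRedirected is true when the folder lives outside the local profile, which is the Group Policy case described in the paragraph above; HomeFolderOnServer is true when the account still uses the older home-folder arrangement. ProfilePath from Active Directory is the server location the logon process checks first in the "How User Profiles Work" procedure.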



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch
