Users Tasks

Managing Domain Users

Domain user accounts are administered using the Active Directory Users and Computers console. After opening this console, expand the console tree and select the OU in which the account is located or where it will be created. Then proceed with the steps described in the following sections. Note that built-in user accounts such as Administrator and Guest are located in the default Users container.

Create a User

Right-click on OU → New → User

Then specify first and/or last name (at least one of these is required) and the user logon name. The full name and downlevel (Pre-Windows 2000) logon name are then generated automatically from this information, but you can also define them differently if desired. The wizard's second screen asks you to specify a password and account restrictions (see Configure a User later in this section for more information).

You can also create multiple user accounts by importing a specially formatted .csv file using the bulk-import utility csvde.exe.

On the first screen of the wizard, specify:

User logon name

This is the name that the user will use to log on to the network, which might be something like marys or msmith for user Mary Smith. User logon names must always be unique within the domain. What's confusing is that there is an unlabeled listbox to the right of the text box for user logon name. This listbox displays the name of the currently selected domain, but this domain name begins with an @ sign. The idea implied here is that the user logon name consists of two parts, an alias such as marys and a domain such as @mtit.com.

To create the account in a different domain, use the drop-down arrow in the listbox. Note that you must be a member of the Administrator or Account Operators group in a domain to be able to create accounts in the domain.

User logon name (Pre-Windows 2000)

This is the logon name that the same user will use when logging on to client computers running NT Workstation, Windows 98, or earlier versions of Microsoft Windows. Once again, the confusion is that there are two text boxes for this logon name: the first one is already populated with the older NetBIOS name of the domain followed by a backslash, and the second one is populated with the user logon name or alias you typed in the previous step. For example, if HEADQUARTERS is the NetBIOS domain name associated with the domain mtit.com , then Mary Smith's downlevel logon name would be HEADQUARTERS\marys .

A user's downlevel logon name must also be unique within the domain. The NetBIOS domain name is determined when Active Directory is installed using the Active Directory Installation Wizard. This NetBIOS domain name can be found later using Active Directory Users and Computers by right-clicking on the domain node → Properties → General.

Full names must be unique within the OU in which the account resides. For example, there can be an account named Mary Smith in both the Accounting and Sales OUs within the mtit.com domain, provided that these accounts have different user logon names. You can do this by assigning Mary Smith in Accounting the logon name marys@mtit.com and Mary Smith in Sales the logon name marys2@mtit.com.

Accounts in different domains within a domain tree can also have identical full names. For example, there can be an account named Mary Smith in both the mtit.com and ny.mtit.com domains, where mtit.com is the parent domain and ny.mtit.com is the child domain. In this case, the logon name for Mary Smith in mtit.com would be marys@mtit.com, while that for Mary Smith in ny.mtit.com would be marys@ny.mtit.com, ensuring their uniqueness.

Configure a User

Right-click on user → Properties

This opens the properties sheet for the account, which has a number of tabs.

General, Address, Telephones, and Organization

These tabs let you specify personal information about the user. You should take time to populate these fields so you can search for users in Active Directory using search criteria such as name, address, organization, email, and so on.

Account

These settings are a superset of the account settings you specified when you created the account.

Logon Hours

Lets you specify when users can log on to the domain. This can help prevent accounts from being misused during off-hours. If users are logged on and their hours expire, they can't form new connections to shared resources in the domain, but they aren't bumped off resources they are already connected to.
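The grid in the Logon Hours dialog is stored on the account as the logonHours attribute, a 21-byte value with one bit for each of the 168 hours of the week. The following Python script is an added illustration, not part of the book: it builds that value from a list of permitted windows and decodes it back into a readable report so an administrator can audit what a given account is allowed. It assumes, as labelled in the comments, that bit 0 of byte 0 is Sunday 00:00 in GMT and that bits run least-significant first within each byte; the attribute name and the all-ones default (logon always permitted) are as Active Directory stores them.

```python
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
HOURS_PER_WEEK = 168
LOGON_HOURS_LEN = 21          # 168 bits / 8 bits per byte

# Assumption for this example: hour 0 is Sunday 00:00 GMT and the
# least-significant bit of each byte is the earliest hour it covers.


def _index(day, hour):
    """Bit position of (day, hour) within the 168-bit week."""
    if hour < 0 or hour > 23:
        raise ValueError("hour out of range: %r" % hour)
    return DAYS.index(day) * 24 + hour


def logon_hours_from_windows(windows):
    """windows: list of (day, start_hour, end_hour), end exclusive, in GMT.
    Returns the 21-byte logonHours value permitting only those hours."""
    value = bytearray(LOGON_HOURS_LEN)
    for day, start, end in windows:
        if not 0 <= start < end <= 24:
            raise ValueError("bad window %r" % ((day, start, end),))
        for hour in range(start, end):
            i = _index(day, hour)
            value[i // 8] |= 1 << (i % 8)
    return bytes(value)


def is_logon_hour(logon_hours, day, hour):
    """True if the account may start a new logon in that hour."""
    if len(logon_hours) != LOGON_HOURS_LEN:
        raise ValueError("logonHours must be 21 bytes")
    i = _index(day, hour)
    return bool((logon_hours[i // 8] >> (i % 8)) & 1)


def permitted_ranges(logon_hours):
    """Decode to {day: [(start, end), ...]} for a readable audit report."""
    report = {}
    for day in DAYS:
        ranges, start = [], None
        for hour in range(25):    # the 25th step closes a range open at 24:00
            on = hour < 24 and is_logon_hour(logon_hours, day, hour)
            if on and start is None:
                start = hour
            elif not on and start is not None:
                ranges.append((start, hour))
                start = None
        report[day] = ranges
    return report


ALWAYS = b"\xff" * LOGON_HOURS_LEN    # the default: every hour permitted

if __name__ == "__main__":
    # Constructed example: office hours Monday to Friday, 08:00-18:00 GMT.
    office = logon_hours_from_windows([(d, 8, 18) for d in DAYS[1:6]])
    print(office.hex())
    print(permitted_ranges(office))
```

The restriction is a per-hour bit that the domain controller checks when a logon or a new session is authenticated, which is why a user whose hours expire keeps the connections already open but cannot form new ones.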

Log On To

Lets you specify the NetBIOS names of client computers in the domain with which the user is permitted to log on to the domain. This can help prevent users from trying to access information stored on computers that belong to other users. By default, users can log on to the domain using any client computer in the domain.

Account Options

These are more commonly known as account restrictions. Note that selecting some options prevents others from being selected. The more commonly enabled options include:

User must change password at next logon

This is a good choice in low- to medium-security environments because it forces users to take responsibility for managing their passwords and removes this burden from the administrator. In high-security environments, complex passwords may be created and assigned to users by the administrator.

User can't change password

Again, this is generally used in high-security environments or, at the other end of the scale, it can be used to prevent careless users from denying themselves access.

Password never expires

Note that an expired password and an expired account are two different things.

Account is disabled

See Disable a User Account later in this section.

Account Expires

By default, new accounts never expire.

User Profile

This lets you specify the network location of the user profile, the user's home folder, and a logon script that runs when the user logs on.

Another way to configure logon scripts for users is to use Group Policy, which allows administrators to centrally manage startup, shutdown, logon, and logoff scripts for all users and computers in a domain. See the earlier section Group Policy for more information.

Remote Control

This lets you enable administrators to remotely observe and control a Terminal Services session being run by the user.

Member Of

This displays the groups to which the user belongs and lets you modify which groups the user belongs to. See Groups earlier in this chapter for more information on the different kinds of groups that can be created in WS2003.

Leave the Primary Group as Domain Users unless you have Macintosh or POSIX clients and there is a reason you need to specify a different group.

Dial-in

This lets you control whether and how the user can remotely connect via a dial-up connection to a remote access server. See Routing and Remote Access earlier in this chapter for more information.

Environment, Sessions, Terminal Services Profile

This lets you specify the startup environment, Terminal Services profile, and time-out and reconnection settings for Terminal Services.

Add Users to a Group

This option is obscurely worded and means simply "add the selected account(s) to a group you specify":

Right-click on account(s) → Add members to a group → select group

Multiple accounts can be selected by the usual methods.

Copy a User Account

Right-click on account → Copy

Similar to adding a user account as shown earlier, except that when you copy an account, the new account has many of the same properties as the original one. Properties that are copied for the new account include the account restrictions, account expiration date, user profile, home folder, logon script, group membership, RAS, and Terminal Services settings of the original account. It's convenient when creating a large number of accounts to create a series of account templates for the different categories of users in your enterprise. Then copy each template as needed to create accounts for your users, entering only the personal information needed for each user. Make sure you disable account templates, as they should not be used to log on to the network.

Disable a User Account

Right-click on account → Disable Account

When an account is disabled, it still exists, but the user can't log on using the account. Disabled accounts in Active Directory Users and Computers have a red X icon on them. To enable an account that has been disabled, right-click on the account → Enable Account.

Delete a User Account

Right-click on account → Delete

Deleting an account is an irreversible action. It's usually better to disable an account instead. For example, if Bob is leaving the company and Susan is coming to replace him, disable Bob's account when he leaves, rename it Susan, and enable it when Susan arrives to take Bob's place. This way, Susan will have access to all the network resources that Bob had access to.

The problem with deleting rather than disabling accounts is that when you delete an account, its security identifier becomes unusable. (The SID is the internal way by which WS2003 identifies the account.) Thus, if you delete the account bobsmith and then create a new account called bobsmith, the new account has a different SID from the old one and hence doesn't automatically inherit all the settings and access privileges that the old one had.

Find a User Account

If you have a large number of user accounts, you can use the Find function of Active Directory Users and Computers to find the account you want to work with. You can find accounts in a particular domain or OU by:

Right-click on domain or OU → Find

You can also change the focus of the Find Users, Contacts, and Groups box to search the entire directory.

Rename a User Account

Right-click on account → Rename → specify new name, display name, user logon name, and Pre-Windows 2000 user logon name

Renaming an account allows you to transfer all the rights, permissions, and group memberships of an account to another user. You may want to do this when an employee is leaving the company and will be replaced by someone new who will take over her job. Simply rename the account with the new employee's username, then change the personal information on the account's properties sheet to that of the new employee.

Reset Password of a User Account

Right-click on account → Reset Password

If a user forgets his password or it expires before he can change it, he will be unable to log on to the network with his user account.

Checking "Force user to change password at next logon" doesn't get replicated immediately like the password. Therefore, it is best to reset the password and check this setting on a domain controller in the site where the user is located.

Unlock a User Account

Right-click on account → Properties → Account → clear Account Is Disabled

A user account is locked out when the user has violated the security policy for the domain. For example, if a user exceeds the number of failed logon attempts permitted by a policy, the user will receive an error message when she attempts to log on, informing her that her account has been locked out and must be unlocked by an administrator.
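The lockout described here is the domain's Account Lockout Policy acting on failed logons: once the lockout threshold is reached within the observation window, the domain controller locks the account and records it in the security log. The script below is an added example, not from the book. It replays the same threshold-and-window logic over a constructed export of security-log events (WS2003 event IDs 529 = logon failure, 528 = successful logon, 644 = account locked out) and reconciles the accounts it expects to be locked with those the log says were locked, so that an administrator unlocking an account can tell whether the lockout is explained by ordinary password mistakes from one workstation. The log lines, account names, workstations, and the 5 attempts / 30 minutes policy values are made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export, one event per line: "timestamp,event_id,account,workstation".
# WS2003 security-log IDs: 529 = logon failure, 528 = successful logon,
# 644 = account locked out. Names and workstations are made up.
SAMPLE_LOG = """\
2003-05-12 08:00:05,529,bobsmith,WKS07
2003-05-12 08:00:09,529,bobsmith,WKS07
2003-05-12 08:00:12,529,bobsmith,WKS07
2003-05-12 08:00:15,529,bobsmith,WKS07
2003-05-12 08:00:19,529,bobsmith,WKS07
2003-05-12 08:00:19,644,bobsmith,WKS07
2003-05-12 09:10:00,529,marys,WKS03
2003-05-12 11:45:00,529,marys,WKS03
2003-05-12 14:20:00,529,marys,WKS03
2003-05-12 14:20:30,528,marys,WKS03
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_events(text):
    """Yield (timestamp, event_id, account, workstation) from the export."""
    for line in text.strip().splitlines():
        ts, event_id, account, workstation = line.split(",")
        yield datetime.strptime(ts, TIME_FMT), int(event_id), account.lower(), workstation


def lockout_candidates(text, threshold=5, window_minutes=30):
    """Replay the Account Lockout Policy: an account is flagged the moment
    `threshold` failures (529) fall within `window_minutes` of each other.
    Returns {account: (time_flagged, workstation_of_last_failure)}."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    flagged = {}
    for ts, event_id, account, workstation in parse_events(text):
        if event_id != 529 or account in flagged:
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:          # drop failures outside the observation window
            q.popleft()
        if len(q) >= threshold:
            flagged[account] = (ts.strftime(TIME_FMT), workstation)
    return flagged


def locked_out_accounts(text):
    """Accounts the domain controller actually locked out (event 644)."""
    return {account: ts.strftime(TIME_FMT)
            for ts, event_id, account, _ in parse_events(text) if event_id == 644}


def reconcile(text, threshold=5, window_minutes=30):
    """Compare the replayed policy with the 644 events: lockouts the policy
    explains, lockouts it does not (policy mismatch or missing log lines),
    and threshold crossings that never produced a lockout."""
    expected = set(lockout_candidates(text, threshold, window_minutes))
    actual = set(locked_out_accounts(text))
    return {"explained": sorted(expected & actual),
            "unexplained_lockout": sorted(actual - expected),
            "crossed_without_lockout": sorted(expected - actual)}


if __name__ == "__main__":
    print(lockout_candidates(SAMPLE_LOG))
    print(reconcile(SAMPLE_LOG))
```

Run against a real export, the threshold and window arguments should be set to the values in the domain's Account Lockout Policy; a lockout the replay cannot explain is worth a look before the account is simply unlocked.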

Naming Conventions

Before you start creating user accounts for your enterprise, it is important to establish guidelines for naming conventions. These guidelines are needed to ensure that:

  • Account names are simple and easy to remember for users.

  • Users with identical names will have unique accounts.

Here are some considerations and recommendations for establishing naming conventions:

  • User logon names can be up to 20 characters long and can include any characters except the following:

     " / \ [ ] : ; = , + # ? < >
  • User logon names can have spaces in them, but this is generally not a good practice, since it may lead to unusable email addresses. For example, Bob Smart of the mtit.com domain could have the user logon name bob smart@mtit.com, but this would be unusable as an SMTP email address. Since email addresses are a separate attribute of a user's account, you could assign bobsmart@mtit.com as Bob Smart's email address, but this could confuse good old Bob ("Why do I use bob smart to log on to my machine but bobsmart in my email address?").

  • Common naming conventions include: first name plus last initial, first initial plus last name, full name with spaces, full name without spaces, initials underscore department/OU, T- prefix for temporary employees, and so on. Use your imagination, but think of the users who will be using your accounts.
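The bulk-import route mentioned under Create a User (csvde.exe) is where a naming convention pays off, because the script that builds the import file can enforce it. The following Python script is an added example, not from the book. It applies the first-name-plus-last-initial convention used above (marys for Mary Smith), drops the disallowed characters and spaces, enforces the 20-character limit, adds a marys2-style suffix when an alias is already taken, refuses two identical full names in the same OU, and writes the rows in the form csvde.exe -i -f users.csv accepts. Assumptions, labelled in the comments: the OU and domain names are constructed, and because csvde cannot set a password, each account is written with userAccountControl 514 (a normal account that is disabled), so passwords are set and the accounts enabled afterwards; this disabled state is also what the text asks for on account templates.

```python
import csv
import io

# Characters the text lists as not permitted in a user logon name.
INVALID_CHARS = set('"/\\[]:;=,+#?<>')
MAX_SAM_LENGTH = 20         # downlevel (sAMAccountName) length limit
UAC_NORMAL_DISABLED = 514   # 0x200 NORMAL_ACCOUNT | 0x002 ACCOUNTDISABLE: csvde sets no password

CSVDE_HEADER = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
                "givenName", "sn", "displayName", "userAccountControl"]


def make_alias(first, last):
    """First name plus last initial, lowercase (Mary Smith -> marys).
    Spaces and disallowed characters are dropped; result cut to 20 chars."""
    raw = (first + last[:1]).lower()
    alias = "".join(c for c in raw if c not in INVALID_CHARS and not c.isspace())
    if not alias:
        raise ValueError("no usable characters in %r %r" % (first, last))
    return alias[:MAX_SAM_LENGTH]


def unique_alias(alias, taken):
    """Return alias unchanged, or alias2, alias3, ... if it is already in
    `taken` (case-insensitive). The suffix never pushes past 20 characters."""
    candidate, n = alias, 2
    while candidate.lower() in taken:
        suffix = str(n)
        candidate = alias[:MAX_SAM_LENGTH - len(suffix)] + suffix
        n += 1
    taken.add(candidate.lower())
    return candidate


def domain_to_dn(domain):
    """mtit.com -> DC=mtit,DC=com"""
    return ",".join("DC=" + part for part in domain.split("."))


def build_csvde(people, domain):
    """people: iterable of (first, last, ou) tuples; `ou` is a constructed OU
    name directly under the domain. Returns the csvde import text."""
    base_dn = domain_to_dn(domain)
    taken_aliases = set()
    taken_cns = set()    # (ou, full name): a full name must be unique within its OU
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\r\n")
    writer.writerow(CSVDE_HEADER)
    for first, last, ou in people:
        cn = "%s %s" % (first, last)
        key = (ou.lower(), cn.lower())
        if key in taken_cns:
            raise ValueError("full name %r already exists in OU %r" % (cn, ou))
        taken_cns.add(key)
        sam = unique_alias(make_alias(first, last), taken_aliases)
        dn = "CN=%s,OU=%s,%s" % (cn, ou, base_dn)   # csv quotes the DN because it contains commas
        writer.writerow([dn, "user", sam, "%s@%s" % (sam, domain),
                         first, last, cn, UAC_NORMAL_DISABLED])
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample: two Mary Smiths in different OUs, as in the text above.
    print(build_csvde([("Mary", "Smith", "Accounting"),
                       ("Mary", "Smith", "Sales"),
                       ("Bob", "Smart", "Sales")], "mtit.com"))
```

The OUs named in the DN column must already exist before the import runs, and the uniqueness checks here only cover the rows in one file; an alias that is already in the directory still has to be caught by the import itself.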

Managing Local Users

Local user accounts are administered using Local Users and Groups under System Tools in Computer Management.

Create a Local User

Local Users and Groups → right-click on Users → New User

The minimum to specify here is the username for the user. This will automatically make the full name the same as the username.

Configure a Local User

Local Users and Groups → Users → right-click on a user → Properties

You can change the group membership of the user (which by default is the Users built-in local group) and specify a home folder, logon script, and profile path for the user if desired. Most of these settings aren't very useful in a workgroup setting, however, which is what local user accounts are mainly designed for.

Manage User Profiles

The following tasks deal with default, local, roaming, and mandatory user profiles.

Customize the Default User Profile

  1. Log on to a WS2003 computer as an ordinary user (e.g., Bob).

  2. Configure the computer to reflect the desktop environment you wish all your users to have.

  3. Log off the client computer to create a local user profile C:\Documents and Settings\Bob.

  4. Log on as Administrator and make hidden files visible by:

    Windows Explorer → Tools → Folder Options → View → Show hidden files and folders

    This step is necessary to access the hidden Default Users profile in the next step.

  5. Replace the existing default user profile with the newly configured one by:

    Control Panel → System → Advanced → User Profiles → Settings → select newly configured profile → Copy To → select C:\Documents and Settings\Default User → Permitted to use → Change → Everyone

When a user logs on to the computer for the first time, he will be assigned the customized default profile.

Configure a Local Profile

Log on with your user account, make changes to your desktop settings, then log off. Your local profile will be updated with any changes you have made.

Create a Roaming User Profile

First you need to create and customize the profile:

Log on as Administrator → Computer Management → System Tools → Local Users and Groups → right-click on Users → New User → specify name and password → clear User must change password at next logon → Create → Close → Log off → Log on as the newly created user → configure desktop settings as desired → log off

Your new profile is now stored in C:\Documents and Settings\<username>. Now create a share called Profiles on a file server on your network and create a folder called <username> within this share to store the new profile. Now copy your customized profile to the file server as follows:

Control Panel → System → Advanced → User Profiles → Settings → select the customized profile you created → Copy To → \\fileserver\Profiles\<username> → Permitted to use → Change → specify name of customized user account you created

Finally, assign the profile to the user by:

Computer Management → System Tools → Local Users and Groups → Users → right-click on user → Properties → Profile → Profile Path → \\fileserver\Profiles\<username>

Create a Mandatory User Profile

First, create a roaming user profile as described earlier, then open the profile using Windows Explorer and rename Ntuser.dat as Ntuser.man.



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch