Managing User Accounts

On Windows NT Server member servers and Windows NT Workstation computers, the User Manager utility is used to manage the local SAM. In a domain, the utility is similar but is called the User Manager for Domains. This is the tool you use for most user account management in Windows NT. To start the User Manager for Domains, select it from the Administrative Tools folder in the Programs folder.

The User menu in this utility can be used to add, delete, or modify user accounts. To modify an existing account, simply double-click the account name and the Properties dialog box appears (you also can highlight the account and select Properties from the User menu).

To add a new user, select New User from the User menu. The New User dialog box (shown in Figure 40.8) appears. You can enter the user's logon username here (as many as 20 characters ), along with other useful information such as the user's full name and a description of what the account is used for.

Figure 40.8. Add a new user by specifying a username and other information for the account.

graphics/40fig08.gif

When you enter the password for the user account, you must enter it twice to confirm what you have typed. You can select from the check boxes any of the password options you want to use. If you select User Must Change Password at Next Logon, users will be prompted when they first use the account to create a new password known only to them. You can use this same check box on an existing user's Properties dialog box when resetting a user password that the user has forgotten. This allows you to reset the password to a new value you can give the user, but still force the user to change the password when using it for the first time.

If you select User Cannot Change Password, the user will be locked out of this function. This function is useful for service accounts, such as for SQL Server, because it precludes anyone from changing the password, which would cause the service to not start on boot.

If you select Password Never Expires, this bypasses the password policy you can set for the domain, which would usually force the user to change the password to a new value on a periodic basis. Finally, you can use the Account Disabled check box to temporarily disable logons for an account when you do not want the account to be accessible but also do not want to delete it.

After you have finished filling in the information for this dialog box, you can click the Add button to add the account, or you can use the buttons at the bottom of the dialog box to bring up additional prompts.

Adding a User to a Group

If you click the Groups button in the New User dialog box, you get the Group Memberships dialog box, shown in Figure 40.9. When an account is first created, it is, by default, a member of the Domain Users local group. You can select other groups from those shown and use the Add button to add the user to the group. You can select a group of which the user is already a member and use the Remove button to remove the user from that group. To specify the primary group to which a user will belong, highlight that group under the Member Of box and click the Set button. When you have finished selecting user groups for this user, click the OK button.

Figure 40.9. The Group Memberships dialog box allows you to control to which groups a user belongs.

graphics/40fig09.gif

User Profiles

You can use the Profile button in the New User dialog box to bring up the User Environment Profile dialog box. Here you can specify a path to the location of the file that contains the user's profile (desktop and environment settings), as well as the name of a logon script that is executed each time the user logs on to the domain. In Figure 40.10 you can see that this also is where you specify the path to the user's home directory.

Figure 40.10. The User Environment Profile dialog box allows you to set the user's profile and home directory.

graphics/40fig10.gif

You also can specify drive letters in the Connect box and then specify a pathname. This will cause the user to be automatically connected to the file shares you specify when the user logs on to the system.

Limiting the Time a User Can Log On

The Hours button in the New User dialog box brings up the Logon Hours dialog box (see Figure 40.11), where you can select the days and hours that a user account can be used.

Figure 40.11. In this dialog box specify the hours an account can be used.

graphics/40fig11.gif

In this display you can select one- hour periods by clicking on one or more of them and then using the Allow or Disallow button to specify whether the user can log on during that period. By default, all the boxes representing hours for all days are filled in with a blue color indicating that the user can log on at that time.

Tip

What happens when a user is already logged on and the time changes to a period when they are disallowed? This depends on the settings you make in the Accounts Policy for the domain. You can allow the user to continue working but not make any new network connections, or you can set the policy to force the user off the server when the time changes to a disallowed period.

Limiting Which Workstations a User Can Log On To

The Logon To button in the New User dialog box will bring up the Logon Workstations dialog box (see Figure 40.12), which you can use to specify up to eight workstations to which the user is allowed to log on using this domain account.

Figure 40.12. The Logon Workstations dialog box can be used to limit the workstations a user can use to log on to the domain.

graphics/40fig12.gif

If you want the user to be able to log on by using any workstation in the domain (the default selection), select the appropriate radio button in this dialog box.

This dialog box can be useful for situations in which security is a high priority. For user accounts that have been given advanced rights and are able to access sensitive data, you might want to restrict their use to computers that are in a particular physical location that can be monitored . For example, the payroll process is usually a very sensitive function in an organization. Not only do you want to prevent unauthorized users from modifying information here, but you also want to keep prying eyes out of information that might cause user embarrassment or discomfort. By limiting the payroll applications to specific user logon accounts and by restricting those accounts to selected workstations, you can make the monitoring process easier and more defined.

Account Information

The Account button in the New User dialog box brings up the Account Information dialog box, shown in Figure 40.13. Here you can specify that an account will never expire, or you can set a date at which time the account will no longer be able to be used for a domain logon.

Figure 40.13. The Account Information dialog box can be used to specify the type of account and limit its use.

graphics/40fig13.gif

There are two types of domain accounts, and you can select the type for this account in this dialog box. A global account is the default account for a user in that user's own home domain. This account can be placed into a global group and exported to another domain to be granted access to resources.

Local groups are more limited. They are used to provide access for a user who is not a member of a trusted domain. This can be used by a user in another Windows NT domain or by a user from another operating-system type. The local account cannot be used to log on locally to a Windows NT computer and is provided so that you can give access through the network. Because the local account is provided so that you can give access to your domain to special-case users, you cannot place local accounts into a global group and export them to another domain.

Allowing Dial-Up Access

If you want the user to be able to dial into the network using the remote access service (RAS), click the Dialin button in the New User dialog box to bring up the Dialin Information dialog box (see Figure 40.14). Here you can select the callback option. Callback means that after a user dials into the network, the server will disconnect the phone and then dial the user's computer back. This can be used for security purposes or for cost savings.

Figure 40.14. The Dialin Information dialog box can be used to control dial-up access to the network for this account.

graphics/40fig14.gif

These are the Call Back options:

No Call Back ” This is the most common form, which enables a user to log in using a modem and, after validation, begin working.
Set By Caller ” The caller can specify the telephone number that the server will use to perform the callback function.
Preset To ” The administrator can set the telephone number that will be used for the callback.

If security is not a great issue for this user's account, you can select the No Call Back option. If the user is a mobile user and you want the long-distance charges to be paid by the server's end of the telephone line, use the function to allow the caller to specify the callback number. If security is an important issue for this account, use the third option so that you can specify the number that will always be called back. This prevents users from other locations from using this account to dial in to your system and establish an RAS session.

Replication Between Domain Controllers

Modifications to the SAM database are always made on the primary domain controller. Periodically, the PDC will check the database to determine whether any changes have been made. The default value for this time interval is 5 minutes. When changes to the database are detected , the PDC will send a message to each BDC informing the BDC that it holds changes that need to be applied to the BDC's copy of the database. The BDC can then poll the PDC to get the updates. The process is called directory synchronization.

To prevent a large number of BDCs from making synchronization requests at the same time, the PDC staggers the messages it sends out when there are multiple BDCs. By default, the PDC sends the message to only 10 BDCs. When the first 10 BDCs have finished the synchronization process, the PDC sends the message to the next 10 BDCs that need to be informed, and so on.

Full and Partial Synchronization

There are two types of synchronization: full and partial. When a BDC is created during a Windows NT Server installation, one of the first tasks it must perform is to download a copy of the full SAM database. This is an example of full synchronization. When it's complete, the BDC is able to respond to logon requests from clients .

When changes are made on the PDC, they are not immediately propagated to the domain's BDCs. Instead, a change log file 64KB in size is used to buffer the modifications. Each change record is stamped with a serial number and a version number. The change log is a circular file. That means that when it becomes full, it simply wraps back on itself, overwriting the oldest record in the file.

When the PDC sends out notifications that changes exist in the database, it does so only to those BDCs that it knows do not have the most recent data. The PDC can do this because it keeps track of the serial numbers of the most recent records updated to each BDC. This partial synchronization prevents unnecessary replication traffic. When a BDC polls the PDC for the changes it needs, it receives only those changes that it has not already gotten during a previous poll, based on the serial number.

A full replication can still occur under this process. For example, a BDC can be taken offline for an extended period. Or the network link between the BDC and the PDC might be unavailable due to a network problem. Again, using the serial numbers of the records it already has, the BDC can determine whether any changes have been overwritten in the PDC's change log, and it can then request a full synchronization so that it will have a complete copy of the database.

Logon Failures Related to Synchronization

One common function administrators or help-desk personnel perform is that of adding a new user account or changing the password for an account when the user cannot log on. As simple a matter as this might seem, the role played by backup domain controllers can be an issue when this is done in a Windows NT network.

When a password is changed or an account added, it is done on the master copy of the database that resides on the PDC. Remember that the BDC does not immediately receive updates that are made on the SAM. If you add a new account or if you modify a user account, whether it be to change the password or remove a lockout condition, the user who is validated at a remote location by a backup domain controller might not be able to immediately log on because the BDC might not be aware of the change.

You could just tell the user to wait and try again, but this is not the kind of response that builds up trust between users and the help-desk personnel or the administrator. Instead, Windows NT allows you to force the synchronization process to begin. To do this, you must invoke the Server Manager, which is found in the Administrative Tools folder. From the Computer menu select Synchronize Entire Domain. A pop-up dialog box informs you that this process can take a few minutes. Click the Yes button to proceed. The PDC then begins sending out messages to the BDCs, informing them that it is time to synchronize. Windows displays a message informing you that the synchronization process has begun.

After a few minutes, you can check the Event Viewer to find out whether the synchronization process has completed. You should check both the BDC and the PDC for these messages. The Event Viewer utility enables you to connect to another computer to check messages in its log files, so this can be done from one location by the administrator. When synchronization has finished, you can instruct the user to try the new password or account again.