You can select the User Cannot Change Password check box for accounts over which you want to retain control, such as shared accounts or the user accounts for users who refuse to select hard-to-guess passwords. You can select the Password Never Expires check box for user accounts that you don't want to be subject to the domain-level maximum password age. You can also use this option for server-application service accounts (e.g., Microsoft SQL Server) to prevent the common situation in which you reboot a server one day and none of the important services start because their account passwords have expired. Unfortunately, I've also seen administrators set the Password Never Expires option to make an exception for uncooperative users who have enough clout to refuse to change their passwords regularly.
The Account Disabled check box is a useful control for temporarily protecting user accounts of employees who are on vacation or another type of leave. When you disable an account, NT won't let the user log on, regardless of whether the user knows the correct password. You can disable an account when an employee leaves the company instead of immediately deleting the account. Keeping the account around for about 30 days lets you reconstruct what the user had access to if a replacement is hired or if suspicion arises as to the employee's actions before leaving. Disabling the account also saves you from having to recreate the account if the employee changes his or her mind and comes back a week later.
You can limit which days of the week and which hours each day a user can log on. Given the unpredictable schedule of most users today, setting this policy isn't too practical. However, if you have users who work definite hours (e.g., a bank teller), you can click Hours to obtain the Logon Hours dialog box. In it, you simply select a time period, then click Allow or Disallow. If users try to log on outside the allowed times, NT rejects the attempt. If users log on during the allowed time period and remain logged on into a period in which they're explicitly disallowed, NT lets the users remain logged on by default. You can use a global policy to change this default. In the Account Policy dialog box, select the Forcibly disconnect remote users from server when logon hours expire check box. Be aware that selecting this check box disconnects users from servers but not their workstations. For example, suppose you limit Bob to logging on between 8:00 a.m. and 6:00 p.m. and you select the Forcibly disconnect remote users from server when logon hours expire check box. At 9:00 a.m., Bob logs on to his workstation and connects to several servers for file and printer sharing. Bob remains logged on past 6:00 p.m. At 6:00 p.m., the file and printer sharing servers disconnect him, but he still remains logged on to his workstation. Note, however, that servers disconnect only inactive users when their logon hours expire. If users are interacting with the servers (e.g., keeping a file open, querying a directory every few minutes), the servers won't disconnect the users regardless of their logon hours.
By default, NT lets users log on from any workstation. If you want to limit the computers to which users can log on, you can apply workstation restrictions. Click Logon To in the New User dialog box to bring up the Logon Workstations dialog box, which Figure 3 shows. You can specify up to eight workstations. If users need to log on to more than eight computers, see "NT Gatekeeper: Restrict Workstation Logons," http://www.secadministrator.com, June 2001, InstantDoc ID 20902.
The last user-specific logon policy you can set is the user account's expiration date. By default, user accounts don't expire. However, you can set an expiration date by clicking Account in the New User dialog box and specifying the date in the Account Information dialog box, which Figure 4 shows. Account expiration is useful for temporary contractors or when you know in advance of a user's departure. You just set the expiration date in advance, and NT takes care of the account for you. I've seen some administrators use this option when they have a chronic problem with not being notified when employees leave the company. These administrators set an expiration date of 30 days for each user and require the human resources (HR) department to provide a monthly report that lists all current employees. Based on these reports, the administrators extend the expiration dates of the valid user accounts. That way, if someone leaves but the administrator doesn't get notified, NT automatically closes the account after 30 days.
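As an added example (not code from the article), the following PowerShell script reports on the user-specific controls discussed above in a modern Active Directory domain, where the same NT account flags still exist. It assumes the ActiveDirectory module (RSAT) is installed and uses a constructed 30-day retention window for disabled accounts.

```powershell
# Added example, not from the article: audit the user-specific logon controls
# (Password Never Expires, Account Disabled, account expiration, Logon To).
# Assumes the ActiveDirectory module and a constructed 30-day retention window.
Import-Module ActiveDirectory

$props = 'PasswordNeverExpires', 'CannotChangePassword', 'Enabled',
         'AccountExpirationDate', 'LogonWorkstations', 'LastLogonDate', 'Modified'
$users  = Get-ADUser -Filter * -Properties $props
$now    = Get-Date
$cutoff = $now.AddDays(-30)

$findings = foreach ($u in $users) {
    # Exempt from the domain maximum password age: expected for service accounts,
    # otherwise it is the "clout" exception the article warns about.
    if ($u.Enabled -and $u.PasswordNeverExpires) {
        [pscustomobject]@{ User=$u.SamAccountName; Finding='PasswordNeverExpires'; Detail=$u.LastLogonDate }
    }
    # Disabled longer than the reconstruction window: candidate for deletion.
    if (-not $u.Enabled -and $u.Modified -lt $cutoff) {
        [pscustomobject]@{ User=$u.SamAccountName; Finding='DisabledOver30Days'; Detail=$u.Modified }
    }
    # Expiration date already passed but the account was never disabled or removed.
    if ($u.Enabled -and $u.AccountExpirationDate -and $u.AccountExpirationDate -lt $now) {
        [pscustomobject]@{ User=$u.SamAccountName; Finding='ExpiredStillEnabled'; Detail=$u.AccountExpirationDate }
    }
    # Workstation restrictions in force (the Logon To control).
    if ($u.LogonWorkstations) {
        [pscustomobject]@{ User=$u.SamAccountName; Finding='LogonWorkstations'; Detail=$u.LogonWorkstations }
    }
}

$findings | Sort-Object Finding, User | Format-Table -AutoSize
```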
User Manager for Domains lets you modify user-specific logon policies for many user accounts in one step. Simply press the Ctrl key while clicking each user account you want to change. Then select User, Properties and make the change. This capability comes in handy when you need to select the User Must Change Password at Next Logon check box to make new domain password restrictions take effect.
When viewing a member server's or workstation's local SAM, you won't find all the user-specific policies I just discussed. The Logon To, Hours, and Account Disabled options aren't present. These controls are available only on domain accounts.
Registry Tweaks
In addition to setting global and user-specific policies, you can make registry changes under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey to control the logon process. Specifically, you can tweak the registry to display a legal notice during logon, hide usernames in the logon dialog box, and shorten or extend the password-expiration period.
For legal purposes, displaying a legal notice when users log on is important. This notice tells users that they're entering your system and establishes your right to monitor their actions. For best legal recourse, you should display this warning before they enter their credentials. You create this legal notice by adding two REG_SZ registry values under the Winlogon subkey. In the LegalNoticeCaption entry, add a short string that NT will display in the warning window's title. In the LegalNoticeText entry, add the full text, which you should obtain from your legal department. After you specify these values, NT will display the legal notice whenever the user presses Ctrl+Alt+Del at logon. NT waits for the user to click OK in the warning window before letting the person enter his or her username and password.
During logon, NT automatically fills in the Username field in the logon dialog box with the name of the last user who logged on. If this default is a risk in your environment, you can blank out this field by setting the DontDisplayLastUserName entry to the REG_SZ value of 1.
As I mentioned previously, NT starts displaying a password-expiration notification 14 days before a password's expiration date. If you want to shorten or extend how far in advance NT starts warning users, you can change the PasswordExpiryWarning entry's REG_DWORD value from 14 to the number of days you prefer.
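The following PowerShell script is an added example (not from the article) that audits the three Winlogon tweaks described above and, when run with -Apply, sets them. The caption, the placeholder notice text and the 10-day warning period are assumed values, not settings the article recommends.

```powershell
# Added example, not from the article: audit (and with -Apply, set) the Winlogon
# values for the legal notice, last-username hiding and password-expiry warning.
# Caption, notice text and the 10-day warning period are placeholder values.
param([switch]$Apply)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# AnyNonEmpty: the legal notice wording comes from your legal department,
# so only its presence is audited, not its exact text.
$policy = @(
    @{ Name='LegalNoticeCaption';      Type='String'; Value='Authorized Use Only';            AnyNonEmpty=$true  }
    @{ Name='LegalNoticeText';         Type='String'; Value='PLACEHOLDER - obtain from legal'; AnyNonEmpty=$true  }
    # REG_SZ "1" as the article specifies; newer Windows versions store this as REG_DWORD 1.
    @{ Name='DontDisplayLastUserName'; Type='String'; Value='1';                              AnyNonEmpty=$false }
    # Days of advance warning; the NT default is 14.
    @{ Name='PasswordExpiryWarning';   Type='DWord';  Value=10;                               AnyNonEmpty=$false }
)

$current = Get-ItemProperty -Path $key
$report = foreach ($p in $policy) {
    $have = $current.($p.Name)
    $compliant = if ($p.AnyNonEmpty) { -not [string]::IsNullOrEmpty("$have") }
                 else                { "$have" -eq "$($p.Value)" }
    if ($Apply -and -not $compliant) {
        # Requires administrative rights; takes effect at the next logon.
        Set-ItemProperty -Path $key -Name $p.Name -Value $p.Value -Type $p.Type
        $compliant = $true
    }
    [pscustomobject]@{ Name=$p.Name; Actual=$have; Expected=$p.Value; Compliant=$compliant }
}

$report | Format-Table -AutoSize
```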
You must make the registry tweaks I just described on each user's computer. If you have numerous machines, you can use the System Policy Editor (SPE) for this task. SPE lets you distribute registry changes to every computer in your domain from a central database. You can also use SPE to implement workstation restrictions that guard the workstation after the user has logged on. For example, you can deploy a password-protected screen saver on user desktops and prevent users from disabling it. For a wealth of how-to information and tips about SPE, go to http://www.winnetmag.com/topics and select System Policies or System Policies Editor (SPE).
Stand Guard
You can protect your network from many risks if you don't let unauthorized users log on in the first place. By understanding and using NT's global, user-specific, and registry-level policies, you can effectively guard entry into your domain.
Larry Heberlein January 15, 2004