Manage user accounts on a P2P network
Editor’s Note: Many IT professionals work as consultants for small businesses. Small businesses that run peer-to-peer (P2P) networks have unique IT tasks and problems. Peer-to-Peer Networks is a new Windows IT Pro series that addresses these topics.
Supporting a peer-to-peer (P2P) network requires tools and knowledge that are different from the tools and knowledge you use to maintain a domain. One of the most obvious differences is in user management. The absence of Active Directory (AD) for user lists and security settings on P2P networks means that you must configure each computer individually, instead of performing all tasks at one computer. However, because most P2P networks are rather small, this task isn’t as time consuming as it might seem. If your client or company supports more computers on a P2P network than it can easily manage, it might be time to investigate a domain.
In this article I discuss some of the tasks involved in managing user accounts on a P2P network, including methods for managing some user tasks without leaving your own computer. I chose to highlight problems that administrators and consultants frequently ask about when I present seminars, as well as problems that readers email me about after reading my books. I use the terms P2P (the description of the networking method) and workgroup (the Windows terminology for a network group that is connected by a P2P topology) throughout this discussion, because I hear both terms from IT professionals.
Note that some of the functions I discuss aren’t available in Windows Vista Home versions or in Windows XP Home Edition, both of which some small-business networks use. To learn more about the specific restrictions, search the OSs’ Help files or Microsoft’s Web site for each Windows version.
Duplicating Users on Multiple Computers
Life as a workgroup administrator is easier if you ensure that every user who accesses shares on another computer has a local account on that remote computer. If a remote user lacks a local account, Windows launches the dialog box that Figure 1 shows, in which the user must enter the username and password for an account that exists on the remote computer.
This remote logon method works if the Guest account on the remote computer is disabled (which is the Guest account’s default state). However, remote access is more complicated if the Guest account is enabled, because you have to reset the Guest account to permit users to perform tasks (the Guest account has very few permissions by default). In addition, most of my experiences on small-business P2P networks don’t match Microsoft’s documentation, which often incorrectly describes the Guest account’s default state.
Some administrators like to force the user to log on to a remote computer because this method seems more secure than providing automatic access to remote computers. However, in practice, this method is almost always less secure. Most small businesses that adopt this paradigm have a common decorating scheme—little notes taped to monitors with the usernames and passwords required to access remote computers. Because small businesses that use P2P networks are typically rather self-contained, the risk of an outsider coming in, sitting down at a computer, and accessing a remote computer that contains the company data is relatively small. Letting users select a computer from the Network folder and connect automatically doesn’t pose the same risk you’d find in a large enterprise that might be sprawled all over a building or have multiple sites, where visitors aren’t easily noticed.
When you create a user account on a remote computer, use the same logon name and password as for local logon. Windows examines the logon credentials of the user trying to access a computer and searches the target computer to find a match for the logon name and password. If a match exists, Windows grants the user access to the computer. If no match exists, or if only the username matches but the password doesn’t match, the connection dialog box in Figure 1 appears.
In most small businesses that use workgroups, only one computer stores the company data. Even though this computer isn’t running a Windows Server product (which is a definite financial advantage of workgroups), the computer acts as a data file server. This computer gets backed up every night. With a data file server that all users access, you only need to duplicate users on that computer. If you store data files on multiple computers, you need to establish a user account for every remote user on each of those computers.
To configure a remote user’s account to match the required permissions, place the user account in the appropriate local group. When Windows examines credentials to see whether a remote user exists on the target computer, the OS ignores group membership. If the user accesses only data files, and those data files are in a discrete shared folder, a quicker and easier solution is to make the user a restricted user and change the share permissions to allow Full Control for Everyone. Windows 2000 and earlier versions set Full Control for Everyone permissions automatically when you create a share; later versions of Windows don’t. You can also configure shares for Full Control for specific users, even if those users are logging on with a restricted account. After you create local user accounts for remote users, you can select the appropriate usernames and apply the necessary permissions to each folder.
To limit access to a company’s financial information, accounting software applications provide a method for permitting and restricting user access to specific types of data and transaction entry. All users who work in these applications need Full Control permissions on the folders that contain the data files for a company’s accounting software, so they can write, modify, and create items in order to do their daily work. You can then use the software’s user permissions feature to restrict specific activities.
Creating Users on Remote Computers
You can use the Control Panel users applet (i.e., User Accounts and Family Safety in Vista, User Accounts in XP, or Users and Passwords in Win2K and earlier) or the Computer Management console to create and configure user accounts for remote users. However, the users applet isn’t a convenient method because you must work from the local computer, one computer at a time. In addition, the users applet’s available configuration settings are limited. Even worse, after you use this tool you still need to use the Computer Management console to fine-tune the settings (e.g., password rules, group membership).
The Computer Management console’s Local Users and Groups section lets you create users easily. To create a new user, right-click the My Computer icon on the desktop, select Manage, double-click Local Users and Groups, click Users, and select New User from the Action menu. The user configuration settings are more granular and more powerful than those in the users applet.
As Figure 2 shows, you can change the password rule so that the password never expires. This option is preferable for workgroups because if a user is configured for periodic password changes, those changes need to be replicated on all the remote computers the user accesses. If a user thinks his or her password has been compromised, the user can (and should) use the users applet to change the password, and then make the same changes on every remote computer. IT consultants who support P2P networks can either instruct clients to call so that the consultant can administer the changes, or they can teach users how to make the necessary change on all the computers a user accesses.
The biggest benefit of using the Computer Management console is that you can access the console on remote computers to create users anywhere on the network without ever leaving your desk. In the Computer Management console, right-click Computer Management (Local) and select Connect to another computer. Enter the remote computer’s name (or use the Browse button to find the computer), then click OK.
Another benefit of using the Computer Management console is that you can also configure share permissions for remote computers, as Figure 3 shows. As you add and configure users, you can use the console’s \Shared Folders\Shares section to give users the permissions they need to work on remote computers. Right-click a share listing, select Properties, then click the Share Permissions tab to configure permissions.
To access the Computer Management console on remote computers, you need an administrator account on those computers. Because most administrators and consultants use the built-in administrator account and password to set up each computer, use that account to log on to your computer so that you can access all the remote consoles. If you use another logon name with administrative rights, Windows asks you to enter the username and password of a user with administrative permissions on the remote computer.
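The two preceding sections (duplicating a user on every computer that holds data files, and creating the account remotely without leaving your desk) can be scripted. The following is an added example, not code from the article: it binds to each remote computer with the ADSI WinNT provider, creates the account with the same logon name and password on each one, sets the password to never expire (the Figure 2 option), and puts the account in a local group. It assumes you are logged on with an account that is an administrator on every target computer, as the article recommends; the computer names, user name and group are placeholders.

```powershell
# Added example: duplicate a workgroup user on several computers with the same
# logon name and password, flag the password as never expiring, and add the
# account to a local group. Placeholder computer and user names throughout.
# The ADSI WinNT provider talks to remote workgroup computers directly, so no
# PowerShell remoting is needed; your current logon must be an administrator
# on each target.

$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # IADsUser UserFlags bit

function New-WorkgroupUser {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Password,
        [string] $LocalGroup  = 'Users',   # restricted user by default
        [string] $Description = ''
    )

    $userPath = "WinNT://$ComputerName/$UserName,user"

    if ([ADSI]::Exists($userPath)) {
        Write-Warning "$ComputerName already has a local account named $UserName; reusing it"
        $user = [ADSI]$userPath
    } else {
        $computer = [ADSI]"WinNT://$ComputerName"
        $user = $computer.Create('User', $UserName)
        $user.SetPassword($Password)      # same password as the user's local logon
        $user.SetInfo()
    }

    if ($Description) {
        $user.Put('Description', $Description)
    }

    # Password never expires: a workgroup cannot replicate periodic password
    # changes, so expiring passwords only desynchronise the copies.
    $flags = $user.InvokeGet('UserFlags')
    $user.InvokeSet('UserFlags', ($flags -bor $ADS_UF_DONT_EXPIRE_PASSWD))
    $user.SetInfo()

    # Group membership decides what the user may do once connected; the
    # credential match itself ignores it.
    $group   = [ADSI]"WinNT://$ComputerName/$LocalGroup,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($members -notcontains $UserName) {
        $group.Add($user.Path)
    }
    return $user.Path
}

# Constructed sample: the data file server plus a second computer that also
# stores data files. The password is read interactively so it is never left
# in a script (or on a note taped to a monitor).
$targets  = @('FILESERVER', 'ACCOUNTING-PC')   # placeholder computer names
$userName = 'jsmith'                            # placeholder user
$password = Read-Host -Prompt "Password for $userName (same as the local logon)"

foreach ($pc in $targets) {
    try {
        $path = New-WorkgroupUser -ComputerName $pc -UserName $userName `
                                  -Password $password -LocalGroup 'Users' `
                                  -Description 'Workgroup user, created remotely'
        Write-Host "Created or updated $path"
    } catch {
        Write-Warning ("{0}: {1}" -f $pc, $_.Exception.Message)
    }
}
```

Share permissions are left to the console's Shared Folders section (Figure 3) or to the folder's own ACL; the script only establishes the matching account and its group, which is the part that must be identical on every computer.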
Controlling and Troubleshooting Logons
P2P networks offer many of the logon control features that domains offer. However, you can’t configure an entire P2P network in one fell swoop, because you lack the global “view” of the network that AD provides. You must configure computers one at a time. In the following sections, I discuss some of the common tasks you face when configuring user logons.
Configuring logon screens. By default, XP and Vista computers that aren’t part of a domain don’t present the classic Windows Security logon dialog box that requires the user to press Ctrl+Alt+Del and then enter a username and password. Many administrators and consultants (including me) prefer the classic logon’s security to XP and Vista’s default Welcome window, with its user list and cute pictures. To configure an XP computer to present the user with the classic Windows Security logon, open the Control Panel User Accounts applet. Then, select Change the way users log on or off and clear the Use the Welcome Screen checkbox.
In Vista, you can force the use of Ctrl+Alt+Del. However, after the user presses Ctrl+Alt+Del, the list of users and their accompanying pictures is still displayed, and logon proceeds as it did before the option to require the Ctrl+Alt+Del sequence was set. You can't force the classic logon dialog box to display, and you can't override the Welcome screen that displays all the usernames. Still, requiring the Ctrl+Alt+Del key sequence does protect the computer from Internet intruder logons. If you want to add this layer of security, open a command window and type
In the User Accounts dialog box that opens, click the Advanced tab and select the Require users to press Ctrl+Alt+Delete checkbox. (Note that this command is also available in XP for those who prefer the command line to clicking through links to get to an applet and drilling down to the available options.)
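Because these settings have to be made one computer at a time, it helps to be able to audit them from your own desk. The following is an added example, not code from the article: it reads the two registry values behind the options just described through the Remote Registry service and reports, per computer, whether Ctrl+Alt+Del is required and whether the classic logon is in use. The registry locations are the well-known ones for these options (DisableCAD under the Policies\System key; LogonType under the Winlogon key, which XP honours and Vista does not, consistent with the text above). It assumes the Remote Registry service is running on the targets, that you are an administrator on them, and that the computer names are placeholders.

```powershell
# Added example: audit logon-screen settings on workgroup computers remotely.
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
#       0 = Ctrl+Alt+Del required; 1 = not required; absent = OS default,
#       which on a workgroup computer is "not required"
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonType
#       0 = classic logon dialog; 1 = Welcome screen (XP only; Vista keeps the
#       Welcome screen regardless, as the article notes)
# Assumptions: Remote Registry service running on the targets, administrative
# rights on them, placeholder computer names.

function Get-WorkgroupLogonSettings {
    param([Parameter(Mandatory)] [string[]] $ComputerName)

    $policyKey   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $winlogonKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    foreach ($pc in $ComputerName) {
        $row = New-Object PSObject -Property @{
            Computer = $pc; RequiresCAD = $null; ClassicLogon = $null; Error = $null
        }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $pc)
            try {
                $disableCad = $null
                $logonType  = $null
                $k = $hklm.OpenSubKey($policyKey)
                if ($k) { $disableCad = $k.GetValue('DisableCAD'); $k.Close() }
                $k = $hklm.OpenSubKey($winlogonKey)
                if ($k) { $logonType = $k.GetValue('LogonType'); $k.Close() }
            } finally {
                $hklm.Close()
            }
            # Only an explicit 0 means the protection is actually enforced.
            $row.RequiresCAD  = ($null -ne $disableCad -and [int]$disableCad -eq 0)
            $row.ClassicLogon = ($null -ne $logonType  -and [int]$logonType  -eq 0)
        } catch {
            $row.Error = $_.Exception.Message   # e.g. Remote Registry not running
        }
        $row | Select-Object Computer, RequiresCAD, ClassicLogon, Error
    }
}

# Constructed usage: list every computer in the workgroup you support.
Get-WorkgroupLogonSettings -ComputerName 'FILESERVER', 'ACCOUNTING-PC', 'FRONTDESK' |
    Format-Table -AutoSize
```

A computer that reports RequiresCAD as False is one where the checkbox described above still needs to be set; the script only reads, so it is safe to run before and after making the change to confirm it took effect.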
Resetting passwords. All users can change their passwords in the users applet. Changing the password doesn’t change anything else in a user's configuration. Resetting a password is different from changing a password, because when a user’s password is reset, the user loses access to encrypted files, encrypted email messages, and passwords that are stored on network resources and Web sites. All of those services must be reconfigured with the new password.
Password resets are necessary when a user forgets the password and can’t log on to a computer. (It’s amazing how often this happens, and this situation can be avoided by having users create password reset disks—which is a topic that I’ll cover in a future article in this series.) To reset a user’s password, log on with an administrative account and open the users applet.
In Win2K, select the user and click Set Password. Enter the new password twice (to confirm it) and click OK. Then click OK to close the Users and Passwords dialog box.
In XP, select the user and click Change the Password. Enter the new password twice (to confirm it) and optionally enter a password hint. (Remember that any user sitting at the computer can see the password hint.) Click Change Password to complete the task.
In Vista, select Manage Another Account to see all the accounts on the computer. Select the user and click Change the Password. Enter the new password twice (to confirm it) and optionally enter a password hint (remember that users can see the password hint). Click Change Password to complete the task.
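The distinction the article draws between changing and resetting a password maps directly onto two different operations in Windows, and the earlier advice that a changed password must be repeated on every remote computer can be scripted. The following is an added example, not code from the article: the first function performs a change (the user supplies the old password, so Windows can re-protect the encrypted files, mail and stored credentials tied to it) on every computer where the account is duplicated; the second performs an administrative reset (no old password, so that protected data is lost) on one computer, for the forgotten-password case. Computer and user names are placeholders; the reset path assumes administrative rights on the remote computer.

```powershell
# Added example: change versus reset of a duplicated workgroup password.
#   Update-WorkgroupPassword  = change (IADsUser.ChangePassword): old password
#       is verified, DPAPI-protected data (EFS files, stored credentials) is
#       carried over. Run it against every copy of the account.
#   Reset-WorkgroupPassword   = reset (IADsUser.SetPassword): administrative,
#       no old password, protected data tied to the old password is lost.
# Placeholder computer and user names; administrative rights needed for reset.

function Update-WorkgroupPassword {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $UserName,
        [Parameter(Mandatory)] [string]   $OldPassword,
        [Parameter(Mandatory)] [string]   $NewPassword
    )
    $results = @{}
    foreach ($pc in $ComputerName) {
        $path = "WinNT://$pc/$UserName,user"
        if (-not [ADSI]::Exists($path)) {
            $results[$pc] = 'no such account'   # this computer has no copy
            continue
        }
        try {
            # ChangePassword checks the old password itself, so the user can
            # run this for his or her own account on each remote computer.
            ([ADSI]$path).ChangePassword($OldPassword, $NewPassword)
            $results[$pc] = 'changed'
        } catch {
            $results[$pc] = "failed: $($_.Exception.Message)"
        }
    }
    return $results
}

function Reset-WorkgroupPassword {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $NewPassword
    )
    $path = "WinNT://$ComputerName/$UserName,user"
    if (-not [ADSI]::Exists($path)) {
        throw "$ComputerName has no local account named $UserName"
    }
    $user = [ADSI]$path
    $user.SetPassword($NewPassword)   # administrative reset; old password unknown
    $user.SetInfo()
    return $user.Path
}

# Constructed usage: a user who suspects his or her password is compromised
# changes it everywhere in one pass and sees which copies still disagree.
$computers = @('FILESERVER', 'ACCOUNTING-PC')   # placeholder computer names
$old = Read-Host -Prompt 'Current password'
$new = Read-Host -Prompt 'New password'
$status = Update-WorkgroupPassword -ComputerName $computers -UserName 'jsmith' `
                                   -OldPassword $old -NewPassword $new
$status.GetEnumerator() | ForEach-Object { Write-Host ("{0}: {1}" -f $_.Key, $_.Value) }

# Forgotten password on one computer only (run as an administrator):
# Reset-WorkgroupPassword -ComputerName 'FILESERVER' -UserName 'jsmith' -NewPassword $new
```

Any computer that reports "failed" in the change pass is one where the copies have already drifted apart (the old password there differs), which is exactly the situation that produces the Figure 1 connection dialog box; that copy needs a reset rather than a change.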
A Look Ahead
In the many years that I've been writing for Windows IT Pro, I've received an enormous amount of email from readers. Some of this mail comes from IT professionals who work with small businesses as consultants, and a great deal of my mail is from IT professionals who want to begin providing consulting services for small businesses. Many IT problems and tasks are unique to P2P networks. A common problem for business owners is managing user accounts on P2P workgroups, and consultants often instruct their clients on these issues instead of visiting the client every time a user configuration task arises. This article explains how to duplicate users on multiple computers, create users on remote computers, and control and troubleshoot logons. In future articles, I plan to focus on tasks and configuration options related to user security and policy application, as well as other P2P topics.