User accounts are basic elements of system security. To protect local and network resources from unauthorized access, you need a method to identify and authenticate users. In Windows 2000, the process of creating a new user account on a domain differs from the same task in Windows NT. In Win2K, the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in integrates user management into Active Directory (AD). For information about Win2K MMC snap-ins, see "The Mighty Win2K Microsoft Management Console, Part 1," September 2000 and "The Mighty Win2K Microsoft Management Console, Part 2," October 2000. (For information about creating user accounts in NT, see Michael D. Reilly, Getting Started with NT, "Windows NT User Accounts," June 1998, and Paula Sharick, "Windows NT Authentication," January 1997.)
Creating a User Account
To create a new user account on a Win2K domain, open the Active Directory Users and Computers snap-in on a domain controller (DC). To open the snap-in, click Start, Programs, Administrative Tools, Active Directory Users and Computers. Right-click the Users object in the snap-in's left pane and select New, User to open the New Object-User dialog box, which Figure 1, page 176, shows. Notice that the options in NT's New User dialog box, which Figure 2, page 176, shows, aren't available in Win2K's corresponding dialog box. NT provides icons that open additional new user Properties sheets, whereas Win2K uses a wizard.
Enter the user's first name, last name, and full name, then enter the user's logon name in the User logon name text box. If multiple domains exist in your organization, select the new user's domain from the drop-down list in the text box to the right of the User logon name text box. The username automatically appears in the User logon name (pre-Windows 2000) text box; legacy versions of Windows require this information. (The pre-Win2K logon name format omits the Win2K domain suffix and instead uses the domain name followed by a backslash.) Click Next.
On the next screen, enter and confirm the user's password. You can select from the following password options, which are the same options that NT's New User dialog box offers.
- User must change password at next logon forces the user to replace the password you assigned with one the user chooses.
- User cannot change password prevents the user from changing the password you assigned.
- Password never expires stops the system from imposing an automatic password-expiration interval on the user.
- Account is disabled prevents users from logging on with the account. (I use disabled accounts as templates.)
Click Next to view a summary of the new user's logon information. If the information is correct, click Finish; otherwise, click Back and make any necessary adjustments.
After you click Finish, the new user name appears in the snap-in's right pane. (Press F5 to refresh the listing and move the new user listing into alphabetical position.) Double-click the user listing to open the user Properties dialog box, which Figure 3, page 176, shows.
The number of tabs in the user Properties dialog box might seem a bit overwhelming, but most of the tabs fall into three categories: configuration options for Win2K Server Terminal Services users, configuration options for logging on to the domain, and additional user information that isn't connected to the logon process but that you can use to find users in AD.
Configuration Options for Terminal Services Users
The Environment, Sessions, Remote control, and Terminal Services Profile tabs in the Properties dialog box contain settings for users who log on to a Terminal Services server. Terminal Services configuration is beyond the scope of this article, but Christa Anderson's excellent articles (e.g., "Preparing for Windows 2000 Server Terminal Services," http://www.win2000mag.com, InstantDoc ID 8998) appear regularly in Windows 2000 Magazine and online and are wonderful sources of information about the topic.
Configuration Options for Logging on to the Domain
Four of the Properties dialog box's tabs—Account, Profile, Member Of, and Dial-in—contain configuration options for the user's regular logon and security settings. Some of this information is a repetition of the data you entered when you created the user account.
The Account tab. Use the Account tab to configure basic logon options. On this tab, you can edit the user logon name that you specified during account creation. To restrict the hours during which the user can log on, click Logon Hours and select the desired times to permit or deny logon, as Figure 4 shows. Click Log On To to open the Logon Workstations dialog box, on which you can specify which workstations the user can log on to.
Next, you can scroll through a list of Account options, which are far more diverse than the options available in NT. The list contains the four password options that the New Object-User dialog box provides, and you can also enable the following options:
- Store passwords using reversible encryption—select this check box for users who will log on from platforms that can't handle reversible encryption of passwords. (Macintosh computers are the usual targets of this policy.)
- Smart card is required for interactive logon—select this check box for users who will log on from computers with smart-card readers. (To accommodate the smart-card logon, the system will prompt the user for a PIN.)
- Account is trusted for delegation—select this check box to let the user assign responsibility for managing and administering a portion of the domain namespace to another user, group, or organization.
- Account is sensitive and cannot be delegated—select this check box to tell the system that no other account may use this account's credentials for delegation.
- Use DES encryption types for this account—select this check box to use Data Encryption Standard (DES), rather than Win2K's Kerberos standard, as the encryption type for this user's logon. (DES is the common standard for dial-in authentication.)
- Do not require Kerberos preauthentication—select this check box if the user employs a Kerberos implementation other than Win2K's default, which is Kerberos 5.0.
The final option on this tab is the Account Expires text box. If you created a user account to provide temporary access to your system—for example, for an outside contractor or consultant on a particular project—you can enter an expiration date for that account.
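The wizard's password options and the Account tab's check boxes above are stored in the user object's userAccountControl attribute, and Account Expires in the accountExpires attribute. As an added example (not part of the original article), the following Python decodes both from an exported record and flags the settings an account review should ask about; the sample records and the review date are constructed.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone
# userAccountControl bits behind the check boxes in the New Object-User wizard
# and on the Account tab (Microsoft's documented constant names and values).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x2,               # Account is disabled
    "PASSWD_CANT_CHANGE": 0x40,          # User cannot change password
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x80,  # Store passwords using reversible encryption
    "NORMAL_ACCOUNT": 0x200,             # set on every ordinary user object
    "DONT_EXPIRE_PASSWORD": 0x10000,     # Password never expires
    "SMARTCARD_REQUIRED": 0x40000,       # Smart card is required for interactive logon
    "TRUSTED_FOR_DELEGATION": 0x80000,   # Account is trusted for delegation
    "NOT_DELEGATED": 0x100000,           # Account is sensitive and cannot be delegated
    "USE_DES_KEY_ONLY": 0x200000,        # Use DES encryption types for this account
    "DONT_REQ_PREAUTH": 0x400000,        # Do not require Kerberos preauthentication
}
# Options that weaken a control and should be justified when reviewing accounts.
RISKY = {
    "ENCRYPTED_TEXT_PWD_ALLOWED": "password stored reversibly (recoverable as cleartext)",
    "DONT_REQ_PREAUTH": "Kerberos preauthentication disabled",
    "USE_DES_KEY_ONLY": "limited to DES keys",
    "DONT_EXPIRE_PASSWORD": "password never expires",
    "TRUSTED_FOR_DELEGATION": "may impersonate users to other services",
}
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # both values AD uses for "account never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
REVIEW_DATE = datetime(2021, 1, 1, tzinfo=timezone.utc)  # assumed "today" for the sample

def decode_uac(value: int) -> set[str]:
    return {name for name, bit in UAC_FLAGS.items() if value & bit}

def account_expires(filetime: int) -> datetime | None:
    """accountExpires is 100-ns ticks since 1601-01-01 UTC; None means never."""
    if filetime in NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def audit_user(user: dict, now: datetime = REVIEW_DATE) -> list[str]:
    """Review findings for one exported user record (sAMAccountName, UAC, expiry)."""
    name, flags = user["sAMAccountName"], decode_uac(user["userAccountControl"])
    findings = [f"{name}: {RISKY[f]}" for f in sorted(flags) if f in RISKY]
    expires = account_expires(user["accountExpires"])
    if expires is not None and expires < now and "ACCOUNTDISABLE" not in flags:
        findings.append(f"{name}: expired {expires:%Y-%m-%d} but still enabled")
    return findings

SAMPLE_USERS = [  # constructed sample export, not real directory data
    {"sAMAccountName": "jbernardi", "userAccountControl": 0x200, "accountExpires": 0},
    {"sAMAccountName": "macuser", "userAccountControl": 0x200 | 0x80 | 0x10000, "accountExpires": 0x7FFFFFFFFFFFFFFF},
    {"sAMAccountName": "contractor", "userAccountControl": 0x200, "accountExpires": 132223104000000000},
    {"sAMAccountName": "template", "userAccountControl": 0x200 | 0x2, "accountExpires": 0},  # disabled template
]
```

Running `audit_user` over each record reports the reversible-encryption and never-expires settings on the second account and the lapsed but still-enabled contractor account; the disabled template produces nothing, matching the article's use of disabled accounts as templates.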
The Profile tab. Use the Profile tab to specify a location for the user's profile and home folder. These features are optional but are handy tools that you should take advantage of.
By default, the system uses the local profile, but for a roaming user, you might want to create a server-based profile that is available no matter which computer the user logs on from. To assign a server-based profile to a user, enter the full path to that profile in the Profile path text box. Use the format \\server\share\username (e.g., \\ivensdc1\userprofiles\jbernardi).
In the Logon script text box, enter the name of the logon script you want to assign to the user. By default, logon scripts reside in the Netlogon share in \%systemroot%\SYSVOL\sysvol\DomainName\scripts. Note that the Help file for the text box states an incorrect path for the Netlogon share.
In the Profile tab's Home folder section, you can specify a path for the home folder. This folder becomes the default container for user files and software, as well as the location of the command prompt when the user opens a command-prompt window. (Opening a command prompt is a good way to determine the home folder location on a workstation.) By default, the home folder is the local drive (usually the C drive) on which you installed the OS, and Win2K stores user files in the local My Documents folder.
You can specify a local home folder path in the Local path text box, but doing so has no particular advantage. However, specifying a network path provides several advantages. First, by default, Win2K will save user documents to the server you specified rather than to the local My Documents folder, so your regular backup process will back up those documents—assuming that you back up your file servers, of course. (Most administrators know that users don't back up local documents, regardless of your inducements, explanations, or threats.) Second, roaming users who don't always log on to the domain from the same computer can always access their files.
The Profile tab provides two text boxes in which you can specify a network path for the home folder. In the Connect text box, select a drive letter to map to the network location. In the To text box, select an existing shared folder on a server that the user can access. Be sure to set appropriate permissions for that share.
The Member Of tab. The Member Of tab contains the groups to which the user enjoys membership. By default, Win2K automatically makes all users members of the Domain Users group. Click Add to open the Select Groups dialog box and choose additional groups to which you want to assign the user as a member. (Next time, I'll explain how to make this type of decision.)
The Dial-in tab. Use the Dial-in tab to set options for remote-access users, including users who dial in to the network and users who access the network through a VPN. The dialog box is self-explanatory, but keep in mind that you must set up and configure RRAS on your network before you can enable dial-in settings. (For information about RRAS in Win2K, see Sean Daily, Watch Your RAS, "What's New in Win2K's RAS?" Winter 1999.)
Additional User Information
The Address, Telephones, and Organization tabs hold information that isn't connected to user settings, permissions, or logon authentication data. Instead, the data you enter in these tabs' self-explanatory fields provides the kind of information that a personal information manager (PIM) stores. The data you enter on this group of tabs becomes part of AD's user database, and you can base a search on this information. For information about searching for users according to Properties information, see the sidebar "Filtering Users."
Creating user accounts is an important task in Win2K, and the process is straightforward, provided you know which options to use and where to find them. Next time, I'll cover Win2K groups, which you can use to set permissions and otherwise manipulate multiple user accounts simultaneously.