Reviewing the basics
I've received a lot of email from readers about problems they encounter when creating or managing user accounts. Many administrators have trouble because they inadvertently omit important configuration items or fail to follow consistent practices. For these reasons, I've decided to review the basic processes of creating and managing user accounts and share some useful hints to make the processes easier.
A user account contains a name and password for logging on to either a local computer or a domain. In Active Directory (AD), a user account can also contain information such as the user's full name, email address, phone number, department, and physical address. User accounts also serve as a means for granting permissions, applying logon scripts, assigning profiles and home directories, and linking other working-environment properties to a user.
Local vs. Domain User Accounts
When users log on to a computer instead of the domain, they use a local account. In a workgroup (i.e., peer-to-peer—P2P) environment, local accounts provide logon capabilities for local computer users and give remote users access to a computer's resources. Certain users might have access to data on a server, for example, and would use a local user account to log on to that machine.
However, most user accounts in a corporate setting are domain accounts, which offer logon rights and permissions across the domain. Unless the domain account restricts them from doing so, users can use a domain account to log on to the domain from any workstation. After they're logged on, users receive specific permissions to network resources from the domain account.
Not just users have domain accounts, however. On a domain, an account represents a security principal, which can be a person, a computer, or a group. User accounts, computer accounts, and group accounts are all security principals: directory objects that automatically receive a security identifier (SID) when they're created. Access control lists on domain resources grant or deny access by SID, so the SID (not the account name) is what ultimately determines what an account can reach on the domain.
The two most important uses of a domain account are to authenticate the identity of users and to authorize or deny access to resources on the domain. Authentication verifies that the person logging on is who he or she claims to be, and lets that user log on to computers in the domain with an identity the domain has vouched for. Authorization then comes from the permissions assigned to the user's SID and to the SIDs of the groups the user belongs to. In practice, assign permissions to domain groups and control access by changing group memberships rather than by granting permissions to individual users.
Built-in Domain Accounts
When you create a domain, Windows automatically creates several user accounts. In Windows 2000, the built-in user accounts are Administrator and Guest (AD also creates a krbtgt account for the Kerberos Key Distribution Center; it's disabled by default, you never log on with it, and you should leave it alone). Windows Server 2003 domains have an additional built-in account named HelpAssistant, which the Remote Desktop Help Session Manager service creates the first time someone requests a Remote Assistance session. Each of these built-in accounts has a different set of permissions.
By default, the Administrator account has Full Control permissions for all resources on the domain and can assign permissions to domain users. Those permissions come from its group memberships. By default, the Administrator account is a member of the following groups:
- Administrators (the built-in domain local group)
- Domain Admins
- Domain Users
- Enterprise Admins (in the forest root domain only)
- Group Policy Creator Owners
- Schema Admins (in the forest root domain only)
Some administrators rename or disable the Administrator account to make it more difficult for malicious users to gain access to a domain controller (DC). Keep in mind that renaming is a weak defense on its own: the account keeps its well-known SID (the domain SID followed by RID 500), and anyone who can query the domain can find it by that SID regardless of its name. A better practice is to give each administrator a dedicated administrative account (separate from his or her everyday user account) with membership in the groups needed to administer the domain, and to use the built-in Administrator account only for recovery. If you disable the Administrator account, you can still use it to access the DC when necessary by booting the DC into Safe Mode (the Administrator account is always available in Safe Mode).
The Guest account lets people who don't have an account log on to the domain. Additionally, users whose accounts are disabled can use the Guest account to log on. The Guest account has a blank password by default, but you can set permissions for the account, just as you can for any user account. The Guest account is a member of the Guests and Domain Guests groups. Obviously, inherent dangers exist in letting anyone without a real account log on to your domain, so most administrators don't use this account. The Guest account is disabled by default in both Win2K and Windows 2003. Unless you have some urgent reason to use the account, leave it disabled, and check periodically that nobody has enabled it. If you find it enabled, right-click its listing in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, then choose Disable from the shortcut menu.
The HelpAssistant account is new with Windows 2003. The Remote Desktop Help Session Manager service creates and manages the account when you request a Remote Assistance session; the service enables the account while a Remote Assistance invitation is outstanding and disables it again when all invitations have expired. You don't need to manage its password or group memberships yourself.
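The following script is an added example, not part of the original column, that puts the advice in this section into a check you can run against your own domain. It uses the ActiveDirectory PowerShell module (part of the Remote Server Administration Tools), which is newer than the Win2K and Windows 2003 systems the column describes, but the accounts it inspects are the same. It locates the built-in Administrator, Guest, and krbtgt accounts by their well-known RIDs (500, 501, and 502) rather than by name, so a renamed Administrator account is still found, and it reports the conditions discussed above: an enabled Guest account, an enabled krbtgt account, and an enabled Administrator account with an old password. The one-year password age threshold is an assumption you should adjust to your own policy.

```powershell
Import-Module ActiveDirectory

function Get-BuiltinAccountStatus {
    # Every AD domain has accounts with these RIDs. Renaming changes the name, not the SID.
    # Plain hashtable (not [ordered]) because integer keys on an ordered dictionary are
    # treated as positions, not keys.
    $wellKnown = @{ 500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt' }
    $domainSid = (Get-ADDomain).DomainSID.Value

    foreach ($rid in ($wellKnown.Keys | Sort-Object)) {
        # -Identity accepts a SID string, so the lookup works regardless of the account's current name.
        $acct = Get-ADUser -Identity "$domainSid-$rid" -Properties MemberOf, PasswordLastSet, LastLogonDate

        # Reduce each group DN to its CN for a readable summary.
        $groups = $acct.MemberOf | ForEach-Object { ($_ -split ',', 2)[0] -replace '^CN=' }

        # Conditions this section of the column warns about.
        $findings = @()
        if ($rid -eq 501 -and $acct.Enabled) { $findings += 'Guest is enabled' }
        if ($rid -eq 502 -and $acct.Enabled) { $findings += 'krbtgt is enabled (it should never be)' }
        if ($rid -eq 500 -and $acct.Enabled -and $acct.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
            # Assumed threshold: flag an enabled Administrator account whose password is over a year old.
            $findings += 'Administrator is enabled with a password older than one year'
        }

        [pscustomobject]@{
            RID             = $rid
            DefaultName     = $wellKnown[$rid]
            CurrentName     = $acct.SamAccountName
            Enabled         = $acct.Enabled
            PasswordLastSet = $acct.PasswordLastSet
            LastLogonDate   = $acct.LastLogonDate
            MemberOf        = ($groups -join '; ')
            Findings        = ($findings -join '; ')
        }
    }
}

Get-BuiltinAccountStatus | Format-Table -AutoSize
```

Run it from any machine with the Active Directory module installed, as a user who can read the domain. A CurrentName column that differs from DefaultName shows you that the account has been renamed; the MemberOf column lets you confirm the Administrator account still holds only the default memberships listed above.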
Creating Domain User Accounts
You create domain user accounts in AD from a DC or from any computer that has the Active Directory administrative tools installed. Open the Active Directory Users and Computers snap-in, then expand the appropriate domain (if more than one domain exists). Unlike Windows NT 4.0, Windows 2003 and Win2K separate the user account creation and account configuration processes: First, you create the user and the associated password, then you configure the user details, including group memberships.
To create a new domain user, right-click the Users container (or the organizational unit where the account belongs), then choose New, User to open the New Object - User dialog box, as Figure 1 shows. Enter the user's name and logon name. Windows automatically appends the current domain name, called the user principal name (UPN) suffix, to the logon name; the combination (for example, username@domain) is the user's UPN. You can create additional UPN suffixes and select the one you want to use for a new user from the drop-down list. You can also enter a pre-Windows 2000 logon name (by default, the same name, truncated to 20 characters) to let users log on to the domain from NT 4.0 and Windows 9.x machines.
Click Next to configure the user's password, as Figure 2 shows. By default, the User must change password at next logon option is selected, so the user creates his or her own password the first time he or she logs on. Resist the temptation to give every new account the same standard company password: anyone who knows that password can log on as the new user during the window between account creation and the user's first logon, and "change password at next logon" doesn't close that window. Instead, give each new account a unique initial password and deliver it to the user out of band. Next, select the other password options you want to impose for this user. Finally, click Next to see a summary of your choices, then click Finish to create the user in AD.
Configuring User Account Properties
To configure or modify the properties for a domain user, double-click the user listing you want to configure. As Figure 3 shows, you have many configuration categories to choose from.
The Member Of tab controls the user group memberships (and therefore a user's permissions and rights across the domain). By default, Windows places a new user in the Domain Users group. For many users, this is sufficient, and you don't have to do anything else. For other users, such as department heads and members of the IT staff, you should provide group memberships that let these users perform the tasks they need to be able to do. To add group memberships, click Add, then select the appropriate groups for the user you're creating (or editing). If you feel the built-in groups don't provide the exact set of permissions you require, you can also create your own groups.
Creating User Templates
Windows lets you copy users, which makes the process of creating new users fast and efficient. The best way to take advantage of this feature is to create a series of user templates, then copy those accounts to real accounts. Because permissions and rights are the most important (and potentially dangerous) properties, create user templates in categories that match the group memberships you assign. Start with a template for a standard user (i.e., a member of the Domain Users group only), then create templates that have a particular combination of group memberships. For example, you can create a user template named Helpdesk with membership in Account Operators (or in a custom group you've created for help desk staff) and unlimited logon hours, or a user template named DialUp with preconfigured dial-up settings for your company. (Don't look for a domain Power Users group: Power Users exists only in the local SAM of workstations and member servers, so it isn't available for domain templates.) Then, as you create new users, you can select the appropriate template and modify it.
I've discovered a few tricks for creating and copying user templates:
- Give the template accounts names that start with 0 so that they sort together at the top of the list of user accounts.
- Give all the templates the same long, random password. Nobody ever logs on with a template, so the password only needs to satisfy the domain's password policy.
- Disable all template accounts (right-click the account, then choose Disable). A disabled template can't be used to log on, even if someone learns its password.
To create a new user from a user template, right-click the template listing, then choose Copy. In the Copy Object - User dialog box, enter the username and logon name for the new user you're creating, then click Next to configure the new user's password, as follows:
- Enter a unique initial password for the new user (not a shared standard password), and deliver it to the user out of band.
- Clear the Password never expires and Account is disabled options.
- Select the User must change password at next logon option.
- Click Next, then click Finish.
Don't bother with the Member Of tab because the system has already copied the group memberships from the user template. In fact, unless you want to record the user's telephone and address information, you don't have to do anything on any of the remaining tabs. The system copies all common user attributes. Which attributes the Copy command carries over is controlled in the AD schema by each attribute's searchFlags value (the 0x10 bit marks an attribute as copied when duplicating a user), so you can add other attributes for automatic copying or prevent certain attributes from being copied by modifying the schema. I'll discuss that process in a future column.
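The following script is an added example, not code from the original column, that automates both procedures above: creating a new domain user with a unique random initial password (Creating Domain User Accounts) and creating that user from a disabled template account (Creating User Templates). It uses the ActiveDirectory PowerShell module, which is newer than the Win2K and Windows 2003 systems described here, but the steps mirror the Copy wizard. The template name 0StandardUser, the target OU, the UPN suffix, and the password alphabet are assumptions for illustration.

```powershell
Import-Module ActiveDirectory

# Assumed names for this example (not from the column): adjust to your domain.
$TemplateName = '0StandardUser'                           # disabled template account, name starts with 0
$TargetOU     = 'OU=Staff,DC=corp,DC=example,DC=com'      # where new accounts are created
$UpnSuffix    = 'corp.example.com'                        # UPN suffix appended to the logon name

function New-RandomPassword {
    # Cryptographically random initial password, unique per account. The alphabet has exactly
    # 64 symbols (confusable l, I, O, 0, 1 removed), so byte % 64 introduces no bias.
    param([int]$Length = 20)
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
        # Retry until all four character classes are present so the domain complexity policy accepts it.
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    return $pw
}

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    # -Instance copies only the properties that were retrieved on the template object, so list
    # the ones the template is meant to carry. Per-user paths (home directory, profile path) are
    # left out on purpose: they would be copied verbatim rather than rewritten for the new user.
    $template = Get-ADUser -Identity $TemplateName -Properties MemberOf, Department, Company,
                  ScriptPath, HomeDrive, LogonHours

    $initialPassword = New-RandomPassword
    $secure = ConvertTo-SecureString -String $initialPassword -AsPlainText -Force

    # Identity attributes and the account state are given explicitly; they override the
    # template's values (the template is disabled, the new account is not).
    New-ADUser -Instance $template `
        -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname -DisplayName "$GivenName $Surname" `
        -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@$UpnSuffix" `
        -Path $TargetOU -AccountPassword $secure `
        -Enabled $true -ChangePasswordAtLogon $true -PasswordNeverExpires $false

    # memberOf is a back-link attribute and is not copied by -Instance, so the group memberships
    # that make the template useful are added explicitly, as the Copy wizard does for you.
    foreach ($groupDn in $template.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $SamAccountName
    }

    # Return the initial password once so it can be handed to the user out of band; don't log it.
    [pscustomobject]@{ SamAccountName = $SamAccountName; InitialPassword = $initialPassword }
}

# Usage:
# New-UserFromTemplate -GivenName 'Jane' -Surname 'Smith' -SamAccountName 'jsmith'
```

Because the template account stays disabled and the new account gets its own random password with the change-at-next-logon flag set, no two accounts ever share a logon secret, which is the weakness of the shared "standard company password" approach. If you want the script to handle home directories, add HomeDirectory to the retrieved properties and rewrite the path for the new user before calling New-ADUser.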