Common user configuration techniques

This month I'll explain how to manage and manipulate user accounts for current and new users. Many of the solutions I'll discuss rely on Microsoft Windows NT Server 4.0 Resource Kit utilities. You'll want to install the resource kit not only for these utilities but also for the accompanying text.

Before you manipulate user accounts, you need to create an Emergency Repair Disk (ERD) with user account information. To add this information, add /s to the rdisk.exe command (i.e., rdisk /s). Because the ERD then holds user account information, it is a security risk, so store it securely.

How can I create a list of all user accounts?

The best way to produce a list of all user accounts in a domain or on a machine is to use the Microsoft Windows NT Server 4.0 Resource Kit addusers.exe utility. You can use this utility to add users who are listed in a detailed text file.

You can also use this utility to export current users and groups into a comma-separated file. A comma-separated file uses commas to separate fields. (Commas are the default characters, but you can use other characters to separate fields.) When a spreadsheet or database reads the file, it treats each comma as the start of a new field.

Start the addusers.exe utility and type

addusers /d <file name>

You can then import the file into a spreadsheet or database.

You'll need to specify comma as the delimiter. If you want to use a different separator character, add the /s:character switch. For example, add /s:$ to the addusers command to set $ as the separator.

To obtain information (e.g., time and date of last logon) about members of a domain, you can use the resource kit usrstat.exe utility. Start the utility and type

usrstat <domain>

The resource kit utility showmbrs.exe shows all the users in a group. Members of a domain are automatically members of the domain's Domain Users group. (Domain Users includes computer accounts.) Start the utility and type

showmbrs "<domain>\domain users"

(Use quotation marks only if the group name has a space.) This approach might be useful in the future, but it currently doesn't work if the group has more than nine members.

If you don't have the resource kit, you can use NET commands to show users in the current domain. Go to the command line and type

net user /domain

To obtain information about each user, type

net user <username> /domain

You can create the file allusers.list with the output from the showmbrs command. Type

showmbrs "<domain>\domain users" > allusers.list

How can I add a user from the command line?

The easiest way to add a user from the command line is to type

net user <username> <password> /add (/domain)

In addition to creating the account from the command line, you can create a template user account directory structure and automate users' addition to groups. Many organizations have a basic structure with Word and Excel directories and some template files. To automate this function, use a script such as Listing 1 shows. This script is only a basic skeleton to use as a foundation. You can modify it to perform more sophisticated additions.

How can I move users from one machine to another?

If you want to replace a domain's Primary Domain Controller (PDC) with a new machine, the easiest method is to install the new machine as a Backup Domain Controller (BDC) and then promote it to PDC. This method eliminates the need to add or remove users.

To merge two domains or move accounts, you need to use the Microsoft Windows NT Server 4.0 Resource Kit addusers.exe utility. Log on as an administrator on the machine with the accounts you want to move. (Log on to the PDC for domain accounts.) Use the addusers.exe program to create a list of all accounts. Start the addusers.exe utility and type

addusers /d users.list

This command creates a comma-separated file with details of accounts and groups. Figure 1 shows an example output, with User, Global, and Local sections.

If you don't want global or local group information (e.g., administrator information), edit the file to remove these sections. If you don't remove these sections and the group already exists on the machine, you'll receive either Error 2223: Error creating global group: "Domain Admins," for a global group, or Error creating local group: "Administrators" (group already exists), for a local group. The addusers.exe utility tries to add users to an existing local but not global group.

You might want to move only select user accounts. Delete any users (from the User section) you don't want the utility to create on the new machine.

Copy the file to the machine or network drive you want to create accounts on. Log on as an administrator on the machine with the accounts you want to add. (Log on to the PDC for domain accounts.) Start addusers.exe and type

addusers /c users.list

This command reads the file and creates the accounts. These accounts will have blank passwords that users must change when they log on.
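As an added example (not part of the article or the resource kit), a Python script that prepares the users.list export for addusers /c the way the steps above describe: it drops the [Global] and [Local] sections, keeps only the accounts you name, and lists which accounts will be created with a blank password. The sample export is constructed, and the [User] field order (name, full name, password, description, home drive, home path, profile, script) is assumed from the resource kit help rather than taken from Figure 1.

```python
from typing import Dict, List

# Constructed sample of an 'addusers /d' export, not output from a real machine.
# Assumed [User] field order, taken from the resource kit help:
# name,full name,password,description,home drive,home path,profile,script
SAMPLE_EXPORT = r"""[User]
savillj,John Savill,,Help desk,H:,\\pdc\home\savillj,,logon.bat
batman,Bruce Wayne,,Night shift,H:,\\pdc\home\batman,,logon.bat
robin,Dick Grayson,,Trainee,,,,
[Global]
Domain Admins,Designated administrators of the domain,savillj
[Local]
Administrators,Members can fully administer the computer,savillj,Domain Admins
"""


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split an addusers file into its [User]/[Global]/[Local] rows."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def filter_export(text: str, keep: List[str], separator: str = ",") -> str:
    """Return a file for 'addusers /c' holding only the [User] rows whose
    account name is in keep. Group sections are dropped so that groups that
    already exist on the target (e.g. Administrators) don't raise errors."""
    wanted = {name.lower() for name in keep}
    rows = parse_sections(text).get("User", [])
    chosen = [r for r in rows if r.split(separator, 1)[0].lower() in wanted]
    return "[User]\n" + "".join(r + "\n" for r in chosen)


def blank_password_accounts(text: str, separator: str = ",") -> List[str]:
    """Names of accounts whose password field is empty: these land on the
    target with no password, so check that each one is forced to change it
    at first logon before the accounts are handed out."""
    names = []
    for row in parse_sections(text).get("User", []):
        fields = row.split(separator)
        if len(fields) > 2 and fields[2] == "":
            names.append(fields[0])
    return names
```

Pass the same separator you used with /s: (e.g. "$") if the export was not comma-separated.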

If you need to transfer numerous accounts across domains, you'll want to establish a trust relationship between the domains. This method is a good long-term solution.

How can I configure a user to log off automatically?

Basic User Manager functionality lets you set a user's working hours. Moreover, you can employ user account policies to force Windows NT to disconnect users who are logged on past their regular working hours. You must perform this function as an administrator on the Primary Domain Controller (PDC).

Start User Manager for Domains. From the Start menu, select Programs, Administrative Tools, User Manager for Domains. Double-click the user (e.g., savillj) and click Hours. By default, users have unlimited logon time. Each square in the Logon Hours dialog box represents 1 hour, as Screen 1 shows. Click the hour you want the system to log off the user (e.g., 8:00 p.m.) and drag the cursor to when you want the system to let the user log on again. Click Disallow. You can drag between days, so you can disallow 6:00 p.m. to midnight every day and then disallow midnight to 8:00 a.m. every day. Click OK to close the Logon Hours dialog box, and click OK to close the User dialog box.

To change the policy for a machine or domain, from User Manager's Policies menu, select Account to open the Account Policy dialog box, as Screen 2 shows. At the bottom of the dialog box, select the check box that says Forcibly disconnect remote users from server when logon hours expire. Click OK.

This automatic disconnect isn't a true logoff. The user is still logged on to the workstation but is disconnected from the network. Thus, the user can't access network resources.

How can I grant user rights from the command line?

To grant user rights (e.g., Logon Locally), start User Manager and select User Rights from the Policies menu. If you want to grant rights from the command line to use with account generation or scripts, you can use the Microsoft Windows NT Server 4.0 Resource Kit, Supplement Two ntrights.exe utility. This program uses a series of code words for each user right. Table 1 lists code words and corresponding user rights.

To give a user the right to log on locally, start ntrights.exe and type

ntrights +r SeInteractiveLogonRight -u <domain>\<username>

To grant this right on a remote machine, use the -m switch and type

ntrights +r SeInteractiveLogonRight -u <domain>\<username> -m \\<machine name>

How can I configure default settings for new users?

When a new user logs on for the first time, the system copies the default user profile (ntuser.dat) into the new user's profile. You can edit the ntuser.dat file to set default settings for a user. Editing ntuser.dat lets you alter information under the HKEY_CURRENT_USER Registry key.

To change default settings for a new user on a workstation, start a Registry editor (e.g., regedt32.exe) and select HKEY_USERS on Local Machine. From the Registry menu, select Load Hive and go to %systemroot%\Profiles\Default User (e.g., D:\WINNT\Profiles\Default User). Select ntuser.dat and click Open. When the program asks for a key name, you can enter any name (e.g., defuser). (When you add a new key, give everyone at least read access or the key won't copy to new profiles.) Then, select the key name you entered (e.g., defuser) in the HKEY_USERS on Local Machine window and make the changes. For example, you could alter defuser\Control Panel\Desktop\Wallpaper to change the wallpaper. After you make the changes, select the hive name, select Unload Hive from the Registry menu, and close the Registry editor.

You can also configure a default ntuser.dat for a domain. Follow the steps previously outlined, but log on to the workstation as a user. The user will then receive new settings, which you can export to the Primary Domain Controller (PDC) as a file.

To export settings, log on to the same machine, as an administrator. Start the System applet in Control Panel. (From the Start menu, select Settings, Control Panel, System.) Select the User Profiles tab to see a list of the profiles the machine stores. Select the profile that has the default settings you want to use for the domain. Then, click Copy To.

In the Copy To dialog box, which Screen 3 shows, enter the location of the PDC's Netlogon share (e.g., %systemroot%\system32\Repl\Import\Scripts). This location assumes you have only a PDC, no Backup Domain Controllers (BDCs), and no directory replication configured. If you have BDCs, replicate %systemroot%\system32\Repl\Export\Scripts to the BDCs and to the %systemroot%\system32\Repl\Export\Scripts directory on the PDC. In this scenario, specify the Export rather than the Import directory, because the replication process copies data from the Export directory to the Import directory (e.g., H:\WINNT\system32\Repl\Export\Scripts, if drive H is mapped to the PDC's c$ share, the default administrative share that points to the root of the C drive). If your boot partition (the drive that %systemroot% resides on) is a drive other than C, use that drive's share instead (e.g., e$ for drive E).

In the Permitted to use section of the Copy To dialog box, click Change. Select Everyone and click Add, OK. Click OK to start the copy. When the process finishes, check for the ntuser.dat file in the new location.

If you have trouble exporting a profile, you might not have sufficient privilege on the Protected Storage System Provider\SID key. To solve this problem, start a Registry editor (e.g., regedt32.exe) and select the HKEY_CURRENT_USER on Local Machine window. Go to Software\Microsoft\Protected Storage System Provider\SID, select Permissions from the Security menu, and click Add. Select the user (e.g., Domain Admins) and access type (READ), and click Add, OK.

To export another user's profile, log on as an administrator and start regedt32.exe. Select the HKEY_USERS on Local Machine window and select Load Hive from the Registry menu. Go to the user's profile area in %systemroot%\Profiles (e.g., D:\WINNT\Profiles\batman), select ntuser.dat, and click Open. Enter the user's name (Batman in this example), and click OK. Go to <user name>\Software\Microsoft\Protected Storage System Provider\SID. Select Permissions from the Security menu and click Add. Select Domain Admins and access type READ, and click Add, OK. Select Unload Hive from the Registry menu, and close the Registry editor.

How can I tell which user has which security ID (SID)?

Start a Registry editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Select each SID in the list and look at the ProfileImagePath, as Screen 4 shows. The user's name appears at the end of this string.

If you know the SID but want to know the user's name, you can use the Microsoft Windows NT Server 4.0 Resource Kit, Supplement Two reg.exe utility. Start the reg.exe utility and type

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>\ProfileImagePath"

If you have numerous SIDs to check, you can write a script that automatically checks usernames from SIDs. (For more information about SIDs, see Mark Russinovich, "NT Rollout Options," June 1998.)
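As an added example (not from the article), a Python script that does the SID-to-username lookup the paragraph suggests, run over a constructed sample of ProfileList entries instead of a live Registry. It also reports the relative identifier (RID) at the end of each SID: RID 500 is always the built-in Administrator and 501 the built-in Guest, whatever those accounts have been renamed to, which is worth knowing when reviewing who owns which profile.

```python
import re
from typing import Dict, Optional

# Constructed sample of ProfileList entries (SID -> ProfileImagePath), not
# data from a real machine. Paths follow the %SystemRoot%\Profiles layout.
PROFILE_LIST: Dict[str, str] = {
    "S-1-5-21-1078081533-1960408961-725345543-500": r"%SystemRoot%\Profiles\Administrator",
    "S-1-5-21-1078081533-1960408961-725345543-1001": r"%SystemRoot%\Profiles\savillj",
    "S-1-5-21-1078081533-1960408961-725345543-1002": r"D:\WINNT\Profiles\batman.000",
}

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
# Relative identifiers that always denote the same built-in account,
# regardless of what the account has been renamed to.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


def rid_of(sid: str) -> int:
    """Last sub-authority of the SID: the relative identifier (RID)."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: " + sid)
    return int(sid.rsplit("-", 1)[1])


def domain_of(sid: str) -> str:
    """Everything before the RID identifies the issuing domain or machine."""
    return sid.rsplit("-", 1)[0]


def username_from_path(profile_path: str) -> str:
    """The profile folder name is the user name; NT appends .000, .001, ...
    when a folder of that name already existed (e.g. batman.000)."""
    leaf = profile_path.rstrip("\\").rsplit("\\", 1)[-1]
    return re.sub(r"\.\d{3}$", "", leaf)


def resolve(sid: str, profile_list: Dict[str, str] = PROFILE_LIST) -> Optional[dict]:
    """Map one SID to its user name, or None if it has no profile here."""
    path = profile_list.get(sid)
    if path is None:
        return None
    rid = rid_of(sid)
    return {"user": username_from_path(path), "rid": rid,
            "domain": domain_of(sid), "well_known": WELL_KNOWN_RIDS.get(rid)}


def resolve_all(profile_list: Dict[str, str] = PROFILE_LIST) -> Dict[str, str]:
    """SID -> user name for every profile, the bulk check the article describes."""
    return {sid: username_from_path(path) for sid, path in profile_list.items()}
```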

How can I let non-administrators issue AT commands?

By default, only administrators can issue AT commands. However, you can give other users (e.g., Server Operators) permission to issue these commands. Start a Registry editor (e.g., regedt32.exe) and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. From the Edit menu, select New, DWORD Value. Enter the name

SubmitControl

and press Enter. Double-click the newly created value and set it to 1. Exit the Registry editor and reboot the machine.

What user variables are available?

Table 2 lists variables you can use in logon scripts and other batch files. You can use these variables only on Windows NT clients and servers.