15. Setting Up User Accounts
The account is used to log on to a domain to use network resources or to log on to a computer
to use the computer resources.
As well as accounts that are created by the administrator, there is the Guest account (disabled
by default) for the user who has occasional access, and the Administrator account that can perform all
tasks.
An NT server can be a Primary Domain Controller (PDC), a Backup Domain Controller (BDC) or just a Member Server.
Only one PDC can exist per domain (for 2000 users memory required is 40Mb), but as many BDCs as you like.
The BDC has a read only directory database which is synchronise with the PDC every 5 minutes (by default). Therefore
a BDC can validate logons. To force synchronisation, in the DOS prompt, type 'net accounts /synch'. One should
use the DOS prompt from 'Start | Programs | Command Prompt' rather than the DOS you get from boot up.
In a Peer-to-peer network a directory database exists on each station.
A Trust relationship is the logical link that combines domains into one administrative unit.
You can create domain user accounts from any computer running NT Workstation or Windows 95/98 by
installing Windows NT Server Administrative Tools on the computer.
Planning user accounts requires the following information:
- Naming Conventions - names must be unique and up to 20 characters except " / \ [ ] : ; | = , + * ?
< >.
- Passwords, Logon Hours and Workstation restrictions - you can restrict which computer
a user can log on from.
- Home Folder Location - this could be on the server or the workstation. NT does not limit
disk space usage on a server. Network traffic will be less if the home folder is on the station, but
central backing up will not be possible.
You create a new user via User Manager for Domains. Click New User on the User menu and add the
details in the boxes. You can make the user change the password at the next login, not allow
the user to change the password, make sure the password never expires or disable the account
if you wish to assign the account to new person without having to rebuild the account.
When a user logs on they pick up a Security Access Token (SAT). If an administrator makes any changes, these
only apply when the user next logs on.
The log on hours can be highlighted (filled in) in the week chart as allowed access or disallowed access.
The log on to box is used to decide which stations the user can use to log on to the domain.
The Account box is used to set when the account expires. The global account option is
for those who are regular users within the domain, whereas the local account is for users who
are from an untrusted domain who need to access a resource in your domain.
The Dialin box is used to allow a user to use Remote Access Server (RAS) to log on. There
can be call-back with a caller-set number, a preset number (for security) or there could
be no call back at all.
You use the User menu to rename or delete accounts.
A default user profile is created when the user first logs on and contains information such as the printer
and network connections and the user's desktop environment. The profiles are stored in each user directory
C:\winnt\profiles as a file called ntuser.dat, change this to ntuser.man makes this
a mandatory profile. This can be used to restrict users to certain parts of the windows environment. Logon
scripts (in batch files or executable files) can also be used to configure network and printer connections
for non-NT clients.
There are two types of roaming user profiles stored on the network server. Roaming mandatory
user profile and Roaming personal user profile. Windows 95 profiles are different from NT profile and
must be created on Windows 95 machines.
Creating a profile is carried out as follows:
- Create a user account as a test user account.
- Log on as the test account.
- The profile is automatically created as you make desktop changes.
- Log off.
- Log on as administrator.
- Create a folder on a server to store the profiles.
- In Control Panel, double-click System and select the User Profiles tab.
- Select the profile that you wish to copy and click Copy to.
- Type the network path to the folder.
- Click Change the Permitted to Use and select the user, click OK.
- Change the name to Ntuser.man if the profile is to be mandatory.
- In User Manager for Domains double-click the user account and in the User properties box select profile.
- In the User Profile box type the UNC path to the network profile user e.g. \\server_name\Profiles\user_name.
The environment tab is used to set the user profile path, the login script name and location and the path
for the home directory. To create a home folder or personal user profile use the %username% variable
e.g. \\server_name\users\%username%.
|