Chapter 7 PowerPoint Slides

Chapter Overview



Creating User and Computer Objects
Maintaining User Accounts
Creating User Profiles
1
Creating User and Computer Objects


Each user needs a user account to log on to a
domain or to a computer.
Each regular network user needs a unique
user account.
2
Introducing User Accounts

Microsoft Windows 2000 has three types of
user accounts:



Local user accounts
Domain user accounts
Built-in user accounts
3
Local User Accounts



Enable users to log on to (and access
resources on) only the computer where the
user account is located
Reside in the computer's local security
database
Are not for use on computers that require
access to domain resources
4
Local User Accounts (Cont.)
5
Domain User Accounts


Domain user accounts allow users to log on
to the domain and access resources
anywhere on the network.
When a user logs on, Windows 2000


Authenticates the user
Creates an access token for the user
6
Domain User Accounts (Cont.)


Domain user accounts are user objects in the
Active Directory database, which is located on
domain controllers.
Domain user accounts are replicated to all
other domain controllers in the domain.
7
Domain User Accounts (Cont.)
8
Built-In User Accounts


Are created automatically by Windows 2000
The two most commonly used:


Administrator: used to manage the overall
computer and domain configuration
Guest: allows occasional users to log on and
access resources
9
Built-In User Accounts (Cont.)

Other built-in user accounts:



IUSR_computername
IWAM_computername
TsInternetUser
10
Creating Domain User Accounts

Use the Active Directory Users And
Computers console to create and manage
domain user accounts.


This tool is automatically installed on all domain
controllers.
You can install this tool on other computers
running Windows 2000 that are not domain
controllers.
11
Active Directory Users And
Computers Console
12
Creating a User Object in a Domain

To create a user object in a domain:
1. Select Start, point to Programs, point to
Administrative Tools, and then click Active
Directory Users And Computers.
2. In the scope pane, right-click the Users folder,
click New, and then click User.
3. Configure the options in the New Object – User
dialog box, and then click Next.
4. Configure password options, and then click Next.
5. Click Finish to create the new user object.
13
The New Object – User Dialog Box
14
Configuring Password Options
15
Simplifying the Creation of User
Accounts


If you often create user objects with the
same properties, create a user template
object to simplify your work.
Then copy the template object to create a
new user object.
16
Setting User Account Attributes

After you create a user account, you can
configure its attributes.


Use the Properties dialog box for the user object
in Active Directory Users And Computers.
To open the dialog box, either double-click the
user object, or right-click the user object and then
click Properties.
17
The Properties Dialog Box of a User
Object
18
Setting Personal Attributes


Four of the tabs in the Properties dialog box
contain personal information about the user
but are not directly related to the operation of
the user object or the Active Directory
service.
These tabs are




General
Address
Telephones
Organization
19
The Address Tab
20
Setting Account Properties

The Account tab in the Properties dialog box
contains several configurable user account
attributes, including




User logon name
Password options
Account expiration options
Logon hours
21
The Account Tab
22
Setting Logon Hours



You can restrict the times a user can log on
to the domain.
By default, access is permitted for all hours
on all days.
When you click Logon Hours in the Account
tab, the Logon Hours dialog box appears.
23
The Logon Hours Dialog Box in the
Account Tab
24
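Added example (not part of the original slides): the Logon Hours grid is stored on the user object as the 21-byte logonHours attribute, one bit per hour of the week in UTC, and this sketch decodes it into local-time ranges for review. The function names, the whole-hour utc_offset parameter, and the sample mask are assumptions made for illustration.

```python
# Added example: decode the 21-byte logonHours attribute (168 bits, one per hour).
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]

def is_unrestricted(logon_hours):
    """Absent attribute or all bits set means logon is allowed at any time."""
    return not logon_hours or logon_hours == b"\xff" * 21

def allowed_slots(logon_hours, utc_offset=0):
    """Return the (day, hour) pairs, shifted to local time, when logon is allowed."""
    if not logon_hours:
        return {(d, h) for d in range(7) for h in range(24)}
    if len(logon_hours) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    slots = set()
    for slot in range(168):
        # Bit 0 of byte 0 is Sunday 00:00-01:00 UTC; bits run least-significant first.
        if (logon_hours[slot // 8] >> (slot % 8)) & 1:
            local = (slot + utc_offset) % 168  # wraps across the Sat/Sun boundary
            slots.add((local // 24, local % 24))
    return slots

def summarize(logon_hours, utc_offset=0):
    """Collapse allowed hours into per-day ranges, e.g. {'Mon': ['08:00-17:00']}."""
    slots = allowed_slots(logon_hours, utc_offset)
    report = {}
    for d, name in enumerate(DAYS):
        ranges = []
        for h in sorted(h for day, h in slots if day == d):
            if ranges and ranges[-1][1] == h:
                ranges[-1][1] = h + 1          # extend the current range
            else:
                ranges.append([h, h + 1])      # start a new range
        if ranges:
            report[name] = [f"{a:02d}:00-{b:02d}:00" for a, b in ranges]
    return report

def build_mask(days, start, end):
    """Constructed sample data: allow UTC hours start..end-1 on the given day indexes."""
    mask = bytearray(21)
    for d in days:
        for h in range(start, end):
            mask[(d * 24 + h) // 8] |= 1 << ((d * 24 + h) % 8)
    return bytes(mask)

SAMPLE = build_mask(range(1, 6), 13, 22)  # constructed: Mon-Fri 13:00-22:00 UTC

if __name__ == "__main__":
    print(summarize(SAMPLE, utc_offset=-5))
```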
Setting the Computers That Users
Can Log On From



You can restrict the computers that a user
can log on to the domain from.
By default, a user can log on from any
computer in the domain.
When you click Log On To in the Account tab,
the Logon Workstations dialog box appears.
25
The Logon Workstations Dialog Box
in the Account Tab
26
Lesson Summary

There are three types of Windows 2000 user
accounts:





Local user accounts
Domain user accounts
Built-in user accounts
Use Active Directory Users And Computers to create
and manage domain user accounts.
You can configure numerous user account attributes,
including




Personal attributes
Account properties
Logon hours
The computers a user can log on from
27
Maintaining User Accounts


User accounts require maintenance.
In order to maintain and modify user
accounts, you need permission to administer
the user objects.
28
Disabling, Enabling, Renaming, and
Deleting User Accounts

Disable a user account when a user will not
need the account for a long time, such as for
a leave of absence.



You can enable the user account when the user
returns.
Rename a user account when a user's name
has changed or if you want to reassign the
account to a different user.
Delete a user account when an employee
leaves the company.
29
Disabling, Enabling, Renaming, and
Deleting User Accounts (Cont.)

To use Active Directory Users And Computers
to disable, enable, rename, or delete a user
account:
1. Open Active Directory Users And
Computers, and then expand the console
tree until the user account is visible.
2. Click the user account, and then from the
Action menu, click the appropriate
command.
30
Disabling, Enabling, Renaming, and
Deleting User Accounts (Cont.)
31
Resetting Passwords and Unlocking
User Accounts


These tasks are performed when a user
cannot log on to the domain or the local
computer because of a password or account
lockout problem.
Members of the Administrators group, by
default, have the permissions necessary to
reset passwords and unlock user accounts.
32
Resetting Passwords


Necessary when a user forgets a password
To reset a password:
1. Open Active Directory Users And Computers, and
then expand the tree until the user account is
visible.
2. Click the user account, click Action, and then click
Reset Password.
3. Type a new password for the user, and retype it
in the Confirm Password box.
4. Select the User Must Change Password At Next
Logon check box, and then click OK.
33
The Reset Password Dialog Box
34
Unlocking User Accounts


Necessary when a user exceeds a specified
number of failed logon attempts
To unlock a user account:
1. Open Active Directory Users And Computers,
and then expand the tree until the user account
is visible.
2. Right-click the user account, click Properties,
and then click the Account tab.
3. Clear the Account Is Locked Out check box.
35
Lesson Summary



Use Active Directory Users And Computers to
disable, enable, rename, and delete user
accounts.
Disabling a user account prevents the user
from logging on, but leaves all of the account
information intact.
Use Active Directory Users And Computers to
reset user account passwords and to unlock
user accounts.
36
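Added example (not part of the original slides): the disable, reset-password, and unlock actions in this lesson change the userAccountControl, pwdLastSet, and lockoutTime attributes of the user object, and this sketch reads an account's state back from those values. It goes beyond the slides by reading directory attributes directly; the function names, the lockout_minutes parameter, and the sample records are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

UAC_ACCOUNTDISABLE = 0x0002            # set when an account is disabled
NEVER = (0, 0x7FFFFFFFFFFFFFFF)        # accountExpires values meaning "never"
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def from_filetime(value):
    """Convert 100-nanosecond ticks since 1601-01-01 UTC to a datetime."""
    return EPOCH + timedelta(microseconds=value // 10)

def to_filetime(dt):
    """Inverse of from_filetime; used here only to build constructed samples."""
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def account_state(rec, now, lockout_minutes):
    """Return the reasons an account cannot log on normally, or ['active'].
    lockout_minutes is the domain's lockout duration; 0 means locked until
    an administrator unlocks the account."""
    state = []
    if rec.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE:
        state.append("disabled")
    locked_at = rec.get("lockoutTime", 0)
    if locked_at:
        until = from_filetime(locked_at) + timedelta(minutes=lockout_minutes)
        if lockout_minutes == 0 or until > now:
            state.append("locked out")
    if rec.get("pwdLastSet", 0) == 0:
        state.append("must change password at next logon")
    expires = rec.get("accountExpires", 0)
    if expires not in NEVER and from_filetime(expires) <= now:
        state.append("expired")
    return state or ["active"]

# Constructed sample records (not from the slides); 0x200 is NORMAL_ACCOUNT.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SET = to_filetime(NOW - timedelta(days=30))
SAMPLES = {
    "alice": {"userAccountControl": 0x200, "pwdLastSet": SET},
    "bob":   {"userAccountControl": 0x202, "pwdLastSet": SET},   # on leave
    "carol": {"userAccountControl": 0x200, "pwdLastSet": SET,
              "lockoutTime": to_filetime(NOW - timedelta(minutes=10))},
    "dave":  {"userAccountControl": 0x200, "pwdLastSet": 0},     # just reset
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, account_state(rec, NOW, lockout_minutes=30))
```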
Creating User Profiles


A user profile stores a user's current desktop
environment, application settings, and
personal data.
A home folder is a folder on a server that is
assigned to a user for storing personal data.
37
Understanding User Profiles


On computers running Windows 2000, user
profiles automatically create and maintain
desktop settings for each user's work
environment on the local computer.
A new user profile is created for each user
logging on to the computer for the first time.
38
Understanding User Profiles (Cont.)

User profiles provide several advantages to
users:



More than one user can work on the same
computer, with all users maintaining their own
desktop settings.
When users log on to their workstations, they
receive the same desktop settings that they had
when they logged off.
Customization of the desktop environment by one
user does not affect another user’s settings.
39
Understanding User Profiles (Cont.)

You can use user profiles to



Create a default user profile
Set up a mandatory user profile
Specify default user settings for all user profiles
40
Profile Types

Local user profile



Created by Windows 2000 the first time a user
logs on to the computer
Stored on the computer's local hard disk
Roaming user profile


A copy of your local user profile that is stored on a
shared server drive
Lets you have your own desktop settings no
matter which computer on the network you use
41
Profile Types (Cont.)

Mandatory User Profile



A roaming profile that the user cannot change
Used to enforce particular desktop settings for
individuals or for a group of users
Can be changed by the user during a logon
session, but the changes are not saved to the user
profile when the user logs off
42
User Profile Contents

Settings


A user profile contains configuration preferences
and options for each user—a snapshot of a user's
desktop environment.
Structure


Local user profiles are stored on the system drive
(usually drive C) in the \Documents and Settings
folder.
Roaming user profiles are stored in a shared folder
on the server.
43
The Directory Structure of a User
Profile
44
Using Local Profiles


The use of local profiles on a computer
running Windows 2000 is transparent to the
user.
Users change their local user profiles without
even knowing it, simply by changing their
desktop settings.
45
Using Roaming Profiles


A roaming user profile is a copy of a local
user profile that is stored on a network
server.
You can implement roaming user profiles to
support users who work at multiple
computers, enabling them to have their
personal desktop settings no matter which
computer on the network they log on to.
46
Creating Roaming User Profiles



Create roaming user profiles on a file server
that is frequently backed up.
For better logon performance, place roaming
user profiles on a member server instead of
on a domain controller.
You must have permission to manage the
user accounts that you want to assign
roaming user profiles for.
47
Creating Roaming User Profiles
(Cont.)

To create a roaming user profile:
1. On the server, create a folder and share it.
2. Open Active Directory Users And Computers.
3. Locate the user object.
4. Right-click the user object, click Properties, and
then click the Profile tab.
5. Type the path to the shared folder on the server.
You can use the %USERNAME% variable in place
of the user's logon name.
6. Click OK.
48
The Profile Tab in the Properties
Dialog Box of a User Object
49
Standard Roaming User Profile



Is a single roaming user profile shared by
multiple users
Provides a standard desktop environment for
multiple users with similar job functions
Simplifies troubleshooting
50
Creating a Standard Roaming User
Profile

To create a standard roaming user profile:
1. Create a user profile template with the
appropriate configuration.
2. Create a shared folder on a server.
3. In Control Panel, double-click System, and then
click the User Profiles tab.
4. Copy the user profile template to the shared
folder, and specify the users who are permitted
to use the profile.
5. For each user, specify the path to the profile
template on the Profile tab in the user object's
Properties dialog box.
51
Copying a User Profile Template
52
Using Mandatory Profiles



A mandatory user profile cannot be changed
by the user.
The user can modify desktop settings while
logged on, but any changes made during the
session are not saved to the user profile.
You create a mandatory user profile by
renaming the Ntuser.dat file (in the folder
containing the roaming profile) to
Ntuser.man.
53
Creating Home Folders



A home folder is a folder where users can
store personal documents.
A home folder can be stored on a client
computer or in a shared folder on a server.
All users' home folders are typically stored in
a central location on a network server.
54
Creating Home Folders on a Server

To create a home folder:
1. On a server, create and share a folder that will store the
home folders of all users.
2. For this shared folder, assign the Full Control permission to
the Users group (and remove the Full Control permission
from the Everyone group).
3. In Active Directory Users And Computers, access the
Profile tab of each user object's Properties dialog box.
4. In the Profile tab for each user, click Connect and specify a
drive letter to connect to.
5. In the To box, specify the path to the user's home folder.
You can use the %USERNAME% variable in place of the
user's logon name.
6. Click OK.
55
Specifying a Path to a Home Folder
56
Lesson Summary




A user profile is a collection of folders and files that
make up the desktop environment for a specific user.
A local user profile is stored on the local drive,
whereas a roaming user profile is stored on a
network server.
A mandatory user profile is a read-only roaming user
profile that the user cannot change.
Home folders provide an additional storage location
for users' personal documents.
57