Chapter 5 The User Environment
- Creating A User Account
- Setting The Expiration Date On A User Account
- Setting Workstation Logon Restrictions
- Setting Restrictions On Logon Hours
- Renaming A User Account
- Copying A User Account
- Disabling A User Account
- Deleting A User Account
- Changing The Rights Assigned To A User
- Creating A Group And Adding Members To The Group
- Viewing And Removing Group Members
- Adding Rights To A Group
- Removing Rights From A Group
- Changing User Passwords
- Setting The Password Expiration Date
- Enabling The Password History
- Setting The Minimum Password Age
- Setting The Number Of Allowed Bad Logon Attempts
- Clearing A Locked Account
- Defining A User's Home Directory
- Creating And Assigning A Profile
- Returning A User's Personal Profile Back To Default
- Creating A Domain-Wide User Policy
- Adding A User-Specific Policy To An Existing Configuration
- Deleting A User Policy
Administrator's Notes...
Administering the user environment in any reasonably large Windows NT installation is something with which the Windows NT administrator quickly becomes proficient. When creating user accounts, you should give careful consideration to the user environment. Assigning appropriate properties when you create user account templates is considerably more productive than creating accounts and then configuring the required properties afterward, especially as the number of accounts increases.
User Accounts
For NT workstations configured as a workgroup, user accounts are managed with the User Manager administration tool. For NT servers in a domain, the User Manager For Domains tool is used. Shown in Figure 5.1, User Manager For Domains is identical to User Manager, with a few additional features.
Figure 5.1 The User Manager For Domains tool.
Windows NT user accounts are identified by the username, which may be up to 20 characters long. Letters, numbers, and some special characters may be used in the username. Each user account may be assigned a password of up to 14 characters, or the password may be blank, if the account policy is configured to allow this. Passwords may be constructed of letters, numbers, and some special characters. Windows NT can be configured to retain a password list of up to the last 24 passwords used so that users are unable to keep reusing the same passwords when forced to change them by the account policy.
When a user account is created, a Security ID, or SID, is assigned to the account. Windows NT uses the SID internally to identify the user account. Windows NT creates the SID by using a hashing algorithm based on three 32-bit numbers generated from the following information:
- Computer name.
- System time on the computer.
- User mode execution time of the process used to create the SID.
Using this method ensures a unique SID is generated for each account.
Once generated, the SID is never changed, so if a user account is renamed, the account will still be recognized by Windows NT and retain its rights and permissions. However, if the user account is deleted and then added using the same username and password, the account would have a different SID than the original, so it would not gain the permissions or rights of the original account. In this case, the required permissions and rights would have to be re-created. To avoid this headache, always make sure that a user account will not be required at a later date before deleting it.
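The rename and delete behavior described above, as an added example that is not from the book: a simplified Python model in which permissions are stored against the SID rather than the username, plus a check for ACL entries whose account no longer exists. The `AccountDatabase` class, the usernames, and the three 32-bit values are constructed for illustration, and the model does not reproduce NT's account database.

```python
import itertools

class AccountDatabase:
    """Simplified model (an assumption, not NT's SAM): names map to SIDs."""

    def __init__(self, sub_authorities):
        # Three 32-bit numbers fixed at installation (constructed sample values).
        self.prefix = "S-1-5-21-" + "-".join(str(n & 0xFFFFFFFF) for n in sub_authorities)
        self._next_rid = itertools.count(1000)  # relative IDs are never reused
        self.sid_by_name = {}

    def create(self, username):
        if username in self.sid_by_name:
            raise ValueError(f"{username} already exists")
        sid = f"{self.prefix}-{next(self._next_rid)}"
        self.sid_by_name[username] = sid
        return sid

    def rename(self, old, new):
        if new in self.sid_by_name:
            raise ValueError(f"{new} already exists")
        # Only the name changes; the SID moves with the account.
        self.sid_by_name[new] = self.sid_by_name.pop(old)

    def delete(self, username):
        # The SID is retired; ACLs that reference it are not cleaned up.
        del self.sid_by_name[username]

    def has_access(self, username, acl):
        # Access is decided by SID membership in the ACL, never by name.
        return self.sid_by_name.get(username) in acl

    def orphaned(self, acl):
        # ACL entries whose SID no longer belongs to any live account.
        live = set(self.sid_by_name.values())
        return sorted(sid for sid in acl if sid not in live)

def demo():
    db = AccountDatabase((1004336348, 1177238915, 682003330))
    acl = {db.create("jsmith")}          # permission granted to the SID
    db.rename("jsmith", "jdoe")
    after_rename = db.has_access("jdoe", acl)
    db.delete("jdoe")
    db.create("jsmith")                  # same username, different SID
    after_recreate = db.has_access("jsmith", acl)
    return after_rename, after_recreate, db.orphaned(acl)

if __name__ == "__main__":
    print(demo())
```

The orphaned entry left behind after the delete is the reason the original permissions have to be granted again to the new account.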
Account Policies
User account configurations are set by the account policy in force for either a specific computer in a workgroup or for the entire domain. The domain account policy has several more options available than the workgroup account policy. Figure 5.2 shows the Account Policy dialog box for a Windows NT domain. The following section explains the policies and the differences between the two configurations.
Figure 5.2 The Account Policy dialog box.