Chapter 12

Managing User and Group Accounts



The fundamental purpose of a network operating system (NOS) is to create a productive environment for users while maintaining a high level of security. This also is the primary goal of all network administrators.

Windows NT Server 4.0 qualifies as an advanced NOS because it not only provides file directory and print services to its users, but also functions as an application server for Microsoft BackOffice and other server-based applications that run as services on Windows NT. The advanced security features of Windows NT Server have the potential to make network administration a very complex and demanding occupation. Fortunately, Microsoft provides a powerful and flexible tool, User Manager for Domains, for managing the users of a Windows NT Server network. User Manager for Domains lets network administrators create and manage individual user accounts and user groups, and manage the security policies that affect the user accounts and groups.

This chapter explains how to

Defining Account and Group Terminology

User accounts are the foundation on which network security is built; groups define collections of users. The following terms are basic to managing user and group accounts:

Working with User Manager for Domains

You can employ User Manager for Domains to manage accounts within any domain to which the user has administrative access. Individual users have administrative access if they are members of any of the three Windows NT user groups shown in table 12.1.

Table 12.1 Windows NT User Groups That Have Permission to Administer User Accounts and Groups

Windows NT User Group    Group Description

Administrators           A local group whose members can perform all user and group management functions.

Domain Admins            A global group that, in most cases, is a member of the Administrators local group. As a member of the Domain Admins group, the user is automatically given local Administrator privileges.

Account Operators        A restricted group whose members can manage most properties of user accounts and groups. A member of this group can't manage the following Windows NT Server groups: Administrators, Domain Admins, Account Operators, Server Operators, Print Operators, and Backup Operators. Members of this group also can't manage the accounts of domain administrators and can't alter domain security policies.

The following sections describe how to take full advantage of the User Manager for Domains application.

Starting the User Manager for Domains

You can start User Manager for Domains (called User Manager from here on for brevity) from the taskbar or from the command line.

To start User Manager from the taskbar's Start menu, choose Programs, Administrative Tools, and User Manager for Domains to open User Manager's window. By default, information for the domain where your user account is defined appears in the window (see fig. 12.1).


Fig. 12.1 Viewing user information for the default domain in User Manager's main window.

To start User Manager from the Run dialog, follow these steps:

  1. From the Start menu, choose Run to open the Run dialog.
  2. In the Open text box, type usrmgr to open User Manager in the domain in which your user account is defined.
  3. With the addition of a command-line argument, you can optionally start User Manager with a connection to a specific domain or server. Usrmgr.exe accepts either a domain name or a server name as the command-line argument:
  4. Click OK to execute the command.


Fig. 12.2 Starting User Manager from the command line with a specific domain name.

Alternatively, you can run User Manager from the Windows NT command prompt by typing the same commands as those shown in step 2.

All Microsoft Network products, including Windows for Workgroups, Windows NT Workstation, and Windows NT Server, use the Universal Naming Convention (UNC) to indicate a specific server. This requires that the server name be prefaced by two backslashes, as in \\fred.

You can display a specific server in User Manager only if the computer maintains its own security database. Otherwise, the domain information for your user account is displayed. If the specified server is a primary or backup domain controller, the domain information is displayed instead of that for the specific server. For more information on domains and security databases, see Chapter 16, "Distributing Network Services with Domains."

Starting Multiple Instances of User Manager

Unlike applications that are limited to a single instance, such as Explorer, User Manager allows multiple simultaneous instances. Running multiple instances of User Manager is a valuable time-saving feature for administrators of large networks or multiple domains.

The most effective method for running multiple instances of User Manager is to create a program icon for each domain or computer that you administer. Each program icon carries the name of the domain or computer as the command-line argument of its command line. By creating multiple User Manager shortcuts in this manner, you can administer each domain simply by double-clicking the program icon.

The easiest method for creating multiple copies of User Manager with assigned domains is to follow these steps:

  1. From the Start menu choose Programs and then Explorer to open an instance of the Windows NT Explorer.
  2. Open the Administrative Tools folder by moving to \Winnt\profiles\All Users\Start Menu\Programs, and then double-clicking the Administrative Tools folder.
  3. Select the User Manager shortcut icon (see fig. 12.3).

    Fig. 12.3 Selecting the User Manager shortcut in the Administrative Tools folder.
  4. From Explorer's Edit menu, choose Copy.
  5. Select the destination folder. To create an additional Start menu item in the Administrative Tools folder, don't change folders.
  6. From the Edit menu choose Paste to add a second User Manager shortcut to the selected folder.
  7. Right-click the new User Manager shortcut icon. From the popup menu, choose Properties to open the User Manager for Domains Properties sheet.
  8. Edit the command-line entry in the Target text box by adding a space and the domain name or the computer name to the end of the command line, as in %SystemRoot%\system32\usrmgr.exe domainname (see fig. 12.4).

    Fig. 12.4 Modifying the properties of the new User Manager shortcut to open to a specified domain.

Selecting a New Domain with User Manager

If you choose to manage multiple domains of computers from the same instance of User Manager, changing domains is an easy task. To select a new domain or server, follow these steps:

  1. From the User menu, choose Select Domain to open the Select Domain dialog (see fig. 12.5).

    Fig. 12.5 Choosing the domain with the Select Domain dialog.
  2. Select a new domain from the Select Domain list by clicking the domain name item. Optionally, you can type a domain or server name in the Domain text box. If you enter a server name, remember to follow the UNC naming convention and precede the server name with two backslashes.



    Note: The following section describes when to specify a Low Speed Connection for connecting to servers on a wide area network (WAN).


  3. Click OK to display the user and group information for the selected domain or server.

Using a Low-Speed Connection to Connect to a Domain

If you're administering a domain or a server through a low-speed connection such as Switched-56, partial T1, or a modem, you achieve better performance and response if User Manager's Low Speed Connection setting is enabled. When you administer a domain, the lists of user accounts, groups, or computers are displayed. The low bandwidth of some WAN connections impedes the speed at which the lists can be produced and managed. Marking the Low Speed Connection check box of the Select Domain dialog improves the management of remote domains by restricting the operation of User Manager in the following ways:

User Manager remembers the last 20 domains or servers previously administered. The Low Speed Connection setting is set or reset automatically when one of the last 20 domains or computers is selected. The last connection speed setting is applied regardless of whether the Low Speed Connection check box of the Select Domain dialog is marked or cleared.

To start User Manager in a low- or high-speed mode, you can include the command-line parameter /l (low speed) or /h (high speed) in the Open text box of the Run dialog, from the command prompt, or in the command-line entry of a User Manager shortcut.

Managing User Accounts

Every user of a Windows NT Server network must have a user account, which consists of all the information that defines a user to the Windows NT network. The user account defines the resources on Windows NT computers and domains that can be accessed by the user.

A user account consists of the typical user name and password, as well as how, when, and where a user can attach to the network; what resources the user can access; and what security rights the user has for the accessible resources. The user account also defines the local and global groups of which the user is a member.

When upgrading an existing Windows NT 3.x server, the user accounts and groups are preserved during the upgrade. For example, a clean Windows NT 4.0 installation does not contain the group Power Users. When upgrading an existing server, this group is preserved and migrated into the new Windows NT Server 4.0 installation.

The following sections describe the built-in user accounts, how to add new accounts, and how to modify account properties to take full advantage of Windows NT Server 4.0's support for networked users.

Managing the Built-In User Accounts

When you install Windows NT and create a domain, two built-in accounts, Administrator and Guest, are established. Unlike named user accounts, the Administrator and Guest accounts can't be deleted. These two accounts are installed on the primary domain controller.

The Administrator Account.

The Administrator account is set up by default to allow the installer to manage and configure the Windows NT Server 4.0 software immediately after installation. The user who manages the domain's overall configuration uses the Administrator account. The Administrator account has more control over the domain and its servers than any other user account on the Windows NT network.

During installation of the primary domain controller, the Windows NT Server 4.0 Setup program prompts for the password of the built-in Administrator account. Remember and protect this password. If you forget or lose the Administrator password, the Administrator account is unusable.

After you install the primary domain controller, it's good practice to create another account that has administrative-level privileges. After you create this account, use it to manage the domain, and reserve the built-in Administrator account for emergency purposes.

The Administrator account is added as a member of the following built-in user groups:

The Administrator account can't be removed from these built-in groups. Detailed descriptions of these user groups appear later in the "Managing User Groups" section.

The Administrator account is the most powerful user on the network, having total access to and control over all resources within the domain for which the account is created. To create a user account with the same power as an Administrator, the user account must be included in all three of the groups of which the Administrator is a member.

One strategy that's often used in large networks is to assign two user accounts to each network administrator: one with administrative permissions and one with only user permissions. The administrative account is used only when performing network management, and the user account is used at all other times. The objective is to prevent inadvertent changes to the network configuration as a result of conventional user activities.

Some of the Administrator capabilities include managing security policies; establishing domain trust relationships; creating, modifying, and deleting user accounts; creating shared directories and printers; modifying operating system software; installing and updating devices; and partitioning disks. This is only a small sample of the capabilities available to an account with full Administrator privileges.

The Guest Account.

The Guest account is at the opposite end of the permissions spectrum from the Administrator account. The Guest account is provided for occasional or one-time users. The built-in Guest account is a part of the Domain Guests built-in group and inherits a very limited set of permissions from that group.

The Guest account isn't the same as the Internet Guest account, IUSR_SERVERNAME, that's created when you install Internet Information Server (IIS) 2.0. The Internet Guest account allows anonymous logon to the server on which IIS is installed and, by default, includes membership in the Domain Users and Guests groups. If you're using IIS for a private intranet, you can delete the Internet Guest account. Additional information on Internet and intranet accounts is provided in Chapter 19, "Setting Up the Internet Information Server," and Chapter 20, "Administering Intranet and World Wide Web Sites."

Although the Guest account can't be removed from the system, the account is disabled by default during installation. This means that the administrator must explicitly enable the account for the Guest account to be used. In practice, this account usually is enabled only if there are resources on the network that must be accessible by individuals who don't have formal accounts that enable file and other resource sharing. As an example, persons without the need to access server files might be allowed to use the Guest account to use a shared printer.

The Guest account initially contains an empty password. An empty password allows users from untrusted domains to log on to your domain as Guest and access any resources that are accessible to the Guest account. The Guest account can be changed by an administrative account to add a password, if desired.

Adding New User Accounts

Your network isn't useful without users, and your network is equally insecure and unproductive if you use only the two built-in accounts. This means that a new user account must be added for each network user, with the possible exception of Guest users. Following are the two methods for adding a new user account:

Creating a New User Account with User Manager.

Add a new user by choosing New User from User Manager's User menu to open the New User dialog. To add a new user account, fill in the dialog's text boxes, mark the appropriate security check boxes, and click the Add button to create the user account. Figure 12.6 shows the New User dialog with text box entries, before security options are selected.


Fig. 12.6 Creating a new account with the New User dialog.

The New User dialog contains many controls that the network administrator must assign values to. The New User dialog contains the following controls:

Understanding the Additional Account Properties.

When adding a new user, a row of six buttons appears at the bottom of the New User dialog (refer to fig. 12.6). These buttons allow the account administrator to specify additional properties for a user account. The buttons that control these properties are Groups, Profile, Hours, Logon To, Account, and Dialin. These properties are explained later in the "Managing User Account Properties" section.

Copying a User Account.

To ease the task of setting up new user accounts, User Manager allows you to copy an existing user account as a template to create a new account. In large networks, a system administrator creates template accounts that contain all the attributes of a user in a particular department. When a new user account must be created, the appropriate template account is copied and the appropriate account information is changed to reflect the details pertinent to the new user.

As noted earlier, template accounts usually are disabled so that users can't access the network or network resources through template accounts.

To copy a user account, perform the following steps:

  1. From User Manager's window, select the user account to be copied.
  2. Choose Copy from the User menu to display the Copy of Username dialog.
  3. Enter the appropriate account information for the new user account (see fig. 12.7).
  4. Click the Add button to create the new user account.


Fig. 12.7 Copying an existing user account to a new user account.

Modifying User Accounts

User Manager allows account administrators to modify user accounts individually or modify multiple accounts simultaneously.

An individual user account can be modified by

Either method displays the User Properties sheet (see fig. 12.8), which looks similar to the New User dialog. The only significant difference between the User Properties sheet and the New User dialog is the addition of an Account Locked Out check box. This check box is disabled unless the account is currently locked out because of an excessive number of incorrect logon attempts; clearing it unlocks the account.


Fig. 12.8 The User Properties sheet for modifying individual user accounts.

You can modify multiple user accounts simultaneously by any one of the following methods:


Fig. 12.9 Selecting users belonging to a particular group.

After the user accounts to be modified are selected, press Enter or choose Properties from the User menu to display the User Properties sheet (see fig. 12.10).


Fig. 12.10 The User Properties sheet for selected user accounts.

When modifying multiple accounts, only the options common to all the users are displayed. The additional account property buttons located at the bottom of the dialog allow the administrator to assign common attributes to all the selected user accounts.

Managing User Account Properties

Additional user account properties are accessed and managed through the set of buttons located at the bottom of the New User and Copy of Username dialogs and the User Properties sheet described in the preceding sections.

These property buttons allow the account administrator to specify additional properties for a user account. The buttons that control these properties are Groups, Profile, Hours, Logon To, Account, and Dialin. The dialogs that appear when you click each button are described in the following sections.

Assigning Group Membership to a User Account

A user account is assigned to group membership by clicking the Groups button to display the Group Memberships dialog (see fig. 12.11). This dialog allows the account administrator to assign and revoke group membership privileges.


Fig. 12.11 Assigning users to groups with the Group Memberships dialog.

The Group Memberships dialog shows all the groups that the account belongs to in the Member Of list. All the groups to which the account does not belong appear in the Not Member Of list.

To assign a user to one or more groups, take one of the following actions:

To remove a group membership from the user account, take one of the following actions:

In the Group Memberships dialog, the setting for the user account's primary group applies only to users accessing a Windows NT network through Services for Macintosh. To set the primary group, select a group from the Member Of list and click the Set button.

Defining and Managing User Profiles

To further define a user's profile, the Profile button lets you select custom settings for one or more users. Clicking the Profile button displays the User Environment Profile dialog, shown in figure 12.12.


Fig. 12.12 Setting user environment parameters in the User Environment Profile dialog.

User profiles provide power and flexibility for system administrators and users when configuring a network environment. User profiles are typically stored in a common folder on a Windows NT server. Windows NT Workstation clients also can have individual user profiles to supplement the user profile stored on the Windows NT server.

Windows NT Server 4.0's user profiles apply to Windows 3.1, Windows for Workgroups 3.1+, Windows NT 3.5+ and 4.0, and Windows 95 clients. Windows 95, however, provides its own mechanism for establishing networked user profiles and system policies, which offer several features not included in Windows NT Server 4.0's user profiles.

See "Server-Stored User Profiles" and "Server-Stored System Policies" (both in Chapter 10).

User profiles specify the startup information when individual users log on to Windows NT. This information includes the user environment (environment variables, paths, and mapped drives), program groups, and available applications. When a user profile is stored on a central NT server, the user environment is the same regardless of the computer the user logs on from. When the user profile is stored on individual NT machines, the environment reflects the settings stored on each machine.

User profiles also can contain mandatory settings that you assign; users aren't allowed to alter these settings. This procedure ensures a standard working environment for each user and relieves the problems that result from erroneous changes made to a user profile, such as deleting a Start menu folder or shortcut.

Specifying the User Profile Path.

The user profile is specified in the User Profile Path text box, which contains the location of a user profile located on a Windows NT server. If the text box is empty, the profile is stored locally on each machine that the user logs on to.

Two types of user profiles are available:

To assign a profile to a user account, type the profile path and file name in the User Profile Path text box. Be sure to follow the UNC naming convention. For example, to store a profile named Profile.usr on the computer BEDROCK in the folder Users, type \\bedrock\users\profile.usr.

You can create the profile file ahead of time by using the User Profile Manager. If the specified profile file doesn't exist when the user first logs on, the file is created automatically by using the default profile that exists on the workstation the user logs on from. Any changes are saved automatically to the profile file.

When using mandatory user profiles, the following rules apply:

Setting a Logon Script Name.

Logon scripts are optional batch files that are run whenever a user logs on to a Windows NT network. Logon scripts are tailored to the client operating system that's used to log on to the network. All client operating systems for Intel PCs, except OS/2, use the .BAT extension for the script file (OS/2 uses the .CMD extension).

Logon scripts aren't as flexible as user profiles but can be used instead of user profiles or with user profiles. By default, all logon scripts are stored in the folder \\SERVERNAME\Winnt\system32\Repl\Import\Scripts, where SERVERNAME is the UNC server name of the primary domain controller for the domain you're administering. Because all scripts are stored in a central spot, only the name of the script file needs to be entered in the Logon Script Name text box. You can change the location of the Scripts folder by using Server Manager.

If a relative path is entered in the Logon Script Name text box, such as \Users\Logon.bat, it's appended to the stored folder path. Using the preceding example, the logon script that runs is \\SERVERNAME\Winnt\system32\Repl\Import\Scripts\Users\Logon.bat.

Logon scripts can be assigned on an individual basis, or the same logon script can be assigned to multiple users.

Specifying a Home Folder.

The home folder is the default folder in which a user is placed when starting a DOS-command session.

Windows NT 4.0, like Windows 95, has adopted the term folder to replace directory; thus, this chapter uses the term home folder, which is likely to be adopted by most users of Windows 95 client PCs.

The home folder also is used as a repository for user files. The home folder can be a folder located on the client's local fixed disk or on a network drive.

To set up a home folder on a local machine, perform the following steps:

  1. In the User Environment Profile dialog (accessed by clicking the Profile button), select the Local Path option.
  2. Type the local path (for example, c:\users\default) in the Local Path text box.

In a network environment, where a user can log on from multiple machines, the home folder should be located on a networked drive so the user can have access to it from any machine. A system administrator can set up shared network drives for users to log on to. To set up a home folder on a networked drive, perform the following steps:

  1. In the User Environment Profile dialog, select the Connect option.
  2. From the drop-down list box, select the drive letter of the client machine to contain the home folder.
  3. In the To text box, type a complete path for the home folder using the UNC naming convention (for example, \\bedrock\home\fred). This makes the home folder available to the user on any machine that the user logs on from.

If the home folder doesn't exist, Windows NT creates the folder. The folder is also protected so that only the specified user (and administrators) have access to the folder contents.

Managing Profiles for Multiple Users.

When multiple users are selected in User Manager's window, the User Environment Profile dialog changes to reflect the selection of multiple users within groups (see fig. 12.13). If all the user profiles to be modified are to share the same profile file name, logon script, and home folder, you make the same dialog entries as for individual accounts, as described in the preceding section.

Fig. 12.13 The User Environment Profile dialog for multiple user accounts.

You can streamline the process for creating individual user profiles based on a single profile for multiple users by utilizing the environment variable %USERNAME%. Windows NT Server 4.0 automatically replaces %USERNAME% with the user's logon ID. Assume that each user is to have an individual user profile with the file name derived from the user's logon name. For the user names FFLINT, WFLINT, and BRUBBLE, supplying the path \\BEDROCK\Profiles\%USERNAME%.usr has the same effect as creating three individual user profiles: \\BEDROCK\Profiles\FFLINT.usr, \\BEDROCK\Profiles\WFLINT.usr, and \\BEDROCK\Profiles\BRUBBLE.usr. The variable %USERNAME% is expanded and replaced with the actual user name when any of the multiple users specified in the Users list of the User Environment Profile dialog log on to the Windows NT network. The %USERNAME% environment variable can be used in any of the text boxes of the User Environment Profile dialog.

Take care when using the %USERNAME% variable with long file names: the variable name is replaced with the actual user name. This may cause problems when DOS, Windows 3.1+, and Windows NT 3.5 clients log on to the network. DOS, Windows 3.1+ (including Windows for Workgroups 3.1+), and Windows NT 3.5 are limited to 8.3 DOS file names. If your network includes clients other than Windows 95 and Windows NT 3.51+, make sure that the folder and profile names follow the 8.3 naming convention. In particular, the user name must not exceed eight characters in length.
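The %USERNAME% expansion, the logon-script path rule from "Setting a Logon Script Name," and the 8.3 caveat above, worked through as an added example that is not code from the book: it expands one profile template for the chapter's sample users, resolves a Logon Script Name entry against the default Scripts folder (SERVERNAME is the chapter's own placeholder), and flags any path component that a DOS, Windows 3.1, or Windows NT 3.5 client could not open. The function names are my own.

```python
"""Added example (not the book's code): how User Environment Profile
entries resolve for several users, plus an 8.3 check for older clients."""
from __future__ import annotations

import re

# Default logon script folder from the chapter; SERVERNAME is the
# chapter's placeholder for the primary domain controller.
SCRIPTS_ROOT = r"\\SERVERNAME\Winnt\system32\Repl\Import\Scripts"

# One DOS 8.3 component: up to 8 name characters, optional 3-character
# extension, no path separators or embedded dots.
_83_COMPONENT = re.compile(r"^[^\\./]{1,8}(\.[^\\./]{1,3})?$")


def expand_username(template: str, username: str) -> str:
    """Replace %USERNAME% (case-insensitive) with the account's logon ID,
    as Windows NT Server does when that user logs on."""
    return re.sub(r"%USERNAME%", username, template, flags=re.IGNORECASE)


def resolve_logon_script(entry: str, scripts_root: str = SCRIPTS_ROOT) -> str:
    """A bare file name or relative path in the Logon Script Name box is
    appended to the replicated Scripts folder."""
    return scripts_root.rstrip("\\") + "\\" + entry.lstrip("\\")


def is_83_name(component: str) -> bool:
    """True if one path component fits the DOS 8.3 limit."""
    return bool(_83_COMPONENT.match(component))


def check_83(unc_path: str) -> list[str]:
    """Return the share, folder and file components of a UNC path that
    exceed 8.3.  The server name is a NetBIOS name, so it is skipped."""
    parts = [p for p in unc_path.split("\\") if p]
    return [p for p in parts[1:] if not is_83_name(p)]


def resolve_profiles(template: str, users: list[str]) -> dict[str, dict]:
    """Expand one profile template for each selected user and note any
    result that a DOS, Windows 3.1 or Windows NT 3.5 client could not open."""
    result = {}
    for user in users:
        path = expand_username(template, user)
        result[user] = {"path": path, "not_83": check_83(path)}
    return result


if __name__ == "__main__":
    # The chapter's sample: three users sharing one template.
    template = r"\\BEDROCK\Profiles\%USERNAME%.usr"
    for user, info in resolve_profiles(template, ["FFLINT", "WFLINT", "BRUBBLE"]).items():
        print(user, info["path"], "OK" if not info["not_83"] else info["not_83"])
    # A constructed long logon name shows the 8.3 problem the chapter warns about.
    print(resolve_profiles(template, ["FREDFLINTSTONE"]))
    print(resolve_logon_script(r"\Users\Logon.bat"))
```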

Managing Logon Hours

When administering a large network, you might want to restrict the hours during which an account has access to the network. For example, certain workers may be able to access network resources only during normal business hours (Monday through Friday from 8 a.m. to 5 p.m.), whereas other users have unrestricted network access.

You manage logon hours for a user account by clicking the Hours button at the bottom of the New User and Copy of Username dialogs and the User Properties sheet to display the Logon Hours dialog (see fig. 12.14).

Fig. 12.14 Managing user logon time limitations with the Logon Hours dialog.

The Logon Hours dialog displays a weekly schedule of times allowed for user logon. The dark areas indicate valid logon times. Logon hours are permitted by selecting the desired hours and clicking Allow. Similarly, restricted hours are specified by selecting the hours and clicking Disallow.

You can use any of the following four methods to select logon times in the Logon Hours dialog:

  • Clicking the day-of-week label (for example, Sunday) selects the entire day.
  • Clicking the top of an hour column selects that hour every day of the week.
  • Clicking the column square above Sunday selects the entire week.
  • Clicking a specific hour selects that hour.

After the logon hours are set, click OK to save the logon hours for that account.

Setting Logon Hours for Multiple Users.

When managing logon hours for multiple users, select the desired users from User Manager's window and click the Hours button from the User Properties sheet. The Logon Hours dialog changes slightly from the single-user version, as shown in figure 12.15.

Fig. 12.15 Managing logon hours for multiple users.

If all the selected users don't have the same logon hours, a message box appears with the warning "The selected users have different Logon Hours settings." If you continue the operation, all the users' logon hours are reset, and new logon hours are set in the same manner previously described for an individual user account.

Logging Off Users Who Are Logged On When Logon Hours Expire.

Although logon hours restrict when users can log on to a Windows NT network, users may be logged on when their logon time expires. The action that occurs in this situation is determined by the Account Policy set up by the domain administrator. (Setting up account policies for terminating after-hour connections is discussed later in the section "Removing Users from the Network When Logon Hours Expire.")

The following two actions can occur when a logged-on user's logon time expires:

  • Typically, logged-on users remain logged on, but they're denied the ability to make any new connections or to access additional network resources.
  • The domain administrator can choose to forcibly disconnect logged-on users on expiry of their specified logon times. When you choose this option, all logged-on users receive a warning to log off the connected resource before the expiry time. Any users who don't log off before the logoff time are automatically disconnected.

The option to forcibly log off applies only to users of client PCs running Windows NT Workstation or Windows 95. Other computers are not disconnected when the logoff time expires; they can't access any new network resources but can continue to use without restriction the resources to which they're connected at the time.
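The Logon Hours grid and the after-hours rules of the two preceding sections, modelled as an added example that is not code from the book: it implements the four selection methods of the dialog, builds the chapter's Monday-through-Friday 8 a.m. to 5 p.m. schedule, performs the comparison behind the "different Logon Hours settings" warning, and returns what happens to an already logged-on user when the hours expire. The class and function names and the sample accounts are my own.

```python
"""Added example (not the book's code): the Logon Hours dialog as a
7-day x 24-hour allow/disallow grid, with the chapter's after-hours rules."""
from __future__ import annotations

DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday",
        "Thursday", "Friday", "Saturday"]
Cells = list  # list of (day_index, hour) pairs selected in the dialog


class LogonHours:
    """One account's weekly schedule; a new account allows every hour."""

    def __init__(self, allowed: bool = True) -> None:
        self.grid = [[allowed] * 24 for _ in DAYS]

    # The four selection methods the dialog offers.  Each returns the cells
    # it covers, so Allow or Disallow can then be applied to them.
    @staticmethod
    def day(name: str) -> Cells:              # click the day-of-week label
        d = DAYS.index(name)
        return [(d, h) for h in range(24)]

    @staticmethod
    def hour_column(hour: int) -> Cells:      # click the top of an hour column
        return [(d, hour) for d in range(len(DAYS))]

    @staticmethod
    def whole_week() -> Cells:                # click the square above Sunday
        return [(d, h) for d in range(len(DAYS)) for h in range(24)]

    @staticmethod
    def cell(name: str, hour: int) -> Cells:  # click a single hour
        return [(DAYS.index(name), hour)]

    def allow(self, cells: Cells) -> LogonHours:
        for d, h in cells:
            self.grid[d][h] = True
        return self

    def disallow(self, cells: Cells) -> LogonHours:
        for d, h in cells:
            self.grid[d][h] = False
        return self

    def may_log_on(self, name: str, hour: int) -> bool:
        """True if the (dark) cell for this day and hour is allowed."""
        return self.grid[DAYS.index(name)][hour]

    def __eq__(self, other: object) -> bool:
        return isinstance(other, LogonHours) and self.grid == other.grid


def business_hours() -> LogonHours:
    """The chapter's example: Monday through Friday, 8 a.m. to 5 p.m."""
    lh = LogonHours().disallow(LogonHours.whole_week())
    for name in DAYS[1:6]:
        lh.allow([(DAYS.index(name), h) for h in range(8, 17)])
    return lh


def same_logon_hours(selected: dict[str, LogonHours]) -> bool:
    """The comparison behind the warning 'The selected users have different
    Logon Hours settings' when several accounts are edited at once."""
    grids = list(selected.values())
    return all(g == grids[0] for g in grids[1:])


def after_hours_action(lh: LogonHours, name: str, hour: int,
                       force_logoff: bool, nt_or_95_client: bool) -> str:
    """What happens to a user who is already logged on at (name, hour):
    nothing inside allowed hours; otherwise no new connections, or a forced
    disconnect when the Account Policy option is set and the client runs
    Windows NT Workstation or Windows 95."""
    if lh.may_log_on(name, hour):
        return "connected"
    if force_logoff and nt_or_95_client:
        return "disconnected"
    return "no new connections"


if __name__ == "__main__":
    # Constructed sample accounts: two restricted, one unrestricted.
    accounts = {"FFLINT": business_hours(), "WFLINT": business_hours(),
                "BRUBBLE": LogonHours()}
    print("Monday 9 a.m. for FFLINT:", accounts["FFLINT"].may_log_on("Monday", 9))
    print("same hours?", same_logon_hours(accounts))
    print(after_hours_action(accounts["FFLINT"], "Monday", 18, True, True))
```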

Restricting Logon Privileges to Assigned Workstations

You can restrict the client computers from which users can log on to the network. This is accomplished by clicking the Logon To button from the New User and Copy of Username dialogs and the User Properties sheet to display the Logon Workstations dialog shown in figure 12.16.

Fig. 12.16 Restricting client logon access through the Logon Workstations dialog.

Workstation restrictions apply only to clients running Windows NT Workstation or Windows 95. Users of other clients aren't affected by these settings.

By default, all new accounts (unless the account is a copied account and the account being copied has restricted access) can log on from all clients. If client logon access needs to be restricted, follow these steps:

  1. Select the User May Log On To These Workstations option.
  2. Type up to eight client computer names in the text boxes.
  3. Click OK to establish the restriction.

When multiple users are selected from User Manager's window, the Logon Workstations dialog displays only the information that applies to all selected users. Selecting the User May Log On To All Workstations option or restricting client access affects all selected users.

    Managing Account Information

    You assign specific user account information by clicking the Account button at the bottom of the New User and Copy of Username dialogs and the User Properties sheet to display the Account Information dialog shown in figure 12.17.

    Fig. 12.17 Altering user accounts through the Account Information dialog.

    The Account Information dialog lets you determine the expiration date of the account and the type of account.

    By default, a user account never expires. In situations where an expiration date is needed (such as when an employee leaves the company or for temporary employees), the account becomes inactive at the end of the day specified in the End Of date edit box.

    The Account Type section specifies whether the account is global or local according to the following rules:

  • Select Global Account if the user account must be recognized by other domains that trust the user logon domain.
  • Select Local Account if the user logs on to the domain from an untrusted domain or if user access is to be restricted to the logon domain.

    The Account Information dialog can be invoked for multiple users. When multiple users are selected, only the properties common to all accounts are shown as selected. Setting any of the options changes all selected accounts.

    Setting User Dial-In Permissions

    Windows NT Server 4.0 has eased the burden of granting dial-in permissions to users. In previous versions, dial-in permissions had to be assigned from the Remote Access Administration utility. Now dial-in permissions can be assigned directly from the User Manager by selecting the Dialin button in the New User and Copy of Username dialogs or the User Properties sheet.

    By default, users do not have dial-in permission. Dial-in permission must be granted to each user. Figure 12.18 shows the Dialin Information dialog.

    Fig. 12.18 Setting callback properties in the Dialin Information dialog.

    If your network's users need dial-in permission, simply mark the Grant Dialin Permission to User check box. Next, the Call Back options must be set. Three choices are available:

  • No Call Back
  • Set By Caller
  • Preset To

    If you select Set By Caller, the user is prompted to enter an optional number that the server can use to call back the user. This option is very valuable for users who travel a great deal, need to access the network for information while on the road, and want to minimize telephone charges.

    The Preset To option is limited because the server calls back to a specific number each time the user dials into the network. This option should be used only for strict security purposes where the user, usually a telecommuter, is always at a specific location.

    Using the Add User Account Wizard

    Wizards are Microsoft's approach to automating multistep operations necessary to achieve a specific objective. Wizards, which originated in Microsoft Access and later migrated to all members of the Microsoft Office suite, are intended primarily to aid new users of Microsoft productivity applications.

    Windows NT Server 4.0 offers eight Administrative Wizards of varying usefulness to Windows NT network administrators. The Add User Account Wizard guides you through the addition of a new user account. To use the wizard properly, however, you must have a fundamental understanding of Windows NT's implementation of user accounts and groups. Thus, the Add User Account Wizard is likely to play a limited or non-existent role in the day-to-day administration of Windows NT 4.0 servers.

    To give the Add User Account Wizard a trial run, which requires that you have Domain Administrator privileges, follow these steps:

  1. From the Start menu choose Programs, Administrative Tools, and then Administrative Wizards to open the Getting Started with Windows NT Server window (see fig. 12.19).

    Fig. 12.19 Selecting the Add User Account Wizard from the Administrative Wizards window.

  2. Double-click the Add User Accounts icon to open the first dialog of the Add User Account Wizard, which displays the server's domain name (see fig. 12.20). Use the Domain Name drop-down list if you want to add the new user to another domain with which your server has a trust relationship. Click the Next button.

    See "Implementing Domains and Trusts Between Domains" (Chapter 16).

    Fig. 12.20 Selecting the domain for the new user in the first Add User Account Wizard dialog.

  3. Type the full name of the user, the user's logon ID, and an optional user description in the three text boxes (see fig. 12.21). Click the Next button.

    Fig. 12.21 Adding user account information in the second Add User Account Wizard dialog.

  4. Assign and confirm a password for the new user in the Password and Confirm Password text boxes (see fig. 12.22). Use the default option, which requires users to change their password at the next logon, unless you have a specific reason for doing otherwise. Click the Next button.

    Fig. 12.22 Specifying a temporary user password in the third Add User Account Wizard dialog.

  5. By default, the new user is added to the Domain Users group. To add the user to another group, select the group in the Available Groups list, and then click the Add button (see fig. 12.23). You can remove a user from an added group by selecting the entry in the Selected Groups list and clicking the Remove button. (The Wizard won't let you remove the user from the Domain Users group.) Click the Next button.

    Fig. 12.23 Adding the new user to an additional user group in the fourth Add User Account Wizard dialog.

  6. Mark the check boxes to set up one or more of the options shown in figure 12.24. Options not available are disabled. The option to set up a Microsoft Exchange Server account for the user is enabled only if you have Microsoft Exchange Server installed. Click the Next button.

    Fig. 12.24 Selecting user account options in the fifth Add User Account Wizard dialog.

  7. The options you specified in step 6 determine the sequence of wizard dialogs. As an example, if you selected Home Directory in step 6, the dialog shown in figure 12.25 appears. Click the On Another Computer option button, specify the user's drive letter mapping in the Connect Drive list for the user's home folder on the server, and type the UNC path to the server share for the home folder in the To text box. (You receive an error message if the share doesn't exist.) Click the Next button. If you selected more than one option in step 6, additional dialogs appear to aid you in setting up the additional options.

    Fig. 12.25 Specifying a home directory and its user share mapping.

    You must have previously created the share for the user's home folder and assigned appropriate permissions for the share. The usual location for home folders is in the \Users folder of the server. Ordinarily, only domain administrators and the user have permissions to users' home folders.

  8. You can add restrictions to the user's account by selecting The Following Restrictions option to enable the four check boxes shown in figure 12.26. If you specify one or more restrictions, additional dialogs appear to help you define the restrictions. Click the Next button.

    Fig. 12.26 Specifying user account restrictions, if applicable.

  9. When you complete the dialogs for user restrictions (if any), the last dialog that appears indicates that the wizard is about to complete the task (see fig. 12.27). Click the Finish button to create the account.

    Fig. 12.27 Confirming the completion of account information entry in the last Add User Account Wizard dialog.

    The account for the new user isn't created until you click the Finish button. You can use the Back button to review your prior steps or cancel the account entry at any point in the process by clicking the Cancel button.

  10. A message box (see fig. 12.28) confirms the creation of the new user account. Click No to exit the Add User Account Wizard or Yes to add another account.

    Fig. 12.28 The message box that confirms the addition of the new user account.

    Administering the Domain Account Policy

    The domain account policy determines password and lockout restrictions for all users in the domain. Choose Account from User Manager's Policies menu to open the Account Policy dialog (see fig. 12.29). The following sections describe how to set domain-wide policies for passwords and account lockout.

    Fig. 12.29 Setting account policies for all domain users with the Account Policy dialog.

    Setting the Account Policy for Passwords

    The domain administrator can define the following types of password restrictions:

  • Maximum Password Age determines how long account passwords are in effect before they expire. The options are Password Never Expires or Expires In n Days (the default).
  • Minimum Password Age determines how long a user account is forced to retain a new password. The objective is to prevent users from entering a dummy password when their password expires and then immediately changing it back to the old password. The options available are Allow Changes Immediately (the default) or Allow Changes In n Days.
  • Minimum Password Length determines the minimum allowable length for all passwords. The options available are Permit Blank Password (the default) or At Least n Characters. To maintain a secure network, require passwords of at least six (preferably at least eight) characters.
  • Password Uniqueness tells Windows NT Server whether to keep a history of previously used passwords. The objective is to prevent users from reusing the same password when a password expires. The available options are Do Not Keep Password History (the default) or Remember n Passwords. For maximum security, set n to 8 or greater.
  • At the bottom of the Account Policy dialog is a Users Must Log On in Order to Change Password check box. If this option is selected and a user's password expires, the user of the account must ask the account administrator to change the password.
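
    The four password settings above, together with the Users Must Log On in Order to Change Password check box, amount to a small set of checks that run whenever a user tries to change a password. The following Python block is an added example, not code from the book and not how Windows NT implements the policy internally; the PasswordPolicy and Account classes, the sample dates and the plaintext sample passwords are constructed for illustration (a real system compares hashes). It also makes the reasoning behind Minimum Password Age concrete: without it, the history check can be satisfied by changing the password several times in a row until the old one is forgotten.

```python
"""Added example: evaluating Windows NT-style domain password policy settings.
Policy values, account records and dates below are constructed for
illustration; real systems store password hashes, not the plaintext used here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class PasswordPolicy:
    # None stands for the "off" choice of each Account Policy setting:
    # Password Never Expires, Allow Changes Immediately, Permit Blank
    # Password and Do Not Keep Password History respectively.
    max_age_days: Optional[int] = 42
    min_age_days: Optional[int] = None
    min_length: Optional[int] = None
    history_size: Optional[int] = None
    must_log_on_to_change: bool = False   # Users Must Log On in Order to Change Password


@dataclass
class Account:
    username: str
    password: str            # current password (plaintext only for the demo)
    last_set: datetime       # when the current password was set
    history: List[str] = field(default_factory=list)   # previous passwords, newest first


def password_expired(policy: PasswordPolicy, acct: Account, now: datetime) -> bool:
    """Maximum Password Age: the password expires once it is max_age_days old."""
    if policy.max_age_days is None:
        return False
    return now - acct.last_set >= timedelta(days=policy.max_age_days)


def check_password_change(policy, acct, new_password, now, logged_on=True):
    """Return the list of policy violations; an empty list means the change is allowed."""
    problems = []
    # With the check box set, an expired password cannot be changed from the
    # logon prompt; only an administrator can reset it.
    if policy.must_log_on_to_change and not logged_on and password_expired(policy, acct, now):
        problems.append("password expired; an administrator must reset it")
    # Minimum Password Age: stops the change-and-change-back trick.
    if policy.min_age_days is not None and now - acct.last_set < timedelta(days=policy.min_age_days):
        problems.append(f"changed less than {policy.min_age_days} day(s) ago")
    # Minimum Password Length
    if policy.min_length is not None and len(new_password) < policy.min_length:
        problems.append(f"shorter than minimum length of {policy.min_length}")
    # Password Uniqueness: the current password plus the n-1 before it are remembered.
    if policy.history_size is not None:
        remembered = [acct.password] + acct.history[: policy.history_size - 1]
        if new_password in remembered:
            problems.append(f"matches one of the last {policy.history_size} passwords")
    return problems


def apply_password_change(policy, acct, new_password, now, logged_on=True):
    """Change the password if policy allows; return the violations found (empty on success)."""
    problems = check_password_change(policy, acct, new_password, now, logged_on)
    if problems:
        return problems
    acct.history.insert(0, acct.password)
    if policy.history_size is not None:
        del acct.history[policy.history_size - 1:]   # keep only what the history needs
    acct.password = new_password
    acct.last_set = now
    return []


# Constructed sample data used by the demo below.
SAMPLE_POLICY = PasswordPolicy(max_age_days=42, min_age_days=1, min_length=8, history_size=3)
NOW = datetime(2019, 2, 1)
LATER = datetime(2019, 2, 12)     # exactly 42 days after the sample password was set


def sample_account() -> Account:
    return Account("alice", "Winter2019!", datetime(2019, 1, 1), ["Autumn2018!", "Summer2018!"])


if __name__ == "__main__":
    acct = sample_account()
    for candidate in ("short", "Autumn2018!", "Spring2019!"):
        print(candidate, check_password_change(SAMPLE_POLICY, acct, candidate, NOW))
    print(apply_password_change(SAMPLE_POLICY, acct, "Spring2019!", NOW))
    print(apply_password_change(SAMPLE_POLICY, acct, "Fresh2019!!", NOW))   # blocked by minimum age
```

    Running the block shows the history check rejecting a password last used two changes ago, and the minimum-age check rejecting a second change on the same day even though the new password itself is acceptable.
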

    Setting the Account Lockout Policy

    The Account Lockout Policy setting determines the actions that are taken if a user forgets his password, or illegal attempts are made to access the network, as evidenced by multiple failed attempts to log on. In this event, either of the following actions can be chosen:

  • No Account Lockout. If this option is selected, any user can try an unlimited number of times to log on to the network.
  • Account Lockout. If this option is selected, the domain administrator sets up lockout parameters to deter repeated illegal logon attempts. The following sections explain the lockout parameters.

    Setting Account Lockout Options

    One of the following two options applies to the Account Lockout setting:

  • Lockout After n Bad Logon Attempts locks out the user account after n failed logon attempts occur. This option forces the account user to wait until the account is unlocked, either through administrative or automatic intervention.
  • Reset Count After n Minutes automatically resets the number of bad logon attempts to zero after n minutes of account inactivity since the last bad logon attempt.

    Setting Lockout Duration Options

    One of the following two options applies to the Lockout Duration setting:

  • Forever (Until Admin Unlocks). When this option is selected, the account is locked out indefinitely until the administrator manually resets the account.
  • Duration n Minutes. When this option is selected, the account automatically unlocks after n minutes of locked time.
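
    The three lockout parameters interact: the bad-logon counter only advances while failures arrive within the reset window, the threshold freezes the account, and the duration decides whether time or an administrator unlocks it. The following Python block is an added example, not code from the book or the operating system, that replays a constructed sequence of logon attempts through that state machine; the LockoutPolicy values, the timestamps and the return strings are illustrative.

```python
"""Added example: the account lockout counter behind the Account Policy
dialog's Lockout After / Reset Count After / Lockout Duration settings,
replayed over a constructed list of logon attempts. Not the operating
system's own code; policy values and timestamps are illustrative."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: Optional[int] = 5          # None = No Account Lockout
    reset_after_minutes: int = 30         # Reset Count After n Minutes
    duration_minutes: Optional[int] = 30  # None = Forever (Until Admin Unlocks)


@dataclass
class LockoutState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_at: Optional[datetime] = None


def is_locked(policy: LockoutPolicy, state: LockoutState, now: datetime) -> bool:
    if state.locked_at is None:
        return False
    if policy.duration_minutes is None:
        return True                        # stays locked until admin_unlock()
    return now - state.locked_at < timedelta(minutes=policy.duration_minutes)


def admin_unlock(state: LockoutState) -> None:
    """Clear the lockout, as an administrator does from User Manager."""
    state.locked_at = None
    state.bad_count = 0
    state.last_bad = None


def record_logon(policy, state, now, success) -> str:
    """Apply one logon attempt and return 'ok', 'denied' or 'locked'."""
    if is_locked(policy, state, now):
        return "locked"                    # even a correct password is refused
    if state.locked_at is not None:
        admin_unlock(state)                # Duration n Minutes has elapsed: automatic unlock
    if success:
        state.bad_count = 0
        state.last_bad = None
        return "ok"
    if policy.threshold is None:
        return "denied"                    # No Account Lockout: failures are not counted
    # Reset Count After n Minutes: an old streak of failures does not carry over.
    if state.last_bad is not None and now - state.last_bad >= timedelta(minutes=policy.reset_after_minutes):
        state.bad_count = 0
    state.bad_count += 1
    state.last_bad = now
    if state.bad_count >= policy.threshold:
        state.locked_at = now              # Lockout After n Bad Logon Attempts
        return "locked"
    return "denied"


def replay(policy: LockoutPolicy, attempts: List[Tuple[datetime, bool]]) -> List[str]:
    """Run a sequence of (time, password_correct) attempts from a fresh state."""
    state = LockoutState()
    return [record_logon(policy, state, t, ok) for t, ok in attempts]


T0 = datetime(2019, 1, 1, 9, 0)            # constructed start of the sample day


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, reset_after_minutes=30, duration_minutes=60)
    burst = [(at(0), False), (at(1), False), (at(2), False), (at(3), True), (at(70), True)]
    print(replay(policy, burst))       # third failure locks; the correct password at 9:03 is still refused
    spread = [(at(0), False), (at(45), False), (at(46), False)]
    print(replay(policy, spread))      # failures 45 minutes apart never reach the threshold
```

    The second replay is the point of Reset Count After n Minutes: a user who mistypes a password a few times over a morning is not locked out, while a burst of failures within the window is.
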
    Removing Users from the Network When Logon Hours Expire

    When users are logged on to a Windows NT network and their logon hours expire, the domain administrator can either continue to let them access the network resources to which they're already logged on, or forcibly disconnect all users running Windows NT Workstation or Windows 95 from the network. This option is the same as the option described earlier in the section "Logging Off Users Who Are Logged On When Logon Hours Expire," except that all domain users are affected by this option.

    If the option Forcibly Disconnect Remote Users from Server When Logon Hours Expire is selected in the Account Policy dialog, remote users whose logon hours expire are prompted to disconnect from the network. If users don't log off, the server will disconnect them automatically.
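
    Taken together, the per-user settings described earlier in this chapter (the logon-hours grid, the Logon Workstations dialog and the account expiration date in the Account Information dialog) and the domain-wide forcible-disconnect option above form one admission decision at logon time and one session decision when the hours run out. The following Python block is an added example, not code from the book or the operating system, that evaluates both for a constructed account; the UserAccount class, the 7 x 24 list of hour flags, the sample user "alice", the workstation names and the dates are all assumptions made for the illustration.

```python
"""Added example: evaluating a user's logon hours, workstation restriction and
account expiration at logon time, and deciding what happens to a session that
is still connected when the logon hours expire. Users, schedules and machine
names are constructed; this is not the operating system's own code."""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import FrozenSet, List, Optional

HOURS_PER_WEEK = 7 * 24


@dataclass
class UserAccount:
    name: str
    # One flag per hour of the week, hour 0 being Sunday 00:00-01:00, mirroring
    # the 7 x 24 grid of the Logon Hours dialog (all hours allowed by default).
    allowed_hours: List[bool] = field(default_factory=lambda: [True] * HOURS_PER_WEEK)
    workstations: Optional[FrozenSet[str]] = None   # None = User May Log On To All Workstations
    expires_on: Optional[date] = None               # account is inactive after the end of this day


def week_hour(moment: datetime) -> int:
    # datetime.weekday() counts from Monday=0; the grid starts on Sunday.
    day = (moment.weekday() + 1) % 7
    return day * 24 + moment.hour


def restrict_hours(acct, days, start_hour, end_hour):
    """Permit logon only during [start_hour, end_hour) on the given days (0 = Sunday)."""
    acct.allowed_hours = [False] * HOURS_PER_WEEK
    for d in days:
        for h in range(start_hour, end_hour):
            acct.allowed_hours[d * 24 + h] = True


def restrict_workstations(acct, names):
    """The Logon Workstations dialog accepts at most eight computer names."""
    if len(names) > 8:
        raise ValueError("at most eight workstation names can be listed")
    acct.workstations = frozenset(n.upper() for n in names)   # NetBIOS names compare case-insensitively


def can_log_on(acct, workstation, moment):
    """Return None when the logon is permitted, otherwise the reason it is refused."""
    if acct.expires_on is not None and moment.date() > acct.expires_on:
        return "account expired"
    if acct.workstations is not None and workstation.upper() not in acct.workstations:
        return "not permitted from this workstation"
    if not acct.allowed_hours[week_hour(moment)]:
        return "outside logon hours"
    return None


def session_action(acct, moment, client_is_nt_or_95, force_disconnect):
    """What happens to an existing session at `moment`.

    force_disconnect is the domain-wide "Forcibly Disconnect Remote Users from
    Server When Logon Hours Expire" setting. Only Windows NT Workstation and
    Windows 95 clients are actually disconnected; other clients keep their
    current connections but cannot open new ones."""
    if acct.allowed_hours[week_hour(moment)]:
        return "keep"
    if force_disconnect and client_is_nt_or_95:
        return "disconnect"
    return "no new connections"


def when(year, month, day, hour):
    return datetime(year, month, day, hour)


def sample_user() -> UserAccount:
    """Constructed account: weekday office hours, two named workstations, expires 30 June 2019."""
    alice = UserAccount("alice", expires_on=date(2019, 6, 30))
    restrict_hours(alice, days=range(1, 6), start_hour=8, end_hour=18)   # Monday to Friday
    restrict_workstations(alice, ["ws01", "ws02"])
    return alice


if __name__ == "__main__":
    alice = sample_user()
    print(can_log_on(alice, "WS01", when(2019, 6, 3, 10)))   # Monday 10:00 -> None (allowed)
    print(can_log_on(alice, "WS09", when(2019, 6, 3, 10)))   # unlisted workstation
    print(can_log_on(alice, "WS01", when(2019, 6, 2, 10)))   # Sunday
    print(can_log_on(alice, "WS01", when(2019, 7, 1, 10)))   # after the expiration date
    print(session_action(alice, when(2019, 6, 3, 18), True, True))
```

    The order of the checks matters for what the user sees: an expired account is refused before the workstation or hours are consulted, and the expiration test uses the date alone so that the account stays usable through the whole of its last day, as the Account Information section states.
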

    Managing User Groups

    The preceding sections of this chapter make many references to user groups. User groups define the rights and privileges that are assigned to the users in those groups. At the bottom portion of User Manager's window is a scrollable, alphabetically sorted list of the standard (built-in) groups of Windows NT Server 4.0 (see fig. 12.30).

    Fig. 12.30 Built-in user groups available in User Manager's window.

    Two types of groups are shown in the Groups list: global groups and local groups. A global group is depicted with a world globe in the background; a local group is depicted with a workstation in the background.

    User Manager lets domain administrators create, modify, and delete groups; assign user accounts to groups; and remove user accounts from groups. The following sections describe the 11 built-in user groups of Windows NT Server 4.0 and explain the management of user groups.

    Examining the Built-In Groups of Windows NT Server 4.0

    The actions that a user account can perform depend on the group memberships assigned to the user account, the rights and privileges the user account inherits from the group(s), plus specific permissions assigned to the account by the account administrator. Windows NT Server 4.0 has 11 built-in user groups, each with a pre-established set of permissions for use of network resources. Descriptions of a few of these groups, by necessity, appear earlier in this chapter but are repeated here for completeness. Following is a brief description of each built-in user group, in the approximate order of decreasing privilege:

  • The Administrators group is the most powerful local group in the domain. The administrators are responsible for the overall configuration of the domain and the domain's servers.
  • Domain Admins is a global group that's a member of the Administrators group. By default, members of the Domain Admins group are as powerful as the Administrators group. The Domain Admins group can be removed from the Administrators group, if necessary, to restrict the group's authority.
  • Users is a local group that provides the capabilities that most users need to perform normal tasks. Members of this group have no rights to administer servers running Windows NT Server 4.0.
  • Domain Users is a global group that's a member of the local Users group. By default, all new accounts are automatically added to this group, unless the account is specifically removed by the account administrator.
  • Account Operators is a local group that allows its members to use the User Manager application to create new groups and accounts. Members of this group have limited capabilities to administer accounts, servers, and groups in the domain. Members of this group can't modify or delete accounts or groups belonging to the Administrators, Domain Admins, Account Operators, Backup Operators, Print Operators, or Server Operators groups. Account operators can't administer account policies.
  • Backup Operators is a local group that can back up and restore files on the domain's primary and backup controllers. Members of this group also can log on to a server and shut down the server, presumably for backup operations.
  • Print Operators is a local group that allows its members to create and manage printer shares in the domain. These members also can log on to a server and shut down the server.
  • Server Operators is a local group that allows its members to manage the domain's primary and backup controllers. This group's members also can manage folder and print shares, as well as administer server functions such as setting system time for the entire domain.
  • Replicator is a local group that supports the capability to perform folder replication functions. Only accounts needed to log on to the Replicator services of the primary and backup domain controllers should be members of this group.
  • Domain Guests is a global group that's a member of the local Guests group. This group is intended for user accounts that have more limited rights than a member of the Domain Users group.
  • Guests is a local group with very limited capabilities. This group is used for occasional or one-time users.

    The Power Users group of Windows NT 3.51 isn't included as a built-in group of Windows NT 4.0. When upgrading a Windows NT 3.x server to Windows NT 4.0, the Power Users group is migrated to 4.0.

    Adding Local Groups

    The built-in user groups are adequate for most Windows NT Server 4.0 networks. If you have a large, complex network, you might want to define your own user groups by, for example, organizational function or department. As an example, members of the Finance, Marketing, Sales, and Production departments might have their own group. Similarly, vice presidents, directors, managers, and supervisors might be assigned to their own group.

    To add a local group to the domain, follow these steps:

  1. From User Manager's User menu, choose New Local Group to display the New Local Group dialog (see fig. 12.31).

    Fig. 12.31 Adding a new local group with User Manager.

  2. In the Group Name text box, type a group name that's no longer than 20 characters. A group name is required.
  3. Type a group description in the Description text box. Although this is optional, a meaningful description is useful as your network grows and more groups are added.
  4. To add user accounts to the new group, click the Add button to display the Add Users and Groups dialog (see fig. 12.32). To add users to the local group, follow these steps:

     1. Select the account entry in the Names list and click the Add button, or double-click the entry in the Names list to add the account to the Add Names list. (A description of each option in the Add Users and Groups dialog follows.)
     2. Repeat step 1 for each additional account you want to add to the new group.
     3. Click OK to add the accounts to the new group and close the Add Users and Groups dialog.

    Fig. 12.32 Adding new user accounts and global groups to a local group.

    Local groups can include users and global groups from the domain of the local group. Local groups also can include global users and global groups from other domains that are trusted by the local groups' domain.

    The purpose of the options in the Add Users and Groups dialog is as follows:

  • List Names From. This drop-down list lets you select the domain from which to add names or groups. The default setting is the domain for the local group.
  • Names. This list displays all the users and global groups of the domain that's being viewed. The items in this list are candidates for inclusion in the new local group.
  • Members. To view the members of a global group, select the global group from the Names list and click the Members button.
  • Search. This button is used to find a domain name, a useful feature if your network contains many domains.

    Adding Global Groups

    The process for adding a new global group is identical to adding a local group, except that rather than choose New Local Group, you choose New Global Group from the User menu to display the New Global Group dialog (see fig. 12.33). Unlike local groups, which can contain global groups and users, a global group can contain only users.

    Fig. 12.33 Adding a new global group with User Manager.

    Copying a Group

    If a new group needs to be created, and the group will have rights and members similar to those of another group, it's easier to copy a group than to add a new group and manually set up the group's attributes. To copy a group, follow these steps:

  1. Select a group to copy in User Manager's window.
  2. From the User menu choose Copy.
  3. The Add New Local Group or Add New Global Group dialog appears, depending on the type of group you selected in step 1.
  4. Type a new name and description for the group.
  5. Modify the group's membership, as necessary.
  6. Click OK to create the new group and close the dialog.

    Deleting Groups from the Domain

    Only user-defined groups may be deleted from the domain. The built-in groups of Windows NT Server 4.0 can't be deleted.

    Be careful when deleting groups from a domain. A deleted group can't be restored by an undo process.

    Each group you create receives a unique security identifier (SID). If you delete a group and re-create a group with the identical name, the new group receives a different SID and doesn't inherit the original group's attributes.

    To delete a group from a domain, follow these steps:

  1. Select the group to delete from the Groups list of User Manager's window.
  2. From the User menu choose Delete. A warning message appears (see fig. 12.34).

    Fig. 12.34 Warning shown when deleting a group from a domain.

  3. Click OK to proceed with the transaction, or click Cancel to abort the operation.
  4. If you click OK, a second message asks the operator to confirm the decision. Click Yes to delete the group.

    Deciding When to Use Local Groups or Global Groups

    Determining when to add a local group or a global group to a domain can often be difficult. Use the following guidelines to determine whether to create a new global or local group:

  • Use global groups when user accounts from this domain need to access resources of this domain and other domains.
  • Use local groups when user accounts from this domain or other domains need to be given access to resources of this domain. A local group should also be used when global groups from this domain or other domains need to be given access to resources of this domain.

    Providing Users in Trusted Domains Access to Resources in Trusting Domains

    Although one domain trusts another domain, the trust relationship doesn't grant users access to resources in the trusting domain. The easiest method for allowing users from other domains access to your resources is to add a global group from the outside domain to a local group in your domain.

    User Manager lets you create global groups in other domains if the other domain trusts your domain. You can set up a global group in the external domain, select the user accounts needed from the outside domain, and then assign that global group to a local group in your domain.

    See "Establishing Trusts" (Chapter 16).

    Using the Group Management Wizard

    The Group Management Wizard is a tool for creating new groups and adding users to the new group. You also can use the Group Management Wizard to change the membership of or delete existing groups.

    The Group Management Wizard turns entering the information of the New Global Group or New Local Group dialog into a multistep process. Thus, it's questionable whether this wizard is of significant benefit to Windows NT network administrators.

    To decide for yourself whether use of the Group Management Wizard is worthwhile, follow these steps:

  1. From the Start menu choose Programs, Administrative Tools, and then Administrative Wizards to open the wizard selection dialog; then double-click the Group Management icon to display the first Group Management Wizard dialog.
  2. The wizard lets you create a new group and add members or modify the membership roster of an existing group. To create a new group, accept the default Create a New Group and Add Members option (see fig. 12.35). Click the Next button.

    Fig. 12.35 Choosing between creating a new group and working with an existing group in the first Group Management Wizard dialog.

    If you choose to modify an existing group, you select the computer on which the group was created, and then select the group to modify. You can delete the group or, in a succeeding dialog, modify the membership of the group.

  3. Type the name of the new group (spaces are allowed in the group name) and an optional description in the two text boxes (see fig. 12.36). Click the Next button.

    Fig. 12.36 Naming and describing a new group in the second Group Management Wizard dialog.

  4. If you're working at the server on which the group is to be created, accept the default option, On My Computer (see fig. 12.37); otherwise, select On Another Computer. Click the Next button.

    Fig. 12.37 Specifying the location of the new group in the third Group Management Wizard dialog.

  5. If you select a computer that's a domain controller, the message shown in figure 12.38 appears. Click OK to continue.

    Fig. 12.38 The message that notifies you that the computer on which the group is to be created is a domain controller.

  6. You can choose between creating a Global Group (the default) and a Local Group (see fig. 12.39). Unless you have a specific reason for creating a Local Group, accept the default and click Next.

    Fig. 12.39 Choosing between a new Global Group and a Local Group in the fourth Group Management Wizard dialog.

  7. All users appear in the Available Members list. Select each user you want to join to the new group and click the Add button to add the user to the Selected Members list (see fig. 12.40). When you've added all the members, click Next.

    Fig. 12.40 Adding users to the new group in the fifth Group Management Wizard dialog.

  8. The last dialog (see fig. 12.41) confirms the name and the domain for the new group. Click Finish to add the new group to the domain.

    Fig. 12.41 Confirming the addition of the new group in the last Group Management Wizard dialog.

  9. A message confirms addition of the new group (see fig. 12.42). If you've had enough group management wizardry for the moment, click No. If you want to give the Group Management Wizard another try, click Yes.

    Fig. 12.42 The message indicating that, at last, the group has been created.

    Managing User Rights Policy

    Each user's capabilities are determined by the rights and privileges assigned to the user. A user's rights refer to the entire system or domain. All rights are assigned by User Manager. The rights assigned to a user directly affect the tasks that a user can perform on the network.

    Permissions assigned to a user refer to the specific files, folders, and hardware devices that are accessible to a user. For additional information on user permissions, see Chapter 13, "Sharing and Securing Network Resources."

    Determining User Rights

    A Windows NT network has two categories of rights: basic and advanced. Table 12.2 lists the user rights of Windows NT Server 4.0 and the built-in groups that receive these rights.

    Table 12.2 Basic Rights for the Built-In Windows NT Groups

    User Rights                                Groups Rights Are Assigned To
    -----------------------------------------  -------------------------------------------------------------------------------------
    Access this computer from network          Administrators, EVERYONE
    Add workstations to domain                 Administrators, Backup Operators, Server Operators
    Backup files and directories               Administrators, Backup Operators, Server Operators
    Change the system time                     Administrators, Server Operators
    Force shutdown from a remote system        Administrators, Backup Operators, Server Operators
    Load and unload device drivers             Administrators
    Log on locally                             Account Operators, Administrators, Backup Operators, Print Operators, Server Operators
    Manage auditing and security log           Administrators
    Restore files and directories              Administrators, Backup Operators, Server Operators
    Shut down the system                       Account Operators, Administrators, Backup Operators, Server Operators
    Take ownership of files or other objects   Administrators
    Bypass traverse checking                   EVERYONE
    Log on as a service                        Replicators
    Assign user rights                         Administrators
    Create and manage local groups             Administrators, Users
    Create and manage user accounts            Administrators
    Create common groups                       Administrators
    Format computer's hard disk                Administrators
    Keep local profile                         Administrators, EVERYONE
    Lock the computer                          Administrators, EVERYONE
    Manage auditing of system events           Administrators
    Override the lock of the computer          Administrators
    Share and stop sharing directories         Administrators
    Share and stop sharing printers            Administrators

    The term EVERYONE is not a group, but a Windows NT convention for indicating that all users in all groups have this right.
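
    Which rights a given user actually holds on a domain's controllers follows from two things described in this chapter: the containment rules for groups (a global group holds only users of its own domain; a local group holds users and global groups from its own domain or from a domain it trusts, which is how users in trusted domains reach resources in trusting domains) and the per-group grants in Table 12.2. The following Python block is an added example, not code from the book or the operating system, that models both for a constructed two-domain network; the domain names CORP and SALES, the users, the "Corp Backup" global group and the one-way trust are assumptions made for the illustration, and RIGHTS carries only a subset of the table.

```python
"""Added example: a small model of Windows NT 4.0 global and local groups,
the containment rules for groups across trusted domains, and the user rights
of Table 12.2 resolved for a user in a given domain. Domain names, user
names, groups and trusts are constructed; this is not the operating
system's own code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Part of Table 12.2: right -> groups the right is granted to by default.
# "EVERYONE" is the convention for every user in every group.
RIGHTS: Dict[str, Set[str]] = {
    "Access this computer from network": {"Administrators", "EVERYONE"},
    "Backup files and directories": {"Administrators", "Backup Operators", "Server Operators"},
    "Change the system time": {"Administrators", "Server Operators"},
    "Log on locally": {"Account Operators", "Administrators", "Backup Operators",
                       "Print Operators", "Server Operators"},
    "Manage auditing and security log": {"Administrators"},
    "Shut down the system": {"Account Operators", "Administrators", "Backup Operators",
                             "Server Operators"},
}

Member = Tuple[str, str]   # (domain name, user or global group name)


@dataclass
class Domain:
    name: str
    trusts: Set[str] = field(default_factory=set)   # domains whose accounts this domain trusts
    users: Set[str] = field(default_factory=set)
    global_groups: Dict[str, Set[str]] = field(default_factory=dict)     # name -> users of this domain
    local_groups: Dict[str, Set[Member]] = field(default_factory=dict)   # name -> users / global groups


Network = Dict[str, Domain]


def add_global_member(dom: Domain, group: str, user: str) -> Optional[str]:
    """A global group can contain only user accounts from its own domain."""
    if user not in dom.users:
        return f"{user} is not an account in {dom.name}"
    dom.global_groups.setdefault(group, set()).add(user)
    return None


def add_local_member(net: Network, dom: Domain, group: str, member_domain: str, member: str) -> Optional[str]:
    """A local group can contain users and global groups from its own domain
    or from a domain it trusts; it cannot contain another local group."""
    if member_domain != dom.name and member_domain not in dom.trusts:
        return f"{dom.name} does not trust {member_domain}"
    src = net[member_domain]
    if member not in src.users and member not in src.global_groups:
        return f"{member} is not a user or global group of {member_domain}"
    dom.local_groups.setdefault(group, set()).add((member_domain, member))
    return None


def local_groups_of(net: Network, dom_name: str, user_domain: str, user: str) -> Set[str]:
    """Local groups of dom_name that the user belongs to, directly or through a global group."""
    own_globals = {g for g, members in net[user_domain].global_groups.items() if user in members}
    result = set()
    for lg, members in net[dom_name].local_groups.items():
        if any(md == user_domain and (m == user or m in own_globals) for md, m in members):
            result.add(lg)
    return result


def effective_rights(net: Network, dom_name: str, user_domain: str, user: str) -> Set[str]:
    """Rights from the table that the user holds on dom_name's controllers."""
    groups = local_groups_of(net, dom_name, user_domain, user)
    return {right for right, granted in RIGHTS.items() if "EVERYONE" in granted or granted & groups}


def build_network() -> Network:
    """Constructed two-domain network: SALES trusts CORP, but not the other way round."""
    corp = Domain("CORP", users={"alice", "bob"})
    sales = Domain("SALES", trusts={"CORP"}, users={"carol"})
    net = {"CORP": corp, "SALES": sales}
    add_global_member(corp, "Domain Admins", "alice")
    add_global_member(corp, "Corp Backup", "bob")
    # Domain Admins is a member of the Administrators local group, as shipped.
    add_local_member(net, corp, "Administrators", "CORP", "Domain Admins")
    # Giving CORP's backup staff rights in SALES: put CORP's global group in a SALES local group.
    add_local_member(net, sales, "Backup Operators", "CORP", "Corp Backup")
    add_local_member(net, sales, "Users", "SALES", "carol")
    return net


if __name__ == "__main__":
    net = build_network()
    print(sorted(effective_rights(net, "CORP", "CORP", "alice")))
    print(sorted(effective_rights(net, "SALES", "CORP", "bob")))
    print(add_local_member(net, net["CORP"], "Users", "SALES", "carol"))   # refused: CORP does not trust SALES
```

    Note that alice, although a Domain Admin in CORP, holds nothing beyond the EVERYONE rights in SALES: the trust alone grants no access, exactly as the section on trusted domains states, and she only gains rights there if some SALES local group lists her or one of her CORP global groups.
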

    Assigning New User Rights

    When you create a new user group, you can add user rights to and remove them from the group to customize the set of rights received by its members. To add or delete rights for a group, follow these steps:

  1. In User Manager's window, choose User Rights from the Policies menu to display the User Rights Policy dialog (see fig. 12.43).

    Fig. 12.43 Assigning user rights to groups and accounts in the User Rights Policy dialog.

  2. The Right drop-down list at the top of the dialog displays rights that you can assign to or remove from Windows NT Server 4.0 groups. By default, only basic rights are listed. To see advanced rights, mark the Show Advanced User Rights check box at the bottom of the dialog, and then select the right you want to examine.
  3. When you select a user right from the Right drop-down list, the Grant To list changes to reflect the groups to which the right is assigned.
  4. To grant the right to additional groups, click the Add button to display the Add Users and Groups dialog with a list of users and groups in the domain. Select the groups and users to which you want to assign the right.
  5. To remove a user right from a group or user, select the right, select the user or group to be removed in the Grant To list, and then click the Remove button.
  6. When all your changes are complete, click OK to effect the changes and close the dialog.

    From Here...

    In this chapter, you learned to utilize User Manager to configure user accounts and groups. The administrator of a Windows NT Server 4.0 network has total control of all users and network resources. You can tailor each user group and user account to meet the operational need of each user, department, or division, commensurate with the required level of security for the network. This chapter also described how to use the Add User Account Wizard and Group Management Wizard as alternatives to direct manipulation of user accounts and groups with User Manager for Domains.

    For more information related to the content of this chapter, see the following chapters:

  • Chapter 10, "Configuring Windows 95 Clients for Networking," describes how to implement Windows 95's unique networked user logon and system policies.
  • Chapter 13, "Sharing and Securing Network Resources," describes user permissions for the common types of networked resources.
  • Chapter 16, "Distributing Network Services with Domains," describes how Windows NT Server 4.0 domains are used in wide area networking.
