1
Chapter 6
WORKING WITH USER
ACCOUNTS
Chapter 6: WORKING WITH USER ACCOUNTS 2
CHAPTER OVERVIEW
• Understand the differences between local user and
domain user accounts.
• Plan, create, and manage local and domain user
accounts.
• Create and manage user accounts by using
templates, importation, and command-line tools.
• Manage user profiles.
• Understand the purpose and function of profiles.
• Troubleshoot user authentication issues.
Chapter 6: WORKING WITH USER ACCOUNTS 3
UNDERSTANDING USER ACCOUNTS
• Local user accounts stored in the Security Accounts
Manager (SAM) database on that system
• Can be used only on that system
• Domain user accounts
• Stored in Active Directory on domain controllers
• Can be used on any system in Active Directory
Chapter 6: WORKING WITH USER ACCOUNTS 4
WORKGROUPS
• No centralized database of user accounts
• User account must exist in the SAM of each system
the user accesses
• Impractical in environments with more than 10 users
Chapter 6: WORKING WITH USER ACCOUNTS 5
DOMAINS
Chapter 6: WORKING WITH USER ACCOUNTS 6
PLANNING USER ACCOUNTS OVERVIEW
• Account naming
• Choosing passwords
• Designing an Active Directory hierarchy
Chapter 6: WORKING WITH USER ACCOUNTS 7
ACCOUNT NAMING
• Account names can be up to 256 characters
• Account names authentication credential can be
between 1 and 20 characters (letters and/or
numbers).
• For names longer than 20 characters the first 20
must be unique.
• Account names are not case sensitive.
• The following characters cannot be used in the
account name:
•"/\[]:;|,+=*?@
Chapter 6: WORKING WITH USER ACCOUNTS 8
STRONG PASSWORDS
• Cannot be easily guessed or broken by a password
cracking program.
• Use password policy:
• Enforce strong password (PASSFILT.DLL)
•Must be six characters long
•At least three (3) of the following four (4) classes:
• Upper case
• Lower case
• Westernized Arabic numeral (0 – 9)
• Special characters
•Cannot contain user name or any part of full name
• Example: Up2Lower5
Chapter 6: WORKING WITH USER ACCOUNTS 9
ACCOUNT PASSWORD POLICY
Chapter 6: WORKING WITH USER ACCOUNTS 10
DESIGNING AN ACTIVE DIRECTORY HIERARCHY
• Create an organizational unit (OU) structure
• Place users in appropriate OU
• Provides for features such as group policy
Chapter 6: WORKING WITH USER ACCOUNTS 11
WORKING WITH LOCAL USER ACCOUNTS
Chapter 6: WORKING WITH USER ACCOUNTS 12
CREATING A LOCAL USER ACCOUNT
Chapter 6: WORKING WITH USER ACCOUNTS 13
MANAGING LOCAL USER ACCOUNTS
Chapter 6: WORKING WITH USER ACCOUNTS 14
WORKING WITH DOMAIN USER ACCOUNTS
Chapter 6: WORKING WITH USER ACCOUNTS 15
CREATING A DOMAIN USER ACCOUNT
Chapter 6: WORKING WITH USER ACCOUNTS 16
MANAGING DOMAIN USER ACCOUNTS
• From the Action menu, you can:
• Reset a user account password.
• Rename, disable, and delete an account.
• Modify group membership.
• Send e-mail and open a user’s homepage.
Chapter 6: WORKING WITH USER ACCOUNTS 17
THE GENERAL TAB
Chapter 6: WORKING WITH USER ACCOUNTS 18
THE ADDRESS TAB
Chapter 6: WORKING WITH USER ACCOUNTS 19
THE TELEPHONES TAB
Chapter 6: WORKING WITH USER ACCOUNTS 20
THE ORGANIZATION TAB
Chapter 6: WORKING WITH USER ACCOUNTS 21
THE ACCOUNT TAB
Chapter 6: WORKING WITH USER ACCOUNTS 22
THE PROFILE TAB
Chapter 6: WORKING WITH USER ACCOUNTS 23
THE MEMBER OF TAB
Chapter 6: WORKING WITH USER ACCOUNTS 24
THE TERMINAL SERVICES PROFILE TAB
Chapter 6: WORKING WITH USER ACCOUNTS 25
THE ENVIRONMENT TAB
Chapter 6: WORKING WITH USER ACCOUNTS 26
THE REMOTE CONTROL TAB
Chapter 6: WORKING WITH USER ACCOUNTS 27
THE SESSIONS TAB
Chapter 6: WORKING WITH USER ACCOUNTS 28
THE DIAL-IN TAB
Chapter 6: WORKING WITH USER ACCOUNTS 29
THE COM+ TAB
Chapter 6: WORKING WITH USER ACCOUNTS 30
MANAGING MULTIPLE USERS
Chapter 6: WORKING WITH USER ACCOUNTS 31
MOVING USER OBJECTS
Chapter 6: WORKING WITH USER ACCOUNTS 32
CREATING MULTIPLE USER OBJECTS
• Using object templates
• Using Csvde.exe
• Using Dsadd.exe
Chapter 6: WORKING WITH USER ACCOUNTS 33
USING OBJECT TEMPLATES
• Can be an existing user account or an account
created specifically for copying.
• Not all properties are copied.
• A new SID is generated for the new object
• Generic user object templates should be assigned a
password and disabled to prevent use of the
account.
Chapter 6: WORKING WITH USER ACCOUNTS 34
IMPORTING USER OBJECTS USING CSV
DIRECTORY EXCHANGE
• Useful for creating large numbers of users at a time.
• Step 1:
• Create a comma-separated value (CSV) text file of
user information.
• Step 2:
• Use Csvde.exe to import the user information from the
CSV file into Active Directory.
Chapter 6: WORKING WITH USER ACCOUNTS 35
CREATING USER OBJECTS WITH DSADD.EXE
• Command-line utility
• Can be used in batch files or scripts
• Can be used to add other objects as well as users
Chapter 6: WORKING WITH USER ACCOUNTS 36
MODIFYING USER OBJECTS WITH DSMOD.EXE
• Command-line utility
• Can be used in batch files or scripts
• Can be used only to modify existing objects
Chapter 6: WORKING WITH USER ACCOUNTS 37
MANAGING USER PROFILES
• Allows each user to have a customized working
environment
• Preserves application settings, shortcuts, and
preferences
• Ensures that users do not affect each other’s work
environment
Chapter 6: WORKING WITH USER ACCOUNTS 38
USER PROFILE CONTENTS
• User-stored documents and files
• Application configurations and settings
• Desktop and environment settings
• Control Panel settings and configurations
Chapter 6: WORKING WITH USER ACCOUNTS 39
USER PROFILE DIRECTORY STRUCTURE
Chapter 6: WORKING WITH USER ACCOUNTS 40
USING LOCAL PROFILES
• Stored on the local system
• Available only when the user logs on to that system
• Can be modified by the user as needed
Chapter 6: WORKING WITH USER ACCOUNTS 41
USING ROAMING PROFILES
• Allows a user to have the same working environment
from any client computer she
logs on to.
• Central storage provides for easier backup.
Chapter 6: WORKING WITH USER ACCOUNTS 42
USING MANDATORY PROFILES
• Can be either local or roaming.
• User can make changes, but changes are not saved
when user logs off.
• Renaming Ntuser.dat to Ntuser.man designates
profile as mandatory.
Chapter 6: WORKING WITH USER ACCOUNTS 43
MONITORING AND TROUBLESHOOTING USER
AUTHENTICATION
• Using password policies
• Using account lockout policies
Chapter 6: WORKING WITH USER ACCOUNTS 44
USING PASSWORD POLICIES
• Provides a mechanism to control password use in
the organization.
• Should strike a balance between usability and
security.
• Creating a password policy that is too demanding
increases password-related support calls.
Chapter 6: WORKING WITH USER ACCOUNTS 45
USING ACCOUNT LOCKOUT POLICIES
• Account Lockout Threshold
• Account Lockout Duration
• Reset Account Lockout Counter After
Chapter 6: WORKING WITH USER ACCOUNTS 46
ACTIVE DIRECTORY CLIENTS
• Windows 2000, Windows XP, and Windows Server
2003 include full Active Directory client capabilities.
• Windows 95, Windows 98, Windows Me, and
Windows NT 4 require additional client software to
gain full Active Directory functionality.
Chapter 6: WORKING WITH USER ACCOUNTS 47
AUDITING AUTHENTICATION
• Allows you to track failed and successful logon
attempts
• Can form part of a security policy
• Creates minimal system overhead in all but largest
environments
Chapter 6: WORKING WITH USER ACCOUNTS 48
SUMMARY
• Local user accounts are stored on the local system and can
provide users with access only to local resources. Domain
user accounts are stored on Active Directory domain
controllers and can provide users with access to resources
all over the network.
• User objects include the properties related to the
individuals they represent.
• A user object template is an object that is copied to
produce new users. If the template is not a “real” user, it
should be disabled. Only a subset of user properties is
copied from templates.
• Windows Server 2003 includes command-line tools that
you can use to create and manage Active Directory objects,
including Csvde.exe, Dsadd.exe, and Dsmod.exe.
Chapter 6: WORKING WITH USER ACCOUNTS 49
SUMMARY (continued)
• A user profile is a collection of folders and data that
make up the desktop environment for a specific user.
• Windows Server 2003 generates an individual user
profile for each person who logs on to the system.
Local user profiles are stored on the local drive,
whereas a roaming user profile is stored on a network
server.
• A mandatory user profile is one that never changes,
providing the same desktop configuration each time
the user logs on.
• Auditing for authentication allows you to track logon
activity for the network.