1 chapter overview creating user and computer objects maintaining user accounts creating user...
TRANSCRIPT
1
Chapter Overview
Creating User and Computer Objects Maintaining User Accounts Creating User Profiles
2
Creating User and Computer Objects
Each user needs a user account to log on to a domain or to a computer.
Each regular network user needs a unique user account.
3
Introducing User Accounts
Microsoft Windows 2000 has three types of user accounts: Local user accounts Domain user accounts Built-in user accounts
4
Local User Accounts
Enable users to log on to (and access resources on) only the computer where the user account is located
Reside in the computer's local security database
Are not for use on computers that require access to domain resources
5
Local User Accounts (Cont.)
6
Domain User Accounts
Domain user accounts allow users to log on to the domain and access resources anywhere on the network.
When a user logs on, Windows 2000 Authenticates the user Creates an access token for the user
7
Domain User Accounts (Cont.)
Domain user accounts are user objects in the Active Directory database, which is located on domain controllers.
Domain user accounts are replicated to all other domain controllers in the domain.
8
Domain User Accounts (Cont.)
9
Built-In User Accounts
Are created automatically by Windows 2000
The two most commonly used: Administrator: used to manage the overall
computer and domain configuration Guest: allows occasional users to log on and
access resources
10
Built-In User Accounts (Cont.)
Other built-in user accounts: IUSR_computername IWAM_computername TsInternetUser
11
Creating Domain User Accounts
Use the Active Directory Users And Computers console to create and manage domain user accounts. This tool is automatically installed on all
domain controllers. You can install this tool on other computers
running Windows 2000 that are not domain controllers.
12
Active Directory Users And Computers Console
13
Creating a User Object in a Domain To create a user object in a domain:
1. Select Start, point to Programs, point to Administrative Tools, and then click Active Directory Users And Computers.
2. In the scope pane, right-click the Users folder, click New, and then click User.
3. Configure the options in the New Object – User dialog box, and then click Next.
4. Configure password options, and then click Next.
5. Click Finish to create the new user object.
14
The New Object – User Dialog Box
15
Configuring Password Options
16
Simplifying the Creation of User Accounts
If you often create user objects with the same properties, create a user template object to simplify your work.
Then copy the template object to create a new user object.
17
Setting User Account Attributes
After you create a user account, you can configure its attributes. Use the Properties dialog box for the user
object in Active Directory Users And Computers.
To open the dialog box, either double-click the user object, or right-click the user object and then click Properties.
18
The Properties Dialog Box of a User Object
19
Setting Personal Attributes Four of the tabs in the Properties dialog
box contain personal information about the user but are not directly related to the operation of the user object or the Active Directory service.
These tabs are General Address Telephones Organization
20
The Address Tab
21
Setting Account Properties
The Account tab in the Properties dialog box contains several configurable user account attributes, including User logon name Password options Account expiration options Logon hours
22
The Account Tab
23
Setting Logon Hours
You can restrict the times a user can log on to the domain.
By default, access is permitted for all hours on all days.
When you click Logon Hours in the Account tab, the Logon Hours dialog box appears.
24
The Logon Hours Dialog Box in the Account Tab
25
Setting the Computers That Users Can Log On From
You can restrict the computers that a user can log on to the domain from.
By default, a user can log on from any computer in the domain.
When you click Log On To in the Account tab, the Logon Workstations dialog box appears.
26
The Logon Workstations Dialog Box in the Account Tab
27
Lesson Summary There are three types of Windows 2000 user
accounts: Local user accounts Domain user accounts Built-in user accounts
Use Active Directory Users And Computers to create and manage domain user accounts.
You can configure numerous user account attributes, including
Personal attributes Account properties Logon hours The computers a user can log on from
28
Maintaining User Accounts
User accounts require maintenance. In order to maintain and modify user
accounts, you need permission to administer the user objects.
29
Disabling, Enabling, Renaming, and Deleting User Accounts Disable a user account when a user will
not need the account for a long time, such as for a leave of absence. You can enable the user account when the
user returns. Rename a user account when a user's
name has changed or if you want to reassign the account to a different user.
Delete a user account when an employee leaves the company.
30
Disabling, Enabling, Renaming, and Deleting User Accounts (Cont.)
To use Active Directory Users And Computers to disable, enable, rename, or delete a user account:
1. Open Active Directory Users And Computers, and then expand the
console tree until the user account is visible.
2. Click the user account, and then from the Action menu, click the appropriate
command.
31
Disabling, Enabling, Renaming, and Deleting User Accounts (Cont.)
32
Resetting Passwords and Unlocking User Accounts
These tasks are performed when a user cannot log on to the domain or the local computer because of a password or account lockout problem.
Members of the Administrators group, by default, have the permissions necessary to reset passwords and unlock user accounts.
33
Resetting Passwords Necessary when a user forgets a password To reset a password:
1. Open Active Directory Users And Computers, and then expand the tree until the user account is visible.
2. Click the user account, click Action, and then click Reset Password.
3. Type a new password for the user, and retype it in the Confirm Password box.
4. Select the User Must Change Password At Next Logon check box, and then click OK.
34
The Reset Password Dialog Box
35
Unlocking User Accounts
Necessary when a user exceeds a specified number of failed logon attempts
To unlock a user account:1. Open Active Directory Users And Computers, and then expand the tree until the user account is visible.2. Right-click the user account, click Properties, and then click the Account tab.3. Clear the Account Is Locked Out check box.
36
Lesson Summary
Use Active Directory Users And Computers to disable, enable, rename, and delete user accounts.
Disabling a user account prevents the user from logging on, but leaves all of the account information intact.
Use Active Directory Users And Computers to reset user account passwords and to unlock user accounts.
37
Creating User Profiles
A user profile stores a user's current desktop environment, application settings, and personal data.
A home folder is a folder on a server that is assigned to a user for storing personal data.
38
Understanding User Profiles
On computers running Windows 2000, user profiles automatically create and maintain desktop settings for each user's work environment on the local computer.
A new user profile is created for each user logging on to the computer for the first time.
39
Understanding User Profiles (Cont.)
User profiles provide several advantages to users: More than one user can work on the same
computer, with all users maintaining their own desktop settings.
When users log on to their workstations, they receive the same desktop settings that they had when they logged off.
Customization of the desktop environment by one user does not affect another user’s settings.
40
Understanding User Profiles (Cont.)
You can use user profiles to Create a default user profile Set up a mandatory user profile Specify default user settings for all user
profiles
41
Profile Types
Local user profile Created by Windows 2000 the first time a
user logs on to the computer Stored on the computer's local hard disk
Roaming user profile A copy of your local user profile that is
stored on a shared server drive Lets you have your own desktop settings no
matter which computer on the network you use
42
Profile Types (Cont.)
Mandatory User Profile A roaming profile that the user cannot
change Used to enforce particular desktop settings
for individuals or for a group of users Can be changed by the user during a logon
session, but the changes are not saved to the user profile when the user logs off
43
User Profile Contents Settings
A user profile contains configuration preferences and options for each user—a snapshot of a user's desktop environment.
Structure Local user profiles are stored on the system
drive (usually drive C) in the \Documents and Settings folder.
Roaming user profiles are stored in a shared folder on the server.
44
The Directory Structure of a User Profile
45
Using Local Profiles
The use of local profiles on a computer running Windows 2000 is transparent to the user.
Users change their local user profiles without even knowing it, simply by changing their desktop settings.
46
Using Roaming Profiles
A roaming user profile is a copy of a local user profile that is stored on a network server.
You can implement roaming user profiles to support users who work at multiple computers, enabling them to have their personal desktop settings no matter which computer on the network they log on to.
47
Creating Roaming User Profiles
Create roaming user profiles on a file server that is frequently backed up.
For better logon performance, place roaming user profiles on a member server instead of on a domain controller.
You must have permission to manage the user accounts that you want to assign roaming user profiles for.
48
Creating Roaming User Profiles (Cont.) To create a roaming user profile:
1. On the server, create a folder and share it.2. Open Active Directory Users And Computers.3. Locate the user object.4. Right-click the user object, click Properties,
and then click the Profile tab.5. Type the path to the shared folder on the
server. You can use the %USERNAME% variable in
place of the user's logon name. 6. Click OK.
49
The Profile Tab in the Properties Dialog Box of a User Object
50
Standard Roaming User Profile
Is a single roaming user profile shared by multiple users
Provides a standard desktop environment for multiple users with similar job functions
Simplifies troubleshooting
51
Creating a Standard Roaming User Profile To create a standard roaming user profile:
1. Create a user profile template with the appropriate configuration.
2. Create a shared folder on a server.3. In Control Panel, double-click System, and
then click the User Profiles tab.4. Copy the user profile template to the shared
folder, and specify the users who are permitted to use the profile.
5. For each user, specify the path to the profile template on the Profile tab in the user
object's Properties dialog box.
52
Copying a User Profile Template
53
Using Mandatory Profiles
A mandatory user profile cannot be changed by the user.
The user can modify desktop settings while logged on, but any changes made during the session are not saved to the user profile.
You create a mandatory user profile by renaming the Ntuser.dat file (in the folder containing the roaming profile) to Ntuser.man.
54
Creating Home Folders
A home folder is a folder where users can store personal documents.
A home folder can be stored on a client computer or in a shared folder on a server.
All users' home folders are typically stored in a central location on a network server.
55
To create a home folder: 1. On a server, create and share a folder that will
store the home folders of all users.
2. For this shared folder, assign the Full Control permission to the Users group (and remove the Full Control permission from the Everyone group).
3. In Active Directory Users And Computers, access the Profile tab of each user object's Properties dialog box.
4. In the Profile tab for each user, click Connect and specify a drive letter to connect to.
5. In the To box, specify the path to the user's home folder.
You can use the %USERNAME% variable in place of the user's logon name.
6. Click OK.
Creating Home Folders on a Server
56
Specifying a Path to a Home Folder
57
Lesson Summary A user profile is a collection of folders and files
that make up the desktop environment for a specific user.
A local user profile is stored on the local drive, whereas a roaming user profile is stored on a network server.
A mandatory user profile is a read-only roaming user profile that the user cannot change.
Home folders provide an additional storage location for users' personal documents.