1

Chapter Overview

Creating User and Computer Objects Maintaining User Accounts Creating User Profiles

2

Creating User and Computer Objects

Each user needs a user account to log on to a domain or to a computer.

Each regular network user needs a unique user account.

3

Introducing User Accounts

Microsoft Windows 2000 has three types of user accounts: Local user accounts Domain user accounts Built-in user accounts

4

Local User Accounts

Enable users to log on to (and access resources on) only the computer where the user account is located

Reside in the computer's local security database

Are not for use on computers that require access to domain resources

5

Local User Accounts (Cont.)

6

Domain User Accounts

Domain user accounts allow users to log on to the domain and access resources anywhere on the network.

When a user logs on, Windows 2000 Authenticates the user Creates an access token for the user

7

Domain User Accounts (Cont.)

Domain user accounts are user objects in the Active Directory database, which is located on domain controllers.

Domain user accounts are replicated to all other domain controllers in the domain.

8

Domain User Accounts (Cont.)

9

Built-In User Accounts

Are created automatically by Windows 2000

The two most commonly used: Administrator: used to manage the overall

computer and domain configuration Guest: allows occasional users to log on and

access resources

10

Built-In User Accounts (Cont.)

Other built-in user accounts: IUSR_computername IWAM_computername TsInternetUser

11

Creating Domain User Accounts

Use the Active Directory Users And Computers console to create and manage domain user accounts. This tool is automatically installed on all

domain controllers. You can install this tool on other computers

running Windows 2000 that are not domain controllers.

12

Active Directory Users And Computers Console

13

Creating a User Object in a Domain To create a user object in a domain:

1. Select Start, point to Programs, point to Administrative Tools, and then click Active Directory Users And Computers.

2. In the scope pane, right-click the Users folder, click New, and then click User.

3. Configure the options in the New Object – User dialog box, and then click Next.

4. Configure password options, and then click Next.

5. Click Finish to create the new user object.

14

The New Object – User Dialog Box

15

Configuring Password Options

16

Simplifying the Creation of User Accounts

If you often create user objects with the same properties, create a user template object to simplify your work.

Then copy the template object to create a new user object.

17

Setting User Account Attributes

After you create a user account, you can configure its attributes. Use the Properties dialog box for the user

object in Active Directory Users And Computers.

To open the dialog box, either double-click the user object, or right-click the user object and then click Properties.

18

The Properties Dialog Box of a User Object

19

Setting Personal Attributes Four of the tabs in the Properties dialog

box contain personal information about the user but are not directly related to the operation of the user object or the Active Directory service.

These tabs are General Address Telephones Organization

20

The Address Tab

21

Setting Account Properties

The Account tab in the Properties dialog box contains several configurable user account attributes, including User logon name Password options Account expiration options Logon hours

22

The Account Tab

23

Setting Logon Hours

You can restrict the times a user can log on to the domain.

By default, access is permitted for all hours on all days.

When you click Logon Hours in the Account tab, the Logon Hours dialog box appears.

24

The Logon Hours Dialog Box in the Account Tab

25

Setting the Computers That Users Can Log On From

You can restrict the computers that a user can log on to the domain from.

By default, a user can log on from any computer in the domain.

When you click Log On To in the Account tab, the Logon Workstations dialog box appears.

26

The Logon Workstations Dialog Box in the Account Tab

27

Lesson Summary There are three types of Windows 2000 user

accounts: Local user accounts Domain user accounts Built-in user accounts

Use Active Directory Users And Computers to create and manage domain user accounts.

You can configure numerous user account attributes, including

Personal attributes Account properties Logon hours The computers a user can log on from

28

Maintaining User Accounts

User accounts require maintenance. In order to maintain and modify user

accounts, you need permission to administer the user objects.

29

Disabling, Enabling, Renaming, and Deleting User Accounts Disable a user account when a user will

not need the account for a long time, such as for a leave of absence. You can enable the user account when the

user returns. Rename a user account when a user's

name has changed or if you want to reassign the account to a different user.

Delete a user account when an employee leaves the company.

30

Disabling, Enabling, Renaming, and Deleting User Accounts (Cont.)

To use Active Directory Users And Computers to disable, enable, rename, or delete a user account:

1. Open Active Directory Users And Computers, and then expand the

console tree until the user account is visible.

2. Click the user account, and then from the Action menu, click the appropriate

command.

31

Disabling, Enabling, Renaming, and Deleting User Accounts (Cont.)

32

Resetting Passwords and Unlocking User Accounts

These tasks are performed when a user cannot log on to the domain or the local computer because of a password or account lockout problem.

Members of the Administrators group, by default, have the permissions necessary to reset passwords and unlock user accounts.

33

Resetting Passwords Necessary when a user forgets a password To reset a password:

1. Open Active Directory Users And Computers, and then expand the tree until the user account is visible.

2. Click the user account, click Action, and then click Reset Password.

3. Type a new password for the user, and retype it in the Confirm Password box.

4. Select the User Must Change Password At Next Logon check box, and then click OK.

34

The Reset Password Dialog Box

35

Unlocking User Accounts

Necessary when a user exceeds a specified number of failed logon attempts

To unlock a user account:1. Open Active Directory Users And Computers, and then expand the tree until the user account is visible.2. Right-click the user account, click Properties, and then click the Account tab.3. Clear the Account Is Locked Out check box.

36

Lesson Summary

Use Active Directory Users And Computers to disable, enable, rename, and delete user accounts.

Disabling a user account prevents the user from logging on, but leaves all of the account information intact.

Use Active Directory Users And Computers to reset user account passwords and to unlock user accounts.

37

Creating User Profiles

A user profile stores a user's current desktop environment, application settings, and personal data.

A home folder is a folder on a server that is assigned to a user for storing personal data.

38

Understanding User Profiles

On computers running Windows 2000, user profiles automatically create and maintain desktop settings for each user's work environment on the local computer.

A new user profile is created for each user logging on to the computer for the first time.

39

Understanding User Profiles (Cont.)

User profiles provide several advantages to users: More than one user can work on the same

computer, with all users maintaining their own desktop settings.

When users log on to their workstations, they receive the same desktop settings that they had when they logged off.

Customization of the desktop environment by one user does not affect another user’s settings.

40

Understanding User Profiles (Cont.)

You can use user profiles to Create a default user profile Set up a mandatory user profile Specify default user settings for all user

profiles

41

Profile Types

Local user profile Created by Windows 2000 the first time a

user logs on to the computer Stored on the computer's local hard disk

Roaming user profile A copy of your local user profile that is

stored on a shared server drive Lets you have your own desktop settings no

matter which computer on the network you use

42

Profile Types (Cont.)

Mandatory User Profile A roaming profile that the user cannot

change Used to enforce particular desktop settings

for individuals or for a group of users Can be changed by the user during a logon

session, but the changes are not saved to the user profile when the user logs off

43

User Profile Contents Settings

A user profile contains configuration preferences and options for each user—a snapshot of a user's desktop environment. 

Structure  Local user profiles are stored on the system

drive (usually drive C) in the \Documents and Settings folder.

Roaming user profiles are stored in a shared folder on the server.

44

The Directory Structure of a User Profile

45

Using Local Profiles

The use of local profiles on a computer running Windows 2000 is transparent to the user.

Users change their local user profiles without even knowing it, simply by changing their desktop settings.

46

Using Roaming Profiles

A roaming user profile is a copy of a local user profile that is stored on a network server.

You can implement roaming user profiles to support users who work at multiple computers, enabling them to have their personal desktop settings no matter which computer on the network they log on to.

47

Creating Roaming User Profiles

Create roaming user profiles on a file server that is frequently backed up.

For better logon performance, place roaming user profiles on a member server instead of on a domain controller.

You must have permission to manage the user accounts that you want to assign roaming user profiles for.

48

Creating Roaming User Profiles (Cont.) To create a roaming user profile:

1. On the server, create a folder and share it.2. Open Active Directory Users And Computers.3. Locate the user object.4. Right-click the user object, click Properties,

and then click the Profile tab.5. Type the path to the shared folder on the

server. You can use the %USERNAME% variable in

place of the user's logon name. 6. Click OK.

49

The Profile Tab in the Properties Dialog Box of a User Object

50

Standard Roaming User Profile

Is a single roaming user profile shared by multiple users

Provides a standard desktop environment for multiple users with similar job functions

Simplifies troubleshooting

51

Creating a Standard Roaming User Profile To create a standard roaming user profile:

1. Create a user profile template with the appropriate configuration.

2. Create a shared folder on a server.3. In Control Panel, double-click System, and

then click the User Profiles tab.4. Copy the user profile template to the shared

folder, and specify the users who are permitted to use the profile.

5. For each user, specify the path to the profile template on the Profile tab in the user

object's Properties dialog box.

52

Copying a User Profile Template

53

Using Mandatory Profiles

A mandatory user profile cannot be changed by the user.

The user can modify desktop settings while logged on, but any changes made during the session are not saved to the user profile.

You create a mandatory user profile by renaming the Ntuser.dat file (in the folder containing the roaming profile) to Ntuser.man.

54

Creating Home Folders

A home folder is a folder where users can store personal documents.

A home folder can be stored on a client computer or in a shared folder on a server.

All users' home folders are typically stored in a central location on a network server.

55

To create a home folder: 1. On a server, create and share a folder that will

store the home folders of all users.

2. For this shared folder, assign the Full Control permission to the Users group (and remove the Full Control permission from the Everyone group).

3. In Active Directory Users And Computers, access the Profile tab of each user object's Properties dialog box.

4. In the Profile tab for each user, click Connect and specify a drive letter to connect to.

5. In the To box, specify the path to the user's home folder.

You can use the %USERNAME% variable in place of the user's logon name.

6. Click OK.

Creating Home Folders on a Server

56

Specifying a Path to a Home Folder

57

Lesson Summary A user profile is a collection of folders and files

that make up the desktop environment for a specific user.

A local user profile is stored on the local drive, whereas a roaming user profile is stored on a network server.

A mandatory user profile is a read-only roaming user profile that the user cannot change.

Home folders provide an additional storage location for users' personal documents.