HP 9000 Networking: Advanced Server/9000 Concepts and Planning Guide
Chapter 3: Working with User and Group Accounts
Managing User Accounts
Every person who regularly will use the network and participate in a domain must have a user account in a domain on the network. The user account contains information about the user, including name, password, and various optional entries that determine when and how the user logs on and how the user's desktop settings are stored.

Computers running Windows NT Workstation, and computers running Windows NT Server as a member server, maintain user accounts, groups, and security policies separate from those of the domain. The built-in accounts on such computers provide built-in rights on that computer that parallel the rights afforded by the corresponding built-in accounts at the domain level. When a domain controller is configured, its built-in accounts give the administrator certain administrative rights in the domain; when a workstation or member server is configured, its built-in accounts give the administrator administrative rights on that computer. To achieve the appropriate level of control over a workstation, member server, or domain, the administrator decides which user accounts to add to the various built-in groups. A computer's operating system determines the type of accounts that administrators can manage as well as which utilities they can use to manage them.
For information about using client-based network administration tools, see the Advanced Server/9000 Quick Installation Guide. For information about using User Manager for Domains on client computers, see "To install the client-based network administration tools on a Windows NT client" and "Installing Client-based Network Administration Tools on a Windows-based Client" in Network Client Administrator Help.

When User Manager for Domains first displays a domain or a computer, it retrieves the information needed to build the user account and group lists. The information displayed by User Manager for Domains is updated automatically at fixed intervals. However, if you need to make sure the displayed information is current, use the Refresh command on the View menu.
A domain user account contains information that defines a user in an Advanced Server domain. In User Manager for Domains, you can establish, delete, or disable domain user accounts. You can also set security policies and add user accounts to groups. When creating a user account, information is provided that determines how the account can be used. The following table shows the contents of a user account.
In addition to the information contained in a user account, several conditions affect a user's password. These conditions can be selected or cleared by an administrator or account operator for a domain or by the administrator for a workstation or member server.
On some administrative screens, such as in User Manager for Domains, a domain name may precede a user name. The domain name indicates where the user's account was created and where it resides within the overall domain structure. For example, user JohnL from the Sales domain might appear as SALES\JohnL. This name distinguishes him from a different JohnL in another domain, such as ENGINEERING\JohnL.

Two built-in user accounts are created automatically when Advanced Server, Windows NT Server, or Windows NT Workstation is installed: the Administrator account and the Guest account.

Built-in Administrator User Account

The Administrator account is the one you use when you first set up a new domain controller, member server, or workstation, before you create an account for yourself. The Administrator user account is a member of the Administrators local group on a domain controller, workstation, or member server. The Administrator account can never be deleted, disabled, or removed from the Administrators local group, ensuring that you never lock yourself out of the computer by deleting or disabling all the administrative accounts. This feature distinguishes the Administrator account from other members of the Administrators local group.

The built-in Administrator account gives a user automatic rights to perform domain management tasks on a domain controller, or on a workstation or member server that belongs to that domain. During installation, the domain administrator is prompted for a password for the Administrator account. This password should be guarded carefully, not only for security purposes but also because if the password is forgotten, or the person who knows it becomes unavailable, the built-in Administrator account is unusable. The password can be changed, but it does not expire. The user who sets up a workstation can assign a password to the Administrator account or leave it blank. In the latter case, anyone can use the account without a password, so a password should be assigned before the workstation is made available to other users or placed on the network. After the PDC is set up, the built-in Administrator account can be renamed, but it never can be deleted or disabled.
For information about built-in groups and rights, see "Using Groups to Assign User Capabilities" later in this chapter. For information about auditing, see Chapter 7, "Monitoring Events."

The Guest account is for use by individuals who wish to log on but who do not have an account on the computer or domain, or in any of the domains trusted by the computer's domain. A user whose account is disabled (but not deleted) also can use the Guest account. The Guest account does not require a password and can be used for two types of guest logon: local guest logons and network guest logons. You can configure each domain and computer to allow both types of guest logon, only one type, or neither type. The Guest account is disabled by default when Advanced Server/9000, Windows NT Server, or Windows NT Workstation is installed, but you can enable it. You can set rights and permissions for the Guest account as for any other user account. By default, the Guest account is a member of the built-in Guests group, which allows a user only to log on to a workstation or member server (the right to log on locally). Rights other than this one, as well as any permissions, must be granted to the Guests local group by a member of the Administrators or Account Operators local groups. Guests have no predefined rights on a domain controller.

A local guest logon occurs when a user logs on interactively at a computer running Windows NT Workstation, or at a member server running Windows NT Server, and specifies Guest as the user name in the Logon Information dialog box. Because the Guest account on these computers (but not on domain controllers) has the built-in right to log on locally, the guest user can then work at that computer (subject to the rights and permissions you have granted the Guest account) and use it to access the network.

A network guest logon occurs when a user attempts to make a network connection to another computer and that computer does not recognize the user's user name, domain name, or password. If the user is logged on to a client computer that is a member of a workgroup, the client computer name is treated as a domain name by the computer to which it is connecting. The computer being connected to might not recognize the user's account for any of the following reasons:

A network guest logon is approved only if the Guest account of the destination computer is enabled and has no password set. The guest user then has all rights, permissions, and group memberships on that computer that are granted to the Guest account, even though the guest user has not specified Guest as his or her user name. In effect, an enabled, password-less Guest account extends the Guest account's access to every credential the computer does not recognize, so review what the Guest account and the Guests group can reach before enabling it.
For information about managing user accounts, see "Managing Properties for One User Account" in User Manager for Domains Help. For information about logon validation, see Chapter 2, "Managing Advanced Server Domains."

To create additional user accounts or modify existing accounts, use User Manager for Domains. When adding a user account, you will be asked to provide a user name; it can be up to 20 characters long and must be unique to the domain or computer being administered. It can contain any uppercase or lowercase characters except the following:

" / \ [ ] : ; | = , + * ? < >

A user name cannot consist solely of periods (.) and spaces. Be consistent in the way you enter user names, because when Advanced Server presents lists of user accounts, they usually are sorted by user name. It is a good idea to establish a standard for user names, such as a shortened combination of the first and last names (JeffHo for Jeff Howard). You also will be asked to provide the user's full name. It is a good idea to establish a standard for full names so that they always begin with either the last name (Howard, Jeff) or the first name (Jeff Howard). The full name also can affect the sort order, because the user account list in the User Manager for Domains window optionally can be sorted by full name instead of user name. For information about creating user accounts, see "Creating a New User Account" in User Manager for Domains Help.

Adding Several Accounts at One Time

User accounts can contain a considerable amount of information. Typing that information for each user can be time consuming, but with Advanced Server Directory Services there are ways in which you can make creating user accounts easier. You can create a new account by copying an existing account and then changing the user name, full name, initial password, and any other information that must be changed. You also can create one or more template accounts. These accounts are not used by real users but serve only as bases for the real accounts you create. For greater security, disable your template accounts to ensure that no user can log on using them; the copies that you make from your template accounts are enabled by default. For information about adding user accounts, see "Creating a New User Account" and "Copying a User Account" in User Manager for Domains Help.

Selecting User Accounts

The user account list in the User Manager window includes all of the user accounts of the displayed domain. One or more user accounts can be selected from this list by using the Select Users command.
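The user-name rules above (the 20-character limit, the forbidden character set, the periods-and-spaces rule, uniqueness within a domain, the DOMAIN\user display form, the JeffHo naming standard and the two sort orders) as an added Python example. This is not code from the guide or from Advanced Server/9000; the Directory class, its collision counter and its dropping of spaces from suggested names are this example's own policy, and case-insensitive uniqueness is an assumption about how NT compares user names, which the guide does not state.

```python
"""Validator for NT-style user names, following the rules stated in this section."""
from dataclasses import dataclass

MAX_LEN = 20                              # a user name can be up to 20 characters
FORBIDDEN = set('"/\\[]:;|=,+*?<>')       # characters a user name may not contain


@dataclass(frozen=True)
class Account:
    domain: str
    username: str
    full_name: str

    def qualified(self) -> str:
        """The DOMAIN\\user form shown by User Manager for Domains (e.g. SALES\\JohnL)."""
        return f"{self.domain.upper()}\\{self.username}"


def username_problems(name: str) -> list[str]:
    """Return every rule the candidate breaks; an empty list means the name is acceptable."""
    problems = []
    if not name:
        problems.append("empty")
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted({c for c in name if c in FORBIDDEN})
    if bad:
        problems.append("forbidden character(s): " + " ".join(bad))
    if name and all(c in ". " for c in name):
        problems.append("consists solely of periods and spaces")
    return problems


class Directory:
    """The user accounts of one domain or computer.

    Uniqueness is enforced on the lower-cased name (assumption: NT compares user
    names case-insensitively; the guide says only that names must be unique).
    """

    def __init__(self, domain: str):
        self.domain = domain
        self._accounts: dict[str, Account] = {}

    def add(self, username: str, full_name: str) -> Account:
        problems = username_problems(username)
        if problems:
            raise ValueError(f"invalid user name {username!r}: " + "; ".join(problems))
        key = username.lower()
        if key in self._accounts:
            raise ValueError(f"user name {username!r} already exists in {self.domain}")
        account = Account(self.domain, username, full_name)
        self._accounts[key] = account
        return account

    def suggest(self, first: str, last: str) -> str:
        """Apply the guide's example standard: first name plus the first two letters of
        the last name (JeffHo for Jeff Howard). Dropping forbidden characters and spaces
        and appending a counter on collision are this example's own policy."""
        base = "".join(c for c in first + last[:2] if c not in FORBIDDEN and not c.isspace())
        base = base[:MAX_LEN]
        candidate, n = base, 1
        while candidate.lower() in self._accounts:
            n += 1
            suffix = str(n)
            candidate = base[:MAX_LEN - len(suffix)] + suffix
        return candidate

    def listing(self, by_full_name: bool = False) -> list[Account]:
        """Accounts in the order User Manager for Domains lists them: by user name,
        or optionally by full name."""
        key = (lambda a: a.full_name.lower()) if by_full_name else (lambda a: a.username.lower())
        return sorted(self._accounts.values(), key=key)


if __name__ == "__main__":
    sales = Directory("Sales")
    sales.add("JohnL", "Adams, John")
    name = sales.suggest("Jeff", "Howard")          # JeffHo
    print(sales.add(name, "Howard, Jeff").qualified())
    print(username_problems('Jeff"Ho'), username_problems("..."))
```

Feed the function the names from an existing user list before a bulk import; anything it rejects would be rejected by User Manager for Domains as well.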
For more information, see "Selecting User Accounts," "Managing Properties for One User Account," and "Managing Properties for Multiple User Accounts" in User Manager for Domains Help.

Copying Existing Accounts

It often is quicker and more convenient to copy an existing user account than to create a new one. By copying, you ensure that the group memberships and many other properties are carried over to the new account. When a user account is copied, its description, group memberships, logon hours, logon workstations, and account information are copied exactly. To have the system automatically enter the account user name into the home directory path, use %USERNAME%. For more information, see "Using %USERNAME% in the Home Directory Path" later in this chapter.

User Manager for Domains does not copy rights and permissions granted directly to a user account. However, it is recommended that these be granted only to groups and not directly to user accounts. Because the group memberships of the original account are copied to the new user account, the new user account usually will have the same capabilities and access to resources as the original account. Review the original account's group memberships before copying it: every capability those groups convey, including any administrative group membership, is inherited by the copy. For information about how to copy user accounts, see "Copying a User Account" in User Manager for Domains Help. For information about user profiles, see Chapter 4, "Managing User Work Environments."

Specifying a Home Directory

A home directory contains a user's files and programs; it can be assigned to an individual or be shared by many users. Because home directories collect user files in one location, they make it easy for an administrator to back up user files and delete user accounts. Specify a home directory by adding a directory path to the user account. Home directories must be created within a shared directory with appropriate access. The home directory is a user's default directory for the File Open and Save As dialog boxes, for the command prompt, and for all applications that do not have a working directory defined.

User Manager for Domains automatically applies directory permissions if it creates the home directory. When one user account is being administered and a new home directory is created, that user is granted Full Control. When two or more user accounts are being administered and new home directories are created, Full Control is granted to Everyone; if you create home directories for several accounts at once, tighten those permissions afterward so that each user's directory is not readable and writable by every other user. User Manager for Domains does not automatically apply permissions if the directory already exists. In this case, you must apply the permissions using Windows NT Explorer. If the user account does not specify a home directory, the default home directory for upgraded computers is \USERS\DEFAULT on the user's local drive where Windows NT is installed. If Windows NT Workstation or Windows NT Server has been installed for the first time, the default home directory is the root of the drive where Windows NT is installed. (To change the default home directory to a shared network directory or to another local directory on the user's workstation, use User Manager for Domains.)
For information about adding home directories, see "Managing the User Environment" in User Manager for Domains Help.

An Advanced Server/9000 user account can be associated with an HP-UX system user account on an HP-UX system that is running Advanced Server/9000. To create this type of association, use the mapuname command. After you map an Advanced Server/9000 user account to an HP-UX system user account, any file that the Advanced Server/9000 user creates will be owned by the HP-UX system user account. Having both Advanced Server/9000 and HP-UX system user accounts allows your HP-UX system files to be owned by your HP-UX system user account and to be accessed through your Advanced Server/9000 user account. HP-UX system user accounts should be assigned to Advanced Server/9000 users on the HP-UX systems where their home directories reside. Advanced Server/9000 users who are not mapped to HP-UX system user accounts are mapped by default to the lmworld user account; files created by any of those users are therefore owned by lmworld and cannot be told apart by owner.

Assigning HP-UX system user accounts to Advanced Server/9000 user accounts with the mapuname command ensures that HP-UX system user accounts are created only when necessary. It also gives administrators complete control over the mapping of Advanced Server/9000 user accounts to HP-UX system user accounts. However, it does require that HP-UX system user accounts be created and assigned manually.

HP-UX system user accounts can instead be created and assigned automatically to new Advanced Server/9000 user accounts. To do so, set the CreateUnixUser value in the Registry to 1. The CreateUnixUser value is under HKEY_LOCAL_MACHINE at the following path:

\SYSTEM\CurrentControlSet\Services\AdvancedServer\userServiceParameters

When an Advanced Server/9000 user account is created, an HP-UX user account will be created and assigned automatically to that user on every Advanced Server in the domain that has this value set to 1. The HP-UX system user account name that is assigned to the Advanced Server/9000 user account will be the same as or similar to the Advanced Server/9000 user account name. Differences can arise in cases of long, duplicate, or special-character Advanced Server/9000 user account names. Additional Registry values that control the automatic creation of HP-UX system user accounts are as follows:

For more information about the Advanced Server Registry, see Advanced Server Administration. If an Advanced Server/9000 user is mapped to a non-existent HP-UX system user account, or if the HP-UX system account for an Advanced Server/9000 user is deleted, the Advanced Server/9000 user will not have access to any shared resources on the HP-UX system. To ensure that the Advanced Server/9000 user can continue to access the system, delete the account mapping or re-map the user to another HP-UX system user account.
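An added Python audit (not code from the guide or from Advanced Server/9000) that checks a table of Advanced Server/9000-to-HP-UX mappings for the conditions this section describes: users left on the lmworld default, users mapped to an HP-UX account that no longer exists (and therefore locked out of every share on that system), and several users sharing one HP-UX owner. The mapping dict and the passwd excerpt are constructed; the real output format of mapuname is not shown on this page, and the uid-0 check is this example's own addition.

```python
"""Audit Advanced Server/9000 -> HP-UX user mappings for lockouts and shared ownership."""
from __future__ import annotations
from dataclasses import dataclass, field

DEFAULT_UNIX_USER = "lmworld"   # unmapped Advanced Server/9000 users use this HP-UX account


def parse_passwd(text: str) -> dict[str, int]:
    """Return {login: uid} from /etc/passwd-style text, skipping comments and malformed lines."""
    users: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users


@dataclass
class MappingReport:
    ok: dict[str, str] = field(default_factory=dict)        # AS user -> existing HP-UX user
    unmapped: list[str] = field(default_factory=list)       # fall back to lmworld
    dangling: dict[str, str] = field(default_factory=dict)  # HP-UX user missing: no share access
    shared: dict[str, list[str]] = field(default_factory=dict)  # one HP-UX owner, several AS users
    privileged: dict[str, str] = field(default_factory=dict)    # uid 0: files created as root
    default_missing: bool = False                           # lmworld itself absent from passwd


def audit_mappings(mappings: dict[str, str | None], passwd: dict[str, int]) -> MappingReport:
    """mappings: AS user -> HP-UX user, or None when no mapuname entry exists."""
    report = MappingReport(default_missing=DEFAULT_UNIX_USER not in passwd)
    backing: dict[str, list[str]] = {}
    for as_user, unix_user in sorted(mappings.items()):
        if unix_user is None:
            report.unmapped.append(as_user)
            unix_user = DEFAULT_UNIX_USER
        if unix_user not in passwd:
            report.dangling[as_user] = unix_user      # the guide: no access until re-mapped
            continue
        if unix_user != DEFAULT_UNIX_USER:
            report.ok[as_user] = unix_user
        if passwd[unix_user] == 0:
            report.privileged[as_user] = unix_user
        backing.setdefault(unix_user, []).append(as_user)
    report.shared = {u: names for u, names in backing.items() if len(names) > 1}
    return report


def format_report(report: MappingReport) -> list[str]:
    """Human-readable findings, most serious first."""
    lines = []
    if report.default_missing:
        lines.append(f"default account {DEFAULT_UNIX_USER} does not exist: unmapped users are locked out")
    for as_user, unix_user in report.dangling.items():
        lines.append(f"{as_user}: mapped to missing HP-UX account {unix_user}; no share access until re-mapped")
    for as_user, unix_user in report.privileged.items():
        lines.append(f"{as_user}: mapped to {unix_user} (uid 0); every file it creates is root-owned")
    for unix_user, names in report.shared.items():
        lines.append(f"{unix_user}: backs {', '.join(names)}; their files cannot be told apart by owner")
    for as_user in report.unmapped:
        lines.append(f"{as_user}: not mapped; uses {DEFAULT_UNIX_USER}")
    return lines


# Constructed sample data (not taken from any real system).
SAMPLE_PASSWD = """\
# constructed /etc/passwd excerpt
root:x:0:3::/:/sbin/sh
lmworld:x:2001:2001:Advanced Server default user:/home/lmworld:/bin/false
jlee:x:1001:100:John Lee:/home/jlee:/usr/bin/sh
jhoward:x:1002:100:Jeff Howard:/home/jhoward:/usr/bin/sh
"""

SAMPLE_MAPPINGS: dict[str, str | None] = {
    "JohnL": "jlee",
    "JeffHo": "jhoward",
    "JeffH2": "jhoward",   # second AS account sharing jhoward's ownership
    "Temp": "tsmith",      # tsmith was deleted from the HP-UX system
    "Admin": "root",
    "Guest": None,         # never mapped: uses lmworld
    "Scanner": None,
}

if __name__ == "__main__":
    for line in format_report(audit_mappings(SAMPLE_MAPPINGS, parse_passwd(SAMPLE_PASSWD))):
        print(line)
```

Run it against the real passwd file and the current mapping table after every account deletion on the HP-UX side; a dangling entry is exactly the case the paragraph above says will silently cut a user off from every share.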
A user profile consists of work environment settings that are loaded by the system during logon for a given user. These settings include all the user-specific settings of a user's Windows environment, such as screen colors, network connections, printer connections, mouse settings, shortcuts, and window size and position. User profiles are identified by the user name.

Local user profiles are created automatically on the computer the first time a user logs on to a computer running Windows NT Workstation or Windows NT Server. Each user's individual user profile is available to that user on successive logons at that computer. Roaming user profiles are available on computers running Windows NT Workstation or Windows NT Server. To enable roaming user profiles, an administrator enters a user profile path into the user account. The first time the user logs off, the local user profile is copied to that location. Thereafter, the server copy of the user profile is downloaded each time the user logs on (if it is more current than the local copy). Both the local and server copies are updated each time the user logs off. Mandatory user profiles are roaming profiles that are created for the user and cannot be changed by the user. When the user logs off, the local user profile is not saved, and it is not copied to the server. User profiles are available on computers running Windows 95; however, a user profile created on Windows 95 is not available to the user on a computer running Windows NT, and vice versa, even if the user profile is stored on a server. For more information about user profiles, see Chapter 4, "Managing User Work Environments."

Specifying a User Profile Location

In the User Environment Profile dialog box, assign a roaming or mandatory profile to a user account by typing its full path and user profile folder name in the User Profile Path box:

\\server\share\profile name

For information about adding a user profile location, see "Managing the User Environment" in User Manager for Domains Help.

Using %USERNAME% in the Home Directory Path

In the Home Directory box, %USERNAME% can be substituted for the last entry in the path. The system later substitutes the user name of the user account. This substitution is useful when multiple user accounts are selected. For example, suppose you have selected eight user accounts. In the Home Directory box, you might select Connect, specify a drive letter of K, select the To box, and type \\SALES\home\%username%. When you choose OK to save the User Environment Profile, the actual user name is substituted for each %USERNAME% entry. For information about logon scripts and user profiles, see Chapter 4, "Managing User Work Environments."

A right authorizes a user to perform certain actions on a computer system, such as backing up files and directories, logging on to a computer interactively, or shutting down a computer system. Rights exist as capabilities for using either domain controllers at the domain level or workstations or member servers at the local level. Rights can be granted to groups or to user accounts, but are best reserved for use by groups. Rights also can be granted to the special built-in groups Everyone, Interactive, and Network (for more information about these groups, see "Special Groups" later in this chapter). A user who logs on to an account that belongs to a group to which the appropriate rights have been granted can carry out the corresponding actions. When a user does not have the appropriate rights to perform an action, an attempt to carry out that action is blocked by Advanced Server/9000.

Because rights are not associated with a specific object, and are applied at the domain (domain controllers) or local (workstation or member server) level, they sometimes can override permissions set on an object. For example, a user logged on to a domain account that is a member of the Backup Operators group has the right to perform backup tasks for all servers of the domain. Doing so requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A right, in this case the right to perform a backup, takes precedence over all file and directory permissions. For this reason, membership in Backup Operators should be treated as sensitive: a member can read any file on the servers of the domain regardless of its permissions.

Setting User Rights

Members of the Administrators local group in a domain or on a local computer (member server or workstation) have the built-in ability to grant rights to users for the domain or the computer, respectively. The easiest way to provide rights to a user is to add the user's account to a built-in group that has the desired rights. (Each built-in group conveys certain rights and capabilities to its members.) However, when you create new local groups, or if a special situation occurs, it is possible to grant a right to, or remove it from, a user or a group account.
The following table describes the user rights that can be managed in Windows NT with the User Rights command on the Policies menu. Only the user rights in bold italic apply to Advanced Server/9000.
* In Advanced Server/9000, this right cannot be revoked from the Administrators local group. If Show Advanced User Rights is selected, some additional rights (described in the following table) can be managed with the User Rights policy. Many of these advanced rights are useful only to programmers writing applications to run on Windows NT Server or Windows NT Workstation, and typically are not granted to a group or user. None of these rights apply to Advanced Server/9000 computers.
For information about setting user rights, see "Managing the User Rights Policy" in User Manager for Domains Help. For information about adding users to groups, see "Using Groups to Assign User Capabilities" later in this chapter. For information about granting rights to new groups, see "Granting Rights to a Local Group" later in this chapter. For information about the capabilities of built-in groups, see "Built-in Local Groups: Controlling What Users Can Do" later in this chapter.

By default, users can connect to a server 24 hours a day, seven days a week. To restrict this access, use the User Properties dialog box. When you select a user account in User Manager for Domains and view user properties, you can select Hours in the User Properties dialog box to change the settings for that user. The Logon Hours dialog box displays a one-week calendar, with logon hours displayed in one-hour increments across seven days. A box represents each hour. For example, the first box in each row represents the hour from midnight through 12:59 A.M., and the last box in each row represents the hour from 11:00 P.M. through 11:59 P.M. The filled boxes indicate when the user is allowed to connect to domain servers; the empty boxes indicate when the user is prohibited from connecting. When a user is connected to a server and the logon hours are exceeded, the user either will be disconnected from all server connections or will be allowed to remain connected but denied any new connections, depending on the status of an option in the Account Policy dialog box. For information about setting logon hours, see "Managing Logon Hours" in User Manager for Domains Help.

You can define an account expiration date and specify the account type for user accounts. When an account has an expiration date, the account is disabled at the end of that day. (Expired accounts are not deleted, only disabled.) When an account expires, a logged-on user remains logged on but can establish no new network connections and cannot log on again after logging off.

By default, a new user account is a global user account. A local account is a user account provided in a domain for a user whose regular account is not in a trusted domain. Local accounts provide access to resources in a single domain, and those resources can be used only by connecting to a domain controller over the network. Users of local accounts first must log on to the network using a workgroup computer account or a global domain account and then connect to a domain controller in the domain where the local account resides. When the user connects to the domain controller, the user's credentials (domain name, user name, and password) are passed to the domain controller. This controller first checks the domain name and, because the domain is not trusted, determines whether the user has a local or global user account by the same name and whether the password specified in the user's credentials matches the password for the local account. If the account is found but the passwords do not match, the user is prompted for the local account password.
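The logon-hours grid and the expiration rule above, as an added Python example (not code from the guide or from Advanced Server/9000). It models the 7-by-24 grid of the Logon Hours dialog, decides whether a logon or a new connection is permitted at a given time, and applies the two behaviours the guide describes for a session that is already open when the hours run out or the account expires. The packing of the grid into 21 bytes, one bit per hour, is an assumption about the layout NT uses for logon hours in the SAM and on the SAMR wire; this page describes only the dialog, and the example keeps everything in server-local time.

```python
"""Logon-hours and account-expiration checks for NT-style user accounts."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime

HOURS_PER_WEEK = 7 * 24   # the Logon Hours dialog: seven rows of 24 one-hour boxes, Sunday first


class LogonHours:
    """One box per hour of the week; index = day * 24 + hour, with Sunday as day 0."""

    def __init__(self, allowed: list[bool] | None = None):
        self.boxes = [True] * HOURS_PER_WEEK if allowed is None else list(allowed)
        if len(self.boxes) != HOURS_PER_WEEK:
            raise ValueError("a logon-hours grid has exactly 168 boxes")

    @classmethod
    def restricted_to(cls, days: range, start: int, end: int) -> LogonHours:
        """Allow only the hours start..end-1 on the given days (0 = Sunday ... 6 = Saturday)."""
        grid = cls([False] * HOURS_PER_WEEK)
        for day in days:
            for hour in range(start, end):
                grid.boxes[day * 24 + hour] = True
        return grid

    def allows(self, when: datetime) -> bool:
        day = (when.weekday() + 1) % 7     # Python counts Monday as 0; the dialog starts on Sunday
        return self.boxes[day * 24 + when.hour]

    def to_bytes(self) -> bytes:
        """Pack the grid as 21 bytes, one bit per hour, least significant bit first.

        Assumption: this is the 168-bit layout NT stores for logon hours; the SAM copy is
        expressed in GMT, which this example does not convert.
        """
        packed = bytearray(HOURS_PER_WEEK // 8)
        for index, allowed in enumerate(self.boxes):
            if allowed:
                packed[index // 8] |= 1 << (index % 8)
        return bytes(packed)

    @classmethod
    def from_bytes(cls, packed: bytes) -> LogonHours:
        if len(packed) != HOURS_PER_WEEK // 8:
            raise ValueError("expected 21 bytes")
        return cls([bool((packed[i // 8] >> (i % 8)) & 1) for i in range(HOURS_PER_WEEK)])


@dataclass
class UserAccount:
    name: str
    disabled: bool = False
    expires: date | None = None           # the account is disabled at the end of this day
    hours: LogonHours | None = None       # None = 24 hours a day, seven days a week (the default)

    def __post_init__(self):
        if self.hours is None:
            self.hours = LogonHours()


def logon_check(account: UserAccount, at: datetime) -> tuple[bool, str]:
    """May this account log on or open a new connection at `at`? Returns (allowed, reason)."""
    if account.disabled:
        return False, "account disabled"
    if account.expires is not None and at.date() > account.expires:
        return False, "account expired"          # the expiration day itself is still allowed
    if not account.hours.allows(at):
        return False, "outside logon hours"
    return True, "ok"


def session_action(account: UserAccount, at: datetime, forcibly_disconnect: bool) -> str:
    """What happens to a connection that is already open when `at` arrives.

    forcibly_disconnect stands for the Account Policy option the guide mentions: when logon
    hours are exceeded, either drop every server connection or keep the session and refuse
    new connections. An expired account keeps its session but gets no new connections.
    """
    allowed, reason = logon_check(account, at)
    if allowed:
        return "continue"
    if reason == "outside logon hours":
        return "disconnect" if forcibly_disconnect else "deny new connections"
    if reason == "account expired":
        return "deny new connections"
    return "unspecified"   # the guide does not say what happens to an open session when an account is disabled


if __name__ == "__main__":
    office = LogonHours.restricted_to(range(1, 6), 8, 18)          # Monday to Friday, 08:00-17:59
    contractor = UserAccount("JohnL", expires=date(2024, 1, 10), hours=office)
    print(logon_check(contractor, datetime(2024, 1, 10, 9, 0)))
    print(session_action(contractor, datetime(2024, 1, 10, 18, 0), forcibly_disconnect=False))
    print(office.to_bytes().hex())
```

Note the boundary the guide states: an account that expires on a given date can still log on during that day, and the session it holds when the date rolls over is kept, so an account that must stop working immediately should be disabled rather than given an expiration date.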
Creating a User Account as Local

A user account can be created as a local account to give domain access to a user who:

For example, a local account would be required for a user who is a member of a workgroup or whose domain account is located in a LAN Manager 2.2 domain, which does not recognize trust relationships. You easily can return the account type to global if necessary, for example, if you created an account for a user whose workstation is a member of a workgroup and the workstation later joins the domain. The default setting for a new user account is Global Account. When you add a new local user account, you can change the default setting in the Account Information dialog box. For information on managing user accounts, see "Creating a New User Account" and "Managing Account Information" in User Manager for Domains Help.

Any user account, including the built-in user accounts, can be renamed. Because it retains its security identifier (SID), a renamed user account retains all its other properties, such as its description, password, group memberships, user environment profile, logon hours, logon workstations, account information, and any assigned permissions and rights. For information about renaming a user account, see "Renaming User Accounts" in User Manager for Domains Help.

To prevent a user from logging on, you can disable or delete the user account. To prevent accidental deletions, it is a good idea to disable a user account first, and then to delete the disabled accounts periodically. Deleting an account also discards its SID: a new account created later with the same name receives a different SID and does not regain the deleted account's permissions, whereas a disabled account can simply be re-enabled. For information about disabling and deleting user accounts, see "Disabling and Enabling User Accounts" and "Deleting User Accounts" in User Manager for Domains Help.

From a computer running Windows NT Server (domain controller or member server), you can manage local member server or workstation user accounts remotely with User Manager for Domains. You can manage user accounts locally from a computer running Windows NT Workstation with User Manager. When Windows NT Workstation is installed on a computer, or Windows NT Server is installed as a member server, the built-in Administrator account is created automatically. The Administrator account is used by the person who manages the computer's overall configuration. If a computer participates in a domain, the Domain Admins global group is by default a member of the computer's Administrators local group, and members of the Administrators group can administer the computer. However, a member of Administrators can remove the Domain Admins global group from the computer's Administrators group.

Administrators group members do not have automatic access to every file on the computer. If a file's permissions do not grant access, the administrator cannot use the file. Every file on a Windows NT volume has an owner, who can set permissions on the file. If needed, an administrator can take ownership of a file and thus gain access to it. If the administrator does so, and auditing of files is selected, the event is recorded in the security log. Ownership can only be taken, never given: the administrator cannot return ownership to the original owner, so taking ownership leaves a trace that the original owner can detect.

To manage workstation or member server accounts instead of domain accounts, in User Manager for Domains, type the computer name as \\computername instead of selecting or typing a domain name. With the workstation or member server selected as the domain, you can perform all the functions using User Manager for Domains that can be performed at the computer itself. For information about selecting a computer instead of a domain, see "Selecting a Domain" in User Manager for Domains Help. For information about file auditing, see Chapter 7, "Monitoring Events."