Lesson 1: Introduction to User Accounts
Windows NT security is based on the concept of user accounts. A user account is the user's unique credential that allows the user to access resources. This lesson provides an overview of user accounts.
After this lesson, you will be able to:
- Describe the types of user accounts.
- Describe the difference between a domain user account and a local user account.
Estimated lesson time: 10 minutes
Each person who will regularly use the network and participate in a domain, or who will log on to a local computer to access local resources, must have a user account. With user accounts, you can control how a user gains access to the domain or a local computer. For example, you can limit the number of hours a user can log on to the domain.
Types of User Accounts
There are three types of user accounts: the accounts that you create, and two built-in user accounts that are created automatically when Windows NT Server or Windows NT Workstation is installed. The two built-in accounts are the Guest account and the Administrator account.
The following list describes the three types of user accounts:
- Accounts that you create. A user account enables the user to log on to the local computer or domain and, with the appropriate permissions, allows access to network resources. User accounts contain information about the user, including the user's name and password.
- Guest. The built-in Guest account is used to give occasional users the ability to log on and gain access to resources on the local computer. For example, an employee who needs to access the computer for a short time can use the Guest account. The Guest account is disabled by default.
- Administrator. The built-in Administrator account is used to manage the overall computer and domain configuration and resources. The Administrator account is used when performing administrative tasks, such as creating or modifying user and group accounts, managing security policies, creating printers, and assigning permissions and rights to user accounts to access resources.
Where Accounts Are Created
A computer's operating system determines the type of accounts that you can create and manage, as well as the tool that you use to create and manage them:
- On computers running Windows NT Workstation, the account management tool is User Manager. It is used to manage the accounts of that computer only. Accounts created with User Manager are local accounts.
- On computers running Windows NT Server, the account management tool is User Manager for Domains. It is used to manage accounts on the local domain or on any computer, member server, or other domains to which you have access. Accounts created with User Manager for Domains can be local accounts or domain accounts.
Domain User Account
A domain user account contains information that defines a user to the domain. With a domain user account, a user can log on to the domain and gain access to domain resources from any computer on the network using a single user account and password.
A domain user account is always created in User Manager for Domains. Although a domain user account can be created from any computer running User Manager for Domains, the account is always created in the master directory database on the primary domain controller (PDC).
A copy of the master directory database is stored on all backup domain controllers (BDCs). The copy is automatically synchronized every five minutes with the master directory database on the primary domain controller.
Create domain user accounts for all users.
You can install User Manager for Domains on a computer running Windows NT Workstation or Windows® 95 by installing the Windows NT Server client-based administration tools.
Local User Account
A local user account contains information that defines a user to the local computer. With a local user account, a user can log on to and access local resources. To access resources on another computer, the user must have a separate user account on the other computer.
Although User Manager for Domains allows you to create accounts for the domain and for local computers, User Manager only allows you to create an account for the local computer.
Local user accounts should only be created within a workgroup, as shown in the following illustration.
The following information summarizes the key points in this lesson:
- Windows NT security is based on the concept of user accounts.
- The Administrator account is a built-in account on all computers running Windows NT. It is used for overall management of computer resources and configuration.
- The Guest account is a built-in account on all computers running Windows NT. It provides occasional users the ability to use local computer resources. It is disabled by default.
- A domain user account gives a user the ability to log on to and access domain resources from any computer on the network using a single user account and password.
- Create a domain user account for all users.
- A local user account gives a user the ability to log on to the local computer and access local resources. To access resources on another computer, the user must have a separate account on the other computer.
- Create local user accounts only in a workgroup environment.
For more information on:
- Creating user accounts, see Chapter 2, "Working With User and Group Accounts," in Microsoft Windows NT Server Concepts and Planning.
- Installing client-based network administration tools, see Chapter 11, "Managing Client Administration," in Microsoft Windows NT Server Concepts and Planning.
Lesson 2: Planning New User Accounts
Before you create user accounts, determine the requirements for each user based on the security level of your network. This lesson explores the strategies for creating new user accounts in networks with minimum, medium, and high levels of security.
After this lesson, you will be able to:
- Describe five elements of good user account planning.
- Plan a strategy for creating new user accounts.
- Explain how password requirements affect security levels.
- Describe the function and possible locations of a home folder.
Estimated lesson time: 30 minutes
Elements to Consider in Planning New User Accounts
To streamline the administration process, and to implement the most appropriate security measures for your organization, consider these elements in determining your planning strategy:
- Naming convention. Use a convention that ensures unique but consistent user account names.
- Password requirements. Select your password enforcement options, including whether a user can, or must, change his or her own password.
- Logon hours. Determine the hours that each user is allowed to log on.
- Workstation restrictions. Determine the computer names of the Windows NT computers that the user is permitted to work from. By default, the user can log on from any workstation; you can limit the choices to specific computers.
- Home folder location. Determine the location of home folders, either on the local computer or on a server for centralized backup and administration.
A naming convention establishes how users will be identified on the network. A consistent naming convention makes it easy for you and your users to remember user names and locate them in lists.
To decide your naming convention, consider the following points:
- User names must be unique. Domain user accounts must be unique to the domain. Local user accounts must be unique to the local computer.
- User names can contain up to 20 uppercase or lowercase characters except for the following: " / \ [ ] : ; | = , + * ? < >. You can use a combination of special and alphanumeric characters.
- If you have a large number of users, establish a naming convention that accommodates employees with duplicate names. Two suggestions for handling duplicate names are:
- Use the first name and the last initial, and then add additional letters from the last name to accommodate duplicate names. For example, if you have two users named Eric Lang, use EricL as one user name, and use EricLa for the other.
- Add numbers to the user name. For example, EricL1 and EricL2.
- In large organizations, it is useful to identify temporary employees by their user account. For example, to identify temporary employees, use a "T" and a dash in front of the user name, as in, for example, T-EricL....
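The naming rules and the duplicate-handling suggestions above, as an added example that is not part of the training kit. It assumes that Windows NT compares user names case-insensitively, and the hypothetical `existing` argument stands in for the names already defined in the domain or on the local computer:

```python
# Added example: a helper that applies the lesson's naming rules.
# Assumption: Windows NT compares user names case-insensitively, so
# uniqueness is checked on lower-cased names.
ILLEGAL_CHARS = set('"/\\[]:;|=,+*?<>')   # characters the lesson forbids
MAX_LEN = 20                               # maximum user name length


def validate_user_name(name, existing=()):
    """Return a list of rule violations for `name` (empty list = acceptable).

    `existing` is the (hypothetical) collection of names already defined
    in the domain or on the local computer, used for the uniqueness check.
    """
    problems = []
    if not name.strip():
        problems.append("name is empty")
    if len(name) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    bad = sorted(ILLEGAL_CHARS.intersection(name))
    if bad:
        problems.append("contains illegal characters: " + " ".join(bad))
    if name.lower() in {e.lower() for e in existing}:
        problems.append("not unique in this domain or computer")
    return problems


def propose_user_name(first, last, existing, temporary=False):
    """Build a unique name following the lesson's two suggestions:
    first name + last initial, adding last-name letters (EricL, EricLa, ...)
    and, once the last name is exhausted, a numeric suffix (EricL1, EricL2).
    Temporary employees get the "T-" prefix from the lesson."""
    first = "".join(c for c in first if c not in ILLEGAL_CHARS)
    last = "".join(c for c in last if c not in ILLEGAL_CHARS)
    if not first and not last:
        raise ValueError("no usable characters in the person's name")
    prefix = "T-" if temporary else ""
    taken = {e.lower() for e in existing}
    # Suggestion 1: extend the last-name part one letter at a time.
    for i in range(1, len(last) + 1):
        candidate = (prefix + first + last[:i])[:MAX_LEN]
        if candidate.lower() not in taken:
            return candidate
    # Suggestion 2: append a number, keeping the total within MAX_LEN.
    base = prefix + first + last[:1]
    n = 1
    while True:
        suffix = str(n)
        candidate = base[:MAX_LEN - len(suffix)] + suffix
        if candidate.lower() not in taken:
            return candidate
        n += 1
```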