Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97


7.3.1. Automatically Created User Accounts

During the installation, accounts for the administrator and guest are automatically created. If you chose to install IIS during the installation, an account is also created for anonymous Internet access. The accounts created automatically on the KNOWLEDGE domain are shown in Figure 7.3.


Figure 7.3.  User Manager for Domains showing the user accounts for the Knowledge domain.

Built-In User Accounts

Both the administrator and guest accounts are built-in accounts and as such cannot be deleted from the system.

The Administrator Account

The administrator account created during the installation is a true superuser. It is automatically granted membership in the Administrators and Domain Admins groups. The built-in administrator account cannot be disabled, deleted, or removed from the Administrators group.

The administrator account can be renamed. In fact, renaming the administrator account is considered a good practice to enhance security. The administrator account is a frequent target of hacker attacks, and renaming it helps prevent this.

The Guest Account

The guest account is used to give access to the system from across the network to users whose names are not in the account database. For example, if the guest account in the KNOWLEDGE domain were enabled, users who tried to access the system from across the network would be aliased as guest. They would receive whatever rights were granted to the guest account.

The guest account is a member of the Domain Guests group. Do not overly empower the guest account by making it a member of a powerful group such as Domain Admins.

Like the administrator account, the guest account is built-in and cannot be deleted. It can, however, be renamed. Renaming the guest account does not prevent it from being used; to prevent its use, it must be disabled. By default, the guest account is disabled on NT servers.

7.3.2. Creating User Accounts

You create user accounts through User Manager for Domains (see Figure 7.4).


Figure 7.4.  Creating a new user account.

1.  From the menu bar select User | New User.
2.  Enter the user name: This is the logon ID that will be used by the user. It is not case-sensitive, and can be up to 20 characters in length. The name must be unique to the SAM database where it will be entered; it cannot match another user or group name in the same domain.

The remaining items can be performed optionally during the installation.

  Full Name: This is the descriptive name of the user. It is helpful later when assigning permissions to the account if the logon ID does not make clear who the user is.
  Description: This field is commonly used to describe the function of the user account.
  Password: The password is case-sensitive and may be up to 14 characters in length.

The following option fields can be toggled on or off:

  User Must Change Password at Next Logon: The user will be forced to change her password at the next logon. The user will be directed to the Change Password dialog box.
  User Cannot Change Password: This parameter is often set for service accounts and for accounts shared by multiple people.
  Password Never Expires: The user will not be required to change her password. This will override the option User Must Change Password at Next Logon.
  Account Disabled: The administrator can choose to create an account to use as a template for other accounts. By disabling the template account, no one will be able to log on using the template account.

Always disable an account instead of deleting it if the account owner might return or the resources of the account will be assigned to a new user.
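The built-in account guidance in 7.3.1 and the naming and password-option rules above can be checked mechanically. The following is an added example, not code from the book: it audits an exported account list, identifying the built-in accounts by their well-known RIDs (500 for the administrator, 501 for the guest) so that a rename does not hide them. The record layout, flag names, finding codes, and sample data are assumptions constructed for illustration.

```python
# Added example: audit an account export against the guidance in this section.
# Record layout, flag names, finding codes and SAMPLE are constructed.
RID_ADMIN, RID_GUEST = 500, 501   # well-known RIDs; a rename does not change them
PRIVILEGED = {"administrators", "domain admins"}

def audit(accounts, group_names=()):
    """Return a list of (account name, finding code) tuples."""
    findings = []
    taken = {g.lower() for g in group_names}  # users and groups share one namespace
    for acct in accounts:
        name, flags = acct["name"], acct["flags"]
        groups = {g.lower() for g in acct["groups"]}
        if acct["rid"] == RID_ADMIN and name.lower() == "administrator":
            findings.append((name, "ADMIN_NOT_RENAMED"))
        if acct["rid"] == RID_GUEST:
            # Renaming the guest account does not stop its use; disabling does.
            if "disabled" not in flags:
                findings.append((name, "GUEST_ENABLED"))
            if groups & PRIVILEGED:
                findings.append((name, "GUEST_IN_PRIVILEGED_GROUP"))
        if len(name) > 20:                    # logon ID limit is 20 characters
            findings.append((name, "NAME_TOO_LONG"))
        if name.lower() in taken:             # logon IDs are not case-sensitive
            findings.append((name, "NAME_COLLISION"))
        taken.add(name.lower())
        if {"must_change", "never_expires"} <= flags:
            # Password Never Expires overrides the forced change at next logon.
            findings.append((name, "MUST_CHANGE_OVERRIDDEN"))
    return findings

# Constructed sample: default-named administrator, a renamed but enabled guest
# placed in Domain Admins, conflicting password options, and a name collision.
SAMPLE = [
    {"name": "Administrator", "rid": 500, "flags": set(),
     "groups": ["Administrators", "Domain Admins"]},
    {"name": "Visitor", "rid": 501, "flags": set(),
     "groups": ["Domain Guests", "Domain Admins"]},
    {"name": "MorganS", "rid": 1001, "flags": {"must_change", "never_expires"},
     "groups": ["Domain Users"]},
    {"name": "morgans", "rid": 1002, "flags": set(), "groups": ["Domain Users"]},
]
SAMPLE_GROUPS = ["Domain Users", "Domain Guests", "Domain Admins"]

if __name__ == "__main__":
    for name, code in audit(SAMPLE, SAMPLE_GROUPS):
        print(f"{name}: {code}")
```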

Clicking the appropriate icons will access details on group memberships, profile, logon hours, station restrictions, account type and expiration, and dial-in authorization. The following list explains the icons:

  Groups: By default, all new users are made members of the Domain Users group (see Figure 7.5). A user receives access to resources based on the collective permissions granted to her account and to the groups to which she belongs.


Figure 7.5.  Assigning group memberships.

  Profile: The User Environment Profile dialog box (see Figure 7.6) controls where the system looks for roaming or mandatory profiles and logon scripts. If an NTFS partition is used, a home directory can also be created. The user will be the only one to receive access rights to the directory.

If the account you are creating will be used as a template, substitute the variable %USERNAME% for the account name when setting the profile or home directory. When the user account is copied as a template, the new user name will be applied automatically.


Figure 7.6.  Entering the UNC path to the user’s profile.

  Hours: You can assign the hours during which the user is allowed to log on. By default, all hours are allowed (see Figure 7.7). If a user stays logged on beyond his approved hours, he will be disconnected only if the administrator has specified the option to do so in the global Account Policies. If he stays logged on, he will not be allowed to make any new connections and will receive a warning message every 10 minutes.


Figure 7.7.  Valid logon hours for user MorganS.

  Logon to: You can restrict the user to specific workstations by specifying them by computer name. By default, all workstations are allowed (see Figure 7.8).

By using computer names instead of physical addresses, a conflict does not develop if the network card is replaced.

