Last month I discussed user accounts and explained the difference between workgroup and domain accounts. This month I explain how you can set up user accounts, and I discuss the options you can configure to manage users.
Adding a New User
To set up a new user account, open User Manager for Domains (in the Administrative Tools group). To set up a user account when logged on locally to a Windows NT workstation, use the User Manager utility instead. From the User drop-down menu, select New User. Screen 1, page 210, shows the dialog box for adding a new user. You must specify a username, which can contain as many as 20 upper- and lower-case characters. When a user logs on, the username is not case sensitive, but NT preserves case. You cannot use certain characters (e.g., punctuation). For a list of illegal characters, click Help, Contents, and select Manage User Accounts/Creating a New User Account. The apostrophe is legal, but it can cause problems with SQL Server logins, so you might have to coordinate with your database administrator. Avoid putting spaces in a username so that you do not have to enclose the username in quotation marks when you use it in a batch file. Avoid names with hyphens and underscores because of incompatibilities with Internet email.
Assigning SIDs and Usernames
When you add a user to the accounts database, NT creates a security ID (SID). A SID is a long, computer-generated string that uniquely identifies each user account. The system associates security permissions with SIDs rather than usernames.
If a person leaves the department or company, you can change the person's username to accommodate a new employee. Suppose you have a programmer, Brian, who quits, and you replace him with another programmer, Cindy. To add Cindy as a user, you must give her the same group memberships and permissions as Brian. You can copy Brian's account for the new account, and then delete Brian from the account database. But you must take ownership of Brian's files, and then let Cindy take ownership of them. (You can let someone take ownership, but you cannot give ownership.) An easier method is to change the username on the account from Brian to Cindy. The SID remains the same, but Cindy then owns the files.
Changing usernames is easy. From the main User Manager dialog box, click User, Rename. Enter the new name, and click OK. Assign the user a new password. If you temporarily disabled the account to ensure that no one could log on to it until you reassigned it, you will need to reenable the account.
Configuring a New User
To configure a new user, you must assign a full name, description, and password, as Screen 1, page 210, shows. You can use any name and description you think is appropriate because these labels merely help identify the user. Passwords are case sensitive, so be sure to turn off Caps Lock. A password can be as many as 14 characters, and the same character restrictions apply as for usernames. NT hides the password as you type it, and you must type it twice for verification.
Password options. You need to set certain password options. When you add a new user, NT enables the User Must Change Password at Next Logon option by default. The user must choose a new password, and the administrator-assigned password becomes invalid. Therefore, the administrator cannot log on as the user, and the system remains secure.
For low-security accounts (e.g., temporary employee accounts, public-access accounts), you might enable the User Cannot Change Password option. In these cases, you do not want a user to be able to change the password and lock out others.
In NT, you cannot vary the length of time for which each password is valid. You can assign passwords that never expire, or you can specify all passwords to expire in a certain number of days. To override a password expiration policy, you must use the Password Never Expires option. Administrators frequently use this option for accounts such as the Replication account and the SQL Executive account. These accounts are not true user accounts; NT services use these accounts to log on behind the scenes. Therefore, these accounts do not interact with the desktop and cannot request a new password if the old one expires. Services typically start with account name and password verification. If the password expires, you must assign a new password and then reconfigure the service. Hackers can use these service accounts to break in, so use a password that is difficult to crack.
The system associates security permissions with SIDs, so if you delete an account, you lose the account's security information. Rather than delete accounts, you need to disable them temporarily. Select the Account Disabled check box to preserve the account with the associated SID until you can reassign it. Be sure to reenable the account after you change the username.
Other options. The User Properties dialog box lets you configure many options. Screen 1 shows the icons for configuring groups, user profiles, logon hours, workstation logon access, accounts, and dialin options.
The Groups icon lets you assign members to local or global groups, as Screen 2 shows. You can also designate a global group as the user's primary group. The primary group concept applies only if you are running Services for Macintosh on your NT network and supporting Mac users, or in some POSIX applications. NT requires each user to have a designated primary group. Users automatically belong to the Domain Users group, which is also their primary group by default. To remove a user from the Domain Users global group, you must assign the user to another global group, make that group the user's primary group, and then remove the user from Domain Users. A user can belong to as many as 1000 local and global groups, but typically belongs to only a few.
The Profile icon takes you to the User Environment Profile dialog box. When you want to set a roaming or mandatory profile for a user, you can specify the path to the user profile. You set a roaming profile for a network path, with the format \\server\profiles\newuser. You also specify the name of the logon script in this dialog box. In the logon script text box, enter a file or relative path to the domain controller's Netlogon share. A useful trick when specifying the user's home directory is to use the %username% variable in the local path text box, as Screen 3 shows, to create a directory with the user's name on the workstation where the user logs on. Or if you prefer centralized control of home directories, you can designate a directory on the server, using the format \\server\users\%username%.
The Hours icon controls the hours during which users can connect to a server. Limiting users' connection time lets systems administrators schedule backups and system maintenance. Screen 4 shows a configuration that prevents a user from connecting between 1 a.m. and 3 a.m. Monday through Saturday, and between 1 a.m. and 8 a.m. on Sunday. When you disallow users from logging on, they cannot log on to the network or connect to network resources, but they can log on to their computers with a local or workgroup account. (For more information about local and workgroup accounts, see "Windows NT User Accounts," June 1998.) By default, connected users can stay connected when the logon hours expire, but new users cannot log on. You can set a policy that forcibly disconnects users from the server when the logon hours expire. You set this option from the User Manager menu: Select Policies, Account, Forcibly disconnect remote users from server when logon hours expire. This policy option is useful when you perform backups and other maintenance. Users cannot connect to the servers, and they cannot log on to the domain if they log off. However, the option does not log users off their workstations, so they can continue to work locally.
The Logon To icon controls which workstations the user can log on to the domain with. Typically, users can log on anywhere, but you might have guest users or interns who need access to only a few workstations. This option lets you give a user access to only eight workstations, which is sufficient for a restricted user.
The Account icon has two functions. First, you can set up an account with a predefined expiration date, as Screen 5 shows. This option is useful for temporary employees and interns. Second, you can configure an account as global or local. Global accounts are the norm, and you set them up as regular domain accounts for users in the domain. You do not use a local account for users in your domain. Users cannot use local accounts to log on directly at a computer in your domain. A local account is a special account for a user from a domain where you do not have a trust relationship. When you configure a user's account as local, you give only that user permission to connect to your domain over the network from a computer in the user's domain. Other users from that domain cannot access your domain. If you have to set up several local accounts for users from another domain, you might want to set up a trust relationship with the domain.
You need to use the local account option sparingly, because it can constitute a security risk. Users sometimes share their local accounts. Thus, the local account becomes an easy way into your domain. Before you establish a trust relationship with a domain, cancel the local accounts. If users can connect via a trust relationship and a local account, they might have permissions problems. For example, a user's local account might have restrictions that prevent the user from gaining access through the trust relationship. Additionally, if a user has an open connection via a local account, you might not be able to establish a trust relationship.
The Dialin icon lets you define whether a user can dial in using a Remote Access Service (RAS) connection. Even if a user has a valid NT account, the user cannot dial in without this permission. You must also set the Call Back option, as Screen 6 shows. The default setting is No Call Back, which means a user connects as soon as the system validates the RAS dial-in. The other two options cause the RAS server to hang up and call back the user, for security and cost reasons. You can assign a preset callback number, or the caller can set the callback number. For more information about RAS, see "Remote Access Service," May 1997.
Put Your Knowledge to Work
Now you know what properties you can set for a user account. You can use these properties to balance the conflicting requirements of providing access to resources and maintaining security.