Managing Existing User and Group Accounts
from Chapter 9, Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek.
In a perfect world, you could create user and group accounts and never have to touch them again. Unfortunately, we live in the real world. After you create accounts, you'll spend a lot of time managing them. This chapter provides guidelines and tips to make that task easier.
Managing User Contact Information
Active Directory is a directory service. When you create user accounts, those accounts can have detailed contact information associated with them. The contact information is then available to anyone in the domain tree or forest and can be used to search for users and to create address book entries.
Setting Contact Information
You can set contact information for a user account by completing the following steps:
Double-click the user name in Active Directory Users And Computers. This opens the account's Properties dialog box.
Select the General tab, shown in Figure 9-1. Use the following fields to set general contact information:
First Name, Initials, Last Name Sets the user's full name.
Display Name Sets the user's display name as seen in logon sessions and in Active Directory.
Description Sets a description of the user.
Office Sets the user's office location.
Telephone Number Sets the user's primary business telephone number. If the user has other business telephone numbers that you want to track, click Other and then use the Phone Number (Others) dialog box to enter additional phone numbers.
E-Mail Sets the user's business e-mail address.
Figure 9-1: Use the General tab to configure general contact information for the user. This information can then be used in searches and address books.
Web Page Sets the Uniform Resource Locator (URL) of the user's home page, which can be either on the Internet or on the company intranet. If the user has other Web pages that you want to track, click Other and then use the Web Page Address (Others) dialog box to enter additional Web page addresses.
Tip The E-Mail and Web Page fields must be filled in if you want to use the Send Mail and Open Home Page features of Active Directory Users And Computers. For more information, see the section in this chapter entitled "Updating User and Group Accounts."
Select the Address tab. Use the fields provided to set the user's business or home address. You'll usually want to enter the user's business address. In this way, you can track the business locations and mailing addresses of users at various offices.
Note: You need to consider privacy issues before you enter users' home addresses. Discuss the matter with your Human Resources and Legal departments. You may also want to get user consent prior to releasing home addresses.
Select the Telephones tab. Type the primary telephone numbers that should be used to contact the user, such as home, pager, mobile, fax and IP phone.
Other numbers can be configured for each type of telephone number. Click the associated Others button and then use the dialog box provided to enter additional phone numbers.
Select the Organization tab. As appropriate, type the user's title, department, and company.
To specify the user's manager, click Change and then select the user's manager in the Select User Or Contact dialog box. When you specify a manager, the user shows up as a direct report in the manager's account.
Click Apply or OK to apply the changes.
Searching for Users and Creating Address Book Entries
Active Directory makes it easy for you to find users in the directory and then create address book entries using search results. Normally, these are tasks that you'll need to help users with. You do that by completing the following steps:
Click Start, point to Search, and then click For People. This opens the dialog box shown in Figure 9-2.
Click the Look In list box, select Active Directory, and then type the name or e-mail address of the user you want to search for.
Click Find Now to begin the search. If matches are found, the search results are displayed. Otherwise, type new search parameters and search again.
You can view an account's properties by selecting a display name and then clicking Properties.
You can add contact information to an address book by selecting a display name and then clicking Add To Address Book.
Figure 9-2: Search for users in Active Directory, and then use the results to create address book entries.
Configuring the User's Environment Settings
User accounts can also have profiles, logon scripts, and home directories associated with them. To configure these optional settings, double-click a display name in Active Directory Users And Computers and then select the Profile tab, shown in Figure 9-3. In the Profile tab you can set the following fields:
Profile Path The path to the user's profile. Profiles provide the environment settings for users. Each time a user logs on to a computer, that user's profile is used to determine desktop and control panel settings, the availability of menu options and applications, and more. Setting the profile path is covered later in this chapter in the section entitled "Managing User Profiles."
Logon Script The path to the user's logon script. Logon scripts are batch files that run whenever a user logs on. You use logon scripts to set commands that should be executed each time a user logs on. Chapter 4 discusses logon scripts in detail.
Local Path The directory the user should use for storing files. Here, you assign a specific directory for the user's files. If the directory is available to the network, the user can access the directory from any computer on the network.
Figure 9-3: The Profile tab allows you to create a user profile. Profiles let you configure the network environment for a user.
System Environment Variables
System environment variables often come in handy when you're setting up the user's environment, especially when you work with logon scripts. You'll use environment variables to specify path information that can be dynamically assigned. The environment variables you'll use the most are the following:
%SystemRoot% The base directory for the Microsoft Windows 2000 operating system, such as C:\WIN2000. Use it with the Profile tab of the user's Properties dialog box and logon scripts.
%UserName% The user account name, such as WRSTANEK. Use it with the Profile tab of the user's Properties dialog box and logon scripts.
%HomeDrive% The drive letter of the user's home directory, such as C:. Use it with logon scripts.
%HomePath% The full path to the user's home directory on the respective home drive, such as \USERS\MKG\GEORGEJ. Use it with logon scripts.
%Processor_Architecture% The processor architecture of the user's computer, such as x86. Use it with logon scripts.
Figure 9-4 shows how you might use environment variables when creating user accounts. Note that by using the %UserName% variable, you allow the system to determine the full path information on a user-by-user basis. If you use this technique, you can use the same path information for multiple users and all the users will have unique settings.
Figure 9-4: When you use the Profile tab, environment variables can save you typing, especially when you create an account based on another account.
Logon scripts set commands that should be executed each time a user logs on. You can use logon scripts to set the system time, network drive paths, network printers, and more. Although you can use logon scripts to execute one-time commands, you shouldn't use them to set environment variables. Any environment settings used by scripts aren't maintained for subsequent user processes. Also, you shouldn't use logon scripts to specify applications that should run at startup. You should set startup applications by placing the appropriate shortcuts in the user's Startup folder.
Normally, logon scripts contain Windows 2000 commands. However, logon scripts can be
Windows Script Host files with the .VBS, .JS, or other valid script file extensions
Batch files with the .BAT extension
Command files with the .CMD extension
Executable programs with the .EXE extension
One user or many users can use a single logon script, and as the administrator, you control which users use which scripts. As the name implies, logon scripts are accessed when users log on to their accounts. You can specify a logon script by completing the following steps:
Access the user's Properties dialog box in Active Directory Users And Computers, and then choose the Profile tab.
Enter the path to the logon script in the Logon Script field. Be sure to set the full path to the logon script, such as \\ZETA\USER_LOGON\ENG.VBS.
Note: You can specify logon and logoff scripts using other techniques. For complete details, see the section in Chapter 4 entitled "User and Computer Script Management."
Creating logon scripts is easier than you might think, especially when you use the Windows 2000 command language. Just about any command you can type into a command prompt can be set to run in a logon script. The most common tasks you'll want logon scripts to handle are to set the default printers and network paths for users. You can set this information with the NET USE command. The following NET USE commands define a network printer and a network drive:
net use lpt1: \\zeta\deskjet
net use g: \\gamma\corp\files
If these commands were in the user's logon script, the user would have a network printer on LPT1 and a network drive on G.
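A logon script runs in the security context of every user it is assigned to, at every logon, so anyone who can write to the script (or to the directory it lives in) can run code as all of those users. The following is an added example, not code from the book: it enumerates the scripts assigned through the Logon Script field and reports NTFS Allow entries that give write access to principals other than the expected administrative ones. It assumes the RSAT ActiveDirectory module, that scriptPath values are either UNC paths (as in the \\ZETA\USER_LOGON\ENG.VBS example) or relative to the domain's NETLOGON share, and the default domain group names. Share-level permissions, Deny entries and entries expressed as raw generic rights are not evaluated, so review a hit by hand before acting on it.

```powershell
# Added example (not from the book). Assumptions: RSAT ActiveDirectory module on a
# domain-joined host; default group names; NTFS ACLs only (share ACLs, Deny ACEs and
# raw generic-right values are not decoded).
$domain = Get-ADDomain
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"
)
# Any of these rights lets a principal alter the script or swap it for another file.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-NonAdminWriteAccess {
    param([Parameter(Mandatory)] [string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedWriters -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

function Resolve-LogonScriptPath {
    param([string]$ScriptPath)
    if ($ScriptPath -match '^\\\\') { return $ScriptPath }           # already a UNC path
    return Join-Path "\\$($domain.DNSRoot)\NETLOGON" $ScriptPath     # relative to NETLOGON
}

# Every distinct script referenced by a user's Logon Script field.
$scripts = Get-ADUser -LDAPFilter '(scriptPath=*)' -Properties scriptPath |
    ForEach-Object { Resolve-LogonScriptPath $_.scriptPath } |
    Sort-Object -Unique

$findings = foreach ($script in $scripts) {
    if (-not (Test-Path -LiteralPath $script)) {
        # A missing script is still assigned: if its directory is writable, anyone can supply one.
        Write-Warning "Assigned logon script not found: $script"
        continue
    }
    Test-NonAdminWriteAccess -Path $script                 # the file itself
    Test-NonAdminWriteAccess -Path (Split-Path $script)    # and its directory (rename-and-replace)
}
$findings | Format-Table -AutoSize
```

An empty result means only the trusted principals hold write rights on every assigned script and its parent directory. Anything else is a path by which an ordinary user could become every user the script is assigned to, including administrators who share it.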
Assigning Home Directories
Windows 2000 lets you assign a home directory for each user account. Users can use this directory to store and retrieve their personal files. Many applications use the home directory as the default for File Open and Save As operations, which helps users find their resources easily. The command prompt also uses the home directory as the initial current directory.
Home directories can be located on a user's local hard disk drive or on a shared network drive. On a local drive, the directory is only accessible from a single workstation. On the other hand, shared network drives can be accessed from any computer on the network, which makes for a more versatile user environment.
Tip Although users can share home directories, it's not a good idea. You'll usually want to provide each user with a unique home directory.
You don't need to create the user's home directory ahead of time. Active Directory Users And Computers automatically creates the directory for you. But if there's a problem creating the directory, Active Directory Users And Computers will instruct you to create it manually.
To specify a local home directory:
Access the user's Properties dialog box in Active Directory Users And Computers, and then choose the Profile tab.
Click the Local Path option button, and then enter the path to the home directory in the associated field. Here's an example: C:\Home\%UserName% .
To specify a network home directory, complete the following steps:
Access the user's Properties dialog box in Active Directory Users And Computers, and then choose the Profile tab.
Click the Connect option button, and then select a drive letter for the home directory. For consistency, you should use the same drive letter for all users. Also, be sure to select a drive letter that won't conflict with any currently configured physical or mapped drives. To avoid problems, you may want to use Z as the drive letter.
Type the complete path to the home directory using the Universal Naming Convention (UNC) notation, such as: \\GAMMA\USER_DIRS\%UserName%. You include the server name in the drive path to ensure that the user can access the directory from any computer on the network.
Note: If you don't assign a home directory, Windows 2000 uses the default local home directory. On systems where Windows 2000 is installed as an upgrade, this directory is \Users\Default. Otherwise, this directory is the root directory.
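Creating the directory by hand (or letting Active Directory Users And Computers create it) leaves it with whatever permissions the share root passes down, which is how users end up able to browse each other's home directories. The following is an added example, not code from the book: it creates one user's directory under the \\GAMMA\USER_DIRS share used in the text, replaces the inherited permissions with an explicit list (the user, SYSTEM and Domain Admins only), and points the account at it with the Connect option and drive Z. It assumes the RSAT ActiveDirectory module, an administrative session on a domain-joined host, and that the share already exists; the share path and the OU are hypothetical, and the expanded user name is written rather than the %UserName% placeholder the dialog expands for you.

```powershell
# Added example (not from the book). Assumptions: RSAT ActiveDirectory module, admin
# rights on the file server share, and a hypothetical share \\GAMMA\USER_DIRS and OU.
function New-UserHomeDirectory {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [string]$ShareRoot   = '\\GAMMA\USER_DIRS',
        [string]$DriveLetter = 'Z'
    )
    $netbios = (Get-ADDomain).NetBIOSName
    $path    = Join-Path $ShareRoot $SamAccountName
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    # Replace inherited permissions with an explicit list. Cutting inheritance means
    # nothing granted on the share root (for example, to Domain Users so that
    # directories can be created) leaks into the user's private folder.
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)   # protect the ACL, discard inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $grants  = @(
        @("$netbios\$SamAccountName", 'Modify'),      # Modify lacks ChangePermissions, so the user cannot re-share the folder
        @('NT AUTHORITY\SYSTEM',       'FullControl'),
        @("$netbios\Domain Admins",    'FullControl')
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g[0], $g[1], $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $path -AclObject $acl

    # The Connect option with drive Z and a UNC path, as in the steps above.
    Set-ADUser -Identity $SamAccountName -HomeDrive "${DriveLetter}:" -HomeDirectory $path
    return $path
}

# Provision every enabled user in the (hypothetical) OU that has no home directory yet.
Get-ADUser -SearchBase 'OU=Engineering,DC=example,DC=com' -Filter 'Enabled -eq $true' -Properties HomeDirectory |
    Where-Object { -not $_.HomeDirectory } |
    ForEach-Object { New-UserHomeDirectory -SamAccountName $_.SamAccountName }
```

Granting the user Modify rather than Full Control is deliberate: Modify does not include the right to change permissions, so the user cannot undo the isolation by granting colleagues access to the folder.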
Setting Account Options and Restrictions
Windows 2000 provides many ways to control user accounts and their access to the network. You can define logon hours, permitted workstations for logon, dial-in privileges, and more.
Managing Logon Hours
Windows 2000 allows you to control when users can log on to the network. You do this by setting their valid logon hours. You can use logon hour restrictions to tighten security and prevent system cracking or malicious conduct after normal business hours.
During valid logon hours, users can work as they normally do. They can log on to the network and access network resources. During restricted logon hours, users can't work. They can't log on to the network or make connections to network resources. If users are logged on when their logon time expires, what follows depends on the account policy you've set for them. Generally, one of two things happens to the user:
Forcibly disconnected You can set a policy that tells Windows 2000 to forcibly disconnect Windows 2000 users when their logon hours expire. If this policy is set, the user's connections to servers (for example, SMB sessions to shared folders) are closed when the hours expire. The policy acts on the server side of those sessions; it does not log an interactive desktop session off the workstation.
Not disconnected Users aren't disconnected from the network when they enter the restricted hours. Instead, Windows 2000 simply doesn't allow them to make any new network connections.
Configuring Logon Hours
To configure the logon hours, follow these steps:
Access the user's Properties dialog box in Active Directory Users And Computers and then choose the Account tab.
Click the Logon Hours button. You can now set the valid and invalid logon hours using the Logon Hours dialog box shown in Figure 9-5. Logon Hours features are listed in Table 9-1.
Figure 9-5: Configure logon hours for users using the fields provided.
In this dialog box each hour of the day or night is a field that you can turn on and off.
Hours that are allowed are filled in with a dark bar—you can think of these hours as being turned on.
Hours that are disallowed are blank—you can think of these hours as being turned off.
To change the setting for an hour, click it. Then select either the Logon Permitted or Logon Denied option button.
Table 9-1 Logon Hours Features
All: Allows you to select all the time periods.
Day of week buttons: Allow you to select all the hours in a particular day.
Hour buttons: Allow you to select a particular hour for all the days of the week.
Logon Permitted: Sets the allowed logon hours.
Logon Denied: Sets the disallowed logon hours.
Tip When you set logon hours, you'll save yourself a lot of work in the long run if you give users a moderately restricted time window. For example, rather than explicit 9–5 hours, you may want to allow a few hours on either side of the normal work hours. This will let the early birds onto the system and allow the night owls to keep working until they finish for the day.
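Behind the dialog, logon hours are stored in the user's logonHours attribute: 21 bytes, one bit per hour of the week, bit 0 of byte 0 being Sunday 00:00 to 01:00 in UTC, least-significant bit first within each byte, with a set bit meaning logon is permitted. An absent attribute means every hour is permitted. The following is an added example, not code from the book, that builds that mask for the moderately restricted window the tip recommends, converts local hours to UTC, decodes a mask back into a readable week so you can check it (or audit another account), and writes it with Set-ADUser. It assumes the RSAT ActiveDirectory module, a domain-joined administrative session, whole-hour UTC offsets, and a hypothetical account georgej.

```powershell
# Added example (not from the book). Assumptions: RSAT ActiveDirectory module, admin
# rights, whole-hour UTC offset, hypothetical account 'georgej'.
function New-LogonHoursMask {
    param(
        [Parameter(Mandatory)] [int[]]$Days,     # 0 = Sunday .. 6 = Saturday, local days
        [Parameter(Mandatory)] [int]$StartHour,  # first permitted local hour, 0-23
        [Parameter(Mandatory)] [int]$EndHour,    # first local hour after the window, 1-24
        [int]$UtcOffsetHours = 0                 # local offset from UTC, e.g. -8 for Pacific Standard Time
    )
    $mask = New-Object byte[] 21   # 168 bits, all clear = logon denied at every hour
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Shift the local hour to UTC and wrap around the week, so a window that
            # crosses midnight UTC or the Saturday/Sunday boundary lands on the right bits.
            $bit   = (($d * 24 + $h - $UtcOffsetHours) % 168 + 168) % 168
            $index = [int][math]::Floor($bit / 8)
            $mask[$index] = $mask[$index] -bor (1 -shl ($bit % 8))
        }
    }
    return ,$mask   # unary comma keeps the byte[] intact for Set-ADUser -Replace
}

function ConvertFrom-LogonHoursMask {
    param([byte[]]$Mask)
    $names = 'Sun','Mon','Tue','Wed','Thu','Fri','Sat'
    for ($d = 0; $d -lt 7; $d++) {
        $row = ''
        for ($h = 0; $h -lt 24; $h++) {
            $bit = $d * 24 + $h
            $set = ($Mask[[int][math]::Floor($bit / 8)] -band (1 -shl ($bit % 8))) -ne 0
            $row += $(if ($set) { '#' } else { '.' })
        }
        '{0} UTC {1}' -f $names[$d], $row   # one character per hour, 00:00 on the left
    }
}

# Weekdays 06:00-20:00 local: a few hours of slack on either side of 9-5, per the tip.
# The offset is the one in effect now; the attribute itself has no notion of DST, so
# the stored window moves an hour relative to local time when DST starts or ends.
$offset = [System.TimeZoneInfo]::Local.GetUtcOffset([datetime]::UtcNow).TotalHours
$mask   = New-LogonHoursMask -Days (1..5) -StartHour 6 -EndHour 20 -UtcOffsetHours $offset
ConvertFrom-LogonHoursMask $mask          # inspect the week before writing it

Set-ADUser -Identity georgej -Replace @{ logonHours = $mask }

# Read it back and decode it; the same call audits any other account's restriction.
ConvertFrom-LogonHoursMask (Get-ADUser georgej -Properties logonHours).logonHours
```

Decoding is worth the few extra lines: a mask that is off by one byte or built with the wrong bit order still writes successfully, and the only symptom is users locked out at the wrong hours.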
Enforcing Logon Hours
If you want to forcibly disconnect users when their logon hours expire, complete the following steps:
Access the group policy container you want to work with, as detailed in Chapter 4 in the section entitled "Managing Site, Domain, and Unit Policies."
Access the Security Options node, shown in Figure 9-6, by working your way down through the console tree. Expand Computer Configuration, Windows Settings, and then Security Settings. In Security Settings, expand Local Policies and then select Security Options.
Double-click Automatically Log Off Users When Logon Time Expires. This opens a Properties dialog box for the policy.
Select the Define This Policy Setting check box and then click Enabled. This turns on the policy restriction and enforces the logon hours. Click OK.
Figure 9-6: Access the Security Options node in Group Policy.
Setting Permitted Logon Workstations
Windows 2000 has a formal user right that allows users to log on to systems locally. This right controls whether or not a user can sit at the computer's keyboard and log on. By default, on Windows 2000 workstations any valid user account can log on locally; that includes the Guest account where it has been enabled.
As you might imagine, allowing users to log on to any workstation is a big security no-no. Unless you restrict workstation use, anyone who obtains a user name and password can use it to log on to any workstation in the domain. By defining a permitted workstation list, you narrow that opening and reduce the risk. Now not only must attackers find a user name and password, they must also find, and get to, a permitted workstation for the account. The domain controller enforces the list against the workstation name presented in the logon request, so treat it as a defense-in-depth measure that complements strong credentials rather than replacing them.
Note: The permitted logon workstation restrictions only affect Microsoft Windows 2000 and Windows NT computers in the domain. If there are any Microsoft Windows 95 or Windows 98 computers in the domain, they aren't subject to the restrictions, which means you only need a valid user name and password to log on to these systems.
For domain users, you define permitted logon workstations by completing the following steps:
Access the user's Properties dialog box in Active Directory Users And Computers, and then choose the Account tab.
Open the Logon Workstations dialog box by clicking the Log On To button.
Select The Following Computers option button, shown in Figure 9-7.
Figure 9-7: To restrict access to workstations, specify the permitted logon workstations.
Type the name of a permitted workstation and then click Add. Repeat this procedure to specify additional workstations.
If you make a mistake, select the erroneous entry and then click Edit or Remove, as appropriate.
Setting Dial-In Privileges
Windows 2000 lets you set dial-in privileges for accounts using the Dial-In tab of the user's Properties dialog box. As shown in Figure 9-8, dial-in privileges are controlled through Remote Access Policy by default. This is the preferred method of controlling remote access. You can explicitly grant or deny dial-in privileges by selecting Allow Access or Deny Access. In any event, before users can dial in to the network, you'll need to complete the following steps:
Install Remote Access Services using Configure Your Server.
To enable remote access connections, configure the group policy for a site, domain, or organizational unit. You do this using the Network Dial-Up And Connections node. Expand User Configuration, Administrative Templates, and then Network. Then select Network Dial-Up And Connections.
Configure remote access using Routing And Remote Access. In Computer Management, expand Services And Applications, and then select Routing And Remote Access.
Figure 9-8: Dial-in privileges control remote access to the network.
After you grant a user permission to access the network remotely, configure the following additional dial-in parameters using the Dial-In tab of the user's Properties dialog box (see Figure 9-8). Complete the following steps:
If the user must dial in from a specific phone number, select Verify Caller-ID and then type the telephone number from which this user is required to log on. Your telephone system must support Caller ID for this feature to work.
Define callback parameters using the following options:
No Callback Allows the user to dial in directly and remain connected. The user pays the long-distance telephone charges, if applicable.
Set By Caller Allows the user to dial in directly, and then the server prompts the user for a callback number. Once the number is entered, the user is disconnected and the server dials the user back at the specified number to reestablish the connection. The company pays the long-distance telephone charges, if applicable.
Note: You shouldn't assign callback for users who dial in through a switchboard. The switchboard may not allow the user to properly connect to the network.
Always Callback To Allows you to set a predefined callback number for security purposes. When a user dials in, the server calls back the preset number. The company pays the long-distance telephone charges, if applicable, and reduces the risk of an unauthorized person accessing the network.
Note: You shouldn't use preset callback numbers with multilinked lines. The multilinked lines won't function properly.
If necessary, you can also assign static IP addresses and static routes for dial-in connections using Assign A Static IP Address and Apply Static Routes, respectively. For more information on IP addresses and routing, see Chapter 15.
Setting Account Security Options
The Account tab of the user's Properties dialog box has many options designed to help you maintain a secure network environment. Use these options to control how user accounts are used and what options are available. The options are:
User Must Change Password At Next Logon Forces the user to change the account password at the next logon.
User Cannot Change Password Doesn't allow the user to change the account password.
Password Never Expires Ensures the account password never expires, which overrides the normal password expiration period.
Caution: Selecting this option creates a security risk on the network. Although it is sometimes used for administrator and service accounts, you shouldn't use it with normal user accounts in most cases, and any account that keeps it should have a long, unique password that is rotated by other means.
Store The Password Using Reversible Encryption Stores the password in a form the domain controller can decrypt back to clear text. A few authentication protocols need this (CHAP for dial-in users, Digest authentication), but anyone who can read the directory database can then recover the password, so leave the option clear unless such a protocol requires it.
Account Is Disabled Disables the account, which prevents the user from logging on and accessing the network.
Smart Card Is Required For Interactive Logon Requires the user to log on to a workstation using a smart card. The user can't log on to the workstation by typing a logon name and password at the keyboard.
Account Is Trusted For Delegation Specifies that a service running under this account can use Kerberos delegation: when a user authenticates to the service, the service can obtain tickets to other services in that user's name and act as the user. This is meant for service accounts (for example, a front-end server that must reach a database as the connecting user), not for people.
Note: Most accounts don't need to be trusted for delegation. Any account that is can impersonate every user that authenticates to it, which makes it a high-value target, so grant the option only to service accounts that genuinely need it and keep the list short.
Account Is Sensitive And Cannot Be Delegated Specifies that this account's credentials can never be delegated, even by a service that is trusted for delegation. Set this option on administrator and other privileged accounts so that a compromised delegating service cannot act in their name. It has no bearing on whether the user can manage Active Directory objects; that is governed by the permissions on the objects themselves.
Use DES Encryption Types For This Account Specifies that the account's Kerberos keys use DES (Data Encryption Standard). DES is a weak cipher by modern standards; set this only for an account that must interoperate with a legacy Kerberos implementation that supports nothing stronger.
Do Not Require Kerberos Preauthentication Specifies that the KDC will issue an initial ticket for this account without first requiring the client to prove it knows the password. Preauthentication is part of the Kerberos version 5 procedure; the option to log on without it exists for clients that use an earlier or nonstandard implementation of Kerberos. Without it, anyone can request a ticket-granting reply for the account and obtain material encrypted under its password-derived key, which allows unlimited offline password guessing, so leave the option clear unless such a client requires it.
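Each of these check boxes is a bit in the user's userAccountControl attribute, which makes the risky combinations easy to find across the whole domain rather than one Properties dialog at a time. The following is an added example, not code from the book: it decodes the attribute into flag names, reports the options discussed above that weaken an account (no preauthentication, reversible encryption, DES-only keys, no password required, unconstrained delegation, non-expiring passwords, and privileged accounts that are not marked sensitive), and shows the LDAP bitwise-AND filter that makes the domain controller do the same selection server-side. The flag values are the documented userAccountControl bits; the sample records are constructed so the decoder runs without a domain, and the live query at the end assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not from the book). Flag values are the documented userAccountControl
# bits; sample records below are constructed, not real accounts.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0000002   # Account Is Disabled
    PASSWD_NOTREQD                 = 0x0000020   # blank password allowed (not exposed in the dialog)
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0000080   # Store The Password Using Reversible Encryption
    DONT_EXPIRE_PASSWORD           = 0x0010000   # Password Never Expires
    SMARTCARD_REQUIRED             = 0x0040000   # Smart Card Is Required For Interactive Logon
    TRUSTED_FOR_DELEGATION         = 0x0080000   # Account Is Trusted For Delegation
    NOT_DELEGATED                  = 0x0100000   # Account Is Sensitive And Cannot Be Delegated
    USE_DES_KEY_ONLY               = 0x0200000   # Use DES Encryption Types For This Account
    DONT_REQ_PREAUTH               = 0x0400000   # Do Not Require Kerberos Preauthentication
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition (later Windows versions)
}

function ConvertFrom-UserAccountControl {
    param([int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-RiskyAccountOptions {
    # Input objects need SamAccountName, userAccountControl and adminCount
    # (adminCount=1 marks members of protected groups such as Domain Admins).
    param([Parameter(ValueFromPipeline)] $User)
    process {
        $set = @(ConvertFrom-UserAccountControl $User.userAccountControl)
        $findings = @()
        if ($set -contains 'DONT_REQ_PREAUTH')           { $findings += 'no Kerberos preauthentication: ticket material can be requested by anyone and guessed offline' }
        if ($set -contains 'ENCRYPTED_TEXT_PWD_ALLOWED') { $findings += 'reversible encryption: password recoverable by anyone who can read the directory database' }
        if ($set -contains 'USE_DES_KEY_ONLY')           { $findings += 'DES-only Kerberos keys' }
        if ($set -contains 'PASSWD_NOTREQD')             { $findings += 'password not required' }
        if ($set -contains 'TRUSTED_FOR_DELEGATION')     { $findings += 'unconstrained delegation: can act as any user that authenticates to it' }
        if ($set -contains 'DONT_EXPIRE_PASSWORD' -and $set -notcontains 'SMARTCARD_REQUIRED') { $findings += 'password never expires' }
        if ($User.adminCount -eq 1 -and $set -notcontains 'NOT_DELEGATED') { $findings += 'privileged account not marked sensitive, so its credentials can be delegated' }
        if ($findings) {
            [pscustomobject]@{ Account = $User.SamAccountName; Flags = ($set -join ','); Findings = $findings }
        }
    }
}

# Constructed sample records standing in for Get-ADUser output, so this runs offline.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'georgej';  userAccountControl = 0x200;    adminCount = 0 }  # NORMAL_ACCOUNT only: no findings
    [pscustomobject]@{ SamAccountName = 'svc-web';  userAccountControl = 0x410200; adminCount = 0 }  # NORMAL | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    [pscustomobject]@{ SamAccountName = 'wrstanek'; userAccountControl = 0x10200;  adminCount = 1 }  # admin, password never expires, not marked sensitive
)
$sample | Get-RiskyAccountOptions | Format-List

# Live equivalent: the LDAP_MATCHING_RULE_BIT_AND rule (1.2.840.113556.1.4.803) selects
# accounts with a bit set on the domain controller; 4194304 is DONT_REQ_PREAUTH.
# Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' -Properties userAccountControl, adminCount |
#     Get-RiskyAccountOptions
```

Run against the sample data, georgej produces nothing, svc-web is reported for the missing preauthentication and the non-expiring password, and wrstanek for the non-expiring password and for being a privileged account that has not been marked sensitive.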
from Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.