Administering Windows NT Server

Administering Windows NT Accounts In the following sections, youll see how to create and manage user and group accounts. Accounts dont just provide basic security by requiring users to identify themselves before logging on with a user name and password. They also provide the basis for securing access to just everything on the network, including files, printers, and other shared resources. The central tool for performing account management tasks is the ser manager for !omains utility. Introducing User Manager for Domains ser "anager for !omains is a graphical utility used to view, create, modify, and delete user accounts, local groups, and global groups. In addition, you can administer system#wide policies dealing with how accounts behave, what events are audited, and what rights each user and group has. Think of ser "anager for !omains as your interface to the $ecurity Account manager database of your domain and other domains on your network. %indows &T workstation includes a similar utility called ser manager. It enables you to manage user and group accounts on a single workstation. ser "anager for !omains has some significant differences, but if youre already familiar with ser "anager, you should be comfortable with much of the &T $erver version.

Administering Windows NT Server

Navigating in User Manager for Domains To start ser "anager for !omains, log on with administrator privileges and click $tart #' (rograms #' Administrative Tools #' ser "anager for !omains. )"embers of the Account *perators group can also administer accounts, but they cant manage administrator accounts or domain policies.+ ,oull see the window shown in -igure .. The upper half displays a list of user accounts. &T $erver automatically creates the two accounts Administrator and /uest. The lower half presents a list of local and global groups.

-igure . 0 ser "anager for !omains provides you with a window on the $A" database in your doamin and in other domains.

The /uest account, automatically created by &T during installation, allow users with no formal account or password to access resources on the network. sers in untrusted domains can gain access to your domain. This can be a big security hole. The good news is that by default, the /uest account is disabled. It is recommend leaving it that way. nfortunately, you cant delete the /uest account. 1y default, youre looking at the accounts in your own domain. ser "anager for !omains can administer accounts in other domains as well. To attach this utility to another domain, click $elect !omain on the ser menu. In the $elect !omain dialog bo2, type or click the domain that you want administer and click *3.

Administering Windows NT Server

If youre responsible for administering several domains, you may want to start multiple copies of sers "anager for !omains, each pointing to a different domain. This approach can be a real time#saver, allowing you to switch your attention quickly between domains to handle account maintenance tasks. If youre the only administrator in the network making changes to the account database, what you see in the ser "anager for !omains windows reflects the actual state of the $A" database. 4owever, if there are multiple administrators performing account maintenance on the network at the same time, you wont see each others changes displayed immediately. This utility periodically polls for changes made by other administrators on the network. If you want to be sure that what you5re seeing is absolutely up to date, click 6efresh on the 7iew menu. This will force the utility to gather the latest information. Establishing Account Polic 1efore creating any new user accounts, its a good idea to establish overall policies regarding how accounts should behave. ,ou can modify this behaviour any time, but it helps to understand these settings before you create individual accounts. To administer account policy, click Account on the (olicies menu. ,oull see the Account (olicy dialog bo2 shown in figure 8.

-igure 80 ,ou can manage account policies that define the behavior of all user accounts.

Administering Windows NT Server

Password !estrictions The Account (olicy dialog bo2 enables you to establish specific restrictions on passwords, and apply these restrictions to all accounts. The password parameters are0 Password E"#iration$ ,ou can make passwords live forever, or e2pire after a certain number of days. The default is a 98 day e2piration on all passwords. It is recommend e2piring all user passwords every :; to <; days. Password %ength$ ,ou can either allow blank passwords ) which is the default +, or specify a minimum length. It is recommend setting a minimum length of at least eight characters.

Password Uni&ueness$ $ome users swap between two standard passwords whenever their password e2pires. Although this is easy for them, it provides little password security. ,ou can direct &T to save a history of previous passwords, then use this information to force a user into changing his or her password to something brand new. The default keeps no history. Password Aging$ ,ou can allow passwords to change any time, or prevent changes for a certain number of days. The default allows changes immediately, with no minimum waiting period.

,ou need to consider how password uniqueness and password aging interact with each other. -or password uniqueness to be effective, you must not allow immediate changes to passwords. If you allow immediate changes, users who like to cycle between two standard passwords can immediately change passwords several times to get back to their old standard ones. 1y default. &T allows a user to log on once after his or her password has e2pired. It then forces the user to change the password. If you click to select the sers must log on in order to change password check bo2 at the bottom of the dialog bo2, &T wont e2tend this courtesy. If a users password e2pires, an administrator will have to intervene.

Administering Windows NT Server

Account %oc'out !estrictions nauthorised users often attempt to gain access to a computer or network with a valid user account name ) which is easy to guess in many organi=ations +. All they have to do is guess the password. $ome of these folks write programs to perform many repeated logon attempts over a short period of time. %ith the Account (olicy dialog bo2, shown in figure 8, you can disable the abused account after the number of failed logon attempts that you specify under >ockout After. It is recommend setting this to four attempts. nder reset ?ounter After, you can specify the ma2imum number of minutes between any two failed logon attempts for lockout to occur. $et this field to its ma2imum value. nder lockout !uration, you can specify whether an administrator needs to intervene to re#enable the account after lockout by clicking -orever. ,ou can also click !uration and type the number of minutes that the account should remain disabled. %ogon Time !estrcitions ,ou can specify a ma2imum number of logon hours for each account. &ormally when this time limit e2pires, the users e2isting server connections remain active, but he or she cant connect to additional servers. If you want to force all users to disconnect from all servers when the logon time limit is reached, click to select -orcibly disconnect remote users from server when logon hours e2pire, as shown in figure 8. This will cause &T to cut immediately all connections that the user has to servers in the domain when the logon hours e2pire. Pre#aring a User Profile Strateg (erhaps you have individual users who log on the network from various computers during the day. *f course, each person has their environment of desktop and menus set just how they like them, and youd like that environment to follow the user around from one computer to the ne2t. @very time a person logs on, he or she is greeted with his or her familiar desktop environment. (erhaps you want to present the same environment to all your users and control it centrally, to avoid problems caused by users tweaking their environments in nonstandard ways. %indows &T $erver enables you to centrali=e and download these environments, called user profiles. User Profiles There are three flavors of user profiles0 local, roaming, and mandatory. >ocal profiles are local to the computer on which theyre created and dont follow you if you logon on to another computer. 6oaming profiles act like your shadow, following you from one computer to the ne2t as you log on to the network. "andatory profiles are similar to roaming profiles, but theyre created and controlled by the network administrator. 1oth roaming and mandatory profiles live on a server and are downloaded to your computer when you log on to the network.

Administering Windows NT Server

,ou create a user profile with the $ystem application in ?ontrol (anel. ?lick the ser (rofiles tab , select an e2isting profile that you want to copy, click ?opy To, and provide a destination on the network. To change the user or group thats allowed to use the profile, click ?hange. !uring user account creation, youll need to specify a location where user profiles are centrally stored. $elect a computer that is running %indows &T server. The profiles are generally stored in the $ystem6ootA(6*-I>@$ directory, under a separate subdirectory for each user. -or e2ample, the profile for >I&!A would be stored in /0A%I&&TA(6*-I>@$A>I&!A. %ithin each profile directory, theres a file called &T $@6.!AT. To convert this to a mandatory profile, change the name to &T $@6."A&. %ogon Scri#ts A logon script is simply a batch file thats automatically run when you log on to the %indows &T $erver network from &T, !*$, %indows for %orkgroups, or *$B8 computer. >ogon scripts arent as powerful as profiles, but theyre the only way to go if youre logging on to the network from a non &T computer. $o, if a user will be logging on from computers running different operating systems, you may want to assign both a user profile and a logon script to his or her user account. >ogon scripts are stored in the directory $ystem6ootA$,$T@":8A6@(>AI"(*6TA$?6I(T$. Typically, one master set of logon scripts is stored on the primary domain controller )(!?+. ,ou then use directory replication to keep up to date copies on other domain controllers. 1y taking this approach. ,oure assured that users will have access to their logon scripts, regardless of which domain controller accepted their logon. (ome Directories @ach user account has a home directory associated with it, to be used for sorting personal files. ,ou can configure the user account to place the home directory on the users local computer, or you can opt to store home directories on the network. The latter approach is more fle2ible, since users can then access their home directories regardless of which computer they used to log on to the network. If you place home directories on the network, youll need to identify a server and directory where you want them to be located. %hen you create the account, specify a &? path name to the users home directory ) for e2ample, \\Server_Name\HomeDirs\Linda). &T automatically creates this directory and sets permissions on it to allow access only by the user account that youre creating.

Administering Windows NT Server

Adding a ser Account 4eres how to add and configure a new &T user account0 .. *n the user menu, click &ew ser. Type the appropriate values in the sername, -ull &ame. !escription, (assword, and ?onfirm (assword fields, as shown in figure :. The !escription field is optional. ,ou can use it for department names, job tittles, office locations, and so forth.

-igure : 0 In the &ew ser dialog bo2, you can add a new user account by specifying its name, password, and other information.

8. ?lick to select the ser "ust ?hange (assword at &e2t >ogon check bo2. This check bo2 is selected by default. -orcing your users to change their passwords to something unknown to administrators provides ma2imum security. :. If you dont want the user to be able to change the account password, click to select the ser cannot ?hange password check bo2. If more than one user will share this account, you may want to prevent the users from changing passwords on each other. 4owever, it is recommend that not to let users share accounts.

Administering Windows NT Server

9. If you want to prevent this particular account password from e2piring, click to select the (assword &ever @2pire check bo2. C. If you want this account temporarily disabled so that no one can use it, click to select the Account !isabled check bo2. <. ?lick groups. In the /roup "emberships dialog bo2, shown in figure 9, under &ot "ember of, click to select the groups that you want this account to join. Then click Add. %hen youre done adding groups, click *3.

-igure 9 0 In the /roup "emberships dialog bo2, you can make this account a member of e2isting groups.

Administering Windows NT Server