Users: Concepts
individual to log on to a computer or network. The two kinds of user
accounts in WS2003-based networks are:
- Local user account: Enables a user to log on to a standalone server to access resources on that computer. Local users are stored on the computer on which they are created, in the computer's local security database. Local users can't be created on domain controllers, but they can be created on member servers belonging to a domain.
- Domain user account: Enables a user to log on to a domain to access resources on computers in the domain. Domain users are domainwide in scope and are stored within Active Directory. Domain user accounts are internally identified within Active Directory by their security identifier (SID). If you delete an account and create a new account with the same name, it will have a different SID than the deleted account.
Built-in Accounts
In addition, a number of built-in user accounts are created when WS2003 is installed:
- Administrator: An account that has full administrative rights for the domain or computer.
- Guest: An account used to grant temporary access to network resources in the domain or computer. This account is disabled by default and should be enabled only when needed.
On a member server or client computer, the Administrator and Guest
accounts are local user accounts and are stored in the local security
database. For example, the Administrator account on a member server
has full administrative rights on that member server and no rights on
any other computer in the network. On a domain controller, however,
these accounts are domain user accounts and are stored in Active
Directory. Therefore, the Administrator account on a domain
controller has full rights on every computer in the domain. Depending
on which optional components of WS2003 are installed, there may be
other built-in user accounts. Table 4-53 lists some
of the most common of these accounts.
Account | Name | Description |
---|---|---|
Internet Guest account | IUSR | Used by Internet Information Services (IIS) to provide anonymous users with access to IIS resources |
Launch IIS Process account | IWAM | Used by IIS to launch out-of-process web applications |
TsInternetUser | TsInternetUser | Used by Terminal Services |
krbtgt | krbtgt | Key Distribution Center service account (disabled by default) |
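The following PowerShell script is an added example, not code from the book, that checks the points made in this section: it resolves an account name to its SID, infers local versus domain scope from the authority the SID maps back to (COMPUTERNAME\name versus DOMAIN\name), flags the built-in Administrator, Guest and krbtgt accounts by their well-known RIDs (500, 501, 502) rather than by display name, and reads the account's disabled flag so you can confirm that Guest is still disabled. It assumes a WS2003-or-later machine with PowerShell, joined to a domain for the krbtgt lookup; the function name Get-AccountInfo is my own.

```powershell
# Added example (not from the book): resolve accounts to SIDs, classify scope,
# and identify built-in accounts by well-known RID. Function name is my own.
function Get-AccountInfo {
    param([Parameter(Mandatory = $true)][string]$Name)   # e.g. 'Guest' or 'CORP\jsmith'

    $ntAccount = New-Object System.Security.Principal.NTAccount($Name)
    try {
        $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        return New-Object PSObject -Property @{ Name = $Name; Resolved = $false }
    }

    # Translating the SID back gives the canonical AUTHORITY\name form: a local
    # account comes back as COMPUTERNAME\name, a domain account as DOMAIN\name.
    $canonical = $sid.Translate([System.Security.Principal.NTAccount]).Value
    $authority, $sam = $canonical.Split('\')
    $scope = if ($authority -ieq $env:COMPUTERNAME) { 'Local' } else { 'Domain' }

    # Built-in accounts keep their RID even when renamed, so test the SID,
    # not the display name: 500 = Administrator, 501 = Guest, 502 = krbtgt.
    $builtIn = 'None'
    foreach ($kind in 'AccountAdministratorSid', 'AccountGuestSid', 'AccountKrbtgtSid') {
        $wellKnown = [Enum]::Parse([System.Security.Principal.WellKnownSidType], $kind)
        if ($sid.IsWellKnown($wellKnown)) { $builtIn = $kind }
    }

    # The WinNT ADSI provider exposes the disabled flag for local and domain accounts.
    $disabled = [bool]([ADSI]"WinNT://$authority/$sam,user").AccountDisabled

    New-Object PSObject -Property @{
        Name     = $canonical
        SID      = $sid.Value
        Scope    = $scope
        BuiltIn  = $builtIn
        Disabled = $disabled
        Resolved = $true
    }
}

# Usage: the built-in accounts from this section; add any other account name you want checked.
'Administrator', 'Guest', 'krbtgt' | ForEach-Object { Get-AccountInfo $_ } |
    Format-Table Name, SID, Scope, BuiltIn, Disabled -AutoSize
```

Run on a member server, Administrator and Guest report Scope = Local; run on a domain controller they report Scope = Domain, matching the text below. A Guest row with Disabled = False is worth a second look, since the account is meant to be disabled unless it is needed.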
User Profiles
A user profile is a collection of
files that stores the desktop
configuration and personal settings of a user. User profiles ensure
that users have consistent desktop and application settings each time
they log on to their machines. User profiles can also be stored on
the network to enable users to access their desktop and personal
settings from any machine on the network and can be configured either
to allow or prevent users from modifying their settings.
Specifically, a user profile stores information about a
user's desktop settings, wallpaper, screen
resolution, desktop icons, Start menu items, files stored in his
My Documents folder, network connections, mapped
drives, and network shortcuts to shared folders and printers located
on network servers.

The three types of user profiles are local, roaming, and mandatory.
These three types allow administrators to control
users' desktop environments in a variety of ways.
Local User Profile
This user profile is stored on
the local
machine. A local user profile (or local profile) for a user is
created the first time a user logs on locally to a machine. These
local profiles are stored by default in subfolders of
C:\Documents and Settings. Each subfolder is
named after the username of a user who has logged on locally to the
machine at least once. For example, the local profile for
Administrator is located in the folder C:\Documents and Settings\Administrator and consists of a series of subfolders and files within the Administrator folder.

When a user makes changes to her desktop (e.g., changes the
wallpaper) and then logs off, the local profile is updated to reflect
any changes made by the user during the session. When the user next
logs on, the settings will reflect these changes made during the
previous session. If multiple users use the same machine, each user
will have his own, separate, local profile stored in the folder
C:\Documents and Settings\<username>. Each
user's settings will be preserved regardless of what
the other users do while they are logged on to the machine.
Roaming User Profile
By storing users' profiles on a
network
file server and configuring users' accounts with
information about where their profiles can be found, you give users
the ability to roam around the network, log on to any client machine,
and retrieve their own personal desktop settings for use on that
machine. This is known as roaming user profiles (or roaming profiles)
and is useful when users need to perform their work at multiple
client computers.

When a user logs on to a machine using the roaming profile and makes
changes to the desktop environment, these changes are saved when the
user logs off. If the user then logs on to a different machine, the
changes made on the first machine are reflected on the second. In
other words, users can make changes to their roaming profiles, unless
mandatory user profiles are implemented, as described next.

Roaming profiles are typically used when users share their computers.
For example, if you have 15 sales personnel sharing five computers
(since most of the time they should be out drumming up contracts
anyway), then you could implement roaming profiles for these users so
they can use whichever of the five computers is currently free.
Another example would be if you had 10 trainers who need to access
their email during coffee break. You could give them two computers to
share and assign them roaming profiles (the cost-effective solution)
or give them each a laptop (my own preference, but no one ever
listens to me).
Mandatory User Profile
A mandatory user
profile
(or mandatory profile) is a form of roaming user profile in which the
user can't make changes. The user can, however, make
changes to the desktop environment while logged on. But when she logs
off, the mandatory profile is not updated to reflect these changes.
Mandatory user profiles are also sometimes referred to as mandatory
roaming profiles and roaming mandatory profiles!You might use mandatory profiles for naive users to prevent them from
making changes to their desktop. Users sometimes like to install
shareware and other software they have downloaded off the Internet,
and sometimes such software can cause problems that necessitate
costly intervention from technical support staff. Mandatory profiles
prevent such changes to users' desktops and thus
reduce the costs of supporting these users.

Another use for mandatory profiles might be to create a customized
user profile that you assign to several users who need to perform the
same type of tasks on their computers. You can create a default user
profile that reflects the kind of desktop environment most conducive
to their productivity, make this profile mandatory, and then assign
it to each user.
How User Profiles Work
When a user logs on to a WS2003 client computer for the first time,
the following procedure occurs:
- WS2003 checks whether a roaming profile has been specified for the user by the administrator. If so, it downloads this roaming profile from the appropriate network file server and applies it to the user's desktop environment. When the user logs off, the roaming profile is updated on the file server to reflect any changes the user has made during the session.
- If not, WS2003 checks whether there is a network-default user profile. A default user profile is a kind of template from which all other user profiles are created. It is called the network-default user profile if it has the name Default User and is stored in the NETLOGON administrative share on all domain controllers.
- If such a default profile exists on the domain controller that the client computer contacts, WS2003 downloads this profile and applies it to the user's desktop environment. When the user logs off, a local profile is created on the client computer for the user. The next time the user logs on, the local profile is used instead of the network-default profile.
- If not, WS2003 loads the default local user profile and applies it to the user's desktop environment. When the user logs off, a local profile is created on the client computer for the user. The next time the user logs on, the local profile is used instead of the local default profile.
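The PowerShell script below is an added example, not code from the book, that walks the selection procedure just described for a user on the current machine and reports which profile source would apply: the roaming path set on the account, an existing local profile, the network-default profile in NETLOGON on the logon server, or the local default profile. The book's sequence describes a first logon; the script checks for an existing local profile before the network default because, as the text says, once a local profile exists it is used on later logons. It also reports whether a roaming or local profile is mandatory, using the fact (not covered in the text) that a mandatory profile's registry hive is named NTUSER.MAN instead of NTUSER.DAT. It assumes WS2003 conventions for the ProfileList registry key and the Default User folder, the WinNT ADSI provider's Profile attribute, and a domain logon so that LOGONSERVER is set; the function names are my own.

```powershell
# Added example (not from the book): report which profile source the logon
# procedure would select for a user on this machine. Paths follow WS2003
# conventions (Documents and Settings, NETLOGON\Default User); names are my own.
function Get-ProfileSource {
    param([string]$Name = $env:USERNAME, [string]$Authority = $env:USERDOMAIN)

    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $ntAccount   = New-Object System.Security.Principal.NTAccount("$Authority\$Name")
    $sid         = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # A profile folder whose hive is NTUSER.MAN (rather than NTUSER.DAT) is
    # mandatory: changes made during the session are discarded at logoff.
    function Get-ProfileKind([string]$Folder) {
        if (Test-Path (Join-Path $Folder 'NTUSER.MAN')) { 'Mandatory' } else { 'Writable' }
    }

    # Step 1: a roaming profile path stored on the account (WinNT 'Profile' attribute).
    $roaming = [string]([ADSI]"WinNT://$Authority/$Name,user").Profile
    if ($roaming -and (Test-Path $roaming)) {
        return New-Object PSObject -Property @{ Source = 'Roaming'; Path = $roaming; Kind = (Get-ProfileKind $roaming) }
    }

    # Step 2: a local profile left by an earlier logon is reused (ProfileImagePath under the user's SID).
    $key = Join-Path $profileList $sid
    if (Test-Path $key) {
        $local = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $key).ProfileImagePath)
        return New-Object PSObject -Property @{ Source = 'Local'; Path = $local; Kind = (Get-ProfileKind $local) }
    }

    # Step 3: first logon, so look for a network-default profile in NETLOGON on the logon DC.
    if ($env:LOGONSERVER) {
        $netDefault = "$env:LOGONSERVER\NETLOGON\Default User"
        if (Test-Path $netDefault) {
            return New-Object PSObject -Property @{ Source = 'NetworkDefault'; Path = $netDefault; Kind = 'Template' }
        }
    }

    # Step 4: otherwise the local default profile seeds the new local profile.
    $profilesDir  = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $profileList).ProfilesDirectory)
    $localDefault = Join-Path $profilesDir 'Default User'
    New-Object PSObject -Property @{ Source = 'LocalDefault'; Path = $localDefault; Kind = 'Template' }
}

# Usage: check the currently logged-on user, or pass -Name and -Authority for another account.
Get-ProfileSource | Format-List Source, Path, Kind
```

Reading the roaming path and the NETLOGON share requires that the current user can reach the file server and the domain controller; if Test-Path fails because of permissions the script falls through to the next step, which is the same thing the logon process does when a profile cannot be loaded.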
Home Folders
A user's home folder is a
centralized location on a network
file server where he can store his personal documents. Home folders
were a feature of NT that allowed users to store their personal files
on network file servers, which could be backed up easily, instead of
on their local machines. While WS2003 still supports home folders for
backward compatibility with legacy applications, the default location
for users to store their personal files is now the My
Documents folder. By default, this folder is located on a
user's local machine and is part of the
user's profile.
My Documents
My Documents is a special
folder that is part of a user
profile. The My Documents folder is the default
location for users to store their personal and work files. When you
select File
"designed for WS2003" application,
the application looks by default in the My
Documents folder for the currently logged-on user.
Similarly, when a user selects File
it goes into the My Documents folder.

Each user who logs on to a WS2003 machine has his own separate
My Documents folder for storing files. Each user
also has an icon on the desktop that allows him easy access to his
files. The My Documents folder for a user is
contained within the user profile for that particular user. For
example, if a user named Bob has his local user profile stored in
C:\Documents and Settings\Bob on his machine,
Bob's personal and work files will be stored in the
subfolder C:\Documents and Settings\Bob\My Documents.

My Documents and other important user profile folders
can also be redirected to a network share using Group Policy. This
ensures that users have their data available no matter which client
computer they log on with. See Group Policy
earlier in this chapter for more information.
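The PowerShell script below is an added example, not code from the book, covering both the Home Folders and My Documents sections: it reads the home folder set on the current user's account, resolves the current My Documents path through the Personal shell folder, and reports whether that folder sits inside the local user profile or has been redirected to a network share by Group Policy. It assumes it runs as the user being inspected (the shell folder value lives in that user's HKCU hive) and uses the WinNT ADSI provider's HomeDirectory attribute; the function name is my own.

```powershell
# Added example (not from the book): show where the current user's data lives:
# the account's home folder, the My Documents path, and whether My Documents has
# been redirected off the local profile to a network share. Name is my own.
function Get-UserDataLocations {
    # Home folder (the legacy NT feature) is stored on the account object.
    $account = [ADSI]"WinNT://$env:USERDOMAIN/$env:USERNAME,user"
    $homeDir = [string]$account.HomeDirectory

    # My Documents resolves through the "Personal" shell folder of the current user.
    # Folder Redirection policy rewrites this value so it points at a share.
    $shellKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $personal = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $shellKey).Personal)
    $resolved = [Environment]::GetFolderPath('MyDocuments')

    # Decide where the folder lives relative to the local profile directory.
    $profileDir = $env:USERPROFILE
    $inProfile  = $personal.StartsWith($profileDir, [StringComparison]::OrdinalIgnoreCase)
    $isUnc      = $personal.StartsWith('\\')
    $location = if ($isUnc)         { 'Redirected to network share' }
                elseif ($inProfile) { 'Inside local user profile' }
                else                { 'Local, outside the profile' }

    New-Object PSObject -Property @{
        Account      = "$env:USERDOMAIN\$env:USERNAME"
        HomeFolder   = $(if ($homeDir) { $homeDir } else { '(none set)' })
        MyDocuments  = $personal
        ResolvedPath = $resolved
        Location     = $location
    }
}

# Usage: run as the user whose data locations you want to inspect.
Get-UserDataLocations | Format-List Account, HomeFolder, MyDocuments, ResolvedPath, Location
```

On an unmodified WS2003 client the output shows MyDocuments under C:\Documents and Settings\<username>\My Documents with Location = Inside local user profile; after Folder Redirection is applied it shows a UNC path and Location = Redirected to network share, which is the quickest way to confirm the policy has taken effect for a given user.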