Managing Users and Groups
Windows 2000 allows you to manage user accounts and passwords. It also provides you with tools such as the Local Users and Groups management tool, security for users, and user and computer profiles.
Setting Up User Accounts
A local user account gives a user access to resources that are located only on the computer where you create the account. Local user accounts are stored in the security database of the computer where you create them.
Overview of Users and Passwords
Users and Passwords in Control Panel simplifies adding and removing local user accounts, adding users to and removing them from groups, and working with passwords. It also provides access to certificate management and secure boot settings.

When the Windows 2000 Professional–based computer is connected to a Windows NT or Windows 2000 Server domain, you can use Users and Passwords to add domain user accounts to local groups and to remove them.

When the Windows 2000 Professional–based computer is not connected to a domain, you can use Users and Passwords to add and remove local user accounts and to assign users to a local group. In addition, you can specify whether users can log on automatically each time the computer starts. You enable this feature on the Users tab by clearing the Users must enter a user name and password to use this computer check box. Users and Passwords is not available on Windows 2000 Server or when Windows 2000 Professional is running in Terminal Services mode.
NOTE
To add users to more than one group or to create groups, use the Local Users and Groups MMC snap-in, which is available by opening Users and Passwords in Control Panel and clicking Advanced on the Advanced tab.

Users and Passwords allows you to create or change the password for local user accounts, which is necessary when you create a new local user account or when a local user forgets his or her password.

To improve the security of user passwords, the password should contain at least two of the following elements: uppercase letters, lowercase letters, numbers, and punctuation. The longer the password and the more of these elements it contains, the more secure it is.

You can use Group Policy settings to enforce password requirements such as minimum length and expiration time. However, domain controller Group Policy settings override local computer configuration and local user configuration Group Policy settings.

For more information about using Group Policy, see "Group Policy" later in this chapter. For more information about using Local Users and Groups to manage certificates and secure boot settings, see Windows 2000 Professional Help.
You must log on as an administrator or be a member of the Administrators group to add and delete user accounts, assign users to a local group, and change user passwords.
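The password guidance above (at least two of the four character classes, longer is better, with minimum length and expiration enforced by Group Policy) can be expressed as a small checker. This is an added example written for this page, not a Microsoft tool or anything the Resource Kit ships; the default minimum length of 8 and the day-boundary rule for expiration are assumptions of the example, since the text names the settings but not their values.

```python
import string
from datetime import date, timedelta

# The four element classes named in the guidance.
ELEMENT_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "punctuation": set(string.punctuation),
}


def password_elements(password: str) -> set:
    """Return the names of the element classes present in the password."""
    present = set()
    for name, chars in ELEMENT_CLASSES.items():
        if any(ch in chars for ch in password):
            present.add(name)
    return present


def check_password(password: str, min_length: int = 8) -> list:
    """Return the reasons a password falls short of the guidance (empty list = acceptable).

    The guidance requires at least two element classes. min_length stands in
    for the Group Policy minimum-length setting; 8 is an assumed default for
    this example, not a value the page states.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password_elements(password)) < 2:
        problems.append("fewer than two of: uppercase, lowercase, numbers, punctuation")
    return problems


def password_expired(last_set: date, max_age_days: int, today: date) -> bool:
    """True once the password is older than the policy's maximum age.

    Models the expiration time the text says Group Policy can enforce. Treating
    the last permitted day as last_set + max_age_days is this example's assumption.
    """
    return today > last_set + timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample passwords, chosen to exercise each rule.
    for candidate in ["password", "Password", "Passw0rd!", "Ab1"]:
        print(f"{candidate!r}: elements={sorted(password_elements(candidate))}, "
              f"problems={check_password(candidate)}")
    print("expired:", password_expired(date(2000, 1, 1), 42, date(2000, 3, 1)))
```

Note that "Password" satisfies the two-element rule with only uppercase and lowercase letters; the rule is a floor, and the text's own advice is that more classes and more length are what actually improve resistance to guessing.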
Local Users and Groups
The Local Users and Groups MMC snap-in gives you more control over setting up and maintaining local user accounts. It is similar to User Manager in Windows NT 4.0 Workstation.

With Local Users and Groups you can assign profiles, add and edit users and groups, assign users to more than one group, and set or modify password restrictions. You can also add a domain user to any local group. This is helpful for assigning domain user accounts to the local Administrators group: it gives those domain user accounts administrator rights on the local computer without giving them administrator rights on the domain.

To gain access to Local Users and Groups, start MMC and then add the Local Users and Groups snap-in; or open Users and Passwords in Control Panel, click the Advanced tab, and then click Advanced.

You should review the information about security settings for Windows 2000 before you create or modify user accounts and groups. For more information about security settings, see "Security" in this book.
Security for Users and Groups
To effectively manage users of Windows 2000 Professional, it is important to understand how user rights are defined and set, how privileges and logon rights are granted, and how to change these settings.

User rights are assigned by using the Group Policy MMC snap-in. After you have started MMC and opened the Group Policy snap-in, in the console tree pane under Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies, locate the User Rights Assignment folder.

For more detailed information about planning security, see "Security" in this book. For more information about using MMC and Group Policy, see "Group Policy" later in this chapter. For information about configuring security options, see Windows 2000 Professional Help.
User Rights
You can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories. User rights are different from permissions: user rights apply to user accounts, whereas permissions are attached to objects.

Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. A user who is a member of one or more groups inherits the rights associated with those groups. You can simplify user account administration by assigning user rights to groups rather than to individual users. When all users in a group require the same user rights, you can assign the set of user rights once to the group, rather than repeatedly assigning the same set of user rights to each user account.

User rights that are assigned to a group apply to all members of the group. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights. Occasionally, some logon rights assigned to one group might conflict with rights assigned to another group. However, this is generally not the case. To remove rights from a user, remove the user from the group that has those rights.

There are two types of user rights:

- Privileges. A right that is assigned to a user and specifies allowable actions on the network. An example of a privilege is the right to back up files and directories.
- Logon rights. A right that is assigned to a user and specifies the ways in which a user can log on to a system. An example of a logon right is the right to log on to a system locally.
Privileges
To ease the task of user account administration, you should assign privileges primarily to group accounts, rather than to individual user accounts. When you assign privileges to a group account, users are assigned those privileges when they become a member of that group. This method of administering privileges is easier than assigning individual privileges to each user account when the account is created.

Some of these privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the ability to read all files on those servers, even files for which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right, in this case the right to perform a backup, takes precedence over all file and directory permissions.

The following list shows the privileges that you can assign to a user by setting user rights. You can manage these privileges by using settings in the MMC Group Policy console in the console tree pane under Local Computer\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
- Act as part of the operating system
- Add workstations to a domain
- Back up files and directories
- Bypass traverse checking
- Change the system time
- Create a token object
- Create permanent shared objects
- Create a pagefile
- Debug programs
- Enable trusted for delegation on user and computer accounts
- Force shutdown from a remote system
- Generate security audits
- Increase quotas
- Increase scheduling priority
- Load and unload device drivers
- Lock pages in memory
- Manage auditing and security log
- Modify firmware environment values
- Profile a single process
- Profile system performance
- Replace a process-level token
- Restore files and directories
- Shut down the system
- Take ownership of files or other objects
- Unlock a laptop
For detailed descriptions of these privileges and for information about using Group Policy to manage security settings, see "Security" in this book.
Logon Rights
The special user account called "LocalSystem" has almost all available privileges and logon rights assigned to it because all processes that are running as part of the operating system are associated with this account, and these processes require a complete set of user rights. The logon rights of the local system user account are as follows:
- Log on locally
- Log on as a batch job
- Log on as a service
- Deny access to this computer from the network
- Deny logon as a batch job
- Deny logon as a service
- Deny local logon
For more information about logon rights, see "Security" in this book.
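The "User Rights", "Privileges" and "Logon Rights" sections describe rights as cumulative across group memberships, with removal done by taking the user out of the granting group, and note that logon rights granted through different groups can conflict. The model below, an added example written for this page and not code from the Resource Kit or from Windows, computes a user's effective rights from such a group table. The group names "Service Accounts" and "Kiosk Restricted" and the rights assigned to each group are constructed for the example; the right names come from the lists above, except "Access this computer from the network", which is the real allow counterpart of the Deny right listed on the page. The rule that a Deny logon right wins over its allow counterpart is how Windows resolves that conflict; the page itself only says conflicts can occur.

```python
from typing import Dict, Set

# Constructed group-to-rights table for the example (not any real computer's policy).
GROUP_RIGHTS: Dict[str, Set[str]] = {
    "Users": {"Log on locally"},
    "Backup Operators": {
        "Back up files and directories",
        "Restore files and directories",
        "Log on locally",
    },
    "Service Accounts": {"Log on as a service"},   # constructed group name
    "Kiosk Restricted": {"Deny local logon"},      # constructed group name
}

# Each logon right and the Deny right that counters it.
DENY_COUNTERPART = {
    "Log on locally": "Deny local logon",
    "Log on as a batch job": "Deny logon as a batch job",
    "Log on as a service": "Deny logon as a service",
    "Access this computer from the network": "Deny access to this computer from the network",
}


def effective_rights(memberships: Set[str],
                     group_rights: Dict[str, Set[str]] = GROUP_RIGHTS) -> Set[str]:
    """Rights are cumulative: the union of the rights of every group the user is in."""
    rights: Set[str] = set()
    for group in memberships:
        rights |= group_rights.get(group, set())
    return rights


def can_log_on(memberships: Set[str], logon_right: str,
               group_rights: Dict[str, Set[str]] = GROUP_RIGHTS) -> bool:
    """Resolve one logon right against the user's cumulative rights.

    If an allow right and its Deny counterpart both arrive through different
    groups, Deny wins (Windows behaviour, stated here as a fact about the
    platform rather than something the page spells out).
    """
    rights = effective_rights(memberships, group_rights)
    deny = DENY_COUNTERPART.get(logon_right)
    if deny is not None and deny in rights:
        return False
    return logon_right in rights


def remove_right(memberships: Set[str], right: str,
                 group_rights: Dict[str, Set[str]] = GROUP_RIGHTS) -> Set[str]:
    """Memberships left after leaving every group that grants `right`.

    This is the page's procedure for taking a right away: remove the user
    from the granting group rather than editing the user's own rights.
    """
    return {g for g in memberships if right not in group_rights.get(g, set())}


if __name__ == "__main__":
    jeff = {"Users", "Backup Operators"}          # constructed sample user
    print(sorted(effective_rights(jeff)))
    print(can_log_on(jeff, "Log on locally"), can_log_on(jeff | {"Kiosk Restricted"}, "Log on locally"))
    print(sorted(effective_rights(remove_right(jeff, "Back up files and directories"))))
```

The last line is the check worth running when reviewing a rights change: after the user leaves Backup Operators, the backup privilege disappears from the effective set, and with it the ability to read files whose ACLs deny that user (the override the "Privileges" section describes).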
User Profile Types
In Windows 2000 Professional, user profiles automatically create and maintain the desktop settings for each user's work environment on the local computer. A user profile is created for each user when the user logs on to a computer for the first time.

User profiles include all user-specific settings of a user's Windows 2000 Professional environment, including program items, screen colors, network connections, printer connections, mouse settings, window size and position, and desktop preferences.

User profiles provide several advantages to users. For example, when users log on to their workstations, they receive the desktop settings as they existed when they logged off. Also, when several users log on to the same computer, each receives a customized desktop.

There are three types of user profiles, which are as follows:

- Local User Profile. This profile is automatically created the first time a user logs on to the computer, and it is stored on the computer's local hard drive. Any changes made to the local user profile are specific to the computer where the change was made.
- Roaming User Profile. You, as the administrator, create this profile and store it on a network server. This profile is available when a user logs on to any computer on the network. Any changes made to roaming user profiles are automatically updated on the server when the user logs off.
- Mandatory User Profile. Mandatory user profiles are stored on a network server and are downloaded each time the user logs on. This profile does not update when the user logs off. It is useful for situations where consistent or job-specific settings are needed. Only administrators can make changes to mandatory user profiles. If the mandatory user profile is unavailable, the user cannot log on.
IMPORTANT
For more information about roaming user profiles and mandatory user profiles, see "Defining Client Administration and Configuration Standards" in the Deployment Planning Guide.

Group Policy settings take precedence over user settings.
Creating User Profiles
When you install Windows 2000 Professional, a user profile is created in the %SystemDrive%\Documents and Settings folder.

When a user logs on to a Windows 2000 Professional–based computer, the name of the folder that is created is derived from the user account name, and, if necessary, the user account name is appended with the name of the local computer or domain that is applicable to the user who is logging on.

The user account name in Windows NT 4.0 Server is in NetBIOS format, such as <domain>\jeffsmith. In Windows 2000 Server, you can specify user accounts in the NetBIOS format, or you can use the user principal name (UPN) format. An example of a UPN format is jeffsmith@<domain>.com.

If the NetBIOS name is <domain>\jeffsmith, the user ID is jeffsmith. If the UPN is jeffsmith@<domain>.com, the user ID also is jeffsmith. The user ID portion of the UPN and the user ID portion of the NetBIOS name usually are the same. However, they might not be the same, as shown in the following example:
NetBIOS name: <domain>\jeffsmith
Whether the user logs on to a local account or to an account from a domain, if the %UserProfile% folder does not contain a folder with the name of the user who is logging on (in this case jeffsmith), a folder with that name is created and the path is recorded in the registry of the user who is associated with the profile. The folder that is created as a result is the following:
%SystemDrive%\Documents and Settings\jeffsmith
If another user with the NetBIOS name jeffsmith logs on, another folder is created, but it is created with the name of the local computer or domain in which the user's account originates. The folder that is created as a result is the following:
%SystemDrive%\Documents and Settings\jeffsmith.NEWDOMAIN
Or, if the user account is established on the local computer, the folder that is created as a result is the following:
%SystemDrive%\Documents and Settings\jeffsmith.LOCALBOX
If another user with an account name jeffsmith logs on to the same Windows 2000 Professional–based computer from an identically named source (either a domain or local computer) and the SIDs of the two accounts are not the same, a new folder is created with an extension indicating how many times the user account name was used. This occurs when the user accounts are re-created and the user logs on to the same computer, as shown in the following example:
- For the first user: %SystemDrive%\Documents and Settings\jeffsmith.NEWDOMAIN.000
- For the second user: %SystemDrive%\Documents and Settings\jeffsmith.NEWDOMAIN.001
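The folder-naming procedure above (plain user ID; then user ID plus domain or computer name when a same-named account from another source logs on; then a numbered extension when the source also matches but the SIDs differ, as happens after an account is re-created) is summarised in this added example. It is a model written for this page, not Windows' own profile code or registry layout; the page says only that the profile path is recorded in the registry for the account, and the model keys on the SID for that purpose. The SIDs and the domain names OLDDOMAIN, NEWDOMAIN and LOCALBOX are constructed sample values, and the order in which the fallbacks are tried is this example's reading of the text.

```python
import ntpath
from typing import Dict, List, Set, Tuple

PROFILES_ROOT = r"%SystemDrive%\Documents and Settings"


class ProfileList:
    """Per-computer record of which account (by SID) owns which profile folder.

    A model for this example only; it is not Windows' ProfileList implementation.
    """

    def __init__(self) -> None:
        self.by_sid: Dict[str, str] = {}   # SID -> profile folder name
        self.folders: Set[str] = set()     # folder names already present

    def folder_for(self, user_id: str, source: str, sid: str) -> str:
        """Return the profile folder for this logon, creating the record if needed."""
        # The same account logging on again reuses the folder recorded for its SID.
        if sid in self.by_sid:
            return self.by_sid[sid]
        # 1. The bare user ID, if no folder of that name exists yet.
        # 2. Otherwise user ID plus the domain or local computer the account comes from.
        candidates = [user_id, f"{user_id}.{source}"]
        chosen = next((c for c in candidates if c not in self.folders), None)
        # 3. Same name and same source but a different SID (e.g. a re-created
        #    account): append a three-digit counter of how often the name was used.
        if chosen is None:
            n = 0
            while f"{user_id}.{source}.{n:03d}" in self.folders:
                n += 1
            chosen = f"{user_id}.{source}.{n:03d}"
        self.folders.add(chosen)
        self.by_sid[sid] = chosen
        return chosen

    def path_for(self, user_id: str, source: str, sid: str) -> str:
        """Full profile path under the Windows 2000 profiles root."""
        return ntpath.join(PROFILES_ROOT, self.folder_for(user_id, source, sid))


def demo_sequence() -> List[str]:
    """Replay a constructed sequence of logons and return the folder chosen for each."""
    plist = ProfileList()
    logons: List[Tuple[str, str, str]] = [  # (user ID, account source, SID); all constructed
        ("jeffsmith", "OLDDOMAIN", "S-1-5-21-EXAMPLE-1001"),
        ("jeffsmith", "NEWDOMAIN", "S-1-5-21-EXAMPLE-2001"),
        ("jeffsmith", "LOCALBOX",  "S-1-5-21-EXAMPLE-3001"),
        ("jeffsmith", "NEWDOMAIN", "S-1-5-21-EXAMPLE-2002"),  # account re-created: new SID
        ("jeffsmith", "NEWDOMAIN", "S-1-5-21-EXAMPLE-2003"),  # re-created again
        ("jeffsmith", "NEWDOMAIN", "S-1-5-21-EXAMPLE-2001"),  # original account logs on again
    ]
    return [plist.folder_for(*entry) for entry in logons]


if __name__ == "__main__":
    for folder in demo_sequence():
        print(ntpath.join(PROFILES_ROOT, folder))
```

The last logon in the sequence shows why the SID, not the name, is what ties an account to its profile: a re-created account with the same name and source gets a fresh folder, and the settings (and any data) in the old folder stay with the old SID rather than being picked up by the new account.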
For more information about setting and changing local profiles, see Windows 2000 Professional Help.
Upgrading User Profiles from Previous Versions of Windows
The naming convention for user profile folders in Windows 2000 is different from the naming convention that is used in Microsoft Windows NT 4.0 and earlier versions of Windows. There is a new location for user profile folders in Windows 2000 and also a new way to create subfolders for individual user profiles.

If you upgrade from Windows NT, the user profile folders are stored in the same location as in Windows NT. This location is as follows:
%SystemRoot%\Profiles
When you upgrade to Windows 2000 from Windows 95 or Windows 98, a new folder for user profiles is created on the same partition as the Windows 2000 installation:
%SystemDrive%\Documents and Settings
NOTE
The appropriate path to the user profiles folder is represented as %UserProfile%.