Lesson 1: Introduction to User Accounts
A user account provides a user with the ability to log on to the domain to gain access to network resources or to log on to a computer to gain access to resources on that computer. Each person who regularly uses the network should have a unique user account.

Windows 2000 provides different types of user accounts: local user accounts, domain user accounts, and built-in user accounts. With a local user account, a user logs on to a specific computer to gain access to resources on that computer. With a domain user account, a user can log on to the domain to gain access to network resources. Built-in user accounts are used to perform administrative tasks or to gain access to network resources. This lesson introduces user accounts and the differences between account types.

After this lesson, you will be able to
Describe the difference between a local user account and a domain user account
Describe the purpose of a built-in account
Estimated lesson time: 10 minutes
Local User Accounts
Local user accounts allow users to log on at and gain access to resources on only the computer where you create the local user account. When you create a local user account, Windows 2000 creates the account only in that computer's security database, which is called the local security database, as shown in Figure 7.1. Windows 2000 does not replicate local user account information to domain controllers. After the local user account exists, the computer uses its local security database to authenticate the local user account, which allows the user to log on to that computer.

Do not create local user accounts on computers that require access to domain resources, because the domain does not recognize local user accounts. Therefore, the user is unable to gain access to resources in the domain. Also, the domain administrator is unable to administer the local user account properties or assign access permissions for domain resources unless he or she connects to the local computer using the Action menu on the Computer Management console.
Figure 7.1 Local user accounts
Domain User Accounts
Domain user accounts allow users to log on to the domain and gain access to resources anywhere on the network. The user provides his or her user name and password during the logon process. By using this information, Windows 2000 authenticates the user and then builds an access token that contains information about the user and security settings. The access token identifies the user to computers running Windows 2000 and pre-Windows 2000 computers on which the user tries to gain access to resources. Windows 2000 provides the access token for the duration of the logon session.

You create a domain user account in a container or an organizational unit (OU) in the copy of the Active Directory database (called the directory) on a domain controller, as shown in Figure 7.2. The domain controller replicates the new user account information to all domain controllers in the domain. After Windows 2000 replicates the new user account information, all of the domain controllers in the domain tree can authenticate the user during the logon process.

NOTE
It can take a few minutes to replicate the domain user account information to all of the domain controllers. This delay might prevent a user from immediately logging on using the newly created domain user account. By default, replication of directory information occurs every five minutes.
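The replication delay described in the note above is easy to handle in practice: create the account, then confirm every domain controller can see it before the user is told to log on. The following script is an added example, not part of the lesson; it assumes the ActiveDirectory RSAT module on a current Windows host (these cmdlets do not exist on Windows 2000), and the user name, display name and OU path are constructed placeholders.

```powershell
# Added example: verify that a newly created domain user account has replicated
# to every domain controller before enabling it. Assumes the ActiveDirectory
# module; the account name and OU below are placeholders, not from the lesson.
Import-Module ActiveDirectory

function Test-UserReplicated {
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )
    # Query each domain controller directly (-Server) rather than the nearest one,
    # so a DC that has not yet received the account reports HasAccount = $false.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $found = $null -ne (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Server $dc.HostName)
        [pscustomobject]@{
            DomainController = $dc.HostName
            HasAccount       = $found
        }
    }
}

# Create the account disabled so it cannot be used before replication completes
# and an initial password has been set (constructed placeholder values).
$sam = 'jsmith'
New-ADUser -Name 'Jane Smith' -SamAccountName $sam `
    -Path 'OU=PLACEHOLDER-OU,DC=example,DC=local' `
    -AccountPassword (Read-Host 'Initial password' -AsSecureString) `
    -Enabled $false

# Poll every 30 seconds; the lesson notes replication can take a few minutes.
do {
    $status  = Test-UserReplicated -SamAccountName $sam
    $pending = $status | Where-Object { -not $_.HasAccount }
    if ($pending) {
        Write-Host ('Waiting on: ' + ($pending.DomainController -join ', '))
        Start-Sleep -Seconds 30
    }
} while ($pending)

# Every DC in the domain can now authenticate the user, so enable the account.
Enable-ADAccount -Identity $sam
```

Querying each domain controller by name is the point of the example: a query sent to whichever domain controller happens to answer can succeed while another, not yet updated, still rejects the user's logon.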
Figure 7.2 Domain user account
Built-In User Accounts
Windows 2000 automatically creates accounts called built-in accounts. Two commonly used built-in accounts are Administrator and Guest.

NOTE
The IUSR_computername and IWAM_computername built-in accounts are automatically created when Internet Information Services are installed on the domain controller. IUSR_computername is an account for anonymous access to IIS. IWAM_computername is an account for anonymous access to IIS out-of-process applications.
The TsInternetUser account is automatically created when Terminal Services are installed on the domain controller. TsInternetUser is an account used by Terminal Services.
Administrator
Use the built-in Administrator account to manage the overall computer and domain configuration for such tasks as creating and modifying user accounts and groups, managing security policies, creating printers, and assigning permissions and rights to user accounts to gain access to resources.

If you are the administrator, you should create a user account that you use to perform nonadministrative tasks. Log on by using the Administrator account only when you perform administrative tasks. For information on setting up user accounts for performing nonadministrative tasks, see Chapter 8, "Group Account Administration."

NOTE
You can rename the Administrator account, but you cannot delete it. As
a best practice, you should always rename the built-in Administrator account to provide a greater degree of security. Use a name that does not identify it as the
Administrator account. This makes it difficult for unauthorized users to break into the Administrator account because they do not know which user account it is.
Guest
Use the built-in Guest account to give occasional users the ability to log on and gain access to resources. For example, an employee who needs access to resources for a short time can use the Guest account.

NOTE
The Guest account is disabled by default. Enable the Guest account only in low-security networks, and always assign it a password. You can rename and disable the Guest account, but you cannot delete it.
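The two notes above (rename the built-in Administrator account; keep Guest disabled and password-protected) give an administrator something to check on each computer's local security database. The following audit script is an added example, not part of the lesson; it assumes the Microsoft.PowerShell.LocalAccounts module found on Windows 10 / Windows Server 2016 and later, not Windows 2000. Because renaming an account never changes its security identifier (SID), the script recognises the built-in accounts by the relative identifier at the end of the SID (500 for Administrator, 501 for Guest) rather than by name, which is also why an audit must not rely on the name alone.

```powershell
# Added example: audit the built-in Administrator and Guest accounts in the
# local security database against the lesson's guidance. Assumes Get-LocalUser
# (Windows 10 / Server 2016+); not from the lesson itself.
function Get-BuiltInAccountStatus {
    foreach ($user in Get-LocalUser) {
        # The last component of the SID is the RID; 500 and 501 are the
        # well-known built-in Administrator and Guest accounts.
        $rid = [int]($user.SID.Value -split '-')[-1]
        if ($rid -notin 500, 501) { continue }

        $role   = if ($rid -eq 500) { 'Administrator' } else { 'Guest' }
        $issues = @()

        switch ($role) {
            'Administrator' {
                # Lesson best practice: rename it so the name does not reveal its purpose.
                if ($user.Name -eq 'Administrator') { $issues += 'still has the default name' }
            }
            'Guest' {
                # Lesson: Guest stays disabled except on low-security networks,
                # and must always have a password when it is enabled.
                if ($user.Enabled) { $issues += 'is enabled' }
                if ($user.Enabled -and -not $user.PasswordRequired) { $issues += 'does not require a password' }
            }
        }

        [pscustomobject]@{
            Role        = $role
            CurrentName = $user.Name
            Enabled     = $user.Enabled
            Issues      = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    }
}

# Run locally; the same function can be invoked remotely with Invoke-Command
# to audit every workstation that still keeps local user accounts.
Get-BuiltInAccountStatus | Format-Table -AutoSize
```

A row whose Issues column reads "none" for both roles means the computer follows the lesson's guidance; anything else names the specific setting to correct.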
Lesson Summary
In this lesson you learned that Microsoft Windows 2000 provides different types of user accounts: domain user accounts and local user accounts. With a domain user account, a user can log on to the domain to gain access to network resources. With a local user account, a user logs on to a specific computer to gain access to resources on that computer. There are also built-in user accounts, which can be either domain user accounts or local user accounts. With built-in user accounts, you can perform administrative tasks or gain access to network resources.

When you create a domain user account, Windows 2000 creates the account in the copy of the Active Directory database (called the directory) on a domain controller. The domain controller then replicates the new user account information to all domain controllers in the domain. When you create a local user account, Windows 2000 creates the account only in that computer's security database, which is called the local security database. Windows 2000 does not replicate local user account information to domain controllers. You do not create built-in user
accounts; Windows 2000 automatically creates them.