Lesson 4: Setting Properties for User Accounts
A set of default properties is associated with each local user account that you create. After you create a local user account, you can configure these account properties. A user's Properties dialog box has three tabs that contain information about each user account: the General tab, the Member Of tab, and the Profile tab.
After this lesson, you will be able to
- Set properties for user accounts.
Estimated lesson time: 15 minutes
The General Tab in a User Account's Properties
The General tab in the Properties dialog box for a user account (see Figure 10.5) allows you to set or edit all the fields from the New User dialog box, except for User Name, Password, and Confirm Password. It also provides one additional check box: Account Is Locked Out.
Figure 10.5 The General tab of a user's Properties dialog box
The Account Is Locked Out check box is unavailable while the account is active and not locked out of the system, so you can't select it yourself. The system locks out a user if he or she exceeds the limit set on the number of failed logon attempts. This is a security feature that makes it more difficult for an unauthorized user to break into the system. If an account has been locked out by the system, the Account Is Locked Out check box becomes available, and an administrator can clear the check box to allow the user access to the system.
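The same account options can be read from a script, which is useful when reviewing many accounts at once. The following is an added example, not part of the original lesson: it reads each local user through the ADSI WinNT provider and decodes the UserFlags bitmask into the options described above. It assumes a Windows system with PowerShell 3.0 or later; the function name Get-LocalAccountOptions is hypothetical.

```powershell
# Added example: list the account options of every local user account.
# Get-LocalAccountOptions is a hypothetical name chosen for this example.
function Get-LocalAccountOptions {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # ADS_USER_FLAG_ENUM bits as exposed by the WinNT provider's UserFlags property
    $flags = [ordered]@{
        AccountDisabled      = 0x0002    # ADS_UF_ACCOUNTDISABLE
        AccountLockedOut     = 0x0010    # ADS_UF_LOCKOUT
        CannotChangePassword = 0x0040    # ADS_UF_PASSWD_CANT_CHANGE
        PasswordNeverExpires = 0x10000   # ADS_UF_DONT_EXPIRE_PASSWD
    }

    $computer = [ADSI]"WinNT://$ComputerName,computer"
    foreach ($child in $computer.Children) {
        # The computer object also contains groups and services; keep users only
        if ($child.SchemaClassName -ne 'User') { continue }

        $userFlags = [int]$child.UserFlags.Value
        $row = [ordered]@{ Name = [string]$child.Name.Value }
        foreach ($f in $flags.GetEnumerator()) {
            $row[$f.Key] = [bool]($userFlags -band $f.Value)
        }
        # PasswordExpired = 1 is how the WinNT provider represents
        # "User Must Change Password At Next Logon"
        $row.MustChangeAtNextLogon = ([int]$child.PasswordExpired.Value -eq 1)

        [pscustomobject]$row
    }
}

# Review all accounts, then narrow to accounts that are currently locked out
Get-LocalAccountOptions | Format-Table -AutoSize
Get-LocalAccountOptions | Where-Object { $_.AccountLockedOut } | Select-Object Name
```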
The Member Of Tab in a User Account's Properties
The Member Of tab in the Properties dialog box for a user account allows you to add the user account to or remove the user account from a group. For information on groups, see Chapter 11, "Setting Up and Managing Groups."
The Profile Tab in a User Account's Properties
The Profile tab in the Properties dialog box for a user account allows you to set a path for the user profile, logon script, and home folder (see Figure 10.6).
Figure 10.6 The Profile tab of a user's Properties dialog box
A user profile is a collection of folders and data that stores the user's current desktop environment and application settings, as well as personal data. A user profile also contains all of the network connections that are established when a user logs on to a computer, such as Start-menu items and mapped drives to network servers. User profiles keep the desktop environment consistent by giving each user the same desktop environment that he or she had at the last logon to the computer.
Windows 2000 creates a user profile the first time that a user logs on at a computer. After the user logs on for the first time, Windows 2000 stores the user profile on that computer. This user profile is also known as a local user profile.
User profiles operate in the following manner:
NOTE
You should have users store their documents in My Documents rather than in home directories. Home directories are covered later in this chapter. Windows 2000 automatically sets up My Documents, and it is the default location for storing data for Microsoft applications.
By opening the System program in Control Panel and clicking the User Profiles tab, an administrator can easily copy, delete, or change the type of a user profile. Changing the profile type allows an administrator to convert a local user profile, which sets up the user's desktop environment on a specific computer, into a roaming user profile. A roaming user profile is especially helpful in a domain environment, because it follows the user around, setting up the same desktop environment for the user no matter what computer the user logs on to in the domain.
There is a third type of user profile, the mandatory user profile, which is a read-only roaming user profile. When the user logs off, Windows 2000 does not save any changes made during the session, so the next time the user logs on the profile is exactly the same as the last time the user logged on. You can create a mandatory user profile for a specific user or to be used with a group of users.
NOTE
A hidden file called Ntuser.dat contains the section of the Windows 2000 system settings that applies to the individual user account and contains the user environment settings. Create a user account that you can use to create user profiles. Log on as the user you created, and configure all the desktop environment settings you want. Log on as administrator and locate the Ntuser.dat file in C:\Documents and Settings\user_logon_name. You make the profile a mandatory roaming user profile by changing its name to Ntuser.man. You can then copy this file to apply the mandatory user profile to any other user or group.
A logon script is a file you can create and assign to a user account to configure the user's working environment. For example, a logon script can be used to establish network connections or start applications. Each time a user logs on, the assigned logon script is run.
In addition to the My Documents folder, Windows 2000 provides you with the means to create another location for users to store their personal documents. This additional location is the user's home folder. You can store a home folder on a client computer or in a shared folder on a file server. In fact, you can locate all users' home folders in a central location on a network server.
Storing all home folders on a file server provides the following advantages:
NOTE
Store home folders on an NTFS file system volume so that you can use NTFS permissions to secure user documents. If you store home folders on a FAT volume, you can restrict home folder access only by using shared folder permissions.
To create a home folder on a network file server, you must perform the following three tasks:
If you use the username variable to name a folder on an NTFS volume, the user is assigned the NTFS Full Control permission, and all other permissions are removed for the folder, including those for the Administrator account.
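To confirm that home folders are actually restricted in this way, the NTFS permissions can be reviewed from a script. The following is an added example, not part of the original lesson: it lists every Allow entry on a home folder that belongs to an identity other than the user the folder is named after. It assumes PowerShell 3.0 or later and that each folder name equals the user's logon name; the function name Test-HomeFolderAcl and the path D:\Users are hypothetical.

```powershell
# Added example: report NTFS Allow entries on home folders that are granted
# to anyone other than the folder's own user.
# Test-HomeFolderAcl is a hypothetical name chosen for this example.
function Test-HomeFolderAcl {
    param(
        # Folder that contains one home folder per user (assumed layout)
        [Parameter(Mandatory)] [string]$HomeRoot
    )

    foreach ($dir in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
        $acl = Get-Acl -LiteralPath $dir.FullName

        foreach ($ace in $acl.Access) {
            # Take the account part of DOMAIN\name or COMPUTER\name
            $account = ($ace.IdentityReference.Value -split '\\')[-1]
            $isFolderUser = $account -ieq $dir.Name

            if ($ace.AccessControlType -eq 'Allow' -and -not $isFolderUser) {
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # True if it comes from a parent folder
                }
            }
        }
    }
}

# D:\Users is a placeholder for the folder behind the home folder share
Test-HomeFolderAcl -HomeRoot 'D:\Users' | Format-Table -AutoSize
```

An empty result means every folder grants access only to its own user. Entries marked as inherited point to permissions set on the parent folder rather than on the home folder itself.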
You can set User Account Properties by doing the following:
Practice: Modifying User Account Properties
In this practice, you will modify user account properties. Then you will test them.
Exercise 1: Testing Account Properties
In this exercise, you will again test the User Must Change Password At Next Logon property that you configured when you created users in the previous practice. You will then set the User Cannot Change Password account property on User1 and the Account Is Disabled property on User2, and then test these account properties.
Windows 2000 displays a Logon Message dialog box indicating that you are required to change your password at first logon.
Windows 2000 displays a Change Password dialog box. Notice that the password you just typed is in the Old Password box.
Windows 2000 displays a Change Password dialog box indicating that your password has been changed.
In this exercise, you will set and then test the User Cannot Change Password property.
Windows 2000 displays the users in the details pane.
The User1 Properties dialog box appears.
The User Cannot Change Password check box should contain a check mark, indicating that it is selected. Notice that the User Must Change Password At Next Logon check box is now unavailable.
The User2 Properties dialog box appears.
The Account Is Disabled check box should contain a check mark, indicating that it is selected.
Windows 2000 displays the Windows Security dialog box.
The Change Password dialog box appears.
A Change Password dialog box appears indicating that you do not have permission to change your password.
A Logon Message dialog box appears, indicating that your account has been disabled.
In this lesson, you learned that a set of default properties is associated with each local user account that you create. These properties include whether users can change their own password, whether users are required to change their password at the next logon, and whether the account is disabled. The Computer Management snap-in allows you to easily configure or modify these account properties.
In the practice portion of this lesson, you were able to configure account properties, including prohibiting users from changing their passwords and disabling a user account. Finally, you tested these properties to verify that they worked as expected.