MCSE Training Kit, Microsoft Windows 2000 Active Directory Services [Electronic resources]

Jill Spealman


Lesson 2: Planning New User Accounts

You can streamline the process of creating user accounts by planning or organizing the information for user accounts. This lesson introduces you to planning the following items for user accounts:

Naming conventions for user accounts

Requirements for passwords

Account options, such as logon hours, the computers from which users can log on, and account expiration

After this lesson, you will be able to

Plan a strategy for creating new user accounts

Explain how password requirements affect security levels

Estimated lesson time: 10 minutes

Naming Conventions

The naming convention establishes how users are identified in the domain. A consistent naming convention will help you and your users remember user logon names and locate them in lists.

Table 7.1 summarizes some points you might want to consider in determining a naming convention for your organization.

Table 7.1 Naming Convention Considerations

Consideration: Explanation

Local user accounts: Local user account names must be unique on the computer where you create the local user account.

Domain user accounts: The user's logon name (DN) must be unique to the directory. The user's full name (also referred to as display name or account name) (RDN) must be unique within the OU where you create the domain user account.

20 characters maximum: User logon names can contain up to 20 uppercase or lowercase characters. Although the field accepts more than 20 characters, Windows 2000 recognizes only the first 20.

Invalid characters: The following characters are invalid: " / \ [ ] : ; | = , + * ? < >

User logon names are not case-sensitive: You can use a combination of special and alphanumeric characters to help uniquely identify user accounts. User logon names are not case-sensitive, but Windows 2000 preserves the case.

Accommodate employees with duplicate names: If two users were named John Doe, you could use the first name and the last initial, and then add letters from the last name to differentiate the duplicate names. In this example, one user account logon name could be Johnd and the other Johndo. Another possibility would be to number each user logon name, for example, Johnd1 and Johnd2.

Identify the type of employee: In some organizations, it is useful to identify temporary employees by their user account. To identify temporary employees, you can use a T and a dash in front of the user's logon name, for example, T-Johnd. Alternatively, use parentheses in the name, for example, John Doe (Temp).

E-mail compatibility: Some e-mail systems may not accept certain characters, such as spaces and parentheses "()".
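The naming rules in Table 7.1 can be turned into a small generator that proposes a unique logon name for each new hire. The following is an added example in Python, not code from the training kit; it assumes the convention described above (first name plus last initial, further letters of the last name and then a number on a collision, a T- prefix for temporary staff) together with the 20-character limit and the invalid-character set, and the sample roster is constructed.

```python
# Added example (not from the training kit): propose user logon names that follow
# the Table 7.1 conventions. Assumed rules: first name plus last initial, more letters
# of the last name on a collision (Johnd, Johndo), then a numeric suffix (Johnd1);
# a "T-" prefix for temporary staff; 20-character limit; no invalid characters;
# uniqueness is checked case-insensitively because logon names are.
import re

INVALID_CHARS = set('"/\\[]:;|=,+*?<>')  # the invalid set listed in Table 7.1
MAX_LOGON_LEN = 20                       # Windows 2000 recognizes only the first 20

def is_valid_logon_name(name):
    """True if non-empty, at most 20 characters, and free of invalid characters."""
    return 0 < len(name) <= MAX_LOGON_LEN and not (set(name) & INVALID_CHARS)

def propose_logon_name(first, last, taken, temporary=False):
    """Return a unique logon name and add it to `taken` (names already in use)."""
    prefix = "T-" if temporary else ""
    first_clean = re.sub(r"[^A-Za-z0-9]", "", first).capitalize()
    last_clean = re.sub(r"[^A-Za-z0-9]", "", last).lower()
    taken_lower = {t.lower() for t in taken}
    # Pass 1: first name plus a growing prefix of the last name (Johnd, Johndo, ...).
    for n in range(1, len(last_clean) + 1):
        cand = (prefix + first_clean + last_clean[:n])[:MAX_LOGON_LEN]
        if cand.lower() not in taken_lower:
            taken.add(cand)
            return cand
    # Pass 2: number the base name (Johnd1, Johnd2, ...); trim so the suffix fits in 20.
    base = prefix + first_clean + last_clean[:1]
    for i in range(1, 1000):
        suffix = str(i)
        cand = base[:MAX_LOGON_LEN - len(suffix)] + suffix
        if cand.lower() not in taken_lower:
            taken.add(cand)
            return cand
    raise ValueError("no unique logon name available for %s %s" % (first, last))

def plan_logon_names(hires):
    """hires: list of (first, last, temporary). Returns [(display name, logon name)]."""
    taken, plan = set(), []
    for first, last, temporary in hires:
        logon = propose_logon_name(first, last, taken, temporary)
        if not is_valid_logon_name(logon):
            raise ValueError("generated name violates naming rules: " + logon)
        plan.append(("%s %s%s" % (first, last, " (Temp)" if temporary else ""), logon))
    return plan

# Constructed sample roster with duplicate names (not the book's new hire list).
SAMPLE_HIRES = [("John", "Doe", False), ("John", "Doe", False),
                ("John", "Doe", True), ("Jo", "D", False), ("Jo", "D", False)]
```

Running plan_logon_names(SAMPLE_HIRES) yields Johnd, Johndo, T-Johnd, Jod and Jod1, and the numbered fallback trims the base so a 20-character name still gets a suffix.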

Password Requirements

To protect access to the domain or a computer, every user account should have a password. Consider the following guidelines for passwords:

Always assign a password for the Administrator account to prevent unauthorized access to the account.

Determine whether the Administrator or the users will control passwords. You can assign unique passwords for the user account and prevent users from changing them, or you can allow users to enter their own passwords the first time that they log on. In most cases, users should control their passwords.

Use passwords that are hard to guess. For example, avoid using passwords with an obvious association, such as a family member's name.

Passwords can be up to 14 characters; a minimum length of eight characters is recommended.

Use characters from each of the following three groups: uppercase and lowercase letters, numerals, and nonalphanumeric characters.

Have at least one symbol character in the second through sixth positions.

Make them significantly different from prior passwords.

They must not contain the user's name or user name.

They must not be a common word or name.

NOTE Windows 2000 group policies can also affect passwords. For further information on using group policy, see Chapter 12, "Administering Group Policy."
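The guidelines above can be checked mechanically before an account is created. The following is an added example in Python, not code from the training kit; the common-word list is a constructed stand-in for a real dictionary, and the readings of the "uppercase and lowercase", "nonalphanumeric" and "significantly different from prior passwords" guidelines are assumptions stated in the comments.

```python
# Added example (not from the training kit): check a proposed password against the
# password guidelines listed above. Assumptions: "uppercase and lowercase letters" is
# read as needing at least one of each; "nonalphanumeric" means not str.isalnum();
# "significantly different from prior passwords" is approximated by comparing the
# passwords with trailing digits removed (so Se!cur3ty8 -> Se!cur3ty9 is rejected).
import string

# Constructed short list; a real deployment would use a much larger dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "admin", "qwerty", "summer"}

def check_password(password, full_name, logon_name, prior_passwords=()):
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []
    if not 8 <= len(password) <= 14:
        problems.append("length must be 8 to 14 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs uppercase and lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a numeral")
    if not any(not c.isalnum() for c in password):
        problems.append("needs a nonalphanumeric character")
    if not any(not c.isalnum() for c in password[1:6]):  # 1-based positions 2 through 6
        problems.append("needs a symbol in positions 2 through 6")
    lowered = password.lower()
    name_parts = [p.lower() for p in full_name.split()] + [logon_name.lower()]
    if any(part and part in lowered for part in name_parts):
        problems.append("must not contain the user's name or user name")
    if lowered in COMMON_WORDS:
        problems.append("must not be a common word or name")
    core = lowered.rstrip(string.digits)
    if any(old.lower().rstrip(string.digits) == core for old in prior_passwords):
        problems.append("too similar to a prior password")
    return problems
```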

Account Options

You should assess the hours when a user can log on to the network and the computers from which a user can log on, and you should determine if temporary user accounts need to expire. To determine account options, consider the following information.

Logon Hours

Set logon hours for users who only require access at specific times. For example, allow night-shift workers to log on only during their working hours.

Computers from Which Users Can Log On

Determine the computers from which users can log on. By default, users can log on to the domain by using any computer in the domain. For security reasons, require users to log on to the domain only from their computer. This prevents users from gaining access to sensitive information that is stored on other computers.

CAUTION If you have disabled NetBIOS over TCP/IP, Windows 2000 is unable to determine which computer you are logging on from, and therefore you cannot restrict users to specific computers.

Account Expiration

Determine whether a user account should expire. If so, set an expiration date on the user account to ensure that the account is disabled when the user would no longer have access to the network. As a good security practice, you should set user accounts for temporary employees to expire when their contracts end.
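The three account options above can be modelled together to see how a planned account behaves at logon time, including a night shift whose logon hours wrap past midnight. The following is an added example in Python, not code from the training kit; the AccountPlan structure, the constructed shift windows, the half-open treatment of "through" and the reading of the expiration date as the last day the account may be used are all assumptions.

```python
# Added example (not from the training kit): evaluate a logon attempt against the
# three account options planned above: logon hours, permitted computers and account
# expiration. Assumptions: hours are half-open windows on the clock and may wrap past
# midnight (the night shift, 6 PM through 6 AM); workstation names compare
# case-insensitively; the expiration date is the last day the account may be used.
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional, Set, Tuple

DAY_SHIFT = (time(8), time(17))    # 8 AM through 5 PM
NIGHT_SHIFT = (time(18), time(6))  # 6 PM through 6 AM, wrapping past midnight

@dataclass
class AccountPlan:
    logon_name: str
    hours: Optional[Tuple[time, time]] = None   # None = any time (24 x 7)
    workstations: Optional[Set[str]] = None     # None = any computer in the domain
    expires: Optional[date] = None              # None = never expires

def in_window(t, window):
    """True if clock time t falls inside [start, end); handles windows that wrap midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def evaluate_logon(plan, when, workstation):
    """Return (allowed, reason) for a logon at datetime `when` from `workstation`."""
    if plan.expires is not None and when.date() > plan.expires:
        return False, "account expired"
    if plan.workstations is not None:
        if workstation.upper() not in {w.upper() for w in plan.workstations}:
            return False, "logon not permitted from this computer"
    if plan.hours is not None and not in_window(when.time(), plan.hours):
        return False, "outside permitted logon hours"
    return True, "allowed"

# Constructed sample plans: a night-shift temporary employee and a permanent employee.
TEMP_NIGHT = AccountPlan("T-Janed", NIGHT_SHIFT, {"Temp1", "Temp2"}, date(2000, 12, 31))
PERMANENT = AccountPlan("Alexr")
```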

Practice: Planning New User Accounts

In this practice, you plan how to implement user accounts for employees on the new hire list.

Scenario

As the Windows 2000 administrator for your corporate network, you need to set up the user accounts for new employees. Ten employees have recently been hired. You need to determine the following:

A naming convention that will easily accommodate employees with duplicate or similar names and temporary contract personnel

The hours during which users can log on

The computers at which a user can log on

Criteria

Use the following criteria to make your decisions:

All employees require a user account.

Permanent employees should control their passwords.

For security reasons, an administrator should control passwords for temporary employees.

Day-shift hours are from 8 AM through 5 PM and night-shift hours are from 6 PM through 6 AM.

Permanent employees require access to the network 24 hours a day, seven days a week.

Temporary employees log on at only their assigned computers and only during their shifts. The computer names for computers that temporary employees use are Temp1 and Temp2.

New Hire List

Table 7.2 provides fictitious names and hiring information for the new employees.

Table 7.2 New Hire List for Practice

User Name         Title            Department            Status      Shift
Don Hall          Representative   Sales                 Temporary   Day
Donna Hall        Manager          Product Support       Permanent   Night
James Smith       Vice President   Training              Permanent   Day
James Smith       Representative   Sales                 Permanent   Day
Jon Morris        Developer        Product Development   Temporary   Night
Judy Lew          Developer        Product Development   Temporary   Day
Kim Yoshida       President        Training              Permanent   Day
Laurent Vernhes   Engineer         Product Support       Temporary   Night
Sandra Martinez   Engineer         Product Support       Permanent   Day

Planning Questions

Complete Table 7.3 to determine a naming convention for the users in the new hire list by considering the information that is provided in the sections "Scenario," "Criteria," and "New Hire List" in this practice.

Table 7.3 New Hire Naming Convention Plan for Practice

User Name         Full Name         User Logon Name
Don Hall
Donna Hall
James Smith
Jon Morris
Judy Lew
Kim Yoshida
Laurent Vernhes
Sandra Martinez

Complete Table 7.4 to determine logon hours and computer use for the users in the new hire list by considering the information that is provided in the sections "Scenario," "Criteria," and "New Hire List" in this practice.

Table 7.4 New Hire Scheduling Plan for Practice

User Name         When Can the User Log On?   Where Can the User Log On?
Don Hall
Donna Hall
James Smith
James Smith
Jon Morris
Judy Lew
Kim Yoshida
Laurent Vernhes
Sandra Martinez

Select the appropriate password setting for each user in Table 7.5 to determine who controls the user's password.

Table 7.5 New Hire Password Settings Plan for Practice

User Name         User Must Change Password the Next Time He or She Logs On   User Cannot Change Password
Don Hall
Donna Hall
James Smith
James Smith
Jon Morris
Judy Lew
Kim Yoshida
Laurent Vernhes
Sandra Martinez

Lesson Summary

In this lesson you learned that in planning user accounts, you should determine naming conventions for user accounts, requirements for passwords, and account options such as logon hours, the computers from which users can log on, and account expiration. You learned that domain user accounts can be up to 20 characters in length and must be unique within the OU where you create the domain user account. The user's logon name (DN) must be unique to the directory. The user's full name (also referred to as display name or account name) (RDN) must be unique within the OU where you create the domain user account. Local user account names can also be up to 20 characters in length and must be unique on the computer where you create the local user account. Making these decisions before you start creating user accounts will reduce the amount of time it takes to create the needed user accounts and will simplify managing these accounts.

In the practice portion of this lesson, you were presented with a fictitious scenario and planned a naming convention that easily accommodated employees with duplicate or similar names and temporary contract personnel. You also had to plan the hours during which users could log on and the computers at which a user could log on, based on the scenario and criteria you were supplied.