The notion of a user
Windows NT is an operating system which manages sessions, meaning that when the system is started, it is necessary to log in with a user name and password.
When Windows NT is installed, the administrator account is created by default, as is an account labeled guest. It is possible (and recommended) to modify user permissions (which actions they have a right to perform) as well as to add users with the user manager. A user account is an identification uniquely assigned to user to allow him or her:
- to log on to a domain in order to access network resources
- to log on to a local computer in order to access local resources
Therefore, each user who regularly uses the network must have an account.
The user manager is the standard utility provided with Windows NT, which manages users (as its name would suggest). It is available in the Start menu (Programs/Administration tools).
To create a new account, click on New User in the users menu. This brings up a dialog box for entering information on the new user:
- User: Login name for the user
- Full name: Optional information on the user
- Description: Optional field
- The Password fields are optional, but it is still recommended to fill them in, as well as to check the box labeled "user must change password " for security reasons.
User naming conventions
User naming conventions are how an administrator decides to identify users. The following should be kept in mind:
- User names must be unique (within a domain, or on a local computer)
- User names may contain any uppercase or lowercase character except for the following: / \ [ ] : . | = , + * ? < >
- Avoid creating similar user names.
User accounts and security
There are two kinds of accounts in NT. Built-in accounts are accounts that you create. After installation, Windows NT is set up with built-in accounts (the default accounts administrator and guest), which provides only minimal security.
The different accounts are:
- Accounts you create: User accounts for logging onto a network and accessing network resources. These accounts contain information on the user, in particular his or her name and password.
- Guest: This lets sometime users log on and access the local computer. By default, it is deactivated.
- Administrator: Used for managing global configuration of computers and domains. This account can carry out any task.
It is essential:
- first, to deactivate the guest account which would let any user log in to the system.
- and second, to change the name of the administrator account in order to reduce the risk of intrusion by that user account. As the administrator account has full permissions, it makes a prime target for would-be intruders.
Location of user accounts
Domain user accounts are created in the User Manager. When an account is created, it is automatically recorded in the SAM of the Principal Domain Controller (PDC), which then synchronizes it with the rest of the domain. As soon as an account is created in the SAM of the PDC, the user can log onto a domain from any domain workstation.
It may sometimes take several minutes for the domain to be synchronized.
There are two methods: typing
net accounts /sync
at the command prompt or, in the Server Manager, in the Computer menu, choosing Synchronize Entire Domain.
Local user accounts are created on a member server or a Windows NT Workstation computer, with the User Manager. The account is only created in the SAM of the local computer. For this reason, the user can log on only to that particular computer.
Planning new user accounts
The account creation process can be simplified by planning and organizing information on people who need a user account.
The home folder is the private folder in which a user can store his or her files. It is used as the default file for running commands like "Save." It may be stored on the local user computer or on a network server. The following points should be taken into account for creating them:
- It is much easier to ensure the backing up and restoration of data belonging to different users if the home folders are stored on a server. Otherwise, data should be backed up regularly on the various network computers where the home folders are stored.
- Pay attention to disk space on domain controllers: Windows NT does not have utilities for managing disk space (Windows 2000 does). Because of this, if you're not careful to keep home folders from becoming filled with large files, they may quickly use up the server's storage space. However, there are third-party tools for this, like "QUOTA MANAGER".
- If a user works on a computer without a hard drive, his or her home folder must be on the network server
- If the home folders are located on local computers, network performance will increase, as there will be less traffic over the network and the server isn't constantly handling requests.
Defining workstation and account options
The workstations from which a user logs in to the network can also be configured. You can either allow him or her to log on from any workstation, or specify one or more workstations. Using a unique station for a user is one option for a high-security network. Indeed, a user who logs in to a workstation which is not his or her own will log in locally and will therefore have access to all of the machine's local resources. What's more, specifying one or more workstations from which the user can log in allows the Network Administrator to monitor the user.
Also, it is possible to set an expiration date for a user account. This option may be useful for giving an account to a temporary employee. The account's expiration date would be set to whenever his or her contract runs out.
If the RAS (Remote Access Service) is installed, dial-up permissions can be configured. This service lets a user with the appropriate permissions remotely access network resources by dialing over a telephone line (or X.25). It helps users who need to access the network from home or elsewhere. There are several configurable call permissions:
- No Call Back: The user pays for communications fees. The server will not call the user back.
- Set By Caller: This option lets a user be called back by the server at a number he or she specifies. In this case, the business handles the communication fees.
- Preset to: Allows callback control by the administrator. He or she decides which number a given user must call the server from. This option can be used not only to reduce costs, but also to increase security, since the user must be located at a specific phone number.
Note: In the latter two cases, the user must first log in to the server in order for it to call him or her back.
Removing and changing user account names
When an account is no longer needed, it may be deleted or renamed so that another user can use it. Note that deleting an account also deletes the SID (Security IDentification). Even though NT provides for 15000 different SIDs, there is no point in deleting an account if it can be renamed for another employee.
Managing the user work environment
When a user logs on for the first time from a Windows NT client, a default user profile is created for that user. This profile sets elements such as his or her work environment and network and printer connections. This profile can be personalized in order to restrict certain desktop elements or tools shown on the station.
These profiles contain user-definable settings for a work environment on a computer running Windows NT. These settings are automatically saved in the Profiles folder (C:\Winnt\Profiles).
For users who are logging on from clients not running Windows NT, a session opening script may be used to configure user network and printer connections or to set the work environment or hardware settings. It is actually a command file (.bat or .cmd) or an executable file which automatically runs when the user logs in to the network.
It is also possible to use roaming user profiles, meaning a profile which gives a user the same work environment no matter what workstation he or she is connecting to the network with. These profiles are recorded on the server. There are two options for roaming profiles:
- Mandatory roaming profile: May be applied to one or several users and cannot be modified by these users. Only the administrator decides what features are given to the users (tools, configuration etc.) Even if the user changes the configuration, these modifications will not be saved after the user disconnects.
- Personal roaming profile: May only be applied to a single user and may be modified by that user. Each time the user disconnects, changes to settings are kept saved.
Note: These roaming profile options work correctly on computers with Windows NT. For computers that use Windows 95 or another OS, some problems may arise. The Policy Editor (POLEDIT) must then be used for creating roaming user profiles.
Once the user account has been created and the user has logged on for the first time, a user profile is automatically created in the Profiles folder.
The user or administrator can edit any settings that are needed to make sure that changes remain after logging out and stay saved in this folder.
The administrator must then create a folder, such as \\servernt\Profiles\user_name.
In the Configuration Panel, double-click on the System icon, then click on the User Profiles tab. Click on the desired profile, and press the Copy to button.
In the correct field, enter the UNC path which leads to the folder. Under Permitted to use, click on Change. Choose user.
Note: In the folder where the various profiles are stored, rename the ntuser.dat user file to ntuser.man to make that profile mandatory.
In Domain User Manager double-click on the account for the user in question and click Profiles. In the User Profile Path area, type the UNC path which leads to the network profile folder.
Defining a user environment
The User Environment Profile dialog box can be used to enter user profile pathways, a logon script, and the home directory.
Several options can be configured, in particular for indicating which paths lead to which elements:
- User Profile Path: Indicates the path to the user profile folder. For personal user profiles, type \\computer_name\share\%username% . For mandatory profile, replace %username% with profile_name
- Logon Script Name: It is possible to use a path leading to the user's local computer, or a UNC path leading to a shared folder on a network server.
- Home Directory: To specify a network path, select Connect and the drive letter. Then enter the UNC path. Before specifying a network slot, a folder must be created on the server and must be shared over the network.
Note: Use the variable %username% whenever a home folder or personal user profile is created. It will automatically be replaced by the user account
Windows NT also allows users to be managed by group, meaning it can define sets of users with the same type of permissions by sorting them into categories.
A group is a collection of user accounts. A user added to a group is granted all permissions and rights of that group. User groups make administration simpler, as they allow permissions to be granted to several users at once. There are two different types of groups:
- Local groups: Give users permission to access a network resource. They also serve to give users rights to perform system tasks (like changing the time, backing up and recovering files, etc.) There are preset local groups.
- Global groups: Are used to organize domain user accounts. They are also used in multiple-domain networks, when users from one domain need to be able to access resources from another domain.
When Windows NT is started for the first time, six groups are created by default:
- Backup Operators
- Power Users
These default groups may be deleted, and personalized user groups may be added, with special permissions depending on which operations they are to perform on the system. To add a group, click on New Local Group in the user menu.
Next, add users to groups by clicking on a user and then on Add. This brings up the following dialog box:
This allows you to simply select which groups a user should be part of.
Implementing built-in groups
Built-in groups are groups which have default determined user rights. User rights determine which system tasks a user or member of a built-in group can run. These are the three built-in groups in Windows NT:
- Built-in local groups: Give users rights that allow them to run system tasks like backing up and restoring data, changing the time, and administrating system resources. They are found on all computers running Windows NT
- Built-in global groups: Provide administrators a simple way to control all of the domain's users. Built-in global groups are found only on Domain Controllers.
- System groups automatically organize users by system use. Administrators do not add users to them. Users may be members of them by default, or become members through their network activity. They are found on all computers running Windows NT
None of these built-in groups may be renamed or deleted.
These are the built-in local groups:
- Users: Can run tasks for which they have access rights, and can access resources for which they have obtained permission.
The local group Power Users reside only on member servers and computers running NT Workstation. This group's members can create and modify accounts, as well as share resources.
- Administrators: Can run all administrative tasks on the local computer. If the computer is a Domain Controller, members may also administer the entire domain.
- Guests: Can run any task for which they have access rights, and can access resources for which they have obtained permission. Its members cannot permanently modify their local environment.
- Backup Operators: Can use the Windows NT backup program to back up and restore computers running Windows NTÂ²
- Replicators: Used by the Directory Replicator service. This group is not used for administration.
The following groups are only defined on domain controllers:
- Account Operators: Can create, delete, and modify users, local groups, and global groups. They cannot modify Administrators and Server Operators
- Server Operators: Can share disk resources, back up and restore data on servers
- Print Operators: Can configure and manage network printers
When Windows NT Server is installed as a Domain Controller, three global groups are created in the SAM. By default, these groups have no inherent rights. They acquire rights when they are added to local groups or when user rights or permissions are granted to them.
- Domain Users is automatically added to the local Users group. By default, an Administrator account is a member of this group.
- Domain Administrator is automatically added to the local Users group. These members can run administrative tasks on the local computer. By default, an Administrator account is a member of this group.
- Domain Guests is automatically added to the local Users group. By default, a Guest account is a member of this group.
Finally, built-in system groups reside on all computers running Windows NT. Users become members of them by default as the network operates. Member status may not be modified.
- Everyone includes all local and remote users with access to the computer. It also contains all accounts other than those created by the Domain Administrator.
- Creator/Owner includes the user who created or has taken ownership of a resource. This group can be used to manage file and folder access only on NTFS volumes.
- Network includes any user who is connected to a shared resource on your computer from another computer on the network
- Interactive automatically includes any user connected to the computer locally. Interactive members can access resources on the computer to which they are connected.