Windows NT is an operating system that manages sessions: this means that when the system starts, it is necessary to log in with a username and password. When Windows NT is installed, the administrator account is created by default, as well an account labeled guest. It is possible (and recommended) to modify user permissions (which actions they have a right to perform) as well as to add users with the user manager.
The user manager is the standard utility provided with Windows NT, that, as its name suggests it, manages users. It is available in the Start menu (Programs/Administration tools).
To create a new account, click on New User in the users menu. This brings up a dialog box for entering information on the new user:
- User: Login name for the user.
- Full name: Optional information on the user.
- Description: Optional field.
- The password: those fields are optional, but it is still recommended to fill them in, as well as to check the box labeled "user must change password " for security reasons.
User Naming Conventions
User naming conventions are how an administrator decides to identify users. The following should be kept in mind:
- Usernames must be unique (within a domain, or on a local computer).
- User names may contain any uppercase or lowercase character except for the following: / \ [ ] : . | = , + * ? < >
- Avoid creating similar usernames.
User Accounts and Security
There are two kinds of accounts in NT. Built-in accounts are accounts that you create. After installation, Windows NT is set up with built-in accounts (the default accounts administrator and guest). This provides only minimal security.
The different accounts are:
- Accounts you create: user accounts for logging into a network and accessing network resources. These accounts contain information on the user, in particular their name and password.
- Guest: This lets occasional users login and access the local computer. By default, it is deactivated.
- Administrator: Used for managing global configuration of computers and domains. This account can carry out any task.
To benefit from the Administrator account’s permissions, you have to:
- Deactivate the guest account.
- Change the name of the administrator account in order to reduce the risk of intrusion by the user account.
Location of User Accounts
Domain user accounts are created in the User Manager. When an account is created, it is automatically recorded in the SAM of the Principal Domain Controller (PDC), which then synchronizes it with the rest of the domain. This may take several minutes. As soon as an account is created in the SAM of the PDC, the user can log onto a domain from any domain workstation.
Local user accounts are created on a member server or a Windows NT Workstation computer, with the User Manager. The account is only created in the SAM of the local computer. For this reason, the user can login only to that particular computer.
Planning New User Accounts
The account creation process can be simplified by planning and organizing information on people who need a user account.
The home folder is the private folder in which a user can store their files. It is used as the default file for running commands like Save. It may be stored on the local user computer or on a network server.
The following points should be taken into account for creating them:
- Storing home folders on a server: this way, it is much easier to ensure the backing up and restoration of data belonging to different users. Otherwise, data should be backed up regularly on the various network computers where the home folders are stored.
- Disk space on domain controllers: Windows NT does not have utilities for managing disk space (Windows 2000 does). Because of this, if you're not careful to keep home folders from becoming filled with large files, they may quickly use up the server's storage space.
- A computer without a hard drive: the user’s home folder must be on the network server.
- Home folders located on local computers: this way network performance will increase, as there will be less traffic over the network and the server isn't constantly handling requests.
Defining Workstation and Account Options
The workstations from which a user logs in to the network can also be configured. You can either allow them to login from any workstation, or specify one or more workstations. Using a unique station for a user is one option for a high-security network. Indeed, a user who logs in to a workstation that is not their own will login locally and will therefore have access to all of the machine's local resources. What's more, specifying one or more workstations from which the user can log in allows the Network Administrator to monitor the user.
Also, it is possible to set an expiration date for a user account. This option may be useful for giving an account to a temporary employee. The account's expiration date would be set to whenever their contract runs out.
If the RAS (Remote Access Service) is installed, dial-up permissions can be configured. This service lets a user with the appropriate permissions remotely access network resources by dialing over a telephone line (or X.25). It helps users who need to access the network from home or elsewhere. There are several configurable call permissions:
- No Call Back: The user pays for communications fees. The server will not call the user back.
- Set By Caller: This option lets a user be called back by the server at a number they specify. In this case, the business handles the communication fees.
- Preset to: Allows callback control by the administrator. They decide which number a given user must call the server from. This option can be used not only to reduce costs, but also to increase security, because the user must be located at a specific phone number.
Removing and Changing User Account Names
When an account is no longer needed, it may be deleted or renamed so that another user can use it. Note that deleting an account also deletes the SID (Security IDentification).
Managing the User Work Environment
When a user logs in for the first time from a Windows NT client, a default user profile is created for that user. This profile sets elements such as their work environment and network and printer connections. This profile can be personalized in order to restrict certain desktop elements or tools shown on the station.
These profiles contain user-definable settings for a work environment on a computer running Windows NT. These settings are automatically saved in the Profiles folder (C:\Winnt\Profiles).
For users who are logging from clients not running Windows NT, a session opening script may be used to configure the user’s network and printer connections or to set the work environment or hardware settings. It is actually a command file (.bat or .cmd) or an executable file that automatically runs when the user logs in to the network.
It is also possible to use roaming user profiles, meaning a profile which gives a user the same work environment no matter what workstation they are connected with to the network. These profiles are recorded on the server.
There are two options for roaming profiles:
- Mandatory roaming profile: Can be applied to one or several users and cannot be modified by these users. Only the administrator decides what features are given to the users (tools, configuration etc.) Even if the user changes the configuration, these modifications will not be saved after the user disconnects.
- Personal roaming profile: Can only be applied to a single user and can also be modified by that user. Each time the user disconnects, changes to settings are kept saved.
Once the user account is created and the user logged in for the first time, a user profile is automatically created in the Profiles folder.
The user or administrator can edit any settings that are needed to make sure that changes remain after logging out.
The administrator must then create a folder, such as \\servernt\Profiles\user_name.
In the Configuration Panel, double-click on the System icon, then click on the User Profiles tab. Click on the desired profile, and press the Copy to button.
In the corresponding field, enter the UNC path that leads to the folder. Under Permitted to use, click on Change. Choose user.
Note: In the folder where the various profiles are stored, rename the ntuser.dat user file to ntuser.man to make that profile mandatory.
In Domain User Manager double-click on the account for the user in question and click Profiles. In the User Profile Path area, type the UNC path which leads to the network profile folder.
Defining a User Environment
The User Environment Profile dialog box can be used to enter user profile pathways, a logon script, and the home directory.
Several options can be configured, in particular for indicating which paths lead to which elements:
- User Profile Path: Indicates the path to the user profile folder. For personal user profiles, type \\computer_name\share\%username% . For mandatory profile, replace %username% with profile_name
- Login Script Name: It is possible to use a path leading to the user's local computer, or a UNC path leading to a shared folder on a network server.
- Home Directory: To specify a network path, select Connect and the drive letter. Then enter the UNC path. Before specifying a network slot, a folder must be created on the server and must be shared over the network. Note: Use the variable %username% whenever a home folder or personal user profile is created. It will automatically be replaced by the user account.
Windows NT also allows users to be managed by group, meaning it can define sets of users with the same type of permissions by sorting them into categories.
A group is a collection of user accounts. A user added to a group is granted all permissions and rights of that group. User groups make administration simpler, as they allow permissions to be granted to several users at once.
There are two different types of groups:
- Local groups: Give users permission to access a network resource. They also serve to give users rights to perform system tasks (like changing the time, backing up and recovering files, etc.).
- Global groups: Are used to organize domain user accounts. They are also used in multiple-domain networks, when users from one domain need to be able to access resources from another domain.
When Windows NT is started for the first time, six groups are created by default:
- Backup Operators.
- Power Users.
These default groups can be deleted, and personalized user groups may be added, with special permissions depending on which operations they are to perform on the system. To add a group, click on New Local Group in the user menu.
Next, add users to groups by clicking on a user and then on Add. This brings up the following dialog box:
This allows you to simply select which groups a user should be part of.
Implementing Built-in Groups
Built-in groups are groups that have default determined user rights. User rights determine which system tasks a user or member of a built-in group can run.
These are the three built-in groups in Windows NT:
- Built-in local groups: Give users rights that allow them to run system tasks like backing up and restoring data, changing the time, and administrating system resources.
- Built-in global groups: Provide administrators a simple way to control all of the domain's users.
- System groups: organize automatically users by system use. Administrators do not add users to them. Users can be members of them by default, or become members through their network activity.
These are the built-in local groups:
- Users: Can run tasks for which they have access rights, and can access resources for which they have obtained permission.
- Administrators: Can run all administrative tasks on the local computer.
- Guests: Can run any task for which they have access rights, and can access resources for which they have obtained permission. Its members cannot permanently modify their local environment.
- Backup Operators: Can use the Windows NT backup program to back up and restore computers running Windows NT ².
- Replicators: Used by the Directory Replicator service. This group is not used for administration.
The following groups are only defined on domain controllers:
- Account Operators: Can create, delete, and modify users, local groups, and global groups. They cannot modify Administrators and Server Operators.
- Server Operators: Can share disk resources, back-up and restore data on servers.
- Print Operators: Can configure and manage network printers.
When Windows NT Server is installed as a Domain Controller, three global groups are created in the SAM. By default, these groups have no inherent rights. They acquire rights when they are added to local groups or when user rights or permissions are granted to them.
- Domain Users is automatically added to the local Users group. By default, an Administrator account is a member of this group.
- Domain Administrator is automatically added to the local Users group. These members can run administrative tasks on the local computer. By default, an Administrator account is a member of this group.
- Domain Guests is automatically added to the local Users group. By default, a Guest account is a member of this group.
Finally, built-in system groups reside on all computers running Windows NT. Users become members of them by default as the network operates. Member status may not be modified.
- Everyone: includes all local and remote users with access to the computer. It also contains all accounts other than those created by the Domain Administrator.
- Creator/Owner: includes the user who created or has taken ownership of a resource. This group can be used to manage file and folder access only on NTFS volumes.
- Network: includes any user who is connected to a shared resource on your computer from another computer on the network.
- Interactive: includes automatically any user connected to the computer locally. Interactive members can access resources on the computer to which they are connected.