Windows NT is an operating system that manages sessions: this means that when the system starts, it is necessary to log in with a username and password. When Windows NT is installed, the administrator account is created by default, as well as an account labeled guest. It is possible (and recommended) to modify user permissions (which actions they have a right to perform) as well as to add users with the user manager.
The user manager is the standard utility provided with Windows NT which, as its name suggests, manages users. It is available in the Start menu (Programs/Administration tools).
To create a new account, click on New User in the users menu. This brings up a dialog box for entering information on the new user:
User naming conventions are how an administrator decides to identify users. The following should be kept in mind:
There are two kinds of accounts in NT: built-in accounts and accounts that you create. After installation, Windows NT is set up with built-in accounts (the default accounts administrator and guest). This provides only minimal security.
The different accounts are:
To benefit from the Administrator account’s permissions, you have to:
Domain user accounts are created in the User Manager. When an account is created, it is automatically recorded in the SAM of the Primary Domain Controller (PDC), which then synchronizes it with the rest of the domain. This may take several minutes. As soon as an account is created in the SAM of the PDC, the user can log on to the domain from any domain workstation.
Local user accounts are created on a member server or a Windows NT Workstation computer, with the User Manager. The account is only created in the SAM of the local computer. For this reason, the user can log in only to that particular computer.
The account creation process can be simplified by planning and organizing information on people who need a user account.
The home folder is the private folder in which a user can store their files. It is used as the default folder for commands such as Save. It may be stored on the user's local computer or on a network server.
The following points should be taken into account for creating them:
The workstations from which a user logs in to the network can also be configured. You can either allow them to log in from any workstation, or specify one or more workstations. Restricting a user to a single workstation is one option for a high-security network. Indeed, a user who logs in to a workstation that is not their own will log in locally and will therefore have access to all of the machine's local resources. What's more, specifying one or more workstations from which the user can log in allows the Network Administrator to monitor the user.
Also, it is possible to set an expiration date for a user account. This option may be useful for giving an account to a temporary employee. The account's expiration date would be set to whenever their contract runs out.
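The home folder, workstation restriction and expiration date described above can also be set from the command line with `net user` and `cacls`. The batch file below is an added example, not part of the original page; the account name, date, workstation names and the `\\servernt\Users` share are assumptions.

```batch
@echo off
rem Added example: create a temporary domain account with a private home
rem folder, a workstation restriction and an expiry date. Run it on an NT
rem machine while logged on to the domain as an administrator.
rem Every value in the "set" lines is a placeholder (assumption).
setlocal
set ACCOUNT=jdoe
rem The date format (mm/dd/yy or dd/mm/yy) follows the machine's country setting.
set EXPIRES=12/31/99
rem net user accepts at most eight workstation names.
set STATIONS=WKS01,WKS02
set HOMEDIR=\\servernt\Users\%ACCOUNT%

rem "*" makes net user prompt for the password, so it never appears on the
rem command line or in this file. /domain creates the account in the SAM
rem of the PDC instead of the local machine.
net user %ACCOUNT% * /add /domain /expires:%EXPIRES% /workstations:%STATIONS% /comment:"Temporary account"
if errorlevel 1 goto failed

rem net user does not create the home folder. Create it, then replace its
rem ACL so that only the user and Administrators have access. Without /E,
rem cacls replaces the ACL and asks for confirmation, hence "echo y".
if not exist "%HOMEDIR%" md "%HOMEDIR%"
echo y| cacls "%HOMEDIR%" /G %USERDOMAIN%\%ACCOUNT%:F Administrators:F
net user %ACCOUNT% /domain /homedir:%HOMEDIR%
if errorlevel 1 goto failed

rem Display the stored restrictions and the folder ACL for review.
net user %ACCOUNT% /domain | find "Account expires"
net user %ACCOUNT% /domain | find "Workstations allowed"
net user %ACCOUNT% /domain | find "Home directory"
cacls "%HOMEDIR%"
goto end

:failed
echo Account setup for %ACCOUNT% did not complete; review the error above.

:end
endlocal
```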
If the RAS (Remote Access Service) is installed, dial-up permissions can be configured. This service lets a user with the appropriate permissions remotely access network resources by dialing over a telephone line (or X.25). It helps users who need to access the network from home or elsewhere. There are several configurable call permissions:
When an account is no longer needed, it may be deleted or renamed so that another user can use it. Note that deleting an account also deletes the SID (Security Identifier).
When a user logs in for the first time from a Windows NT client, a default user profile is created for that user. This profile sets elements such as their work environment and network and printer connections. This profile can be personalized in order to restrict certain desktop elements or tools shown on the station.
These profiles contain user-definable settings for a work environment on a computer running Windows NT. These settings are automatically saved in the Profiles folder (C:\Winnt\Profiles).
For users who are logging in from clients not running Windows NT, a logon script may be used to configure the user's network and printer connections or to set the work environment or hardware settings. It is actually a command file (.bat or .cmd) or an executable file that automatically runs when the user logs in to the network.
It is also possible to use roaming user profiles, meaning a profile which gives a user the same work environment no matter which workstation they use to connect to the network. These profiles are recorded on the server.
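A short logon script of the kind described above, added here as an example and not taken from the original page. The share and printer names on `\\servernt` are assumptions, and the commands are limited to forms that non-NT clients also accept.

```batch
@echo off
rem Constructed logon script (example). The server, share and printer
rem names are placeholders.

rem Synchronise the client clock with the server so that file timestamps
rem and audit log entries line up across machines.
net time \\servernt /set /yes

rem Connect the shared data folder as drive H:.
net use H: \\servernt\Public
if errorlevel 1 echo Could not connect drive H:

rem Redirect LPT1 to the shared network printer.
net use LPT1: \\servernt\Laser1
if errorlevel 1 echo Could not connect the printer
```

The script is placed in the NETLOGON share of the domain controller, and its file name is entered as the logon script in the user's account.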
There are two options for roaming profiles:
Once the user account is created and the user has logged in for the first time, a user profile is automatically created in the Profiles folder.
The user or administrator can edit any settings that are needed to make sure that changes remain after logging out.
The administrator must then create a folder, such as \\servernt\Profiles\user_name.
In the Control Panel, double-click on the System icon, then click on the User Profiles tab. Click on the desired profile, and press the Copy To button.
In the corresponding field, enter the UNC path that leads to the folder. Under Permitted to use, click on Change. Choose user.
Note: In the folder where the various profiles are stored, rename the ntuser.dat user file to ntuser.man to make that profile mandatory.
In Domain User Manager double-click on the account for the user in question and click Profiles. In the User Profile Path area, type the UNC path which leads to the network profile folder.
The User Environment Profile dialog box can be used to enter the user profile path, a logon script, and the home directory.
Several options can be configured, in particular for indicating which paths lead to which elements:
Windows NT also allows users to be managed by group, meaning it can define sets of users with the same type of permissions by sorting them into categories.
A group is a collection of user accounts. A user added to a group is granted all permissions and rights of that group. User groups make administration simpler, as they allow permissions to be granted to several users at once.
There are two different types of groups:
When Windows NT is started for the first time, six groups are created by default:
These default groups can be deleted, and personalized user groups may be added, with special permissions depending on which operations they are to perform on the system. To add a group, click on New Local Group in the user menu.
Next, add users to groups by clicking on a user and then on Add. This brings up the following dialog box:
This allows you to simply select which groups a user should be part of.
Built-in groups are groups that have predetermined user rights. User rights determine which system tasks a user or member of a built-in group can run.
These are the three built-in groups in Windows NT:
These are the built-in local groups:
The following groups are only defined on domain controllers:
When Windows NT Server is installed as a Domain Controller, three global groups are created in the SAM. By default, these groups have no inherent rights. They acquire rights when they are added to local groups or when user rights or permissions are granted to them.
Finally, built-in system groups reside on all computers running Windows NT. Users become members of them by default as the network operates. Member status may not be modified.