Summary user accounts and profiles

User accounts give a user access to a domain (and thereby to network resources) or to a computer (and the resources on that machine). When a domain user logs on, the authentication process provides him/her with an access token. During the logon session this token is used to deliver information about the user and his/her security settings to the machines the user tries to access. Local accounts are created in the local SAM of Windows 2000 Professional clients or Windows 2000 member servers. Active Directory accounts are stored in the Active Directory maintained by the domain controllers.
Domain accounts are created in the directory of a domain controller and replicated to the other domain controllers in the domain (by default every five minutes).

With a local account you can only get access to local resources. This account is stored in the local security database of the machine.

Windows 2000 has the following built-in user accounts:

Administrator. This account cannot be deleted but should be renamed for optimal security. After it has been renamed you can create a new account named Administrator that has no permissions, to mislead attackers. The Administrator account exists in both the domain and the local account database.
Guest. This account is disabled by default but is a member of the Everyone group. The Guest account exists in both the domain and the local account database.
ILS_Anonymous user. A special account for the ILS service, which is used by telephony applications and runs on IIS. The ILS_Anonymous user account is only available in domains.
IUSR_Computer_name. The Internet guest account used by IIS; it is only present when IIS is installed. The IUSR_Computer_name account can exist in both the domain and the local account database.
IWAM_Computer_name. Used by IIS to start out-of-process applications on a computer with IIS installed. The IWAM_Computer_name account can exist in both the domain and the local account database.
Krbtgt. Used by the Key Distribution Center service. It is only available in domains.
TSInternetUser. Used by Terminal Services and only available in domains.

Windows 2000 Professional also creates an account based on the name you entered during installation. This account is given administrative privileges.

When planning new accounts, keep the following things in mind:

Local user accounts are created with the Local Users and Groups utility, via the Users and Passwords applet in Control Panel or via the Computer Management console (compmgmt.msc). In the Users and Passwords applet the Group Membership tab lets you select a predefined group membership such as Standard user (Power Users group), Restricted user (Users group) or Other. The applet can also start Advanced User Management (lusrmgr.msc), manage certificates and disable the CTRL-ALT-DEL logon requirement.
User accounts in a domain are created via the Active Directory Users and Computers snap-in (dsa.msc) and stored on the first available domain controller the console contacts (normally the operations master domain controller). That domain controller replicates the accounts to the others.
Local user account names must be unique on the machine.
For a domain account, the user logon name must be unique within the directory.
For a domain account, the name of the user must be unique within the organizational unit.
A user name may contain at most 20 characters (upper- and lowercase).
The following characters are invalid: "/\[ ]:;=,+*?<>|
User names are not case sensitive, but Windows 2000 preserves the case.
Local user accounts are stored in the SAM (winnt\system32\config).
User accounts in the Active Directory are stored in \winnt\ntds\ntds.dit.
Each user account has a unique SID with the following structure:

S-1-5-21-D1-D2-D3-RID

S-1-5 = prefix: S marks a SID, 1 is the version (revision) number, 5 means the SID is assigned by NT
21 = NT prefix
D1, D2, D3 = three 32-bit numbers that identify the domain
RID = relative identifier, unique for each account within the domain

Each user account gets a User Principal Name (UPN). It consists of the user name + @ + the domain in which the account is stored.
You can log on with the pre-Windows 2000 name (account) and with the UPN (account@domain).
Always assign a password to the Administrator account.
Decide whether users should be able to change their password.
Use passwords that are difficult to guess: combine upper- and lowercase characters, numerals and non-alphanumeric characters.
Passwords can be up to 128 characters; a minimum of 8 characters is required. Keep in mind that Windows 95 and 98 support at most 14 characters.
Determine the logon hours, the machines from which logon is allowed and whether the account expires. If NetBIOS over TCP/IP is disabled, Windows 2000 cannot check on which machine the user logs on.
Use the General, Address, Telephones and Organization tabs to store additional user information. This information can be used to search for users in the directory.
When logon hours are set and the allowed logon time expires, the user is not disconnected, but cannot establish new connections. This behaviour can be changed via the Group Policy snap-in (gpedit.msc) or via the domain/local security policy tool.
On the Profile tab you can add the logon script. By default this script is stored in winnt\sysvol on the domain controller(s).
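The naming rules and the SID layout above are easy to get wrong when accounts are created by script rather than through the snap-in. The following Python is an added example (not code from the original page): it checks a proposed logon name against the rules listed (length, invalid characters, case-insensitive uniqueness), builds the two logon names a domain user can use, and decodes an S-1-5-21 account SID into its domain part and RID. The account names, domain names and SID values are constructed for illustration; the well-known RIDs 500, 501 and 502 for Administrator, Guest and krbtgt are standard Windows values not stated on the page, and they are why renaming the Administrator account does not hide it from anyone who can read SIDs.

```python
"""Account-naming checks and SID decoding for a Windows 2000 domain.

Added example, not part of the original page. Account names, domain
names and SID values are constructed.
"""
import re
from dataclasses import dataclass

# Characters Windows 2000 rejects in a user name (the page's list).
INVALID_NAME_CHARS = set('"/\\[]:;=,+*?<>|')
MAX_NAME_LENGTH = 20

# RIDs Windows assigns to built-in accounts (standard values, not on the
# page). Renaming Administrator leaves its RID at 500.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}


def check_user_name(name, existing_names):
    """Return the rule violations for a proposed logon name.

    `existing_names` holds the names already in the same account database
    (local SAM or directory). The comparison is case-insensitive: Windows
    2000 preserves case but does not distinguish it.
    """
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name) > MAX_NAME_LENGTH:
        problems.append(f"name longer than {MAX_NAME_LENGTH} characters")
    bad = sorted(INVALID_NAME_CHARS.intersection(name))
    if bad:
        problems.append("invalid characters: " + "".join(bad))
    if name.lower() in {n.lower() for n in existing_names}:
        problems.append("name already exists (case-insensitive match)")
    return problems


def logon_names(name, netbios_domain, dns_domain):
    """Return the pre-Windows 2000 name (DOMAIN\\user) and the UPN."""
    return f"{netbios_domain}\\{name}", f"{name}@{dns_domain}"


@dataclass
class Sid:
    revision: int
    authority: int
    domain: tuple  # the three 32-bit sub-authorities D1, D2, D3
    rid: int

    def same_domain_as(self, other):
        return self.authority == other.authority and self.domain == other.domain


# Only the S-1-5-21-D1-D2-D3-RID layout described on the page is accepted.
SID_RE = re.compile(r"^S-(\d+)-(\d+)-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def parse_account_sid(text):
    """Decode an NT account SID; raises ValueError for any other layout."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not an S-1-5-21 account SID: {text}")
    rev, auth, d1, d2, d3, rid = (int(g) for g in m.groups())
    if rev != 1 or auth != 5:
        raise ValueError(f"unexpected revision/authority in {text}")
    for d in (d1, d2, d3):
        if d > 0xFFFFFFFF:
            raise ValueError(f"sub-authority exceeds 32 bits in {text}")
    return Sid(rev, auth, (d1, d2, d3), rid)


def describe_rid(sid):
    """Name the built-in account a RID belongs to, or None for ordinary accounts."""
    return WELL_KNOWN_RIDS.get(sid.rid)


if __name__ == "__main__":
    existing = {"Administrator", "Guest", "jsmith"}          # constructed
    print(check_user_name("JSmith", existing))
    print(check_user_name("a*b", existing))
    print(logon_names("jsmith", "EXAMPLE", "example.local"))
    s = parse_account_sid("S-1-5-21-1004336348-1177238915-682003330-500")
    print(s, describe_rid(s))
```

Run it directly to see the checks applied to the constructed names; in practice the existing-name set would be read from the SAM or the directory before the account is created.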

Administration of user accounts

When you select a user, the following tasks are available:

Copy. Copy the selected user account to create a new account.
Add members to group. Add the user account to a group.
Name mappings. Gives the ability to view and modify X.509 certificates (*.cer) and Kerberos principal names for the user.
Disable/Enable account. Disable or enable the account of the user.
Reset password. Reset the password of the user.
Move. Move the user to another domain or OU.
Open home page. Open the homepage of the user.
Send mail. Send a mail to the user.
Properties. View or modify information on the following tabs:

General tab

Contains the first name, initials, last name, display name, description, office, telephone number, e-mail address and web page of the user. You can add more than one telephone number or web page via the Other buttons.

Address tab

Contains the street, P.O. box, city, state/province, ZIP/postal code, and country/region of the user.

Account

Contains the user logon name (name and domain) and the pre-Windows 2000 user logon name. The Logon Hours button can be used to restrict logon hours, the Log On To button to specify the machines on which the user is allowed to log on (NetBIOS required).
The tab shows whether the account is locked out, and you can set an expiration date for the account. You can also specify the following account options:

User must change password at next logon.
User cannot change password.
Password never expires.
Store password using reversible encryption. This option is required for users using Apple computers.
Account is disabled.
Smart card is required for interactive logon.
Account is trusted for delegation. This gives the user the ability to assign parts of his management tasks in the domain to another user.
Account is sensitive and cannot be delegated.
Use DES encryption types for this account.
Do not require Kerberos preauthentication. May be required when a different Kerberos mechanism is used.

Profile

Set the profile path, the logon script and the home folder (a local path or a mapped network share).

Telephones

Enter the home, pager, mobile, fax and IP phone numbers of the user. Use the Other button to add extra numbers. You can also add notes on this tab.

Organization

Enter the title, department, company and manager. The manager is selected via Active Directory.

Published certificates

Shows the certificates of the user and offers the ability to remove certificates or to add them from a store or from a file (*.cer or *.p7b).

Member of

Shows the groups the user is a member of and offers an Add button to add the user to groups. You can also set the primary group for Macintosh clients or POSIX-compliant applications.

Dial-in

You can set the following options:

Remote access permission for dial-in or VPN: Allow access, Deny access or Control access through Remote Access Policy (default).
Verify caller ID.
Callback options: No callback (default), Set by caller (Routing and Remote Access service only) or Always call back to (enter a number).
Assign a static IP address (enter an IP address).
Apply static routes (add static routes).

Object

Displays the fully qualified domain name of the user, the object class, the creation and modification dates, and the original and current USN.

Security

Shows permissions on the user account. 

Environment

Used for Terminal Services to set the program to start at logon and the following settings:

Connect client drives at logon (default on).
Connect client printers at logon (default on).
Default to main client printer (default on).

Sessions

Used for Terminal Services timeout and reconnection settings. You can set:

End a disconnected session (default Never).
Active session limit (default Never).
Idle session limit (default Never).
When a session limit is reached or the connection is broken: disconnect from session (default) or end session.
Allow reconnection from any client (default) or from the originating client only.

Remote control

Used for Terminal Services remote control settings. You can set:

Enable remote control (default on).
Require user's permission (default on).
Level of control: view the session or interact with it (default interact).

Terminal services profiles

Used to set the Terminal Services profile. You can set:

User profile.
Terminal Services home folder (local path or network share).
Allow logon to terminal server.

Profiles

A profile gives the ability to store user-specific settings on the local machine or on the network. This gives each user his/her own working environment on a machine. If the profile is stored on the network, the user settings travel with the user: at logoff the profile is synchronized to the network, at logon it is synchronized to the client. Keep in mind that with the default group policies a network profile is not loaded over a slow connection.

A user profile consists of the saved registry hive HKEY_CURRENT_USER (ntuser.dat) and a set of folders. NTuser.dat contains the following information:

Windows explorer settings. (inc. mapped drives)
Taskbar settings.
Printer settings.
Control panel settings that can be changed per user.
Accessories settings.
Application settings. (applications that use hkey_current_user)

Each user profile contains the following folders:

Application Data. Application-specific data, such as a custom dictionary for a word processing program. If a program needs more than 64 KB of user-specific information, it is stored in this folder rather than in the registry. This folder is hidden and can be redirected by using group policies.
Cookies. Cookies used by Internet explorer.
Desktop. Desktop items, including files and shortcuts. This folder can be redirected by using Group policies.
Favorites. Internet Explorer favorites.
Local Settings. Application settings and data that do not roam with the profile. The folder contains machine-specific data, or data that is too large to roam effectively. It is hidden and contains the subfolders Application Data, History (IE history), Temp (temporary files) and Temporary Internet Files (IE offline cache).
You can use group policies to set which folders in a profile are non-roaming. The roaming behaviour of the Temp and Temporary Internet Files folders cannot be changed.
My Documents. The new default location for any documents the user creates. Applications should be written to save files here by default. If the user has a home folder, the default location for documents is changed to that folder. This folder contains a subfolder called My Pictures. Both folders can be redirected by using group policies.
NetHood. Shortcuts to Network Neighborhood items. This folder is hidden.
PrintHood. Shortcuts to printer folder items. This folder is hidden.
Recent. Shortcuts to the most recently used documents.
SendTo. Shortcuts to document storage locations and applications.
Start Menu. Shortcuts to program items. This folder can be redirected by using Group policies.
Templates. Shortcuts to template items. This folder is hidden.

When a user logs on for the first time a default user profile is created in system_root_disk\Documents and Settings\user_logon_name. If the system was migrated from Windows NT 4.0, the old \winnt\profiles folder is used. Migrations from Windows NT 3.51, 95 or 98 use system_root_disk\Documents and Settings\user_logon_name.

By default it contains the folders Cookies, Desktop, My Documents, Favorites and Start Menu. Hidden folders are Application Data, Local Settings, NetHood, PrintHood, Recent, SendTo and Templates. The files ntuser.dat, ntuser.ini and ntuser.dat.log are also hidden. The My Documents folder is the default location for storing documents.

A roaming profile is copied from the server to the client when a user logs on to the domain. When a user already has a local profile, only the files that have been changed on the server are copied to the client.

Roaming profiles should not be encrypted.

The ntuser.ini file contains information about files that should not be copied to the network when a roaming profile is used. To prevent certain folders from roaming, use group policies.

A mandatory profile is a read-only roaming profile. When the user logs off, the changes are not saved to the network. To activate it, rename ntuser.dat to ntuser.man. Renaming it back to ntuser.dat does not work. If a mandatory profile is not available, the user cannot log on. Mandatory profiles are only supported by Windows 2000 for backwards compatibility; in Windows 2000 group policies should be used for desktop configuration.

When a profile folder is created on a network share, the Administrators group does not have read permission on it by default. This can be changed via group policy: Computer Configuration - Administrative Templates - System - Logon - Add the Administrators security group to roaming user profiles.

If the server that should store the user's profile is not available, a profile is created in system_root_disk\Documents and Settings\temp. This folder is deleted when the user logs off.

Via Control Panel - System - User Profiles you can change local profiles into roaming profiles. You can also copy profiles for other users and give them permission to use the copied profile.

The Delprof resource kit utility can be used to delete local profiles via a script.

The following steps are executed when a new user uses a local profile:

The user logs on.
The operating system checks the list of user profiles located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to determine if a local profile exists for the user. If an entry exists, then this local profile is used.
If a local profile is not found, and the computer is part of a domain, the operating system checks if a domain wide default profile exists in a folder named Default user on the domain controller's Netlogon share.
If a domain wide profile exists, it is copied to a subfolder on the local computer with the username under %systemdrive%\Documents and Settings\username. If a default domain profile does not exist, then the local default profile is copied from the %Systemdrive%\Documents and Settings\Default User folder.
The user's registry hive (NTUSER.DAT) is mapped to the HKEY_CURRENT_USER portion of the registry.
When the user logs off, a profile is saved to the local hard disk of the computer.

The following steps are executed when an existing user uses a local profile:

The user logs on.
Windows checks the list of user profiles located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to get the path to the user's profile.
The user's registry hive (NTUSER.DAT) is mapped to the HKEY_CURRENT_USER portion of the registry.
When the user logs off, the profile is saved to the local hard disk of the computer.

The following steps are executed when a new user uses a roaming profile:

The user logs on.
Windows checks the list of user profiles located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to determine if a cached copy of the profile exists. If a local copy of the profile is not found, and the computer is part of a domain, Windows checks to determine if a domain wide default profile exists in the Default User folder on the domain controller's NETLOGON share.
If a domain wide profile exists, it is copied to a subfolder on the local computer with their username under %Systemdrive%\Documents and Settings\.
If a default domain profile does not exist, then the local default profile is copied from the %Systemdrive%\Documents and Settings\Default User folder to a subfolder on the local computer with their username under %Systemdrive%\Documents and Settings\.
The user's registry hive (NTUSER.DAT) is copied to the local cached copy of their user profile, and is mapped to the HKEY_CURRENT_USER portion of the registry.
The user can then run applications and edit documents as normal. When the user logs off, their local profile is copied to the path configured by the administrator. If a profile already exists on the server, the local profile is merged with the server copy.

The following steps are executed when an existing user uses a roaming profile:

The user logs on.
Windows checks the list of user profiles located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to get the path to the user's profile.
The user's registry hive (NTUSER.DAT) is copied to the local cached copy of the user profile, and is mapped to the HKEY_CURRENT_USER portion of the registry.
The contents of the local cached profile are compared with the copy of the profile on the server, and the two profiles are merged.
The user can then run applications and edit documents as normal. When the user logs off, the local profile is copied to the path configured by the administrator. If a profile already exists on the server, the local profile is merged with the server copy.
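The four sequences above share one decision: an entry in ProfileList wins, otherwise a domain-wide Default User on NETLOGON is used, otherwise the local Default User. The Python below is an added example (not code from the original page) that models that decision and what the logoff step will do with the result. The ProfileList contents, user names and share paths are constructed; the real registry key is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList with one subkey per account SID, which the example simplifies to a dictionary keyed by user name.

```python
"""Where does a user's profile come from at logon?

Added example, not part of the original page. The ProfileList dictionary
stands in for the registry key of the same name (keyed here by user name
instead of by SID for readability); all paths and names are constructed.
"""
import ntpath

SYSTEMDRIVE = "C:\\"
PROFILES_ROOT = ntpath.join(SYSTEMDRIVE, "Documents and Settings")
LOCAL_DEFAULT = ntpath.join(PROFILES_ROOT, "Default User")


def resolve_profile(user, profile_list, domain_member, netlogon_default,
                    roaming_path=None):
    """Apply the page's logon sequence and return what will happen.

    user             - logon name
    profile_list     - dict user -> local profile path (existing entries)
    domain_member    - True if the computer is joined to a domain
    netlogon_default - path of the Default User folder on the DC's NETLOGON
                       share, or None if no domain-wide default exists
    roaming_path     - server path of the roaming profile, or None for a
                       local profile
    """
    cached = profile_list.get(user)
    if cached is not None:
        # An existing local (or cached roaming) profile is used as-is.
        local_path, seed = cached, None
    else:
        local_path = ntpath.join(PROFILES_ROOT, user)
        if domain_member and netlogon_default is not None:
            seed = netlogon_default          # domain-wide Default User
        else:
            seed = LOCAL_DEFAULT             # local Default User
    return {
        "local_path": local_path,
        "seed": seed,                         # None: nothing is copied
        "hive": ntpath.join(local_path, "NTUSER.DAT"),
        # Only an existing roaming user has a cached copy to merge with
        # the server copy at logon.
        "merge_at_logon": roaming_path is not None and cached is not None,
        # At logoff a roaming profile is copied (merged) to the server;
        # a local profile is only saved to the local disk.
        "copy_back_to": roaming_path,
    }


if __name__ == "__main__":
    profile_list = {"jsmith": ntpath.join(PROFILES_ROOT, "jsmith")}   # constructed
    dc_default = r"\\DC1\NETLOGON\Default User"                         # constructed
    for name, roaming in (("jsmith", None), ("newuser", None),
                          ("newuser", r"\\FS1\Profiles\newuser")):
        print(name, resolve_profile(name, profile_list, True, dc_default, roaming))
```

The design keeps the precedence explicit: a stale or attacker-planted ProfileList entry pointing at another directory is used in preference to any default profile, which is why auditing that key belongs in a baseline check of shared workstations.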

Merge algorithm of profiles

Windows 2000 contains a merge algorithm to prevent data in a profile on the server from being overwritten. This could otherwise occur when a user is logged on more than once. When the profile is copied back to the server, files on the server whose date is newer than the time the profile was copied to the client are preserved.
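The rule in the paragraph above decides, per file, whether the client's copy overwrites the server's. The Python below is an added example (not code from the original page) that applies that rule to two constructed file listings, using integer timestamps for readability; the session-B scenario shows the case the rule exists for, a second logon session that saved a file after this session's profile was copied down.

```python
"""Per-file merge of a roaming profile back to the server.

Added example, not part of the original page. File names and timestamps
are constructed; a real implementation would read modification times
from the two directory trees.
"""


def merge_profile_to_server(server_files, client_files, copied_at):
    """Return (new_server_files, actions) for a logoff upload.

    server_files / client_files: dict path -> modification time
    copied_at: time at which this session's profile was copied to the client
    A server file modified after copied_at was written by another session
    and is preserved, as the page describes.
    """
    result = dict(server_files)
    actions = []
    for path, client_mtime in sorted(client_files.items()):
        server_mtime = server_files.get(path)
        if server_mtime is not None and server_mtime > copied_at:
            actions.append((path, "kept server copy"))
            continue
        if server_mtime == client_mtime:
            actions.append((path, "unchanged"))
            continue
        result[path] = client_mtime
        actions.append((path, "uploaded"))
    return result, actions


def preserved_files(server_files, copied_at):
    """Files a logoff from a session copied down at `copied_at` cannot overwrite."""
    return sorted(p for p, t in server_files.items() if t > copied_at)


if __name__ == "__main__":
    COPIED_AT = 100                                   # session A copied profile down
    server = {"NTUSER.DAT": 90, "Desktop\\a.txt": 90,
              "Desktop\\b.txt": 130}                 # b.txt saved by session B at 130
    client = {"NTUSER.DAT": 150, "Desktop\\a.txt": 90,
              "Desktop\\b.txt": 120, "Desktop\\c.txt": 140}
    new_server, actions = merge_profile_to_server(server, client, COPIED_AT)
    for item in actions:
        print(item)
    print(new_server)
```

Files that exist only on the server are left untouched, so the algorithm never deletes on the server what the client no longer has; that matches the preservation rule on the page, and it is also why stale files accumulate in roaming profiles unless quotas or folder redirection keep them in check.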

Profile quotas

To set a limit on the size of a user's profile, use the User Configuration\Administrative Templates\System\Logon\Limit profile size policy. You can set the maximum size and the response the system should give when the limit is reached.

Proquota.exe is the program that monitors the size of a user's profile.

You can also use a policy that removes cached copies of the profile at logoff (e.g. for computers used by the public). This is the Delete cached copies of roaming profiles policy, stored under Computer Configuration\Administrative Templates\System\Logon.

Policies

Other policies concerning profiles are:

Slow network connection timeout for user profiles (do not load a profile over a slow connection).
Wait for remote user profile (when set, the network profile is loaded even over a slow connection).
Prompt user when slow link is detected (ask the user whether the profile should be loaded over a slow connection; if not answered in time, the network profile is not loaded).
Do not detect slow network connections (by default slow network connections are detected and, if detected, the network profile is not loaded).
Timeout for dialog boxes (time to wait for user input on dialogs; default 30 seconds, minimum 0, maximum 600 seconds).

Folder redirection

You can use folder redirection to redirect (profile) folder paths, e.g. the My Documents folder, to another location. The Application Data, My Documents, My Pictures, Desktop and Start Menu folders can be redirected via group policies. Within Windows 2000 it is not recommended to redirect the Start Menu folder; the option is available for backward compatibility, and Windows 2000 environments should use group policies to control the Start Menu.
Folder redirection is set via Group Policy, User Configuration, Windows Settings, Folder Redirection. You can redirect every user to the same folder or make the redirection depend on the security groups the user is in. You can also set the following policies:

Grant the user exclusive rights to My Documents. Only the user and the local system have Full Control. This option is enabled by default.
Move the contents of My Documents to the new location. Moves any document the user has in the local My Documents folder to the server share. This option is enabled by default.
Leave the folder in the new location when policy is removed. Specifies that files remain in the new location when the Group Policy object no longer applies. This option is enabled by default.
Redirect the folder back to the local user profile location when policy is removed. If enabled, specifies that the folder be copied back to the local profile location if the Group Policy object no longer applies.
Make My Pictures a subfolder of My Documents. If selected, when the My Documents folder is redirected, My Pictures remains a subfolder of My Documents. By default, My Pictures automatically follows the My Documents folder.
Do not specify administrative policy for My Pictures. If selected, Group Policy does not control the location of My Pictures; this is determined by the user profile.

When using folder redirection, do not create the new folders yourself. If you do, set the permissions properly. Keep in mind that if the system creates the folder, the Everyone group gets Full Control.

Various issues

My Documents. Redirect the My Documents folder to a location outside the roaming profile to decrease loading times. This is done by setting a home folder, by using policies or by a logon script.
EFS. Do not use the Encrypting File System with roaming profiles: EFS-encrypted files and folders do not roam.
Disk quotas. Set enough quota for the temporary files that occur during the synchronization process.
Offline folders. Turn off Offline Folders for the share where roaming profiles are stored.
Share permissions. Users need Full Control on the share that points to the profile.

Home folders

A home folder is used to store user-specific information. By default an application prefers to write data to the My Documents folder of the profile, but if a home folder exists, that folder is used. You can enter a local path in the 'Local path' entry, or a network path to map in the 'Connect' entry.

More information

Links

Active Directory, users, computers and groups (Microsoft)
Folder redirection tips (TechTarget)
User profile basics (EarthWeb)
User data and settings management for Windows XP in a Windows 2000 environment (Microsoft)
How to assign a mandatory user profile in Windows XP (Q307800)
User profile storage in Windows 2000 (Q228445)
How to restore a user profile (Q314045)
How to create a roaming user profile (Q302082)
How to create a custom default user profile (Q305709)
Roaming profile creation in Windows 2000 (Q243420)
How to delete a user profile (Q313918)
How to set the path for the local default user profile (Q214636)
How to set the path for the all users profile (Q214653)
How to prevent a user from changing the user profile type (Q150919)
Temporary internet files do not follow a roaming profile (Q288325)
Windows 95/98 upgrade overwrites default user profile (Q214611)
Description of Windows 2000 user account and profile migration (Q232970)
How to prevent folders from roaming with a profile (Q315415)
How to prevent certain folders from uploading to central profile (NT4.0) (Q188692)
User profile scenario summaries (NT 4.0) (Q174491)
Audit account logon events (Windows 2000 magazine mar 2001)
Tracking logon and logoff activity in Win2K (Windows 2000 magazine feb 2001)
Changing passwords over the web (Windows 2000 magazine jan 2001)
Win2K password protection (Windows 2000 magazine winter 2000)
Best practices for managing PINs and passwords (TechRepublic)
Adding a user to Win2k using ADSI (15seconds.com)

Third-party tools

Greyware membership monitor 1.3b (Windows 2000 magazine feb 2001)
Greyware's membership monitor

Last update : 9 January 2003