I've received a lot of email from readers about problems they encounter when creating or managing user accounts. Many administrators have trouble because they inadvertently omit important configuration items or fail to follow consistent practices. For these reasons, I've decided to review the basic processes of creating and managing user accounts and share some useful hints to make the processes easier.
A user account contains a name and password for logging on to either a local computer or a domain. In Active Directory (AD), a user account can also contain information such as the user's full name, email address, phone number, department, and physical address. User accounts also serve as a means for granting permissions, applying logon scripts, assigning profiles and home directories, and linking other working-environment properties to a user.
Local vs. Domain User Accounts
When users log on to a computer instead of the domain, they use a local account. In a workgroup (i.e., peer-to-peer, or P2P) environment, local accounts provide logon capabilities for local computer users and give remote users access to a computer's resources. Certain users might have access to data on a server, for example, and would use a local user account to log on to that machine.
However, most user accounts in a corporate setting are domain accounts, which offer logon rights and permissions across the domain. Unless the domain account restricts them from doing so, users can use a domain account to log on to the domain from any workstation. After they're logged on, users receive specific permissions to network resources from the domain account.
Not just users have domain accounts, however. On a domain, accounts represent a physical entity, which could be a computer, a person, or a group. User accounts, computer accounts, and group accounts are all security principals: directory objects that automatically receive SIDs, which in turn determine access to resources on the domain.
The two most important uses of a domain account are to authenticate the identity of users and to authorize or deny access to resources on the domain. Authentication enables users to log on to computers and domains with an identity that the domain has authenticated. The domain grants or denies access to domain resources based on the permissions that users have obtained through membership in one or more domain groups.
Built-in Domain Accounts
When you create a domain, Windows automatically creates several user accounts. In Windows 2000, the built-in accounts are Administrator and Guest. Windows Server 2003 domains have a third built-in account named HelpAssistant, which is created automatically the first time the Remote Assistance feature runs. Each of these built-in accounts has a different set of permissions.
The Administrator account has Full Control permissions for all resources on the domain and can assign permissions to domain users. By default, the Administrator account is a member of the following groups:
- Administrators
- Domain Admins
- Domain Users
- Enterprise Admins
- Group Policy Creator Owners
- Schema Admins
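As an added audit check (not part of the article), the following PowerShell script locates the built-in Administrator by its well-known RID (500) rather than by name, compares its current group memberships with the defaults listed above, and reports whether the built-in Guest account (RID 501) is enabled. It assumes the ActiveDirectory module (RSAT) is installed and the caller has read access to the domain; the group-name comparison is an assumed convention, not something the article prescribes.

```powershell
# Added example, not from the article. Assumes the ActiveDirectory module (RSAT)
# and read access to the domain.
Import-Module ActiveDirectory

# Groups the article lists as the Administrator account's default memberships.
# Enterprise Admins and Schema Admins exist only in the forest root domain, so
# they will show as "missing" when run against a child domain.
$ExpectedGroups = @(
    'Administrators',
    'Domain Admins',
    'Domain Users',
    'Enterprise Admins',
    'Group Policy Creator Owners',
    'Schema Admins'
)

# Find the built-in Administrator by SID (domain SID + RID 500), because the
# account may have been renamed.
$domain   = Get-ADDomain
$adminSid = "$($domain.DomainSID.Value)-500"
$admin    = Get-ADUser -Identity $adminSid -Properties Enabled, LastLogonDate

# Direct group memberships of the account as they are right now.
$actual = Get-ADPrincipalGroupMembership -Identity $admin |
    Select-Object -ExpandProperty Name

$missing = $ExpectedGroups | Where-Object { $_ -notin $actual }
$extra   = $actual         | Where-Object { $_ -notin $ExpectedGroups }

# One summary object: deviations in either direction deserve a second look.
[PSCustomObject]@{
    Account        = $admin.SamAccountName
    Enabled        = $admin.Enabled
    LastLogonDate  = $admin.LastLogonDate
    MissingDefault = ($missing -join ', ')
    ExtraGroups    = ($extra   -join ', ')
}

# The built-in Guest account (RID 501) is normally expected to stay disabled.
$guest = Get-ADUser -Identity "$($domain.DomainSID.Value)-501" -Properties Enabled
"Guest account '$($guest.SamAccountName)' enabled: $($guest.Enabled)"
```

Run it from an account with directory read rights; any group in ExtraGroups is a membership the defaults do not explain and should be reconciled against change records.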