Some administrators rename or disable the Administrator account to make it more difficult for malicious users to gain access to a domain controller (DC). You can instead have administrators log on with user accounts that have membership in the same groups, which gives them sufficient rights to administer the domain. If you disable the Administrator account, you can still use the account to access the DC when necessary by booting the DC into Safe Mode (the Administrator account is always available in Safe Mode).

The Guest account lets people who don't have an account log on to the domain. Additionally, users whose accounts are disabled can use the Guest account to log on. The Guest account doesn't require a password, but you can set permissions for the account, just as you can for any user account. The Guest account is a member of the Guests and Domain Guests groups. Obviously, inherent dangers exist in letting anyone without a real account log on to your domain, so most administrators don't use this account. In fact, in Windows 2003, the Guest account is disabled by default. Unless you have some urgent reason to use the account, you should leave the Guest account disabled. To disable the Guest account in Win2K, right-click its listing in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, then choose Disable from the shortcut menu.
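As an added check that is not part of the original column: the built-in Administrator and Guest accounts keep their well-known RIDs (500 and 501) even when renamed, so auditing them by SID shows their real state regardless of what they are called. It assumes the ActiveDirectory PowerShell module, which is newer than the Windows 2003 era the column covers.

```powershell
# Added example (not from the article): report the state of the built-in
# Administrator (RID 500) and Guest (RID 501) accounts by SID, so a renamed
# Administrator account is still found. Assumes the ActiveDirectory module
# and a domain-joined session with read rights on the domain.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Well-known RIDs of the two built-in accounts the column discusses
$builtIn = [ordered]@{ Administrator = 500; Guest = 501 }

foreach ($entry in $builtIn.GetEnumerator()) {
    $account = Get-ADUser -Identity "$domainSid-$($entry.Value)" `
        -Properties Enabled, PasswordLastSet, LastLogonDate, MemberOf

    [pscustomobject]@{
        BuiltInRole     = $entry.Key
        CurrentName     = $account.SamAccountName      # differs if renamed
        Renamed         = ($account.SamAccountName -ne $entry.Key)
        Enabled         = $account.Enabled
        PasswordLastSet = $account.PasswordLastSet
        LastLogonDate   = $account.LastLogonDate
        GroupCount      = $account.MemberOf.Count
    }

    # The column recommends leaving Guest disabled; flag it if it is not.
    if ($entry.Key -eq 'Guest' -and $account.Enabled) {
        Write-Warning "Built-in Guest ($($account.SamAccountName)) is enabled."
        # Remove -WhatIf to actually disable it after reviewing the report.
        Disable-ADAccount -Identity $account -WhatIf
    }
}
```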

The HelpAssistant account is new with Windows 2003. The Remote Desktop Help Session Manager service creates and manages the account when you request a Remote Assistance session.

Creating Domain User Accounts
You create domain user accounts from a DC within AD. Open the Active Directory Users and Computers snap-in, then expand the appropriate domain (if more than one domain exists). Unlike Windows NT 4.0, Windows 2003 and Win2K separate the user account creation and account configuration processes: First, you create the user and the associated password, then you configure the user details, including group memberships.

To create a new domain user, right-click the Users container, then choose New, User to open the New Object - User dialog box, as Figure 1 shows. Enter the user's name and logon name. Windows automatically adds the current domain suffix to the logon name, which is called a user principal name (UPN) suffix. You can create additional UPN suffixes and select the one you want to use for a new user from the drop-down list. You can also enter a pre-Windows 2000 logon name (by default, the same name) to let users log on to the domain from NT 4.0 and Windows 9x machines.

Click Next to configure the user's password, as Figure 2 shows. By default, Windows forces users to change the password the next time they log on, so you can use a standard company password for each new user, then let the user create a new password the first time he or she logs on. Next, select the password options you want to impose for this user. Finally, click Next to see a summary of your choices, then click Finish to create the user in AD.

Configuring User Account Properties
To configure or modify the properties for a domain user, double-click the user listing you want to configure. As Figure 3 shows, you have many configuration categories to choose from.

The Member Of tab controls the user group memberships (and therefore a user's permissions and rights across the domain). By default, Windows places a new user in the Domain Users group. For many users, this is sufficient, and you don't have to do anything else. For other users, such as department heads and members of the IT staff, you should provide group memberships that let these users perform the tasks they need to be able to do. To add group memberships, click Add, then select the appropriate groups for the user you're creating (or editing). If you feel the built-in groups don't provide the exact set of permissions you require, you can also create your own groups.

Creating User Templates
Windows lets you copy users, which makes the process of creating new users fast and efficient. The best way to take advantage of this feature is to create a series of user templates, then copy those accounts to real accounts. Because permissions and rights are the most important (and potentially dangerous) properties, create user templates in categories that match the group memberships you assign. Start with a template for a standard user (i.e., a member of the Domain Users group only), then create templates that have a particular combination of group memberships. For example, you can create a user template named Power with membership in the Power Users group, unlimited logon hours, and other attributes, or a user template named DialUp with preconfigured dial-up settings for your company. Then, as you create new users, you can select the appropriate template and modify it.

I've discovered a few tricks for creating and copying user templates:

  • Give the template account names a leading 0 so that they sort together at the top of the user list.
  • Give all the templates the same password.
  • Disable all template accounts (right-click the account, then choose Disable).

To create a new user from a user template, right-click the template listing, then choose Copy. In the Copy Object - User dialog box, enter the username and logon name for the new user you're creating, then click Next to configure the new user's password, as follows:

  1. Enter the standard company password and assign it to the new user.
  2. Clear the Password never expires and Account is disabled options.
  3. Select the User must change password at next logon option.
  4. Click Next, then click Finish.

Don't bother with the Member Of tab because the system has already copied the group memberships from the user template. In fact, unless you want to record the user's telephone and address information, you don't have to do anything on any of the remaining tabs. The system copies all common user attributes. However, you can add other attributes for automatic copying or prevent certain attributes from being copied by modifying the AD schema. I'll discuss that process in a future column.
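The user-creation steps above and the template-copy procedure, as one added example that is not part of the original column: it copies a disabled template account, replicates its group memberships (which live on the groups, not on the user object, so a plain copy does not carry them), and applies the password options from steps 1 through 3. It assumes the ActiveDirectory PowerShell module (newer than the Windows 2003 era the column covers); the template name 0Power, the UPN suffix example.com and the new user's details are constructed placeholders.

```powershell
# Added example (not from the article): create a domain user from a disabled
# template account. Assumes the ActiveDirectory module; "0Power", "example.com"
# and the new user's details are placeholders.
Import-Module ActiveDirectory

$templateName = '0Power'       # template named with a leading 0, per the column
$newUser      = 'jsmith'
$upnSuffix    = 'example.com'
$standardPw   = Read-Host -AsSecureString -Prompt 'Standard company password'

# Only attributes listed in -Properties are loaded and therefore copied.
$template = Get-ADUser -Identity $templateName `
    -Properties Department, Company, Description, logonHours, MemberOf, Enabled

# Templates must stay disabled; refuse to copy from one that is not.
if ($template.Enabled) {
    throw "Template $templateName is enabled; template accounts should be disabled."
}

# -Instance copies the template's loaded attributes; identity and password
# are supplied explicitly. The account is created disabled and enabled only
# after the password flags are in place (steps 1 through 3 of the column).
New-ADUser -Instance $template `
    -Name 'Jane Smith' -GivenName 'Jane' -Surname 'Smith' `
    -SamAccountName $newUser `
    -UserPrincipalName "$newUser@$upnSuffix" `
    -AccountPassword $standardPw `
    -ChangePasswordAtLogon $true `
    -PasswordNeverExpires $false `
    -Enabled $false

# Group membership is stored on the groups, so replicate it explicitly.
# Domain Users is the primary group and is assigned automatically.
foreach ($groupDn in $template.MemberOf) {
    Add-ADGroupMember -Identity $groupDn -Members $newUser
}

Enable-ADAccount -Identity $newUser

# Review the result: enabled, password must change at logon, memberships copied.
Get-ADUser -Identity $newUser -Properties MemberOf, PasswordNeverExpires |
    Select-Object SamAccountName, UserPrincipalName, Enabled, PasswordNeverExpires,
        @{ n = 'Groups'; e = { ($_.MemberOf -replace '^CN=([^,]+),.*', '$1') -join ';' } }
```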

Reader Comments

Good information and I will pass it on to the team. We will cover it during Friday's meeting. Thanks, Bill

Bill Stack

Good article... goes straight to the point.

Jorge Gallego
