Contents
Overview
Introduction to User Accounts
Requirements for New User Accounts
Creating a Domain User Account
Setting Password Requirements
Lab A: Setting Up User Accounts
Setting Properties for User Accounts
Lab B: Setting Personal Properties
Lab C: Modifying User Accounts
Best Practices
Review
This course is a prerelease course and is based on
Microsoft Windows 2000 Beta 3 software. Content in the
final release of the course may be different than the content
included in this prerelease version. All labs in the course
are to be completed using the Beta 3 version of
Microsoft Windows 2000 Advanced Server.
Module 2: Setting Up User Accounts
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 1999 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, MS, Windows, Active Directory, PowerPoint, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Project Lead/Senior Instructional Designer: Red Johnston
Instructional Designers: Tom de Rose (S&T OnSite), Meera Krishna (NIIT (USA) Inc.)
Program Manager: Jim Cochran (Volt Computer)
Lab Simulations Developers: David Carlile (ArtSource), Tammy Stockton (Write Stuff)
Technical Contributor: Kim Ralls
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Editors: Wendy Cleary (S&T OnSite), Diana George (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Tammy Stockton (Write Stuff)
Compact Disc Testing: ST Labs
Production Support: Rob Heiret, Ismael Marrero, Mary Gutierrez (Wasser)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Project Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart
Introduction
This module provides students with the knowledge and skills that are necessary
to set up new user accounts in an existing network. Students learn about the
different types of user accounts that they can create. Then, the module
introduces the requirements for creating new user accounts and the procedure to
create new user accounts. Finally, the module discusses the various properties
that students can set for user accounts. There are three labs in this module. In the
first lab, students create new user accounts and set passwords for them. In the
second lab, students set the personal properties for user accounts, and in the
third lab, students modify account properties for user accounts.
Materials and Preparation
This section provides you with the materials and preparation needed to teach
this module.
Materials
To teach this module, you need the following materials:
- Microsoft® PowerPoint® file 1556A_02.ppt
- Module 2, “Setting Up User Accounts”
Preparation
To prepare for this module, you should:
- Read all the materials for this module.
- Review the Delivery Tips and Key Points for each section and topic.
- Complete the three labs.
- Study the review questions and prepare alternative answers for discussion.
- Anticipate questions that students may ask. Write out the questions and
  provide answers to them.
Presentation: 60 Minutes
Labs: 45 Minutes
Module Strategy
Use the following strategy to present this module:
- Introduction to User Accounts
Provide an overview of the purpose of a user account and how it
authenticates a user. Then, introduce the different types of user accounts and
explain the differences between them.
- Requirements for New User Accounts
Emphasize the importance of understanding the practices that are in place in
the existing network in regard to creating user accounts. Explain to students
that they must follow the established guidelines to ensure the smooth
running of the network. To achieve this, they must familiarize themselves
with the naming conventions, password requirements, and default account
options for user accounts that are in use on the network.
- Creating a Domain User Account
Demonstrate the procedure to invoke Active Directory Users and Computers
to create user accounts. Explain the requirements of the various fields in the
Create New Object (User) dialog box.
- Setting Password Requirements
Demonstrate how to set a password and explain the different options in the
Create New Object (User) dialog box.
The labs associated with this module are in a proposed new format. Remind
students to complete the lab survey on the Student Materials Web page when
they have completed the course.
- Setting Properties for User Accounts
Explain the purpose of specifying personal properties, and instruct the
students to work through the exercises in Lab B, “Setting Personal
Properties,” where they will set personal properties for some of the user
accounts that they created in Lab A. After students complete the lab,
introduce the account options that they can set to ensure the security of the
network. Explain the procedure to set account properties, the logon hours
for users, the computers from which they can log on, and how to control
access to the network from a remote location.
- Best Practices
Read the Best Practices section before you start the module, and then refer
to the appropriate practice as you teach the corresponding module section.
Then, at the end of the module, summarize all of the best practices for the
module.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on the student computers during the labs.
This information is provided to assist you in replicating or customizing
Microsoft Official Curriculum (MOC) courseware.
Important: The labs in this module are also dependent on the classroom
configuration that is specified in the Customization Information section at
the end of the Classroom Setup Guide for course 1556A, Administering
Microsoft Windows 2000.
Lab Setup
The labs in this module require that the Users group have the Log on locally
right. To prepare the student computers to meet this requirement, from the
Trainer Materials compact disc, run the LRights.cmd script on each domain
controller in each child domain.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
- The assignment of the Log on locally right to the Users group.
- The addition of x-user1 in the Users organizational unit (OU) (where x is the
  first letter of the student’s computer name).
- The addition of x-user2 in the Users OU (where x is the first letter of the
  student’s computer name).
- The addition of x-user3 in the Users OU (where x is the first letter of the
  student’s computer name).
- The addition of x-user4 in the Users OU (where x is the first letter of the
  student’s computer name).
- The addition of x-user5 in the Users OU (where x is the first letter of the
  student’s computer name).
Overview
- Introduction to User Accounts
- Requirements for New User Accounts
- Creating a Domain User Account
- Setting Password Requirements
- Setting Properties for User Accounts
- Best Practices
As an administrator, you need to provide all users with access to various
network resources. For this purpose, you will create user accounts to identify
and authenticate the users so that they can access the network. In this module,
you will learn about creating user accounts and setting properties for them.
At the end of this module, you will be able to:
- Describe the role and purpose of user accounts.
- Determine the requirements for a new user account.
- Create domain user accounts.
- Set properties for user accounts.
- Apply best practices for setting up user accounts.
Slide Objective
To provide an overview of the module topics and objectives.
Lead-in
In this module, you will learn about Windows 2000 user accounts, which include
domain user accounts, local user accounts, and built-in user accounts.
Introduction to User Accounts
- Domain User Accounts
- Local User Accounts
- Built-in User Accounts
A user account provides a user with the ability to log on to the domain to gain
access to network resources, or to log on to a local computer to gain access to
resources on that computer. You will create a user account for each person who
uses the network regularly.
Microsoft® Windows® 2000 provides two types of user accounts: domain user
accounts and local user accounts. With a domain user account, a user can log
on to the domain to gain access to network resources. With a local user account,
a user can log on to a specific computer to gain access to resources on that
computer.
Windows 2000 also provides built-in user accounts, which you use to perform
administrative tasks or to gain access to network resources.
Slide Objective
To introduce the role and purpose of user accounts.
Lead-in
The types of user accounts that you can create are domain user accounts and
local user accounts. Windows 2000 provides built-in user accounts to aid in
performing administrative tasks or to allow users to gain access to resources.
Delivery Tip
This section provides an introduction to different types of user accounts.
Prepare students for the topics by providing the following key point
information.
Key Points
Domain user accounts allow users to log on to a domain to gain access to
network resources.
Local user accounts allow users to log on only to the local computer and access
resources on it.
Built-in user accounts are provided to perform administrative tasks and gain
temporary access to the network.
Domain User Accounts
- Provides Access to Network Resources
- Created on a Domain Controller
[Slide diagram labels: Domain, Domain User, Domain User Account, Active Directory, Domain Controller, Access, Network Resources]
Domain user accounts allow users to log on to a domain and gain access to
resources anywhere on the network. You create a domain user account on a
domain controller. During the logon process, the user provides the user name
and password. The first available domain controller uses this information to
validate the user and then replicates the new user account information to all
domain controllers in the domain.
After Windows 2000 replicates the new user account information, any of the
domain controllers in the domain tree can authenticate the user during the logon
process. Also, when the user tries to gain access to a resource on the network,
the first available domain controller can revalidate the user.
Each user account that you create has a unique, non-reusable identifier, called
the security identifier (SID). Windows 2000 uses the SID internally to identify
the user to the system.
Important: It may take a few minutes to replicate the domain user account
information to all of the domain controllers. This delay may prevent a user from
logging on immediately by using the newly created domain user account. By
default, replication of Active Directory™ directory service information occurs
automatically, every five minutes.
Slide Objective
To describe domain user accounts.
Lead-in
Domain user accounts provide users with access to network resources in a
domain.
Delivery Tip
The time that it takes for replication to occur may prevent a user from logging
on immediately by using a newly created user account.
Key Point
Domain user accounts allow users to log on to the domain and gain access to
resources anywhere on the network.
Local User Accounts
- Provides Access to Resources on the Local Computer
- Create Only on Computers That Are Not in a Domain
- Created in the Local Security Database
[Slide diagram labels: Local User, Local User Account, Local Security Database]
Local user accounts allow users to log on and gain access to resources
only on the computer where you create the local user account. You can
create local user accounts on member servers and computers running
Windows 2000 Professional, but not on computers that are domain
controllers. A local user account is used only in a smaller environment
such as a workgroup or on stand-alone computers that are not networked.
When you create a local user account, Windows 2000 does not replicate the
local user account information to domain controllers. This is why you cannot
use local user accounts to gain access to resources on other computers.
After the local user account is created, the computer uses its local security
database to authenticate the local user account, which allows the user to log on
to that computer. Using the local user account, the user can access resources
that are available only on the local computer.
Slide Objective
To describe local user accounts.
Lead-in
Local user accounts provide users with access to resources on the local
computer where you create the user account.
Key Point
Local user accounts allow users to log on at and gain access to resources only
on the computer where you create the local user account.
Built-in User Accounts
Administrator
- Manages:
  - User accounts and groups
  - Security policies
  - File and print resources
Guest
- Disabled by Default
- Used for Occasional Access
- Limited Access to Resources
Windows 2000 automatically creates two user accounts called built-in accounts.
These are Administrator and Guest.
Administrator
Use the built-in Administrator account to manage the overall computer and
domain configuration, such as creating and modifying user accounts and
groups, managing security, administering printers, and assigning permissions
and rights to user accounts to gain access to resources. You can rename the
Administrator account, but you cannot delete it. Renaming the Administrator
account is a recommended practice.
Guest
Use the built-in Guest account to give occasional users the ability to log on and
gain access to resources. For example, in a low security environment, an
employee who needs access to resources for a short time can use the Guest
account. The Guest account is disabled by default. You can rename the Guest
account, but you cannot delete it.
Slide Objective
To describe built-in user accounts.
Lead-in
Windows 2000 provides two built-in user accounts.
Key Point
The Guest account is disabled by default.
Requirements for New User Accounts
- Naming Conventions
- Secure Password
- Account Options to Set
To make the process of creating user accounts more efficient, you need to
familiarize yourself with the conventions and guidelines already in use on the
network. These include naming conventions, requirements for passwords, and
the account options that you can set.
Slide Objective
To describe the requirements for creating new user accounts.
Lead-in
Before you create new user accounts, you need to determine the conventions that
have been defined for the network.
Delivery Tip
This section explains the requirements to create new user accounts. Prepare
students for the topics by providing the following key point information.
Key Points
Before creating a new user account in an existing network, you must familiarize
yourself with the naming convention followed for the user accounts that are
already in use on the network.
You must also understand the requirements to set passwords and options for the
new user account.
Naming Conventions
- User Logon Names and Full Names Must Be Unique
  - Domain user accounts must be unique to Active Directory
  - Local user accounts must be unique on the computer
- User Logon Names Can Contain up to 20 Characters
- Consider a Naming Convention That:
  - Accommodates duplicate employee names
  - Identifies temporary employees
The naming convention establishes how user accounts are identified in the
domain. A consistent naming convention will help you and your users
remember user logon names and locate them in lists. In an existing network that
supports a large number of users, it is a good practice to adhere to the naming
convention already in use.
Consider the following guidelines for naming conventions:
- User logon names for domain user accounts must be unique to Active
  Directory. Domain user account full names must be unique within the
  domain in which you create the user account. Local user account names
  must be unique on the computer on which you create the local user account.
- User logon names can contain up to 20 uppercase or lowercase characters
  (the field accepts more than 20 characters, but Windows 2000 recognizes
  only 20), except for the following:
  " / \ [ ] : ; | = , + * ? < >
  You can use a combination of special and alphanumeric characters to help
  uniquely identify user accounts.
- If you have a large number of users, your naming convention for logon
  names should accommodate employees with duplicate names. Some
  suggestions for handling duplicate names are:
  • Use the first name and the last initial, and then add additional letters
    from the last name to accommodate duplicate names. For example, for
    two users named Judy Lew, one user account logon name could be Judyl
    and the other Judyle.
  • In some organizations, it is useful to identify temporary employees by
    their user accounts. To do so, you can prefix the user account name with
    a T and a dash—for example, T-Judyl.
Slide Objective
To describe the guidelines for naming user accounts.
Lead-in
One of the important requirements for creating a new user account is to follow
an established naming convention.
Key Point
The User logon name option for creating a domain user account allows you to
enter more than 20 characters, but Windows 2000 recognizes only the first 20
characters.
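The naming guidelines above can be checked mechanically before an account is created. The following is an added example, not part of the course materials: it flags prohibited characters, shows how two names that differ only after the 20th character become the same name, and generates names by the first-name-plus-last-initial convention with the T- prefix for temporary employees. The function names and sample logon names are constructed for illustration, and the case-insensitive comparison reflects how Windows compares logon names rather than anything stated in this module.

```python
# Added example: checks logon names against the naming rules in this module.
PROHIBITED = set('"/\\[]:;|=,+*?<>')   # characters the module lists as not allowed
MAX_LEN = 20                            # Windows 2000 recognizes only the first 20


def effective_name(name):
    """Name as the system sees it: first 20 characters, compared without case.

    Case-insensitive comparison is an assumption added here; the module does
    not state it.
    """
    return name[:MAX_LEN].lower()


def check_logon_name(name, existing):
    """Return a list of problems with `name`, given logon names already in use."""
    problems = []
    if not name:
        problems.append("empty name")
    bad = sorted(set(name) & PROHIBITED)
    if bad:
        problems.append("prohibited characters: " + " ".join(bad))
    if len(name) > MAX_LEN:
        problems.append("longer than 20; recognized as %r" % name[:MAX_LEN])
    taken = {effective_name(e) for e in existing}
    if effective_name(name) in taken:
        problems.append("not unique after truncation to 20 characters")
    return problems


def propose_logon_name(first, last, existing, temporary=False):
    """First name + last initial, adding letters of the last name until unique.

    Temporary employees get the 'T-' prefix described in the module.
    """
    prefix = "T-" if temporary else ""
    for n in range(1, len(last) + 1):
        candidate = prefix + first + last[:n].lower()
        if not check_logon_name(candidate, existing):
            return candidate
    raise ValueError("no valid name for %s %s under this convention" % (first, last))


if __name__ == "__main__":
    # Constructed sample data: names already present in the directory.
    in_use = ["Judyl", "administrator-of-seattle-office"]
    print(propose_logon_name("Judy", "Lew", in_use))        # second Judy Lew
    print(propose_logon_name("Judy", "Lew", in_use, True))  # temporary employee
    # Differs from an existing name only after character 20, so it collides.
    print(check_logon_name("administrator-of-seattle-branch", in_use))
    print(check_logon_name("judy:lew", in_use))
```

The truncation check is the one most easily missed by hand: both long sample names are recognized as `administrator-of-sea`, so the second cannot be told apart from the first.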