In a typical Unix environment, the administrator may add new accounts using a custom script or something like useradd in Solaris 2.6. Adding users is very simple because the script takes care of the mundane details. It is possible to come up with a similar setup on NT as well.
The following tutorial shows you how to set up user accounts by copying them from template accounts. If you need to create hundreds of accounts, consider using a utility such as addusers.exe.
Step 1: Create Global Groups
Global groups consume from 2K to 4K of memory in the Registry. As a result, you may want to go easy on the number of global groups you create. In a medium-sized network with up to 5,000 users, it's not uncommon to have 30 to 40 global groups. In larger networks, you may need more.
Let's create a global group called Color Printer Users. Start User Manager for Domains (Figure 4.1) from Administrative Tools. (You can also use the Security Configuration Editor, which comes with the Microsoft Management Console (MMC) and Service Pack 4 for NT 4.0.)
Looking back at Figure 4.1 (page 74), notice that the Administrator account in the top frame is highlighted. The user interface for User Manager for Domains has the bad habit of always highlighting the first user, which is usually the Administrator. When you create global groups, you need to make sure that nothing in the top frame is highlighted, including the Administrator account. To remove that selection, click any of the groups listed in the lower half of the screen.
From the User menu, select New Global Group to bring up the dialog box in Figure 4.6.
Special Note: Notice under Not Members in Figure 4.6 that we've included Administrator. With NT, if you are a member of a specific group and that group is explicitly denied permission to access a resource, you are denied access even if you are the Administrator. As a result, it is not a good idea to put Administrators in every group.
Step 2: Create Local Groups
To create local groups, follow the same approach. From User Manager for Domains, select New Local Group from the User menu to bring up the dialog box in Figure 4.7.
In Figure 4.7, we are creating a new local group called Color Printers. (Remember, local groups are used to control resources. As a result, consider creating local groups, such as Color Printers or Office Applications, whose names indicate the resources that they control.)
Step 3: Add Global Groups to Local Groups
Clicking Add in Figure 4.7 lets us add global groups to the Color Printers local group. First, the Add Users and Groups dialog box appears. Highlight the global groups that you want to add to the local group, then select Add. As you can see in Figure 4.8, the domain's global group Color Printer Users has been added to this group.
When you finish adding users, click OK. The New Local Group dialog box (Figure 4.9) appears with Color Printer Users as the only Member.
Note that we did not add any users to this local group. It is a good idea to not add users to local groups if you are implementing NT domains. If you add users to local groups, you must then manage and configure local groups whenever you add new users. Because a local group is visible only on the computer where it is defined, you may end up modifying local groups on various computers constantly. For example, if you have three color printers on three computers, you end up adding those users in three different local groups so that they can access all three color printers.
However, if you add the user to the global group, you simplify administration because that's the only change you must make. Even if you set up new local groups called Color Printers on different computers, you just need to add the Color Printer Users global group once to each local group, and you never have to touch it again. With this setup, whenever a new user needs to access a number of similar resources across the network, adding that user to one global group gives the user access across the network.
Step 4: Create Template Accounts
Because creating a user account is pretty much self-explanatory with the User Manager for Domains, we simply highlight the main issues here. From the User menu, select Add User to bring up the New User dialog box (Figure 4.10).
Make sure that this template account is disabled by checking Account Disabled. Also check User Must Change Password at Next Logon.
You can set valid logon hours, the computers the user is allowed to log on to, the date on which the account expires, and dial-in permissions using the four buttons (Hours, Logon To, Account, and Dialin) at the bottom of the dialog box. We focus here on the Groups and Profile buttons.
Clicking Groups brings up the dialog box in Figure 4.11. By default, TemplateUser is set up as a member of Domain Users. To add TemplateUser to the Color Printer Users global group, double-click the appropriate entry in the pane on the right.
You can make TemplateUser a member of as many groups as you want. Remember, though, that even though you can make TemplateUser a member of various local groups, you should resist this temptation.
In the dialog box in Figure 4.11, the Set button at the bottom sets the primary group; it's useful only for Macintosh users and for the POSIX subsystem. NT itself doesn't use it.
When you click Profiles in Figure 4.10, the User Environment Profile dialog box (Figure 4.12) appears; here you set the user profile, logon scripts, and home directories.
You may want to fill in the User Environment Profile as shown in Figure 4.12. Here, \\sbs01 is the NetBIOS name of the computer, and the \profiles and \home parts of the paths are the share names. These resources must be created and shared before you can type this part of the path name. When you create an actual user account from this template, the %username% variable is replaced by the user name when the user's home directory is created inside the \\sbs01\home share.
By specifying a profile available on a shared folder, you create a roaming profile, which gives the user access to more or less the same desktop configuration on different domain members.
Special Note: The user profile maintains a variety of user preferences, including
Background, screen saver, display properties
Start menu configuration
Mouse settings
Desktop items
Personal program groups
Explorer settings
Taskbar settings
Window size
Control Panel settings
Window position
Accessories
Help bookmarks
Persistent network connections
Printer connections
There are three types of User Profiles:
Local Profiles: these profiles are created during initial logon.
Roaming Profiles: you create these profiles when you create the account, by specifying a path in User Manager for Domains.
Mandatory Profiles: you create these profiles by changing the .dat file name extension to .man (for example, changing Ntuser.dat to Ntuser.man).
Users can modify their own local and roaming profiles, but only Account Operators and Administrators can change mandatory profiles.
Use roaming profiles and mandatory profiles only on networks where you have a reasonable guarantee of uniform configuration. For example, if you use a mandatory roaming profile that was originally set up on an XGA machine and the user logs on to a system with VGA display, the icons and the user interface may look different.
Step 5: Copy Template Accounts
To use the template account to create a user account, you copy the template account. In User Manager for Domains, highlight the template account and select Copy from the User menu to bring up the dialog box shown in Figure 4.13.
Here, you add the user name and full name. Everything else is copied from the template. For example, the Profile dialog box for the new user account for Karen Mercer is shown in Figure 4.14.
Notice that the %username% variable has been replaced by the user name.
REMOTELY MANAGING USERS AND DOMAINS
You can use all the graphical tools that come with NT Server (User Manager for Domains, Performance Monitor, Server Manager, and others) to manage a domain remotely. However, you should be aware of a few difficulties:
Many of the graphical tools must be installed on local computers, such as workstations. For example, to run server utilities on a workstation, you may have to install or copy the utilities. You may not want to do that for a variety of reasons.
You may want commands to execute on a remote server without using remote procedure calls (RPCs). The graphical utilities use mostly RPCs, and as a result, if the RPC server on a remote computer is down, it may be difficult to use the graphical tools.
You may want to use batch files to manage domains, and it is almost impossible to use graphical tools from batch files.
We first focus on remote administration using command-line utilities. The command-line utilities (NET commands) are all well documented in the NT help files, but for some reason, the utilities don't seem to be used for remote administration as much as one might expect.
Table 4.3 lists utilities included with NT Server and Workstation that can be invoked from the command line. We provide brief descriptions and examples of each utility in the following sections.
Net Accounts
The syntax for the Net Accounts command is
NET ACCOUNTS [/FORCELOGOFF:{minutes | NO}][/MINPWLEN:length]
[/MAXPWAGE:{days | UNLIMITED}] [/MINPWAGE:days]
[/UNIQUEPW:number] [/DOMAIN]
NET ACCOUNTS [/SYNC]
You can use the Net Accounts command to set up the following kinds of account policies:
Forced log off after account hours have expired
Minimum password length
Maximum password age
Minimum password age
Password history
The Net Accounts command provides a few options not available directly through the graphical user interface of User Manager for Domains. For example, the forcelogoff option lets you specify when a user is warned before being forced to log off: /forcelogoff:5 tells NT to send a warning message five minutes before the user has to log off the domain.
Likewise, Net Accounts /sync seems to be the only way to force the synchronization process, the process in which the entire user account database is copied from the PDC to all BDCs. This command forces a full synchronization. The Synchronize Entire Domain command from Server Manager doesn't copy the entire security database; you can force only a partial synchronization from Server Manager.
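The following batch file is an added example (not from the book) that applies the policy items listed above in a single Net Accounts call, keeps a copy of the resulting policy, and then forces the full PDC-to-BDC synchronization the text describes. The numeric values are illustrative choices rather than settings the book prescribes, and the script is assumed to run on the PDC under a Domain Admins account.

```batch
@echo off
rem set-domain-policy.cmd  (added example, not from the book)
rem Applies an account policy to the NT domain with Net Accounts, records the
rem result, and then forces the full PDC-to-BDC synchronization.
rem The numeric values are illustrative choices, not settings the book prescribes.
rem Run this on the PDC as a member of Domain Admins.

rem One Net Accounts call can set several policy items at once. /DOMAIN applies
rem them to the domain account database rather than to this computer's own SAM.
rem   /minpwlen:8      minimum password length
rem   /maxpwage:42     password expires after 42 days
rem   /minpwage:1      wait one day before changing again (stops a user cycling
rem                    through the history to get an old password back)
rem   /uniquepw:6      remember the last 6 passwords
rem   /forcelogoff:5   warn 5 minutes before forcing logoff when logon hours end
net accounts /minpwlen:8 /maxpwage:42 /minpwage:1 /uniquepw:6 /forcelogoff:5 /domain
if errorlevel 1 goto fail

rem Keep a copy of the effective policy for the change record, then show it.
net accounts /domain > %TEMP%\account-policy-%COMPUTERNAME%.txt
type %TEMP%\account-policy-%COMPUTERNAME%.txt

rem Push the entire account database to every BDC now instead of waiting for
rem the normal partial replication (the only way to force a full sync).
net accounts /sync
if errorlevel 1 goto fail

echo Policy applied and full domain synchronization started.
goto done

:fail
echo Net Accounts reported an error; check the output above before continuing.

:done
```

Because each Net Accounts call sets its switches together, a typo in one switch rejects the whole command, which is why the script checks errorlevel before moving on to the synchronization.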
Net Group
The syntax for the Net Group command is
NET GROUP [groupname [/COMMENT: "text"]] [/DOMAIN]
NET GROUP groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
NET GROUP groupname username [...] {/ADD | /DELETE} [/DOMAIN]
Of the three forms of the Net Group command, the first lists the group names (or sets a group's comment), the second lets you add or delete a global group, and the third lets you add users to or delete users from a global group. Group names that contain spaces, such as "Domain Admins", must be enclosed in quotes.
Net LocalGroup
The syntax for the Net LocalGroup command is
NET LOCALGROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
NET LOCALGROUP groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
NET LOCALGROUP groupname name [...] {/ADD | /DELETE} [/DOMAIN]
This command lists, adds, deletes, and modifies local groups on local workstations/servers and on domain controllers. The first line lists the groups or adds the text comments you specify to the local group. The second line adds a new local group or deletes an existing local group. The third line adds or deletes specific users from the local group.
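Steps 1 through 3 above (create the global group, create the local group, nest the one in the other) can be scripted with the Net Group and Net LocalGroup forms just listed. The batch file below is an added example, not the book's own code; it assumes a domain called SBSDOM (a placeholder) and is meant to be run, as a member of Domain Admins, on each server that hosts a color printer. It also assumes that Net Group and Net LocalGroup return a nonzero errorlevel when asked to display a group that does not exist, which the script uses as an existence test so that it can be re-run safely.

```batch
@echo off
rem setup-printer-groups.cmd  (added example, not from the book)
rem Creates the domain global group "Color Printer Users" once, then creates the
rem local group "Color Printers" on the server this runs on and nests the
rem global group inside it. Re-running is safe: each create step is skipped
rem when the group already exists.
rem Assumptions: the domain is SBSDOM (placeholder); the script runs on each
rem server that hosts a color printer, under a Domain Admins account.

set DOMAIN=SBSDOM
set GLOBALGRP=Color Printer Users
set LOCALGRP=Color Printers

rem Step 1: the global group lives in the domain account database, so it is
rem created on the PDC via /DOMAIN. Displaying a group that does not exist
rem fails with a nonzero errorlevel (assumption), which serves as the test.
net group "%GLOBALGRP%" /domain >nul 2>&1
if errorlevel 1 net group "%GLOBALGRP%" /add /comment:"Users allowed to print in color" /domain

rem Step 2: the local group is created without /DOMAIN so it is defined on this
rem computer, which is where the printer share lives and where permissions
rem on the printer will reference it.
net localgroup "%LOCALGRP%" >nul 2>&1
if errorlevel 1 net localgroup "%LOCALGRP%" /add /comment:"Grants access to this server's color printer"

rem Step 3: nest the global group in the local group. No individual users are
rem added here; they join the global group instead, so this line never needs
rem to change again. Re-running reports that the member already exists, which
rem is harmless.
net localgroup "%LOCALGRP%" "%DOMAIN%\%GLOBALGRP%" /add

rem Show the resulting membership, as Figure 4.9 does.
net localgroup "%LOCALGRP%"
```

Running the same file on each of the three color-printer servers from the text gives three identical local groups that all resolve membership through the single global group, which is the point of Step 3.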
Net User
The syntax for the Net User command is
NET USER [username [password | *] [options]] [/DOMAIN]
NET USER username {password | *} /ADD [options] [/DOMAIN]
NET USER username [/DELETE] [/DOMAIN]
The first line modifies the properties of an existing user, the second line adds a new user, and the third one deletes an existing user.
Figure 4.15 shows the results of a Net User command.
The example in Figure 4.15 is from an NT Workstation. You can modify most of the items listed using the Net User command; the options are listed in the NT help file.
To see the account information about the NT domain, just add /domain at the end of the command string to execute the command on the NT domain controller.
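The Net User forms above can reproduce Steps 4 and 5 from a batch file, which is the NT counterpart of the useradd script mentioned at the start of this section. The script below is an added example, not the book's own code. It assumes the \\sbs01\home and \\sbs01\profiles shares from Step 4 exist, a domain called SBSDOM (a placeholder), an English-language NT (for the cacls confirmation prompt), that Net User records the home directory path without creating the directory, and that the NT 4 Net User has no switch for "User Must Change Password at Next Logon" (none appears in the syntax listed above), so that check box is still set in User Manager for Domains.

```batch
@echo off
rem nt-useradd.cmd  (added example, not from the book)
rem Command-line equivalent of Steps 4 and 5: creates a domain account carrying
rem the same settings as the TemplateUser account, creates the home directory
rem that User Manager for Domains would create from %username%, and puts the
rem account into the Color Printer Users global group.
rem Usage:  nt-useradd kmercer "Karen Mercer"
rem The password is requested interactively (the * form of Net User) so that
rem it never appears on the command line or in a batch log.
rem Assumptions (not from the book): the domain is SBSDOM (placeholder); the
rem shares \\sbs01\home and \\sbs01\profiles exist as described in Step 4;
rem the caller is an Account Operator or Administrator in the domain.

if "%2"=="" goto usage

rem NEWUSER rather than USERNAME, so the caller's own %USERNAME% is untouched.
set NEWUSER=%1
set FULLNAME=%2
set FILESERVER=\\sbs01
set DOMAIN=SBSDOM
set HOMEDIR=%FILESERVER%\home\%NEWUSER%

rem Step 4 equivalent. Net User has no "copy" verb, so each template setting is
rem given explicitly: full name, home directory, roaming profile path and logon
rem script. /PASSWORDCHG:YES lets the user change the password; /ACTIVE:YES
rem enables this account (the template itself stays disabled). "User Must
rem Change Password at Next Logon" has no Net User switch here (assumption),
rem so that box is still set in User Manager for Domains afterwards.
net user %NEWUSER% * /add /domain /fullname:%FULLNAME% /homedir:%HOMEDIR% /profilepath:%FILESERVER%\profiles\%NEWUSER% /scriptpath:logon.bat /passwordchg:yes /active:yes
if errorlevel 1 goto fail

rem Net User records the path but does not create the directory (assumption;
rem check the share after the first run). Create it and restrict it to the
rem owner and Administrators. cacls /G replaces the inherited ACL and asks for
rem confirmation, hence the piped "y" (assumes an English-language NT).
mkdir %HOMEDIR%
echo y| cacls %HOMEDIR% /g %DOMAIN%\%NEWUSER%:F
cacls %HOMEDIR% /e /g Administrators:F

rem Step 5 equivalent: membership in the global group, never in a local group.
net group "Color Printer Users" %NEWUSER% /add /domain
if errorlevel 1 goto fail

rem Show the finished account, as Figure 4.14 does for the copied account.
net user %NEWUSER% /domain
goto done

:usage
echo Usage: nt-useradd username "Full Name"
goto done

:fail
echo Account %NEWUSER% was not fully set up; review the error above.

:done
```

Because the full name is passed as %2 including its quotes, the /fullname switch receives it correctly only when the caller quotes it as in the usage line; the script checks for a missing second argument but cannot detect an unquoted two-word name.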
Windows Scripting Host
The Internet Information Server Resource Kit includes the Windows Scripting Host. You can use this utility to run administrative scripts written in VBScript or Javascript. For further information, please see the IIS Resource Kit, which includes sample scripts for adding and deleting users, modifying passwords, and starting servers, services, and applications.
The Microsoft Windows NT Resource Kit
The Microsoft Windows NT Resource Kit provides tools, techniques, and a vast amount of information for managing NT systems and networks. For the typical Unix administrator who is accustomed to managing multiple machines through powerful scripts from the command line through X-Terminals and Telnet sessions, the NT Resource Kit provides a variety of tools.
Windows 2000 Server's Active Directory feature and NT 4.0 with Service Pack 4 also provide graphical tools that don't have command-prompt equivalents. However, the Win32 API provides a wide variety of ways to reach and control every aspect of NT administration and management. A discussion of the Win32 APIs is beyond the scope of this book, but the Visual Basic (VB) 5.0 Enterprise Edition, Visual C++ documentation, and Win32 programming guides all provide examples of how to access browser, domain, authentication, and security-related information using programs that are relatively easy to write.
Chapter 7 covers the Active Directory and its capabilities. There, you will find examples in VB that you can adapt for specific domain-related issues.