1. Page 1 User Accounts Lecture 3 Hassan Shuja 09/21/2004

2. Page 2 User Accounts – A user account is needed to access a Windows 2000 computer – Object trying to access resource must do it through user account – User accounts determine 3 things – When a user may log on – Where within a domain or workgroup can a user log in – What privilege a users has – Each User account has a SID

3. Page 3 User Account Type of Accounts – Windows 2000 has two types of accounts – Local Account – This logon account is checked against user account database on the local PC – Domain Account – This logon account is checked against Active Directory database on the DC – Local Accounts – Supported on all Windows 2000 machines except Domain Controllers – Authentication is done only for local machine access – Guest and Administrator are built-in local accounts – Domain Accounts – User accounts are verified on DC using encryption and permits access throughout a Domain – Makes Administration easier – Once authenticated user is given a session key which is used to access resources – Session Key is checked against resources’ ACL list when accessing resource – Created in Active Directory within a DC and then propagated to all other DCs

4. Page 4 User Account Resource Access Ticket Exchange

5. Page 5 User Account Resource Access Ticket Exchange Between Domains

6. Page 6 User Accounts User Account Attributes – User account names should be unique within a Domain – A Workgroup can have similar user accounts but user accounts must be unique on each local machine – Logon name attributes – Less than 20 characters – Not case sensitive – Must not contain: +,*,?,,/,\,[,],:,; – Passwords are case sensitive

7. Page 7 User Accounts Manipulating User Accounts – Renaming user account does not effect any properties except the name – Accounts can be moved from one container to another – Accounts can be disabled – Cannot be accessed while disabled – Accounts can be copied – Most properties are copied except username, full name, password, logon hours, address/phone info, organization info, and user rights and permissions – Deleting User Account – Permanently removed and all of its group memberships – If new account is created with the same name, it has different SID and GUID – Disabling account may be a better option – Administrator and Guest can be renamed but not deleted

8. Page 8 User Accounts User Account Properties – User accounts have various different properties – Properties can be changed through using Computer Management tool for local accounts or Active Directory Users and Computers for Domain Accounts

9. Page 9 User Accounts User Profiles – User Profile determines the desktop environment of user – Helps manage and control what users do – Every user has a profile that defines how, when and where a login is possible – Three types of profiles – Local, Roaming, and Mandatory

10. Page 10 User Accounts Profiles – Local Profile – Profiles are maintained on each system that a user logs onto – Default User is a template if a user has never logged on to that system – Roaming Profile – All Domain users to move from system to system and maintain one profile – Mandatory Profile – Profile is Read-Only and cannot be changed – User can make changes to the desktop environment per logon session only