The User Account: Logon Validation Part 2
Deals with Username, passwords, etc. that are unique to the (domain database; directory database; SAM) for the domain. Once the Computer Account has been created in Server Manager for the domain, and the Client computer has made the appropriate settings in the Identification (Domain Name and Computer Name), a User Account must be set up for the User to participate on the domain using User Manager for Domains.
The PDC and/or BDC can validate logons; however, if the PDC goes offline, you cannot administer accounts.
Adding the New User
> User > New User
User Properties
- Username - Identifies the User Account.
- Full Name - establish a standard naming convention
- Password - up to 14 characters and it IS case sensitive
- Confirm - duh
- User Must Change Password at next logon - forces User to uh, change password at next logon. An error related to choosing this feature is when a User receives "password has expired."
- User Cannot Change Password - Applied to an Account used by multiple Users such as the Guest Account. Has no effect on the Admin Group. Good feature I think.
- Account Disabled - To disable an account, or possibly for Template Accounts. Does not affect Admin.
- Account Locked Out - Becomes checked when client incorrectly tries to log on too many times. Just uncheck it and you're back in business. VERY, VERY common error.
Groups Button
- Establish or change Group memberships for this Account. Useful to see what Groups a User belongs to.
Hours Button
- You can use this to restrict days and hours when a User can log on. The default is no restrictions.
Logon To Button
- Default is all Workstations. You can restrict a User to log on from only specified workstations.
Account Button
- Account Expires
  - Never is default
  - End of ... if you specify the account expires at the end of that day. If a User is still logged on, the User remains logged on until S/he logs off; however, the User cannot create any new network connection. Once S/he logs off, the Account is disabled. To reenable the User's account, you will need to set a new future End Of date.
- Account Type
  - Global Account - ...
  - Local Account - account provided for User whose regular account is not in a trusting domain. Best Practice: use same password. Local accounts CANNOT log on interactively.
Dialin (some of RAS Access Admin functionality)
- Grant Dialin permission to User (checkbox)
- Callback
  - Yes
  - Set By Caller
  - Preset to
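
The account settings above combine into one allow/deny decision when a User tries to log on. The Python sketch below is an added example, not Microsoft's code and not part of the original notes; the field names, the order of the checks and the sample account are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional, Set, Tuple

@dataclass
class Account:
    """Account settings from the User Properties dialog (field names are illustrative)."""
    username: str
    disabled: bool = False                  # Account Disabled
    locked_out: bool = False                # Account Locked Out
    expires_end_of: Optional[date] = None   # Account Expires; None = Never
    # Hours button: permitted (weekday, hour) slots, Monday = 0; None = no restriction
    hours: Optional[Set[Tuple[int, int]]] = None
    # Logon To button: permitted workstation names; None = all workstations
    workstations: Optional[Set[str]] = None
    local_account: bool = False             # Account Type: Local Account

def check_logon(acct: Account, when: datetime, workstation: str, interactive: bool = True):
    """Return (allowed, reason) for a NEW logon. The check order is an assumption."""
    if acct.disabled:
        return False, "account disabled"
    if acct.locked_out:
        return False, "account locked out"
    # "End of <date>": the account stays usable for the whole of that day.
    if acct.expires_end_of is not None and when.date() > acct.expires_end_of:
        return False, "account expired"
    if acct.local_account and interactive:
        return False, "local account cannot log on interactively"
    if acct.hours is not None and (when.weekday(), when.hour) not in acct.hours:
        return False, "outside permitted logon hours"
    if acct.workstations is not None:
        # Computer names compare case-insensitively.
        if workstation.upper() not in {w.upper() for w in acct.workstations}:
            return False, "workstation not permitted"
    return True, "ok"

# Constructed sample account: weekdays 08:00-17:59, two workstations,
# expires at the end of 1999-12-31 (a Friday).
USER2 = Account(
    username="User2",
    expires_end_of=date(1999, 12, 31),
    hours={(d, h) for d in range(5) for h in range(8, 18)},
    workstations={"WKSTA1", "WKSTA2"},
)

if __name__ == "__main__":
    for ts, ws in [(datetime(1999, 12, 31, 17, 30), "wksta1"),
                   (datetime(2000, 1, 3, 9, 0), "WKSTA1")]:
        print(ts, ws, check_logon(USER2, ts, ws))
```

The function only models new logons; a User who is already logged on when the account expires stays logged on, as described under Account Expires.
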
And of course, the Profiles Button opens up a can of worms...
User Profile - is a stored collection of items that define a User's desktop and environment. Through a profile, Users can customize settings such as display properties, desktops, Start Menu configuration, network connections, printer connections, mouse settings, Windows sizes and positions, and program groups. Profiles can be created for both Users and Groups. Windows NT security requires a user profile for each account that has access to the system.
| Windows Explorer | All definable settings |
| Taskbar | All personal program groups and their properties, all program items and their properties, and all taskbar settings. |
| Printer settings | Network printer connections. |
| Control Panel | All User defined settings made in Control Panel. |
| Accessories | All user-specific application settings affecting the Windows NT environment, including Calculator, Clock, Notepad, Paint, and HyperTerminal, etc. |
| Help Bookmarks | Any bookmarks placed in the Windows NT Help System. |
Source: "Windows NT 4 Upgrade Training" by MS Press
Types of User Profiles
- Local Profiles: Profiles specific to each computer. Profile can only be loaded when a User logs on to that specific computer.
- Default User Profile - created during installation process. Each time a new User logs on to an NT computer, a profile is created for the User by copying the default User Profile. The default User Profile is copied into a folder for the user and all modifications the User makes are saved to this profile.
- Roaming Profiles - Ntuser.dat. Profiles that can be loaded from any computer. User can log on at any computer and load the profile.
- Mandatory Profiles - Ntuser.man extension. Preset, roaming profiles that cannot be changed by the user. If a User's mandatory profile is unavailable the user will not be able to log on.
Folders that compose a User Profile
| Application data (not supported by Windows 95) | Application-specific data; for example, a custom dictionary. Application vendors decide what data to store in this folder. |
| Desktop | Desktop items, including files and shortcuts. |
| Favorites | Shortcuts to program items and favorite locations. |
| NetHood (hidden) | Shortcuts to Network Neighborhood items. |
| Personal | Shortcuts to program items. |
| PrintHood (hidden) | Shortcuts to printer folder items. |
| Recent | Shortcuts to the most recently used items. |
| SendTo | Shortcuts to document items. |
| Start menu | Shortcuts to program items. |
| Templates (hidden) | Shortcuts to template items. |
Source: "Windows NT 4 Upgrade Training" by MS Press
Warning: do not copy Profiles with Windows Explorer. Use System Applet or registry will be confused.
Profiles in the Registry and Windows 95 equivalents
| Ntuser.dat | User.dat |
| Ntuser.dat.log | User.da0 |
| Ntuser.man | User.man |
Profiles from Windows 95 and Windows NT (all versions) are NOT COMPATIBLE. Any changes made to one will not be reflected if the User logs in from another TYPE OF OPERATING SYSTEM.
User Profile Path (only necessary to fill in if you are creating a roaming or mandatory profile).
Creating Roaming Profiles (4 Step Overview)
- Step 1 - Creating a Template Profile (and Account) for Use
- Step 2 - Creating the User's Profile Folder, Copying the Template Profile to the User's Profile Folder, and giving the User permissions to Use the Template Profile
- Step 3 - Specifying the User Profile path to the Roaming (or Mandatory) Profile
- Step 4 - Making it work
Step 1 - Creating a Template Profile (and Account) for Use
- Log on as the Administrator.
- Assign the log on locally right to "Everyone" in User Manager for Domains > Policies > User Rights. In "Right" box, click "log on locally." Add. Under "Name" choose "Everyone." OK
- Create a shared folder called "Profiles" off the c:\ of the Server and give "Everyone" permission to it.
- Create New User in User Manager for Domains called "Template Profile" and clear "...must change password at next logon." This will be our template User and the Account we will use to create the template profile.
- Create New User in User Manager for Domains called "User2" and clear "...must change password at next logon." This will be our beta user who will test to see if the profile worked.
- Log off as Administrator
- Log on as Template Profile
- Using Windows Explorer, you should see that a local user profile is automatically created in c:\winnt\profiles\ folders. If you were to go into the System Applet > User Profiles Tab, you should also be able to see that a Local Profile (called for example: "Domain1\Template User") has been created.
- Make changes to the desktop, (example: color of background)
- Log off as Template Profile
Step 2 - Creating the User's Profile Folder, Copying the Template Profile to the User's Profile Folder, and giving the User permissions to Use the Template Profile
- In Windows Explorer, create this folder: c:\profiles\User 2
> User Profiles Tab > Copy Profile to ... Type in the full UNC path name to the server where the profile will reside. Our example: \\Server1\Profiles\User 2.
- Click the "change" button. "Choose User" dialog box appears. In "List Name From" box, make sure your domain appears
- Click "Show Users" Button. Click on User2 and then "Add" button. Click ok.
- ***You are back at the "Copy to" dialog box -- click ok. Make sure \\Server1\Profiles\User2 is in the "Copy to" dialog box and Domain1\User2 is listed as "Permitted to use." Now Click Ok ***
Step 3 - Specifying the User Profile path to the Roaming (or Mandatory) Profile
> User 2 > Double click on User 2 > Profile Button
- Specify path in "User Profile Path" in User Environment Profile dialog box
- Roaming profile: \\Server1\profiles\%username% ; NT will substitute user name with account name
- If profile is roaming mandatory example: \\Server1\Profiles\Ntuser.man (you will have had to change Ntuser.dat to Ntuser.man for this to work). It is important to specify "Ntuser.man" when doing mandatory profiles.
Step 4 - Making it work
- You've noticed, even up to this point, if you tried to go into the System Applet and "Change Type" of the Profile -- you can't.
- Log off as Administrator
- Log on as User 2 -- you will be prompted on whether or not to use a Roaming Profile. Use the Roaming Profile.
- Go into the System Applet and "Change Type." This time it will read "roaming profile." Now you have done something ;-).

The "Use cached profile on slow connections" checkbox is an option once Roaming Profile is enabled!

User Profiles and System Policies in Directory Replication
By storing ROAMING profiles in \%winntroot%\System32\Repl\Export\Profile, you effectively enable load balancing AND protect profile usage if the PDC fails. You would reference it for each User (in User Manager for Domains) with NETLOGON\PROFILES\%USERNAME%
System Policies should also be stored in \%winntroot%\System32\Repl\Export\Scripts;
Profiles only need to be stored on an accessible Server. They can reside in a trusting/or trusted domain. Contrary to some sources, depending on how you configure your replication, you may be able to glean some performance advantages by replicating Profiles.
Logon Script Name
Logon Scripts
- Can be .bat, .cmd, or .exe
- The default export directory for logon scripts on the PDC is \winnt\System32\Repl\Export\Scripts. Note that "scripts" is a subfolder of "Export."
- Path you want to enter is: \winnt\System32\Repl\Import\Scripts
Home Directory
Default for "Open" and "Save As"
Local Path - der.
For a Network "home drive" per se ...
- Connect drive letter - network drive letter that will appear on the client computer
- To - (type in the UNC name) share on the network server. Example: \\Server1\data\User 2 or \\Server1\data\%username% ...NT Server will usually create the folder automatically unless the drive on the server is hidden.
There is a great deal of contradictory information on these commands. Using variables like %homepath% (and %homedrive% - "...used to reference User's home directory in application programs once a User Account has been created ..."), %username% (for home directories), %servername% (for load balancing), etc. Need to find better information on this ... got any? got, like, a list of all them? ... functions, considerations for use, etc.? email me