Windows 2003 Server

Chapter 3

Creating and Managing User Accounts

Home | Chapters | Homework | Grades | Calendar | Forums | Syllabus

Forum Policy | Assignment Policy | E-Mail Mr Hull | FTP

Main | Chapter 1 | Chapter 2 | Chapter 3 | Chapter 4 | Chapter 5 | Chapter 6 | Chapter 7

Chapter 8 | Chapter 9 | Chapter 10 | Chapter 11 | Chapter 12 | Chapter 13 | Chapter 14


At the end of this chapter you should be able to:


  • Understand the purpose of user accounts
  • Under the user authentication process
  • Understand and configure local, roaming, and mandatory user profiles
  • Configure and modify user accounts using different methods
  • Troubleshoot user account and authentication problems


Introduction to User Accounts

User accounts are what uniquely identify people on the network.  Active Directory allows you to organize you user accounts with ease.  We will spend this chapter looking at ways to create accounts and modify user attributes.  Then we will look at the authentication process and learn how to troubleshoot logon problems.


User Account Properties

Active Directory User and Computers is the primary interface to interact with user accounts.  If you want to view the properties or attributes of a user double click on it in Active Directory Users and Computers.  In the properties page you will see tabs at the top.  Below is a summary of the tabs.

  • General - Displays general information about the user such as the first and last name.  You will also find a description of the user, their office location, telephone number, email and webpage.

  • Address - Contains information about the users physical address.

  • Account - Shows the users logon name, allows you to choose what computer they can log on from, and at what time.  You can also set account options such as user must change password at next logon, or password never expires.  In here you can also set when an account should expire.  This would be handy if you had a temp working in your organization and you know when their last day will be.

  • Profile - Set the profile location, logon script, and the location of the home drive.

  • Telephones - List of all the users telephone numbers.

  • Organization - The users title, department, company, and manager.

  • Member of - Displays all the groups in which a user belongs.

  • Dial-in - Give access to the user to access the server remotely and set the settings.

  • Environment - Tells the server what program will be the shell in a remote desktop connection.  For example if you set Internet Explorer to the startup program, when the user logs into the server they will see Internet Explorer and nothing else.  When they close Internet Explorer the session will log out. 

  • Sessions - Sets the rules for a terminal server connection.

  • Remote Control - Determine whether or not you can take over a users session in remote desktop.

  • Terminal Services Profile - Same as Profile tab but only applies when you log onto a terminal server.  (script setting not present)

  • COM+ - Determines what COM+ partition the user is a member of.

Note: More tabs will be available if the Exchange Server tools are installed and if Advanced Features are turned on.


LAB ACTIVITY - Do the lab on page 89. (10 Minutes)

User Authentication

When a user logs into the the domain they enter their username, password, and domain.  This process is called authentication.  This can be done multiple ways using multiple protocols, this section will exam them.


Authentication Methods

Interactive authentication is when the user is required to type their username and password.  Once they do this it is compared against the values in Active Directory.  If correct the user is able to log on.  If they are incorrect the user is denied access to the domain.  On the logon screen for Windows 2000, Windows 2003 and Windows XP, there is a pull down menu for logon to.  You can use this to choose the domain you wish to authenticate too.  In this list you will also see the name of your computer.  If you choose your computer name you will be logging into the local computer using it SAM database to authenticate you.


Network Authentication occurs when you try to access a resource on the domain.  If you are already logged into the domain using interactive authentication, then network authentication is transparent.  If a user outside of the domain tries to access a resource on the domain a username and password box will be displayed.  In order to login you need to tell the server what domain to authenticate from, to do this you can type your name in one of the two formats:


  • domain\user

Authentication Protocols

Kerberos v5 is the preferred authentication type for Windows Server 2003.  It is supported by Windows 2000/2003/XP.  Below is a summary of what happens when a user authenticates using Kerberos.

  • When the user logs in interactively the request is sent to a Key Distribution Center (KDC) which resides on a Domain Controller

  • If the username and password are correct the KDC issues a ticket-granting ticket (TGT) to the client.

  • When the client tries to access a resource on another server it presents its TGT to the KDC and requests a service ticket for the server that contains the resource.

  • The client then presents the service ticket to the server that contains the resource, at this point if the user has the appropriate permissions the user can open the resource.

If the client doesn't support Kerberos then NTLM authentication is used instead.  NTLM is a challenge-response protocol outlined below.

  • When the user logs in interactively the client creates cryptographic hash of the supplied password, then discards the original password.

  • The client sends the username to the domain controller.

  • The domain controller creates a 16-bit random number and sends it to the client.  (the challenge)

  • The client responds with the 16bit number and the hash of the users password. (the response)

  • The server verifies the information against Active Directory.  If everything checks out the client is authenticated.

After the user is authenticated they are given a token that they use to perform transparent network authentication.

Users Profiles

Windows NT/XP/2000/2003 all support user profiles.  User profiles allow two or more users to share a computer and keep different settings.  By default in Windows NT profiles are stored in %systemroot%\Profiles (%systemroot% is usually C:\Winnt in Windows NT), and Windows XP/2000/2003 store the profiles in %systemdrive%\Documents and Settings (%systemdrive% is usually C:\). See side note for more details about environmental variables.


Note:Environmental variables store information about the system that you can reference in scripts and batch files.  To see a list of environmental variables and their values open a command prompt, type set and hit enter. 

Practice:Open the run box and type %userprofile% and click ok.


Local Profiles

In the root of the profiles folder there is a hidden folder called Default User.  When a new user logs onto a computer the contents of the Default User are copied to a folder with the users username as it's name.  That new folder becomes the users profile.  One thing that you should know is how printers work in the local profile.  If a printer is a local printer it is available to all users of the computer.  If the printer is a network printer it is only available in the profile for which it was installed.  This means if you go to someone's office, logon as yourself, and install a network printer, the user will not see the printer when they log in.


LAB ACTIVITY - Do the lab on page 102. (10 Minutes)


Roaming Profiles

You can take your users profile folders and move them to a shared location on a server.  Then using the profile tab in the users profiles you can set the location of their profile.  Now when a user logs in there profile is loaded from the server.  If the user moves to another computer their settings will follow them.  In chapter 9 we will look at folder redirection that can be used as an alternative or in conjunction with roaming profiles.


LAB ACTIVITY - Do the lab on page 105. (15 Minutes)


Mandatory Profiles

Each profile has a user portion of the registry.  This file is called ntuser.dat, and by default it can be modified.  If the user changes their background picture the settings for that are stored in the ntuser.dat.  If you don't want the user to change any settings in their profile then rename the ntuser.dat to and it becomes a mandatory profile.  The user can make changes when they are logged in but they aren't saved.


LAB ACTIVITY - Do the lab on page 109. (10 Minutes)

Creating and Managing User Accounts

Windows Server 2003 supports multiple ways to create and manage user accounts.  The most common way is by using Active Directory User and Computers.  We will look at some of the command line tools that can be used to manage user accounts as well.


Active Directory Users and Computers

Active Directory Users and Computers allows you to browse your users, groups, OU's and printers using a graphical interface.  New in the Windows Server 2003 is the ability to move objects by dragging and dropping.  Also you can now save queries that you might commonly perform.  Windows Server 2003 places users in the Users container, this container is not an Organizational Unit, which means group policies can't be applied to it.  You will want to setup your OU structure to organize your users and to have the ability to assign group policies.


LAB ACTIVITY - Do the lab on page 113. (20 Minutes)


Another new feature in Windows Server 2003 is the ability to modify multiple user accounts at once.  Select multiple accounts, right click and choose properties.  Before Windows Server 2003 you could use the ADModify tool from Microsoft or write a script that would do it.


User Account Templates

If you copy a user there are some settings that are copied over such as group membership, profile, script, and home folder settings.  If you make an account that contains the settings for a department you can use it as a template for new users that come.


LAB ACTIVITY - Do the lab on page 116. (10 Minutes)


Command Line Utilities

Windows 2000 was missing some good command line utilities to create and manage user accounts.  Windows 2003 Server includes some new tools that will allow you to manage accounts from a command line interface.

  • DSADD - Add objects such as users

  • DSMOD - Modifies object attributes and settings

  • DSQUERY - Queries for objects

  • DSMOVE - Moves objects to different locations within a domain. (Note: If you want to move objects between domains their is a utility called movetree you can use.)

  • DSRM - Deletes objects from the directory

LAB ACTIVITY - Do the lab on page 120. (10 Minutes)

LAB ACTIVITY - Do the lab on page 122. (10 Minutes)


Bulk Import and Export

Microsoft includes two utilities to assist with the bulk import and export of users in Active Directory.  CSVDE and LDIFDE.

  • CSVDE allows you to import and export in a CSV (Comma Separated Variable) format.  A CSV can be easily modified in notepad or Microsoft Excel.

  • LDIFDE allows you to import and export in a LDIF (LDAP Interchange Format) format.  This is the standard for exchanging data between LDAP (Lightweight Directory Access Protocol) directories.  The file format used is LDF.

LAB ACTIVITY - Do the lab on page 128. (5 Minutes)


Using ADSI (Active Directory Services Interface) you can create scripts that will do similar things.  Below are two examples.

  • AD Report - This script will scan an OU and report information about each user.  It stores the information in a csv.

  • Import User - This will import users from a CSV that contain last name, first name on each line.

Troubleshooting User Account and Authentication Issues


Account Policies

Account policies can only be applied at the domain level.  You will find them in the Default Domain Policy group policy.  Their are three categories of policies you can set in this section.

  • Password Policy - Set requirements on users passwords.

    • Enforce password history - A list of x number of previous passwords that the user can not reuse.

    • Maximum password age - Defines how long the user can use the password

    • Minimum password age - Defines how long they have to use it before it can be changed.

    • Minimum password length - Defines the minimum length of the password.

    • Password must meet complexity requirements - Determines whether or not a complex password is required.  A complex password cannot include any part of the users username, must be at least 6 characters, and must contain 3 of the 4 elements below:

      • Capital letters

      • Lowercase letters

      • Numbers

      • Non-alphanumeric characters

    • Store passwords using reversible encryption - Store the password in a clear text format for some applications that need it.

  • Account Lockout Settings

    • Account lockout duration - Defines how long an account will be locked.  NOTE: In the book on page 132 the definition listed is incorrect.

    • Account lockout threshold - Defines how many tries the user has before they are locked out

    • Reset account lockout counter after - Defines how long after an unsuccessful attempt until the lockout count is cleared.

  • Kerberos

    • Enforce user logon restrictions - Require the KDC to validate every request for a session ticket against the user rights policy of the target computer.

    • Maximum lifetime for service tickets - Determine how long a service ticket is valid.

    • Maximum lifetime for user tickets - Determine how long a user ticket is valid

    • Maximum lifetime for user ticket renewal - Determine the amount of time that a user's TGT may be renewed.

    • Maximum tolerance for computer clock synchronization - Determine the difference in client and server clocks that will be allowed.

Auditing Authentication

Auditing is looked at in more detail in Chapter 14, but we will look at how to use it to troubleshoot logon problems.  In the Default Domain Policy you can enable auditing for failed logon events.  When a user fails to logon an event in the security event viewer will be logged.  You can use the information from the even viewer to troubleshoot the problem

More Information


Click Here to download the slides for this chapter

(NOTE: You must have PowerPoint or PowerPoint Viewer if you don't have  either Click Here to download PowerPoint Viewer.)

Home | Chapters | Homework | Grades | Calendar | Forums | Syllabus

Forum Policy | Assignment Policy | E-Mail Mr Hull | FTP