Windows Server 2003 Networking - 7

Understanding Windows User Accounts

User accounts are one of the basic tools for managing a Windows server. As a network administrator, you’ll spend a large percentage of your time dealing with user accounts — creating new ones, deleting expired accounts, resetting passwords for forgetful users, granting new access rights, and so on. Before get into the specific procedures of creating and managing user accounts, thissection presents an overview of user accounts and how they work.

Local accounts versus domain accounts

A local account is a user account that’s stored on a particular computer and applies only to that computer. Typically, each computer on your network  will have a local account for each person that uses that computer.

In contrast, a domain account is a user account that’s stored by Active Directory and can be accessed from any computer that’s a part of the domain. Domain accounts are centrally managed. This chapter deals primarily

with setting up and maintaining domain accounts.

User account properties

Every user account has a number of important account properties that specify  the characteristics of the account. The three most important account properties are

✦ Username: A unique name that identifies the account. The user must enter the username when logging on to the network. The username is public information. In other words, other network users can (and often should) find out your username.

✦ Password: A secret word that must be entered in order to gain access to the account. You can set up Windows so that it enforces password policies, such as the minimum length of the password, whether the password must contain a mixture of letters and numerals, and how long the password remains current before the user must change it.

✦ Group membership: Indicates which group or groups to which the user account belongs. Group memberships are the key to granting access rights to users so that they can access various network resources, such as file shares or printers, or to perform certain network tasks, such as creating new user accounts or backing up the server. Many other account properties record information about the user, such as the user’s contact information, whether the user is allowed to access the system only at certain times or from certain computers, and so on

The Administrator account

Windows comes with a built-in account named Administrator that has complete access to all the features of the server. As a network administrator, you’ll frequently log on using the Administrator account to perform maintenance chores. Because the Administrator account is so powerful, you should always enforce good password practices for it. In other words, don’t use your dog’s name as the Administrator account password. Instead, pick a random combination of letters and numbers. Then, change the password periodically.

Write down the Administrator account password and keep it in a secure location. Note that by “secure location,” I don’t mean taped to the front of the monitor. Keep it in a safe place where you can retrieve it if you forget it,

but where it won’t easily fall into the hands of someone looking to break into your network.