CREATING USER ACCOUNTS • Group accounts simplify administration by organizing user

accounts into a single administrative unit. • They provide a convenient method of controlling access for

several users who will be performing similar tasks. • By placing multiple users in a group and assigning rights

and/or permissions to the group, you can assign the same abilities and/or restrictions to all the users at the same time.

• Without groups, you would have to assign user rights and access permissions to the individual users’ accounts.

• Even if a user account is a member of one or more groups, you can also modify that account individually.

Step 1 Create Global Groups

• Global groups consume from 2K to 4K of memory in the Registry.

• As a result, you may want to go easy on the number of global groups you create. In a medium-sized network with up to 5,000 users, it’s not uncommon to have 30 to 40 global groups.

• In larger networks, you may need more.

Create a global group called Color Printer Users

Start User Manager for Domains from Administrative Tools

• Notice that the Administrator account in the top frame is highlighted.

• The user interface for User Manager for Domains has the bad habit of always highlighting the first user, which is usually the Administrator.

• When you create global groups, you need to make sure that nothing in the top frame is highlighted, including the Administrator account.

• To remove that selection, click any of the groups listed in the lower half of the screen.

From the User menu, select New Global Group to bring up the dialog box

Step 2 Create Local Groups To create local groups, follow the same approach. From User Manager for Domains, select New Local Group from the User menu to bring up the dialog box

• In Figure 4.7, previous slide, we are creating a new local group called Colour Printers.

• Remember, local groups are used to control resources.

• As a result, consider creating local groups, such as Colour Printers or Office Applications, whose names indicate the resources that they control.

Step 3 Add Global Groups to Local Groups

• Clicking Add in Figure 4.7 lets us add global groups to the Colour Printers local group.

• First, the Add Users and Groups dialog box appears.

• Highlight global groups that you want to add to the local group, then select Add.

• As you can see in Figure 4.8, the domain’s global group Colour Printer Users has been added to this group.

When you finish adding users, click OK. The New Local Group dialog box (Figure 4.9) appears with Colour Printer Users as the only Member

Don’t add users to a Local Group• Note that we did not add any users to this local group. • It is a good idea to not add users to local groups if you are

implementing NT domains. • If you add users to local groups, you must then manage and

configure local groups whenever you add new users. • Because a local group is visible only on the computer where

it is defined, you may end up modifying local groups on various computers constantly.

• For example, if you have three colour printers on three computers, you end up adding those users in three different local groups so that they can access all three colour printers.

Add users to the Global Group

• Even if you set up new local groups called Colour Printers on different computers, you just need to add the Colour Printer Users global group once to the local group, and you never have to touch it again.

• With this setup, whenever a new user needs to access a number of similar resources across the network, adding that user to one global group gives the user access across the network.

Step 4 Create Template Accounts • Because creating a user account is pretty much self-explanatory

with the User Manager for Domains, we simply highlight the main issues here.

• From the User menu, select Add User to bring up the New User dialog box (Figure 4.10).

Make sure that this template account is disabled by checking Account Disabled. Also, check “User Must Change Password at Next Logon.”

You can set up valid logon hours, the computers that the user is allowed to logon to, dates when the account expires, and dial-in permissions using the four buttons — Hours, Logon To, Account, and Dialin — at the bottom of the dialog box.

Template for General Users

Groups and Profile buttons• Clicking Groups brings up the dialog box in Figure 4.11. • By default, TemplateUser is set up as a member of

Domain Users. • To add TemplateUser to the Colour Printer Users

global group, double-click the appropriate entry in the pane on the right.

• You can make TemplateUser a member of as many groups as you want.

• Remember, though, that even though you can make TemplateUser a member of various local groups, you should resist this temptation.

When you click Profiles in Figure 4.10, the User Environment Profile dialog box (Figure 4.12) appears; here you set the user profile, logon scripts, and home directories.

Profiles

• You may want to fill in the User Environment Profile as shown in Figure 4.12.

• Here, \\sbs01 is the NetBIOS name of the computer, and the \profiles and \home parts of the paths are the share names.

• These resources must be created and shared before you can type this part of the path name.

• When you create an actual user account with this template, the %username% variable will be replaced by the user name during the creation of the user’s home directory inside the \\sbs01\home share.

Roaming Profile

• By specifying a profile available on a shared folder, you create a roaming profile, which gives the user access to more or less the same desktop configuration on different domain members.

• In other words the user will have the same privileges regardless of where they log on to the domain.

The user profile maintains a variety of user preferences

• Background, screen saver, display properties • Start menu configuration • Mouse settings • Desktop items • Personal program groups • Explorer settings • Taskbar settings • Window size • Control Panel settings • Window position • Accessories • Help bookmarks • Persistent network connections • Printer connections

Three types of User Profiles

• Local Profiles — these profiles are created during initial logon.

• Roaming Profiles — when you create the account, you can create these profiles by specifying a path in User Manager for Domains.

• Mandatory Profiles — you create these profiles by changing the .dat file name extension to .man (for example, changing Ntuser.dat to Ntuser.man).

Step 5 Copy Template Accounts • To use the template account to create a user account,

you copy the template account. • From the User menu in User Manager for Domains,

highlight the template account and select Copy to bring up the dialog box shown in Figure 4.13.

• Here, you add the user name and full name. Everything else is copied from the template.

• For example, the Profile dialog box for the new user account for Karen Mercer is shown in Figure 4.14.

Notice that the %username% variable has been replaced by the user name.