Module 5: Administering User Accounts Contents Overview Finding User Accounts Administering User Accounts Lab A: Administering User Accounts Managing User Profiles 10 Creating Home Folders 19 Introduction to Group Policies 22 Lab B: Administering User Profiles 23 Troubleshooting User Accounts 28 Best Practices 29 Review 30 This course is a prerelease course and is based on Microsoft Windows 2000 Beta software Content in the final release of the course may be different than the content included in this prerelease version All labs in the course are to be completed using the Beta version of Microsoft Windows 2000 Advanced Server Information in this document is subject to change without notice The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted Complying with all applicable copyright laws is the responsibility of the user No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation If, however, your only means of access is electronic, permission to print one copy is hereby granted Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property  1999 Microsoft Corporation All rights reserved Microsoft, MS-DOS, MS, Windows, Active Directory, PowerPoint, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A and/or other countries The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted Other product and company names mentioned herein may be the trademarks of their respective owners Project Lead/Senior Instructional Designer: Red Johnston Instructional Designers: Tom de Rose (S&T OnSite), Meera Krishna (NIIT (USA) Inc.) Program Manager: Jim Cochran (Volt Computer) Lab Simulations Developers: David Carlile (ArtSource), Tammy Stockton (Write Stuff) Technical Contributor: Kim Ralls Graphic Artist: Julie Stone (Independent Contractor) Editing Manager: Tina Tsiakalis Editors: Wendy Cleary (S&T OnSite), Diana George (S&T OnSite) Online Program Manager: Nikki McCormick Online Support: Tammy Stockton (Write Stuff) Compact Disc Testing: ST Labs Production Support: Rob Heiret, Ismael Marrero, Mary Gutierrez (Wasser) Manufacturing Manager: Bo Galford Manufacturing Support: Mimi Dukes (S&T OnSite) Lead Project Manager, Development Services: Elaine Nuerenberg Lead Product Manager: Sandy Alto Group Product Manager: Robert Stewart Module 5: Administering User Accounts iii Introduction Presentation: 60 Minutes Lab: 30 Minutes This module provides students with the information that they will need to administer existing user accounts The module discusses how to use Active Directory™ directory service to find a user account with specific account properties It also covers how to change user account settings, administer desktop environments with user profiles, and create home folders The module provides an introduction to group policies and the effect they can have on user accounts At the end of this module, students will be able to perform day-to-day Microsoft® Windows® 2000 administrative tasks There are two labs in this module; in them students disable and enable user accounts, reset a user’s password, search Active Directory for user accounts, reset a user’s password, define user profiles, define home directories, create and test a local user profile, and create and test a roaming user profile Materials and Preparation This section provides you with the materials and preparation needed to teach this module Materials To teach this module, you need the following materials: !" Microsoft PowerPoint® file 1556A_05.ppt !" Module 5, “Administering User Accounts” Preparation To prepare for this module, you should: !" Read all the materials for this module Notice that some slides are animated and require that you click them several times as you step through the corresponding process Animated slides are indicated with an icon in the lower left corner !" Review the Delivery Tips and Key Points for each section and topic !" In order to demonstrate unlocking a user account that is locked out of the network, create the account before teaching the module !" Complete the two labs !" Study the review questions and prepare alternative answers for discussion !" Anticipate questions that students might ask Write out the questions and provide answers to them iv Module 5: Administering User Accounts Module Strategy Use the following strategy to present this module: !" Finding User Accounts Describe and demonstrate the Find function of Active Directory to locate a user account !" Administering User Accounts Provide an overview of common tasks that are involved in administering user accounts Explain to students why they might need to reset passwords and unlock user accounts Demonstrate how to perform both administrative actions Describe and demonstrate how to disable, enable, rename, and delete user accounts The labs associated with this module are in a proposed new format Remind students to complete the lab survey on the Student Materials Web page when they have completed the course !" Managing User Profiles Provide students with an overview of user profiles Define user profiles; explain how they are created, and how they change Describe default user profiles as a template to create new user profiles Present an overview of roaming user profiles The topic on defining roaming user profiles has an animated slide The icon on the bottom left corner of the slide identifies it as an animated slide Use the slide to help describe the application of a roaming user profile to a computer at which the user logs on Demonstrate the steps for setting up a roaming user profile Describe customized roaming user profiles to provide users with the desktop environments that they need Describe mandatory roaming user profiles The topic on mandatory roaming user profiles also has an animated slide Use the slide to help describe the application of a mandatory roaming user profile to a computer at which the user logs on Demonstrate how to create and assign a customized profile for multiple users !" Creating Home Folders Provide students with an overview of home folders Explain home folders as the network location where users store their files Explain and demonstrate the procedure to create a home folder on a server !" Introduction to Group Policies Introduce group policies and explain how they can affect user access Tell students that they should be aware of group policies that might affect user accounts and should work with Group Policy administrators to resolve access conflicts !" Troubleshooting User Accounts Provide students with solutions to user account access problems !" Best Practices Read the Best Practices section before you start the module, and then refer to the appropriate practice as you teach the corresponding module section Then, at the end of the module, summarize all of the best practices for the module Module 5: Administering User Accounts v Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on the student computers during the labs This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware Important The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1556A, Administering Microsoft Windows 2000 Lab Setup The following list describes the setup requirements for the labs in this module Setup Requirement The labs in this module require that the Users group have the Log on locally right To prepare the student computers to meet this requirement, perform one of the following actions: !" Complete module 2, 3, or in course 1556A, Administering Microsoft Windows 2000 !" From the Trainer Materials compact disc, run the LRights.cmd script on each domain controller in each child domain Setup Requirement The labs in this module require the following user accounts: User51, User52, User53, User54, User55, and User56 in the Users container To prepare the student computers to meet this requirement: !" Run the script Lab051.cmd on only one of the two domain controllers in each subdomain Caution If you run the script on both domain controllers, the labs will not function properly !" If you create the users manually, leave the password blank Lab Results Performing the labs in this module introduces the following configuration changes: !" The assignment of the Log on locally right to the Users group !" The addition of User51, User52, User53, User54, User55, and User56 in the Users container Module 5: Administering User Accounts Overview Slide Objective To provide an overview of the module topics and objectives ! ! Managing User Profiles ! Creating Home Folders ! Introduction to Group Policies ! Troubleshooting User Accounts ! In this module, you will learn how to administer user accounts This includes modifying user accounts, as well as setting up user profiles and home folders You will also learn how group policies affect user accounts in your network Administering User Accounts ! Lead-in Finding User Accounts Best Practices You might have to find specific user accounts to administer them You use Active Directory™ directory service to find a user account by searching for specific account properties As an administrator, you might have to change user account settings and set up desktop environments Changes to a user account can involve changing a user’s password, or renaming or deleting a user account In addition to administering user accounts, you also administer other functions that affect user accounts You set up user profiles to control what appears on a user’s desktop and the applications to which users have access Your familiarity with group policies enables you to understand the influence they have on user accounts, groups, and computers You create and manage home folders at a location where users store data files Important You must be an administrator or have administrative rights to complete the tasks of modifying user accounts, creating roaming user profiles, and assigning home folders At the end of this module, you will be able to: !" Use Active Directory to find a user account !" Administer user accounts !" Manage user profiles and roaming user profiles !" Create home folders !" Describe group policies and their effect on user accounts, groups, and computers !" Troubleshoot user accounts !" Apply best practices to administer user accounts Module 5: Administering User Accounts # Finding User Accounts Slide Objective To describe the Find function of Active Directory to locate a user account Lead-in You can use Active directory to find a user account Find Users, Contacts, and Groups File Edit View Help Find: Users, Contacts, and Groups In: nwtraders Browse Users, Contacts, and Groups Advanced Name: Find Now Stefan Knorr Stop Description: Clear All Name Type Description item(s) found Delivery Tip Demonstrate using Users, Contacts, and Groups to find an object such as a user in Active Directory One of the key benefits of Active Directory is its store of information about network objects Information in Active Directory about users, computers, files, and printers is available to network administrators Administrators can use the Find Users, Contacts, and Groups dialog box to quickly find a user or group in Active Directory using account properties such as first name, last name, e-mail alias, or office location To find a user account, open Active Directory Users and Computers Right-click the domain, and then click Find Type the user name or, under Description, type a property of the user that you want to find, such as e-mail alias Then click Find Now Module 5: Administering User Accounts # Administering User Accounts Slide Objective To introduce some common tasks that are involved in administering user accounts ! ! Lead-in Administering user accounts allows you to fix problems that might arise for users Delivery Tip This is an overview of administering user accounts Prepare students for the topic by providing the following key points of information Resetting Passwords and Unlocking User Accounts Disabling, Enabling, Renaming, and Deleting User Accounts After you set up a user account, you might have to make modifications to it Company business needs and personnel changes might require you to modify user accounts For example, you might need to rename an existing user account for a new employee so that the employee has the same permissions and network access as his or her predecessor You might need to make modifications to user accounts because of changes in: You might also need to disable, enable, rename, and delete user accounts Company organization !" You might need to reset passwords and unlock user accounts Personnel !" Key Points !" The network If a user cannot log on to a domain or to a local computer, you might need to reset the user’s password or unlock the user’s account You might need to reset a password if a user forgets it You might have to unlock a user account if a user violates network policies and is locked out of the network You might have to make other changes to user accounts These include disabling, enabling, renaming, and deleting a user account You perform these administrative tasks in Active Directory Module 5: Administering User Accounts Resetting Passwords and Unlocking User Accounts Slide Objective To present why and how to reset a password and unlock a user account Lead-in When a user cannot gain access to the network or a computer, you might need to reset a password or unlock the user account Delivery Tip Demonstrate the procedures to reset a user account password by using Active Directory Users and Computers Demonstrate how to unlock a user account on the Account tab in the Properties dialog box for the user Modification Modification Reset Reset password password Unlock user Unlock user account account When When ! The password expires ! The password expires ! The user forgets password ! The user forgets password ! A group policy locks the ! A group policy locks the account account Typically, a Group Policy locks out a user account ! Reset Password dialog box ! Reset Password dialog box ! Account tab of Properties ! Account tab of Properties dialog box of user dialog box of user If a user cannot log on to a domain or a local computer, you might need to reset the user’s password or unlock the user’s account To perform these tasks, you must be a member of the Administrators or account operators group The following table describes when and where you make these modifications Modification When Where Reset a password The password expires before the user changes it or the user forgets the password In the Reset Password dialog box You not need to know a user’s password in order to reset it You should require the user to change the password the next time that he or she logs on Key Points You not need to know a user’s password in order to reset it In fact, there is no way to determine a user’s current password Where Where Unlock a user account A Group Policy locks out a user account if the user violates the policy For example, a user is locked out if he or she exceeds the limit that a Group Policy allows for failed logon attempts When a user account is locked out, Windows 2000 displays an error message On the Account tab in the Properties dialog box for the user When a user account is locked out, the Account lock out check box is selected Clear the check box You gain access to the Reset Password and Properties dialog boxes in Active Directory Users and Computers Right-click the appropriate user account, and then click Reset password or Properties 18 Module 5: Administering User Accounts Assigning a Customized Profile to Multiple Users Slide Objective To show how to create a template profile, to copy and assign the profile, and to create a mandatory profile Tasks Tasks Lead-in You can create a template profile to assign to multiple users Create a User Profile Template Create a User Profile Template Copy Template Account and Assign to User Accounts Copy Template Account and Assign to User Accounts Make a Mandatory Profile Make a Mandatory Profile Delivery Tips The slide for this topic is animated Present the three tasks as you demonstrate the procedures to customize and assign user profiles Use the Administrator account as the template user account Firstly, create a user profile template that contains the desktop settings that you want Secondly, copy the template user profile and assign it to the users’ accounts Thirdly, create a mandatory custom roaming user profile Key Point To make a user profile mandatory, you only need to change the extension on the Ntuser file from dat to man You can customize a roaming user profile and assign it to multiple users who will then have the same standardized settings and connections when they log on You can also make the profile mandatory The tasks for customizing and assigning a roaming user profile are: Create a user profile template that contains the customized desktop settings that you want the user to have by: a Creating an account to use as a template b Logging on using the template account and configuring the desktop environment: desktop appearance, network connections, applications, shortcuts, and Start menu items c Logging off Windows 2000 creates a user profile on the computer in systempartition\Documents and Settings\User_logon_name Use this user profile for your template Log on as Administrator and copy the user profile to the server Select which users and groups are permitted to use the profile by using System Properties in Control Panel Copy and assign a template user profile on the User Profiles tab in the System Properties dialog box Select the template profile under Name, and then click Copy To In the Copy To dialog box, under Copy profile to, type the path to the server (\\Server_name\Shared_folder_name\User_logon_name), or browse for the path Click Change to select the users that are permitted to use the profile In the Choose User dialog box, click Show Users, and then select the users for whom the profile was created To create a mandatory custom roaming user profile, change the extension on the Ntuser file in the template profile from dat to man Note Changes to the template profile affect users who are assigned the profile Module 5: Administering User Accounts 19 # Creating Home Folders Slide Objective To introduce home folders Lead-in Windows 2000 provides an additional place for users to store their documents Delivery Tip This is an overview of creating home folders Prepare students for the topic by providing the following key points of information Key Points A home folder is a place for users to store their documents To create a home folder on a server, create a shared folder, assign permissions, and then provide the path to users ! Defining Home Folders ! Creating Home Folders on a Server A user who logs on to more than one computer encounters problems accessing his or her documents if the documents are stored on only one of the computers used by the user Therefore, it is best for roaming users to store their documents centrally, on a server in a home folder You can provide a centralized network location for users to store their documents Windows 2000 provides you with the means to create a location in addition to the My Documents folder for users to store their documents This additional location is the user’s home folder Home folders are not part of a user profile, so they not affect the logon process You can locate all users’ home folders in a central location on a network server To create a home folder, you must create and share a folder, assign the appropriate permissions for the folder, and provide a path for users to the folder 20 Module 5: Administering User Accounts Defining Home Folders Slide Objective ! To present an explanation of home folders ! Lead-in Home folders store only documents, not desktop settings They not affect the length of time that it takes a user to log on ! Default Folder Used to Store User’s Documents Locate Home Directories on a Server to: $ Make documents available anywhere in the network $ Centralize administration and the backup process $ Make them accessible with any application and Microsoft operating system Not Part of the User Profile User’s User’s Document Document User’s Document User1 Key Points A home folder is not part of a user profile and does not affect the logon process If you store all users’ home folders in a central location, it is easier for you to back up users’ data Server Server User1 Home Folder Users can store their files in My Documents or in home folders With some older applications, it is not possible to save to My Documents Therefore, home folders can be the default folders for saving documents Storing all home folders on a file server provides the following advantages: !" Users can gain access to their home folders from any client computer on the network !" The administration and backup of user documents is centralized !" The home folders are accessible to applications from a client computer running any Microsoft operating system (including MS-DOS, Microsoft Windows 95, Windows 98, and Windows 2000) Because a home folder is not part of a roaming user profile, its size does not affect network traffic during the logon process Note You should store home folders on a NTFS file system partition so that you can use NTFS permissions to secure user documents If you store home folders on a file allocation table (FAT) partition, you can only restrict home folder access by using shared folder permissions Module 5: Administering User Accounts 21 Creating Home Folders on a Server Slide Objective To explain how to create a home folder on a server Creating Home Folders on a Server Lead-in After you have decided that users need home folders that are stored on a file server, you need to create the home folders Tasks Tasks Create a Shared Folder to Share Users’ Home Folders Create a Shared Folder to Share Users’ Home Folders Assign Full Control to Users Assign Full Control to Users Provide Path to Users’ Home Folders in a Shared Folder Provide Path to Users’ Home Folders in a Shared Folder Delivery Tips The slide for this topic is animated Present the three tasks as you demonstrate the procedure to create a home folder on a server Firstly, create a folder on the server called Users, and then share it Secondly, assign Full Control to the users group for the shared folder Thirdly, provide a path for the home folder In Windows Explorer, open the Users folder to show students the new home folder and the default permissions To create a home folder on a network file server, you must perform the following three tasks: Create and share a folder on a network server that will store all home folders The home folder for each user will reside in this shared folder For the shared folder, remove the default Full Control permission from the Everyone group and assign Full Control to the Users group This ensures that only users with domain user accounts can gain access to the shared folder Provide the path to the user’s home folder in the shared folder (that is, \\server_name\shared_folder_name\user_logon_name) You also provide a drive letter for the user’s connection to the server on which the home folders are stored You provide the path and the drive letter on the Profile tab of the Properties dialog box for the user account Type the user’s logon name to automatically create and name each user’s home folder as the user logon name For example, type \\server_name\Users\user_logon_name Note You can set up home folders on a server in the pre-release version of Windows 2000 However, the permissions are not applied automatically 22 Module 5: Administering User Accounts # Introduction to Group Policies Slide Objective To describe group policies ! Set Up by Group Policy or Security Administrator ! Can Be Used to Define a Desktop Environment ! Group policies are a set of configurations that give a Group Policy administrator an additional way to manage a user’s desktop environment Network Settings to Enforce Organization Policies ! Lead-in Can Affect the User Accounts That You Administer: $ Can lock out user accounts $ Can override user profile settings ! Be Aware of Group Policies in Effect on the Network ! Resolve Some Conflicts with Group Policies Yourself In most instances, only special Group Policy administrators set up group policies Group Policies are configuration settings that are used to support organizational and network policies They can be applied to one or more Active Directory objects such as user accounts, groups, and computers Usually, a Group Policy administrator or network security administrator will set up and administer group policies Group policies can affect user access Group policies can be used to define a user’s desktop environment A desktop environment can include: Key Points Network administrators should be aware of group policies that might affect users, and work with Group Policy administrators to resolve conflicts If students want information on setting group policies, refer them to course 1558, Advanced Administration for Microsoft Windows 2000 !" A customized Start menu !" Files that are copied automatically to the My Documents folder !" Applications that are set up !" Restricted access to files, folders, and Windows 2000 system settings Even if you not administer group policies, they affect the user accounts, groups, and computers that you administer, so you should be aware of them For example, user access problems might be the result of a violation of group policies There can be conflicts between group policies and local needs, such as when a policy restricts a user’s ability to gain access to a resource that the user needs to perform his or her job You should be aware of group policies that are in effect on the network that you administer Ask the Group Policy administrator to inform you of group policies that might affect users, groups, resources, and computers for which you have responsibility Knowing the policies that are in effect will improve your ability to perform your administrative responsibilities When group policies affect users, you must work with the Group Policy administrator to resolve the conflict You can resolve some conflicts between users and group policies without having to contact the Group Policy administrator For example, if a user attempts to log on, but is unsuccessful, and is locked out because the user has violated a Group Policy, you can unlock the user account Module 5: Administering User Accounts 23 Lab B: Administering User Profiles Slide Objective To prepare students for the lab Lead-in In this lab, you will define user profiles and home directories, create and test a local user profile, and create and test a roaming user profile Delivery Tip Have students work with a partner when they the lab exercises Objectives After completing this lab, you will be able to: !" Define user profiles and home directories !" Create and test a local user profile !" Create and test a roaming user profile Prerequisites Before working on this lab you must have: !" Experience logging on and off Microsoft® Windows® 2000 Lab Setup To complete this lab, you need the following information Your instructor will provide this, or you and your partner can decide together If you are not working with a partner, you will use “A” Your computer (A or B) Your partner’s computer (A or B) Estimated time to complete this lab: 15 minutes 24 Module 5: Administering User Accounts Exercise 1: Defining a Local User Profile Scenario: The employees of a company will occasionally be moving from one computer to another and would like to retain their personalized desktop environment settings on each computer Your Tasks: Create a local user profile and test it Change the user profile to a roaming user profile Task Detail Log on as the following user: If you are on computer A, log on as User55 If you are on computer B, log on as User56 Create a profile to be used as a template Log on as: User55 if you are on computer A User56 if you are on computer B Note: The first time that a user logs on, Windows 2000 creates a profile based on the default user profile Change the profile using the information in the following table, and then log off Windows 2000 Change the profile using the information in the following table, and then log off Windows 2000 Computer A Computer B Background Feather Texture (Tile) Greenstone Scheme Plum (high color) Rose Check the profile information in the system properties to verify where the profile is being stored Log on as Administrator Right-click My Computer, and then select Properties On the User Profiles tab, find the user that you logged on as in step Where is the profile being stored? The user profile type is a local profile, so it is being stored on the local computer _ _ Log off Windows 2000 Close all windows, and log off Windows 2000 To test the profile, log on with your partner’s account If you are on computer A, log on as User55 If you are on computer B, log on as User54 Log on as the following user (your partner’s account): If you are on computer A, log on as User55 If you are on computer B, log on as User54 Did the changes that your partner made to the profile follow the user? Why or why not? No Because the profile is a local profile, it will be specific to the computer Changes made to the profile will not follow the user _ _ Module 5: Administering User Accounts 25 What changes will be retained? The changes that will be retained are the changes that the user made to his or her profile the last time that the user was logged on to this computer _ _ Log off Windows 2000 Log off Windows 2000 Change the account to use a roaming user profile Change the profile for User54 (if you are on computer A) Change the profile for User55 (if you are on computer B) The profile will be stored at \\London\Profiles\DomainName\ %username% (where DomainName is your domain) Log on as Administrator Start Active Directory Users and Computers, and maximize the window Expand the domain (Domain.nwtraders.msft) Select the Users folder Right-click: User54 (if you are on computer A) User55 (if you are on computer B) Select Properties On the Profile tab, in the Profile path box, type \\london\profiles\DomainName\%username% (where DomainName is your domain) How will this information be used? The next time that the user logs on from anywhere on the network, this is where the computer will look for the profile _ _ Why you use the %username% variable? The %username% variable will be replaced with the user name and will create the directory for the profile and assign permissions automatically _ _ Close the Properties dialog box for the user Click OK to close the Userx Properties dialog box Important: Before you start the next step, confirm that your partner has finished the preceding step The next step is necessary to synchronize Active Directory between domain controllers Run Synch.cmd, which is located in the C:\MOC\WIN1556A\Labfiles folder, and then log off Windows 2000 Verify that the user profile now is a roaming user profile Log on as: User54 if you are on computer A, User55 if you are on computer B Check the profile information in System properties Click the Start button, and then click Run In the Run box, type C:\MOC\WIN1556A\Labfiles\synch.cmd Log off Windows 2000 Log on as the following user: If you are on computer A, log on as User54 If you are on computer B, log on as User55 Right-click My Computer, click Properties, and then click User Profiles 26 Module 5: Administering User Accounts Where is the profile located now? The type has changed to Roaming, so the profile now is located on the network _ _ Log on with your partner’s account to verify that the profile is roaming Log off Windows 2000, and then log on as the following user: If you are on computer A, log on as User55 If you are on computer B, log on as User54 Fill in the results in the following table Fill in the results in the following table Computer A Computer B Background Feather Texture (Tile) Greenstone Scheme Plum (high color) Rose Computer A Computer B Background Scheme Were the settings retained? Why? Yes The roaming user profile is updated on the network when the user logs off When the user logs on again from anywhere in the network (where the profile is accessible), the profile will be copied to the local computer _ _ Log off Windows 2000 Log off Windows 2000 Module 5: Administering User Accounts Exercise 2: Creating Home Directories Scenario: Your employees need a network location to store documents that they can access from anywhere in the network You could let everyone use My Documents, which is in each of their profiles, but for compatibility with older applications you have decided to create home folders for the users Your Tasks: Configure the user accounts to store their documents in home folders Verify the creation of the home folders Task Detail Modify the user account to use a home folder located at \\London\Users\DomainName\ %username% If you are on computer A, modify the User54 account If you are on computer B, modify the User55 account Log on as Administrator Start Active Directory Users and Computers, and maximize the window Expand Domain.nwtraders.msft (where Domain is your domain), and then click Users If you are on computer A, in the details pane, right-click User54, and then click Properties If you are on computer B, in the details pane, right-click User55, and then click Properties On the Profile tab, click Connect Select H for the drive letter In the To box, type \\london\users\DomainName\%username% (where DomainName is your domain, such as \\London\Users\Asia\%username%) Why should you use the %username% replaceable parameter? When you use %username% the system will replace it with the user’s name and create a folder with the same name and assign permissions to only that user This way you ensure that the user is the only one who will have access to the folder _ _ Click OK to close the Properties box Close Active Directory Users and Computers Close Active Directory Users and Computers Verify the creation of the home folder on the server Click Start, and then click Run Type \\london\users\DomainName Were the home folders created? How you know they were created? Yes, there is a folder for each of the users in the domain _ _ Log off Windows 2000 Close Windows Explorer Log off Windows 2000 27 28 Module 5: Administering User Accounts # Troubleshooting User Accounts Slide Objective To provide solutions to user account access problems Lead-in When you administer user accounts, problems might arise Troubleshooting these problems is important in order to make sure that users can gain access to resources Err or User Profile Is Unusable or Corrupt User Profile Is Unusable or Corrupt Err or A User Cannot Gain Access to His or Her Home Folder A User Cannot Gain Access to His or Her Home Folder Err or A User Is Unable to Log On to the Network A User Is Unable to Log On to the Network The following table describes user account problems and provides possible causes and solutions Problem Delivery Tip Demonstrate how to delete a user profile Possible cause Solution The user profile is unusable or corrupt, and the user cannot log on The user received an error message during the logon process The user reconfigured his or her desktop to an unusable state, or the profile is corrupt Delete the user’s local profile and the roaming user profile on the server When the user logs on, Windows 2000 creates a new local user profile When the user logs off, it copies the local user profile to the roaming user profile location on the server A user cannot gain access to his or her home folder that is stored on a server The server containing the home folder is down, or the home folder path is incorrect Make sure that the server is on If it is, re-enter the correct home folder path in the Properties dialog box for the user A user is unable to log on and gain access to the network Determine whether the user account is locked out The user might have violated a Group Policy Unlock the user account in Active Directory Users and Computers Verify group policies that might have affected the user You might have to reset the password if the user has forgotten it Module 5: Administering User Accounts 29 # Best Practices Slide Objective To provide best practices for administering user accounts Configure Roaming User Profiles for All Users Configure Roaming User Profiles for All Users Lead-in Review this checklist before you modify user accounts, set up roaming user profiles, or set up home folders Use Mandatory Profiles When Identical Desktops Are Required Use Mandatory Profiles When Identical Desktops Are Required Store All Roaming User Profiles in the Same Location Store All Roaming User Profiles in the Same Location Direct Users to Store Their Documents in My Documents Direct Users to Store Their Documents in My Documents Consider the following best practices for administering user accounts and groups: !" Configure roaming user profiles for all users so that users always receive their desktop settings and documents, regardless of the computer to which they log on In addition, it is easier to back up user profiles if they are stored on a server !" Use mandatory roaming user profiles that are pre-configured when multiple users require identical desktop environments or when multiple users will be using the same account to log on !" Store all roaming user profiles in a shared location on a member server instead of a domain controller This simplifies the administration, troubleshooting, and backing up of roaming user profile files It will also direct network traffic away from the domain controllers for logon validation !" Direct users to store their documents in My Documents instead of home folders It is the default location for storing data in Microsoft applications If the length of the logon process becomes an issue, then use home folders Windows 2000 does not copy the contents of a user’s home folder to the client computer during the logon process 30 Module 5: Administering User Accounts Review Slide Objective To reinforce module objectives by reviewing key points ! Finding User Accounts ! Administering User Accounts The questions in your workbook cover critical points ! Managing User Profiles ! Creating Home Folders Please take a few moments to answer the questions, and then we will discuss them as a class ! Introduction to Group Policies ! Troubleshooting User Accounts ! Best Practices Lead-in You know the e-mail alias from a security log of an employee How can you find the name of the user? You can locate the user in Active Directory by using the Find feature in Active Directory Users and Computers There is a new employee in your company with the same job responsibilities as a previous employee What should you to provide this new employee with a user account that has the same access and rights as the previous employee? If you want a new user to have all of the properties of a former user, including permissions, desktop settings, and group membership, rename the former employee’s user account When you rename an account, you not have to rebuild all of the properties as you for a new user account A new employee has just joined your company You provide the employee with a user account What must you to ensure that the new employee has a user profile on a client computer running Windows 2000? Nothing When a user logs on for the first time on a computer running Windows 2000, Windows 2000 creates a default user profile for that user Windows 2000 automatically saves the user profile on the local computer (systempartition\Documents and Settings\user_logon_name) Module 5: Administering User Accounts 31 An employee has been working on her own computer in her office She has been given a special assignment that requires her to work at multiple client computers throughout the company What should you with her user profile, and why? If the user wants to retain personalized settings, you would change her profile to a roaming user profile located on a server Her settings would be downloaded to her local computer whenever she logged on to any of the computers in the network What you to ensure that a user on a client computer running Windows 2000 has a roaming user profile? Firstly, create a shared folder on a network server Secondly, in the Properties dialog box for the user, provide a path to the folder on the server The next time that the user logs on, Windows 2000 creates the roaming user profile You are setting up home folders for all employees in your organization What procedure should you follow? Firstly, create and share a folder on a server Secondly, change the permission for the folder to Full Control for the Users group Thirdly, in the Properties dialog box for the user, provide a path to the folder, including the name of the individual user’s home folder (\\server_name\shared_folder_name\user_logon_name) What can you if a user whom you administer cannot gain access to a special printer that the user needs to his or her job because of a Group Policy restriction? You must contact the Group Policy administrator and resolve the conflict This page intentionally left blank ... nt5admin User1 User Admin Open user? ??s home page Builtin User2 User Admin Send mail Computers User3 User Admin Domain Controllers Task Users User4 User Admin Acct User4 User Vendor Delete User5 User. .. Rename User6 User Admin User7 User Admin Properties User8 User Admin Help User9 User Disabled AccountsAdmin Disabled Accounts User1 0 User Admin Some modifications affect the functionality of user accounts. .. addition of User5 1, User5 2, User5 3, User5 4, User5 5, and User5 6 in the Users container Module 5: Administering User Accounts Overview Slide Objective To provide an overview of the module topics