July 01, 1998 12:00 AM

Windows NT Users and Groups

Windows IT Pro
InstantDoc ID #3597
Add and configure new users

Last month I discussed user accounts and explained the difference between workgroup and domain accounts. This month I explain how you can set up user accounts, and I discuss the options you can configure to manage users.

Adding a New User
To set up a new user account, open User Manager for Domains (in the Administrative Tools group). To set up a user account when logged on locally to a Windows NT workstation, use the User Manager utility instead. From the User drop-down menu, select New User. Screen 1, page 210, shows the dialog box for adding a new user. You must specify a username, which can contain as many as 20 upper- and lower-case characters. When a user logs on, the username is not case sensitive, but NT preserves case. You cannot use certain characters (e.g., punctuation). For a list of illegal characters, click Help, Contents, and select Manage User Accounts/Creating a New User Account. The apostrophe is legal, but it can cause problems with SQL Server logins, so you might have to coordinate with your database administrator. Avoid putting spaces in a username so that you do not have to enclose the username in quotation marks when you use it in a batch file. Avoid names with hyphens and underscores because of incompatibilities with Internet email.
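The naming rules above can be applied as a pre-flight check before accounts are created. The following Python sketch is an added example, not part of the original article; the illegal-character set is the one Microsoft documents for NT account names (the article only points to User Manager Help for it), and the account names are constructed samples.

```python
# Added example: pre-flight check for proposed NT usernames.
# ILLEGAL is the character set Microsoft documents for NT account names;
# the article itself only refers the reader to User Manager Help for it.
ILLEGAL = set('"/\\[]:;|=,+*?<>')
MAX_LEN = 20  # limit stated in the article

def check_username(name, existing=()):
    """Return (errors, warnings) for a proposed username."""
    errors, warnings = [], []
    if not name or len(name) > MAX_LEN:
        errors.append(f"length must be 1-{MAX_LEN} characters")
    bad = sorted(set(name) & ILLEGAL)
    if bad:
        errors.append("illegal characters: " + " ".join(bad))
    # Logon is case-insensitive, so names differing only in case collide.
    if name.lower() in {e.lower() for e in existing}:
        errors.append("collides with an existing account (case-insensitive)")
    # Legal but troublesome choices the article advises against.
    if "'" in name:
        warnings.append("apostrophe: coordinate SQL Server logins with the DBA")
    if " " in name:
        warnings.append("space: must be quoted in batch files")
    if "-" in name or "_" in name:
        warnings.append("hyphen/underscore: may break Internet email addressing")
    return errors, warnings

# Constructed sample data, not real accounts.
EXISTING = ["Brian", "Administrator"]
SAMPLES = ["cindy", "BRIAN", "o'neil", "temp user", "sql_exec", "a*b", "x" * 21]

if __name__ == "__main__":
    for s in SAMPLES:
        errs, warns = check_username(s, EXISTING)
        status = "REJECT" if errs else ("WARN" if warns else "OK")
        print(f"{status:6} {s!r}: {'; '.join(errs + warns)}")
```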

Assigning SIDs and Usernames
When you add a user to the accounts database, NT creates a security ID (SID). A SID is a long, computer-generated string that uniquely identifies each user account. The system associates security permissions with SIDs rather than usernames.

If a person leaves the department or company, you can change the person's username to accommodate a new employee. Suppose you have a programmer, Brian, who quits, and you replace him with another programmer, Cindy. To add Cindy as a user, you must give her the same group memberships and permissions as Brian. You can copy Brian's account for the new account, and then delete Brian from the account database. But you must take ownership of Brian's files, and then let Cindy take ownership of them. (You can let someone take ownership, but you cannot give ownership.) An easier method is to change the username on the account from Brian to Cindy. The SID remains the same, but Cindy then owns the files.

Changing usernames is easy. From the main User Manager dialog box, click User, Rename. Enter the new name, and click OK. Assign the user a new password. If you temporarily disabled the account to ensure that no one could log on to it until you reassigned it, you will need to reenable the account.
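Why a rename preserves file ownership while copy-and-delete does not can be shown with a small model. This Python sketch is an added example, not part of the original article: it decodes the binary SID layout into the familiar S-1-5-21-... string and keeps a toy accounts database; the domain identifier, starting RID, and file name are constructed.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated or oversized SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def make_sid(domain_subs, rid):
    """Build a constructed domain-account SID (S-1-5-21-<domain>-<rid>)."""
    subs = (21, *domain_subs, rid)
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

class AccountDB:
    """Toy accounts database: usernames are labels, SIDs are identity."""
    def __init__(self, domain_subs):
        self.domain, self.next_rid, self.users = domain_subs, 1000, {}
    def add(self, name):
        self.users[name] = sid_to_string(make_sid(self.domain, self.next_rid))
        self.next_rid += 1                      # every new account gets a new RID
        return self.users[name]
    def rename(self, old, new):
        self.users[new] = self.users.pop(old)   # same SID, new label
    def delete(self, name):
        del self.users[name]

def demo():
    db = AccountDB((111, 222, 333))             # constructed domain identifier
    brian = db.add("Brian")
    file_owner = {"payroll.c": brian}           # ownership is stored by SID
    db.rename("Brian", "Cindy")
    renamed_owns = file_owner["payroll.c"] == db.users["Cindy"]
    # Alternative path: create a separate account, then delete the original.
    db2 = AccountDB((111, 222, 333))
    old = db2.add("Brian"); new = db2.add("Cindy"); db2.delete("Brian")
    copied_owns = old == new                    # False: files still name the old SID
    return brian, renamed_owns, copied_owns

if __name__ == "__main__":
    print(demo())
```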

Configuring a New User
To configure a new user, you must assign a full name, description, and password, as Screen 1, page 210, shows. You can use any name and description you think are appropriate because these labels merely help identify the user. Passwords are case sensitive, so be sure to turn off Caps Lock. A password can be as many as 14 characters, and the same character restrictions apply as for usernames. NT hides the password as you type it, and you must type it twice for verification.

Password options. You need to set certain password options. When you add a new user, NT enables the User Must Change Password at Next Logon option by default. The user must choose a new password, and the administrator-assigned password becomes invalid. Therefore, the administrator cannot log on as the user, and the system remains secure.

For low-security accounts (e.g., temporary employee accounts, public-access accounts), you might enable the User Cannot Change Password option. In these cases, you do not want a user to be able to change the password and lock out others.

In NT, you cannot vary the length of time for which each password is valid. You can assign passwords that never expire, or you can specify all passwords to expire in a certain number of days. To override a password expiration policy, you must use the Password Never Expires option. Administrators frequently use this option for accounts such as the Replication account and the SQL Executive account. These accounts are not true user accounts; NT services use these accounts to log on behind the scenes. Therefore, these accounts do not interact with the desktop and cannot request a new password if the old one expires. Services typically start with account name and password verification. If the password expires, you must assign a new password and then reconfigure the service. Hackers can use these service accounts to break in, so use a password that is difficult to crack.


Comments
  • Jeff Petersen
    13 years ago
    Sep 28, 1999

    Nice article on the security basics, however what feature does NT Server 4.0 use to provide a list of all present permissions granted to NT group and user accounts, in lieu of having to hunt and peck through each folder by right clicking each folder?


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.