Active Directory Groups

Group accounts have also changed in Windows 2000. Unlike NT 4, where we only found Global and Local groups, Windows 2000 includes new group types, scopes and abilities. Before we discuss these, however, we need to look at something referred to as the ‘mode’ of a domain. By default, all domains are created in what is called Mixed Mode. In this mode, NT 4 BDCs can still exist, and many of the rules associated with an NT 4 domain still apply. Once all domain controllers have been upgraded to Windows 2000, the domain can be switched into what is referred to as Native Mode. This is a one-way process. Note that even if you are not upgrading an NT 4 domain, a new Windows 2000 domain is still created in Mixed Mode, and the change to Native Mode must be made before many of the new features with respect to users and groups can be used.

Windows 2000 supports two types of groups. The first are very similar to groups in NT 4, and are referred to as Security groups. Quite simply, a security group has a SID, and as such can be part of a Discretionary Access Control List (DACL), the list of users and groups that have permissions to access a resource. The second type of group is called a Distribution group, and exists for the purpose of sending email messages to a group of users. This functionality largely exists for Exchange 2000 integration. Distribution groups have no SID, and as such cannot be added to a DACL. You may be asking why it is necessary to make a distinction. The reason relates to what happens when a user logs on: a security token gets created that lists their SID and the SIDs of the groups they are part of. The larger the number of security groups a user belongs to, the larger the security token for that user, and the longer it will take to log on. Distribution groups provide an easy and less resource-intensive way to integrate messaging technologies with Active Directory without growing the token.
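As an added example (not code from the original article), the following PowerShell uses the ActiveDirectory module from RSAT to check the domain mode, create one security group and one distribution group that differ in nothing else, and read back the groupType attribute bit that decides whether a group can appear in a DACL. It closes by counting the group SIDs in the current logon token, which is the cost the article attributes to security groups. The OU path and the group names are assumptions.

```powershell
# Added example, not from the original article. Needs the ActiveDirectory module
# (RSAT) and rights to create groups in the OU below; the OU path and group names
# are assumptions for illustration.
Import-Module ActiveDirectory

# Mixed vs. native mode: universal security groups and group nesting need native mode.
$domain = Get-ADDomain
"Domain {0} is running in mode: {1}" -f $domain.DNSRoot, $domain.DomainMode

$ou = "OU=Groups,$($domain.DistinguishedName)"   # assumed OU

# Two groups that differ only in category: one can carry permissions, one cannot.
New-ADGroup -Name "Finance-Share-Read" -GroupScope Global -GroupCategory Security     -Path $ou
New-ADGroup -Name "Finance-Newsletter"  -GroupScope Global -GroupCategory Distribution -Path $ou

# The difference lives in the groupType attribute: bit 0x80000000 ("security enabled")
# set means the group may appear in a DACL; the low bits encode the scope.
$scopeBits = @{ 0x2 = "Global"; 0x4 = "DomainLocal"; 0x8 = "Universal" }
foreach ($name in "Finance-Share-Read", "Finance-Newsletter") {
    $g = Get-ADGroup -Identity $name -Properties groupType
    $securityEnabled = ([int64]$g.groupType -band 0x80000000) -ne 0
    $scope = $scopeBits[[int]([int64]$g.groupType -band 0xE)]
    "{0,-20} category={1,-12} scope={2,-11} usableInDACL={3}" -f `
        $g.Name, $g.GroupCategory, $scope, $securityEnabled
}

# Why the distinction matters for logon time: every security group the caller belongs
# to (directly or through nesting) becomes a SID in the access token; distribution
# groups never appear there.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"{0} logged on with {1} group SIDs in the token" -f $token.Name, $token.Groups.Count
```

Run it from a workstation with RSAT as a user allowed to create objects in the assumed OU. The groupType check is the reliable way to tell the two categories apart in scripts, since a distribution group can be converted to a security group later and only this bit records which it currently is.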

User Accounts in Active Directory

Every user that needs to log into the domain will require a user account. Note that the account can be created within any container (built-in, or an OU that you create), since these are all still technically ‘domain’ accounts. The user will still only need to supply the domain they wish to log into, not the container in which their account actually exists. Unlike NT 4, where the properties relating to a user account were very limited, in Active Directory user account properties are quite extensive. Most of these are not configured during the account creation process, but afterwards, by accessing the properties of an account. As in NT 4, you can change the properties of multiple accounts simultaneously by selecting many accounts and then accessing their properties collectively. The property tabs found on a domain user account differ based on the services installed. For example, if Exchange 2000 is installed, a user’s mail configuration is done from the property sheets. Note that to view some tabs, you must choose Advanced Features from the View menu. The default tabs and their purposes are listed below:

  • General – contains basic information about the user including first name, last name, email address, etc.
  • Address – home address of the user
  • Account – user account details, including logon name, logon hours, account options, and account expiry.
  • Profile – user profile and logon script information, as well as home directory details.
  • Telephones – various phone numbers for the user.
  • Organization – information on title, department, and manager.
  • Environment – Terminal Services startup information.
  • Sessions – settings relating to Terminal Services sessions, such as idle session disconnect.
  • Remote Control – settings relating to Terminal Services remote control options.
  • Terminal Services Profile – information relating to the Terminal Services profile and home directory, and allowing/disallowing logon to a terminal server.
  • Published Certificates – listing of user’s X.509 certificates and purposes.
  • Member Of – listing of groups the user is a member of.
  • Dial-in – Dial-in settings for this user, including items such as callback settings.
  • Object – shows the fully qualified name of the user object and when it was created.
  • Security – shows the access control list associated with this object.
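The tabs above are views onto attributes of the user object, so anything the console shows can also be read or set in bulk. The PowerShell below, an added example rather than the article's own material, maps each default tab to the attribute names the ActiveDirectory module exposes, dumps them for one user, and then reads the object's own DACL, which is what the Security tab displays and which decides who can alter the other tabs. The user name "dan" and the OU path are assumptions.

```powershell
# Added example, not from the original article. Reads the attributes behind the
# property tabs for one user and lists who may change that object (the Security tab).
# The sAMAccountName "dan" and the staff OU are assumptions.
Import-Module ActiveDirectory

# Tab name as shown in Active Directory Users and Computers -> property names
# returned by Get-ADUser -Properties *
$tabToAttributes = [ordered]@{
    "General"      = "GivenName", "Surname", "EmailAddress", "Description"
    "Address"      = "StreetAddress", "City", "State", "PostalCode"
    "Account"      = "SamAccountName", "UserPrincipalName", "logonHours", "AccountExpirationDate", "Enabled"
    "Profile"      = "ProfilePath", "ScriptPath", "HomeDirectory", "HomeDrive"
    "Telephones"   = "OfficePhone", "MobilePhone"
    "Organization" = "Title", "Department", "Manager"
    "Member Of"    = "MemberOf"
    "Dial-in"      = "msNPAllowDialin"
    "Object"       = "DistinguishedName", "Created"
}

$user = Get-ADUser -Identity "dan" -Properties *   # assumed user

foreach ($tab in $tabToAttributes.Keys) {
    "--- $tab ---"
    foreach ($attr in $tabToAttributes[$tab]) {
        "{0,-22} {1}" -f $attr, ($user.$attr -join "; ")
    }
}

# Security tab: the object's own DACL. Anyone granted write rights here can change
# the attributes above, including group membership and logon restrictions, so this
# list is worth reviewing for accounts that hold privileged group memberships.
"--- Security ---"
(Get-Acl -Path "AD:\$($user.DistinguishedName)").Access |
    Where-Object { $_.ActiveDirectoryRights -match "Write|GenericAll" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize

# Changing several accounts at once, the scripted equivalent of multi-selecting
# them in the console and editing their properties collectively.
$staffOU = "OU=Staff,$((Get-ADDomain).DistinguishedName)"   # assumed OU
Get-ADUser -Filter 'Department -eq "Finance"' -SearchBase $staffOU |
    Set-ADUser -ScriptPath "finance-logon.bat"
```

The AD: drive used for Get-Acl is created when the ActiveDirectory module loads. The attribute names in the table are the module's friendly names; logonHours and msNPAllowDialin have no friendly alias and appear under their LDAP names.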

Managing Domain Users and Groups

Local users and groups exist only in the SAM of a local Windows 2000 system, and can only be used for access on the system on which they exist. Because administration of such accounts is spread across every machine, they are not practical in a large environment. For that reason most companies have a domain, which centralizes user and group administration, as well as the authentication function, on Windows 2000 Servers acting as domain controllers. Domain controllers do not have a local SAM, but instead share and replicate the Active Directory database, where user and group objects (amongst other things) exist. In this section we’ll look at account features that carry over from NT 4, and at some that have changed.

First of all, every account in Active Directory is an object, and objects can have properties. Examples of properties include things like a first name, last name, password, phone number, and so forth. There are many more properties associated with a domain user account than a local user account.

In very basic terms, local accounts are still very much like accounts in NT 4, while Windows 2000 domain accounts potentially have many more properties associated with them. Domain accounts (users, groups, computers, etc.) are set up using the Active Directory Users and Computers tool.

Some basic things you should know about user and group accounts in a domain environment in Windows 2000:

  • User accounts and security group accounts still have a SID (security identifier) associated with them. Renaming an account retains the SID, and may be a good idea if one person in the company replaces another, since the new person inherits the resource access granted to that SID.
  • If you delete a user account, you also delete the associated SID. Creating another account with the same name will produce a new SID, and therefore an entirely new account.
  • If a person is going on a leave of absence, you can still disable an account.
  • The domain administrator and guest accounts cannot be deleted, but can (and probably should) be renamed. The Guest account is disabled by default.
  • You can still copy domain user accounts, as in NT 4. Note that only generic items will be copied, such as group membership and so forth. More specific properties, such as a user’s home address, will not be copied. Copying accounts is most useful if you create a template account for each type of user. (Note that if you create a template account and disable it, all accounts copied from this template will also be disabled until you specifically enable them.) Note also that if you copy an account called Mike, for example, and the copy is called Bob, access permissions assigned directly to the Mike account are NOT copied to Bob, because Bob receives a new SID.
  • When dealing with group accounts, you can easily find out what other groups this group is a part of by checking the Member Of property tab. The Members tab shows other users and groups who are part of this group.

Note that Windows 2000 supports three group scopes: Domain Local, Global, and Universal. Groups can also be nested in Windows 2000, meaning a group can be a member of another group (subject to rules about which scopes may contain which). Note that group nesting and Universal groups are only supported in Native mode (a mode where all domain controllers are running Windows 2000), and not in Mixed mode (where you might still have NT 4.0 BDCs present).
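The points above about SIDs (rename keeps them, delete destroys them, disabling preserves them) and about group nesting are easiest to see in a script. The following PowerShell is an added example, not code from the article: it renames an account and confirms the SID survived, disables an account and lists disabled accounts, deletes an account and then looks for the orphaned SID entries that deletion leaves in a share's ACL, checks the built-in Administrator and Guest by RID rather than by name, and expands a nested group the way the logon token would. Account names, the share path, the group name and the domain are assumptions.

```powershell
# Added example, not from the original article. Shows why renaming keeps access while
# deleting loses it, and how to find the orphaned SIDs a deletion leaves behind.
# Account names, the share path and the group name are assumptions.
Import-Module ActiveDirectory

# 1. Rename: Mike leaves, Bob takes over the same role. The SID (and so every ACE
#    that references it) survives the rename.
$mike = Get-ADUser -Identity "mike"
$sidBefore = $mike.SID.Value
Rename-ADObject -Identity $mike.DistinguishedName -NewName "Bob Smith"
Set-ADUser -Identity $sidBefore -SamAccountName "bob" -GivenName "Bob" -Surname "Smith" `
           -UserPrincipalName "bob@$((Get-ADDomain).DNSRoot)" -DisplayName "Bob Smith"
$sidAfter = (Get-ADUser -Identity "bob").SID.Value
"SID unchanged after rename: {0}" -f ($sidBefore -eq $sidAfter)

# 2. Leave of absence: disable rather than delete, so the SID and its permissions stay.
Disable-ADAccount -Identity "carol"
Search-ADAccount -AccountDisabled -UsersOnly | Select-Object SamAccountName, DistinguishedName

# 3. Delete: the SID is gone for good. ACEs that still name it show up as a bare
#    S-1-5-21-... string instead of DOMAIN\user; these orphans should be cleaned up,
#    since a SID that can no longer be resolved is also a SID nobody is reviewing.
Remove-ADUser -Identity "temp01" -Confirm:$false
$orphans = (Get-Acl -Path "\\server2\finance").Access |
    Where-Object { $_.IdentityReference.Value -match '^S-1-5-21-' }
$orphans | Select-Object IdentityReference, FileSystemRights, AccessControlType

# 4. Built-in Administrator and Guest cannot be deleted, but check they are renamed
#    and that Guest is disabled. RIDs 500 and 501 identify them regardless of name.
$domainSid = (Get-ADDomain).DomainSID.Value
foreach ($rid in 500, 501) {
    $acct = Get-ADUser -Identity "$domainSid-$rid"
    "RID {0}: name={1} enabled={2}" -f $rid, $acct.SamAccountName, $acct.Enabled
}

# 5. Nesting (native mode only): -Recursive expands groups inside groups, which is
#    the membership the logon token will actually carry.
Get-ADGroupMember -Identity "Finance-Share-Read" -Recursive |
    Select-Object objectClass, SamAccountName
```

Step 4 is the check to script after renaming the built-in accounts: the names are free to change, but the RID is fixed, so auditing by RID catches the case where a renamed Guest account has quietly been re-enabled.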

User Profiles

Windows 2000 maintains a user’s desktop configuration and environment settings in what is called a user profile. Settings found in a user profile include things like the wallpaper the user has set, the placement of the icons on their desktop, mouse settings and so forth. In Windows 2000, a user’s profile can be found under the folder Documents and Settings, in a folder that maps to their user name.

If the system has been upgraded from NT 4, however, profiles will still be found under the %systemroot%\profiles folder.

By default, all user profiles are local. That means that when a user logs on to a system for the first time, they receive a new profile, and any changes they make are stored on that machine only. By contrast, you can also store user profiles on a server so that they follow users as they move from machine to machine. These are referred to as roaming profiles. When a user logs off a system, their settings (including any changes they have made) are saved back to the central server. Note that certain folders, such as My Pictures and My Documents, are part of the user profile. As such, if you are using roaming profiles and a user has a number of large files in these folders, it can cause significant network load. However, Windows 2000 does keep a locally cached copy of roaming profiles on a system, so if a user has a large roaming profile and usually uses the same machine, only the changes are copied back and forth, not the entire profile every time they log on.

Roaming profiles are configured in the properties of a user account (on the Profile tab), by providing a UNC path to where the profile is stored, such as \\server2\profiles\dan. To make things simpler, consider setting user accounts up for roaming profiles by using the %username% variable instead of the actual user name. This will automatically create a profile location on the server with the same name as that of the user (if you do this, only the administrator and the user will have full control over the profile by default, provided the target volume is formatted NTFS). If you want to take an existing local profile and change it to roaming, you must set the properties on the user account as mentioned above, as well as copy the local profile to the server using the Copy To button on the Profiles tab in the System program.

As in NT 4, you can still make a profile mandatory (unchangeable) by renaming the Ntuser.dat file in the profile to Ntuser.man.
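As an added example (not from the original article), the PowerShell below does the three profile tasks just described with the ActiveDirectory module: it points an OU of users at a profile share using the %username% variable, reviews existing roaming profile folders so that nobody other than the user and Administrators can write to them (a writable roaming profile lets someone else change what loads at the user's next logon), and makes a prepared profile mandatory by renaming Ntuser.dat to Ntuser.man. The server, share, OU and template folder names are assumptions.

```powershell
# Added example, not from the original article. Configures roaming profiles with the
# %username% variable, checks that existing profile folders are not writable by other
# users, and makes a profile mandatory. Server, share, OU and user names are assumptions.
Import-Module ActiveDirectory

$profileShare = "\\server2\profiles"   # assumed share on an NTFS volume
$domain       = Get-ADDomain

# 1. Point a whole OU at the share. %username% is stored literally in profilePath and
#    expanded at logon, so one value serves every account.
$staffOU = "OU=Staff,$($domain.DistinguishedName)"   # assumed OU
Get-ADUser -Filter * -SearchBase $staffOU |
    Set-ADUser -ProfilePath "$profileShare\%username%"

# 2. Review existing roaming profile folders: only the user, SYSTEM and Administrators
#    should have write access. Anyone else with write access could plant files or
#    registry settings (ntuser.dat) that load at the next logon.
$allowedWriters = "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM"
Get-ADUser -Filter 'ProfilePath -like "*"' -Properties ProfilePath | ForEach-Object {
    $path = $_.ProfilePath -replace '%username%', $_.SamAccountName
    if (-not (Test-Path -LiteralPath $path)) { return }
    $userName = "$($domain.NetBIOSName)\$($_.SamAccountName)"
    $extraWriters = (Get-Acl -LiteralPath $path).Access | Where-Object {
        $_.AccessControlType -eq "Allow" -and
        $_.FileSystemRights -match "Write|Modify|FullControl" -and
        $_.IdentityReference.Value -notin ($allowedWriters + $userName)
    }
    if ($extraWriters) {
        "WARNING {0}: writable by {1}" -f $path, ($extraWriters.IdentityReference.Value -join ", ")
    }
}

# 3. Mandatory profile: the user loads it at logon but changes are discarded at logoff.
#    The folder is assumed to have been populated with Copy To beforehand.
$templatePath = "$profileShare\kiosk"   # assumed template profile folder
Rename-Item -LiteralPath "$templatePath\ntuser.dat" -NewName "ntuser.man"
```

Step 2 is worth running on a schedule: the default ACL the article describes is only applied when the server creates the folder at first logon, and a profile folder copied or recreated by hand often ends up with broader rights.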

User and Group Settings

In Windows 2000 Professional, users and groups are created using the Computer Management tool’s Local Users and Groups extension. W2K Pro still includes only two user accounts by default, Administrator and Guest. Similar to NT 4, the Guest account is disabled by default. Both accounts can be renamed, though neither can be deleted. A number of built-in groups also exist by default, some of which allow you to control membership (local groups), and some of which control membership automatically (system groups). The table below outlines the built-in groups you will find, but of course you can still create your own local groups.

Built-in Local Groups:
  • Administrators
  • Backup Operators
  • Guests
  • Power Users
  • Replicator
  • Users

Built-in System Groups:
  • Anonymous Logon
  • Authenticated Users
  • Creator Owner
  • Dialup
  • Everyone
  • Interactive
  • Network
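The difference between the two lists is that local groups have a member list you edit, whereas system groups are identities the operating system adds to a token according to how the logon happened. The following PowerShell is an added example, not from the article: it checks the two built-in accounts, prints the membership of each built-in local group, and resolves each system group from its well-known SID, reporting whether the current session carries it. It needs the Microsoft.PowerShell.LocalAccounts module, which ships with Windows 10 and Server 2016 and later, so it illustrates the same groups on a current system rather than on Windows 2000 itself.

```powershell
# Added example, not from the original article. Lists the built-in local groups and
# their members on the current machine (the groups whose membership you control) and
# resolves the system groups, whose membership the OS assigns from the logon type.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

# 1. Built-in accounts: both exist, neither can be deleted; Guest should stay disabled.
Get-LocalUser -Name "Administrator", "Guest" | Select-Object Name, Enabled, SID

# 2. Local groups: the ones whose membership you control. Administrators, Power Users
#    and Backup Operators deserve a regular review, since each grants elevated access.
foreach ($groupName in "Administrators", "Backup Operators", "Guests", "Power Users", "Replicator", "Users") {
    $members = Get-LocalGroupMember -Group $groupName -ErrorAction SilentlyContinue
    "{0,-17} {1}" -f $groupName, (($members | ForEach-Object { $_.Name }) -join ", ")
}

# 3. System groups: there is no member list to edit. Each is a well-known SID the OS
#    puts in a token based on how the logon happened (interactive, over the network,
#    anonymous, ...). Translating the SID gives the name shown in ACL editors, and
#    comparing it with the current token shows which ones apply to this session.
$systemGroups = [ordered]@{
    "Anonymous Logon"     = [System.Security.Principal.WellKnownSidType]::AnonymousSid
    "Authenticated Users" = [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid
    "Creator Owner"       = [System.Security.Principal.WellKnownSidType]::CreatorOwnerSid
    "Dialup"              = [System.Security.Principal.WellKnownSidType]::DialupSid
    "Everyone"            = [System.Security.Principal.WellKnownSidType]::WorldSid
    "Interactive"         = [System.Security.Principal.WellKnownSidType]::InteractiveSid
    "Network"             = [System.Security.Principal.WellKnownSidType]::NetworkSid
}
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
foreach ($entry in $systemGroups.GetEnumerator()) {
    $sid     = New-Object System.Security.Principal.SecurityIdentifier($entry.Value, $null)
    $name    = $sid.Translate([System.Security.Principal.NTAccount]).Value
    $inToken = $token.Groups.Value -contains $sid.Value
    "{0,-20} {1,-8} -> {2,-32} in current token: {3}" -f $entry.Key, $sid.Value, $name, $inToken
}
```

Run locally, Interactive is true and Network is false; run the same script through a remote session and the two flip, which is the practical meaning of "membership is controlled automatically". Creator Owner never appears in a token at all: it is a placeholder in inheritable ACEs that is replaced by the creating user's SID when an object is created.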