Windows NT 4.0 User and Group Management Guide
Introduction
User and group management is fundamental to Windows NT 4.0 security and administration. This guide covers creating, managing, and securing user accounts and groups using User Manager for Domains.
User Manager for Domains Overview
Accessing User Manager
Start → Programs → Administrative Tools → User Manager for Domains
Interface Components
- User List: Displays all user accounts
- Group List: Shows built-in and custom groups
- Menu Bar: Access to all management functions
- Status Bar: Current domain information
User Account Management
Creating User Accounts
- Basic Account Creation
  User → New User...
  Required Fields:
  - Username: Maximum 20 characters
  - Full Name: User's display name
  - Description: Account purpose
  - Password: Initial password
  - Confirm Password: Verify password
- Account Options
  [ ] User Must Change Password at Next Logon
  [ ] User Cannot Change Password
  [ ] Password Never Expires
  [ ] Account Disabled
- Best Practices
  - Use consistent naming convention (e.g., firstname.lastname)
  - Set "User Must Change Password at Next Logon"
  - Document account purpose in description
User Account Properties
Groups Tab
- Add user to groups
- View current group memberships
- Set primary group (for POSIX compliance)
Profile Tab
User Profile Path: \\server\profiles\%username%
Logon Script: login.bat
Home Directory:
[ ] Local Path: C:\Users\%username%
[X] Connect H: to \\server\home\%username%
Hours Button
- Set allowed logon hours
- Restrict access to business hours
- Different schedules for different users
Logon To Button
- Restrict which workstations user can access
- Enter NetBIOS computer names
- Leave blank for all workstations
Account Button
Account Expires:
[ ] Never
[X] End of: [Date]
Account Type:
[X] Global Account (Domain users)
[ ] Local Account (This computer only)
Dialin Button
- Configure RAS permissions
- Set callback options
- Control remote access
Managing Multiple Users
Copy User
- Select existing user
- User → Copy...
- Modify unique fields
- Maintains group memberships and settings
Bulk Operations
Using command line tools:
REM Create user from command line
net user john.doe Password123 /add /domain
REM Add to group
net group "Domain Users" john.doe /add /domain
REM Set properties
net user john.doe /expires:12/31/2024 /domain
Group Management
Built-in Groups
Global Groups
- Domain Admins: Full administrative access
- Domain Users: All domain users
- Domain Guests: Guest access
Local Groups
- Administrators: Local admin rights
- Backup Operators: Backup/restore permissions
- Power Users: Create users, share resources
- Users: Standard user access
- Guests: Minimal access
- Replicator: Directory replication
Creating Custom Groups
- Create Global Group
  User → New Global Group...
  Group Name: Sales_Team
  Description: Sales Department Staff
  Members: Add users
- Create Local Group
  User → New Local Group...
  Group Name: File_Managers
  Description: File share administrators
  Members: Can include global groups
Group Strategies
AGLP Strategy (Microsoft Recommended)
- Accounts go into
- Global groups, which go into
- Local groups, which get
- Permissions
Example:
Users (John, Jane) → Global Group (Sales_Team) →
Local Group (File_Readers) → NTFS Permissions
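The AGLP chain above, carried out from the command line as an added example (this script is not part of the original guide). It assumes the accounts john.doe and jane.doe already exist, that the domain is called MYDOMAIN, and that the share folder is D:\SalesDocs on the server where the script runs; all three are placeholders.

```batch
@echo off
REM SetupAGLP.bat - worked AGLP example (added illustration, not from the guide).
REM Run on the file server with domain administrator rights.
REM Assumed placeholders: MYDOMAIN, D:\SalesDocs, john.doe, jane.doe.

REM A -> G: accounts go into a global group (domain scope)
net group Sales_Team /add /domain
net group Sales_Team /comment:"Sales Department Staff" /domain
net group Sales_Team john.doe jane.doe /add /domain

REM G -> L: the global group goes into a local group on the resource server
net localgroup File_Readers /add
net localgroup File_Readers /comment:"Read access to the Sales share"
net localgroup File_Readers MYDOMAIN\Sales_Team /add

REM L -> P: only the local group gets NTFS permissions on the folder
REM /T = whole tree, /E = edit the ACL in place, /G = grant, :R = read, :F = full
cacls D:\SalesDocs /T /E /G Administrators:F
cacls D:\SalesDocs /T /E /G File_Readers:R

REM Remove the default Everyone entry last, so access flows only through
REM the Accounts -> Global -> Local -> Permissions chain
cacls D:\SalesDocs /T /E /R Everyone

REM Show the resulting ACL for the change record
cacls D:\SalesDocs
```

Granting Administrators first and removing Everyone last keeps the folder reachable at every step; a user's effective access is then changed only by moving the account in or out of Sales_Team, never by touching the ACL.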
Managing Group Memberships
Add Users to Groups
- Select group
- User → Properties
- Click Add
- Select users
- Click OK
View User's Groups
- Select user
- User → Properties
- Click Groups button
- Shows all group memberships
Security Policies
Account Policies
Access via Policies → Account:
Password Restrictions:
- Maximum Password Age: 42 days
- Minimum Password Age: 1 day
- Minimum Password Length: 8 characters
- Password Uniqueness: 5 passwords remembered
Account Lockout:
- Lockout after: 3 bad logon attempts
- Reset count after: 30 minutes
- Lockout Duration: 30 minutes (or Forever)
Forcibly disconnect users:
- When logon hours expire
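The password restrictions listed above can also be applied with NET ACCOUNTS, which is useful for scripting the same policy onto several domains and for recording the result. This script is an added example, not part of the original guide; the lockout settings have to be set in User Manager for Domains because NET ACCOUNTS in NT 4.0 has no switch for them.

```batch
@echo off
REM SetAccountPolicy.bat - applies the Account Policies values above with
REM NET ACCOUNTS (added illustration, not from the guide).
REM Run on a domain controller as an administrator.

REM Maximum Password Age: 42 days
REM Minimum Password Age: 1 day
REM Minimum Password Length: 8 characters
REM Password Uniqueness: 5 passwords remembered
net accounts /maxpwage:42 /minpwage:1 /minpwlen:8 /uniquepw:5 /domain

REM Forcibly disconnect users when logon hours expire; the number is the
REM grace period in minutes before the forced disconnect
net accounts /forcelogoff:5 /domain

REM Account lockout threshold, reset window and duration are not exposed by
REM NET ACCOUNTS in NT 4.0: set them under Policies -> Account in User Manager.

REM Print the effective policy so it can be pasted into the change record
net accounts /domain
```

Running `net accounts /domain` with no switches after the change is the verification step: the values it prints are what the domain controller will actually enforce.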
User Rights Policy
Access via Policies → User Rights:
Critical Rights to Configure
Advanced User Rights:
Access this computer from network:
- Domain Users
- Administrators
Log on locally:
- Administrators (on servers, limit this)
- Power Users (on workstations)
Take ownership of files:
- Administrators only
Shut down the system:
- Administrators
- Power Users (workstations only)
Back up files and directories:
- Administrators
- Backup Operators
Change the system time:
- Administrators only
Audit Policy
Configure via Policies → Audit:
Recommended Audit Settings:
[X] Logon and Logoff
[X] Success [X] Failure
[X] File and Object Access
[ ] Success [X] Failure
[X] Use of User Rights
[ ] Success [X] Failure
[X] User and Group Management
[X] Success [X] Failure
[X] Security Policy Changes
[X] Success [X] Failure
Profile Management
User Profiles Types
- Local Profile
  - Stored on workstation
  - Path: %SystemRoot%\Profiles\username
  - Unique to each computer
- Roaming Profile
  - Stored on server
  - Path: \\server\profiles\username
  - Follows user to any workstation
- Mandatory Profile
  - Read-only roaming profile
  - Rename NTUSER.DAT to NTUSER.MAN
  - Changes not saved
Setting Up Roaming Profiles
- Create Profile Share
  Create folder: D:\Profiles
  Share as: Profiles$
  Permissions: Users - Change
- Configure User
  User Manager → User → Properties → Profile
  User Profile Path: \\server\profiles$\%username%
- First Logon
  - Profile created automatically
  - Copied from Default User profile
Home Directories
Server Setup
Create folder: D:\Home
Share as: Home$
Permissions: Users - Change
User Configuration
User Manager → User → Properties → Profile
Home Directory:
Connect H: to \\server\home$\%username%
The folder is created automatically with correct permissions.
Logon Scripts
Creating Logon Scripts
- Script Location
  Default: %SystemRoot%\System32\Repl\Import\Scripts
  Must be on domain controller
- Basic Script Example
```batch
@echo off
REM login.bat - Basic logon script

REM Synchronize time with the PDC (UNC names start with two backslashes)
net time \\PDC /set /yes

REM Map common drives
net use G: \\server\shared
net use H: \\server\home\%username%

REM Map department drives
REM NT sets no GROUP variable by itself; this assumes GROUP is set for the
REM user elsewhere (IFMEMBER, under Advanced Scripting, is the reliable test)
if "%GROUP%"=="Sales" net use S: \\server\sales
if "%GROUP%"=="IT" net use I: \\server\it

REM Set printer
net use lpt1: \\printserver\laser
```
- Assign to User
  User Manager → User → Properties → Profile
  Logon Script Name: login.bat
Advanced Scripting
Using the IFMEMBER.EXE utility (from the Windows NT Server Resource Kit):
```batch
REM Check group membership
REM IFMEMBER sets ERRORLEVEL to the number of listed groups the user belongs
REM to, so "if errorlevel 1" is true when the user is in at least one of them
ifmember "Domain Admins"
REM A: is normally the floppy drive, so a free letter such as V: is used here
if errorlevel 1 net use V: \\server\admin$
ifmember "Sales Team"
if errorlevel 1 (
    net use S: \\server\sales
    net use lpt1: \\server\salesprinter
)
```
Account Templates
Creating Templates
- Create Template Account
  Username: _Sales_Template
  Full Name: Sales Template Account
  Description: Template for Sales Users
  Account: Disabled
- Configure Template
  - Set group memberships
  - Configure profile path
  - Set home directory
  - Assign logon script
  - Configure hours and workstations
- Using Template
  - Select template
  - User → Copy
  - Enter new user details
  - Enable account
Department Templates
Create templates for each department:
- _Sales_Template
- _IT_Template
- _HR_Template
- _Finance_Template
Troubleshooting User Issues
Account Lockouts
- Check Lockout Status
  User Manager → Select User → Properties
  Look for "Account Locked Out" checkbox
- Unlock Account
  - Uncheck "Account Locked Out"
  - Investigate cause of lockout
  - Check bad password attempts
- Common Causes
  - Cached credentials
  - Service accounts
  - Mapped drives with old password
  - Scheduled tasks
Profile Issues
Corrupted Profile
Solutions:
1. Rename profile folder
2. User logs in, new profile created
3. Copy data from old profile
4. Delete corrupted profile
Profile Not Loading
Check:
1. Permissions on profile share
2. Network connectivity
3. Profile path spelling
4. Available disk space
Logon Problems
Cannot Log On
- Check account not disabled
- Verify password not expired
- Check logon hours restrictions
- Verify workstation restrictions
- Check domain controller availability
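The "Cannot Log On" checklist above, and the lockout check before it, can be worked through in one pass from the command line: NET USER prints the account state, expiry, logon hours and workstation restrictions, and FINDSTR keeps only those lines. This script is an added example, not part of the original guide; it assumes only the standard NT 4.0 NET and FINDSTR commands.

```batch
@echo off
REM CheckLogon.bat - shows the account settings behind the "Cannot Log On"
REM checklist for one user (added illustration, not from the guide).
REM Usage: CheckLogon.bat username
if "%1"=="" goto usage

REM Domain controller availability: ask the domain for the time first, so a
REM dead PDC is not mistaken for an account problem
net time /domain >nul 2>&1
if errorlevel 1 echo WARNING: no domain controller answered; check the network first

REM Account disabled / locked out, expiry, password expiry, logon hours and
REM workstation restrictions all appear in NET USER output; keep those lines
net user %1 /domain | findstr /i /c:"Account active" /c:"Account expires" /c:"Password expires" /c:"Logon hours allowed" /c:"Workstations allowed" /c:"Last logon"
if errorlevel 1 echo No such user %1 in the domain (or no fields matched)
goto end

:usage
echo Usage: CheckLogon.bat username
:end
```

"Account active" is the line that reveals a disabled or locked-out account; "Workstations allowed" prints "All" when no Logon To restriction is set, so any named list there is the first thing to compare against the machine the user is sitting at.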
Best Practices
Naming Conventions
Users: firstname.lastname or firstinitiallastname
Groups: Department_Function (e.g., Sales_Managers)
Service Accounts: svc_servicename
Admin Accounts: adm_username
Security Guidelines
- Regular Reviews
  - Monthly: Review admin group members
  - Quarterly: Audit all user accounts
  - Annually: Full security audit
- Account Maintenance
  - Disable, don't delete, initially
  - Remove from all groups
  - Delete after 90 days
  - Document all changes
- Password Policies
  - Enforce complexity
  - Regular expiration
  - Prevent reuse
  - Educate users
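The account maintenance sequence above (disable first, strip group memberships, record the date for the 90-day deletion review) as an added batch example; it is not part of the original guide. It assumes the groups to remove are passed on the command line, since NT 4.0 has no single command that lists and removes every membership, and that DATE /T is available to stamp the description.

```batch
@echo off
REM DisableUser.bat - disable an account, record the date, remove it from the
REM named groups (added illustration, not from the guide).
REM Usage: DisableUser.bat username [group ...]   (quote names with spaces)
if "%1"=="" goto usage
set TARGET=%1
shift

REM Capture today's date for the description; assumes DATE /T prints the
REM date without prompting, as it does on NT 4.0 cmd.exe
for /f "tokens=*" %%d in ('date /t') do set TODAY=%%d

REM Step 1: disable, never delete, so the SID and ownership records survive
net user %TARGET% /active:no /domain
if errorlevel 1 goto end

REM Step 2: document the change in the account itself (this overwrites the
REM existing description, so note the old one in the change record first)
net user %TARGET% /comment:"DISABLED %TODAY% - review for deletion after 90 days" /domain

REM Step 3: remove from each global group given on the command line
:groups
if "%1"=="" goto end
net group %1 %TARGET% /delete /domain
shift
goto groups

:usage
echo Usage: DisableUser.bat username [group ...]
:end
```

Disabling before removing memberships matters: the account stops authenticating at once, and the group removals that follow cannot be raced by a logon in progress. The dated description is what the quarterly audit will read when deciding which disabled accounts have passed the 90-day mark.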
Documentation
Maintain records of:
- Account creation/deletion
- Group membership changes
- Security policy modifications
- Template configurations
- Special permissions
Command Line Management
Useful Commands
```batch
REM User Management
REM List all users
net user /domain
REM Show user details
net user username /domain
net user username password /add /domain
net user username /delete /domain
net user username /active:no /domain

REM Group Management
REM List all groups
net group /domain
REM Show group members
net group "Group Name" /domain
net group "Group Name" username /add /domain
net group "Group Name" username /delete /domain

REM Local Groups
REM Show local group members
net localgroup "Group Name"
net localgroup "Group Name" "Domain\Domain Group" /add
```
Batch User Creation
```batch
@echo off
REM CreateUsers.bat - Bulk user creation
REM Input file users.txt, one user per line, whitespace separated:
REM FirstName LastName Department
REM John Doe Sales
REM Jane Smith IT
REM (the Department column must match an existing global group name)
for /f "tokens=1,2,3" %%a in (users.txt) do (
    echo Creating user %%a.%%b
    REM Username follows the firstname.lastname convention (20-character limit)
    REM The initial password is a placeholder: set "User Must Change Password
    REM at Next Logon" in User Manager afterwards, as this guide recommends
    net user %%a.%%b Password123 /add /fullname:"%%a %%b" /domain
    REM Domain Users is the default primary group, so this only matters if
    REM the default was changed; kept so the intent is explicit
    net group "Domain Users" %%a.%%b /add /domain
    net group "%%c" %%a.%%b /add /domain
)
```
Conclusion
Effective user and group management is essential for Windows NT 4.0 security and administration. Following these guidelines and best practices ensures a secure, well-organized, and maintainable user environment. Regular reviews and documentation are key to long-term success.