User Accounts in Windows Server 2003 Part III

Several of the tabs available from a user account’s properties window deserve special attention. One of the more commonly used tabs is the Account tab. The first fields let you change the logon name and the UPN suffix for the account. Two buttons are available on the property sheet: Logon Hours and Log On To. Clicking Logon Hours opens a window in which you restrict the hours and days during which the user is permitted to log on. Log On To lets you restrict which workstations (listed by NetBIOS computer name) the user is permitted to log on from. The Account expires section lets you define when the account expires. For example, you can set the account of a temporary employee to expire on the date their contract ends, so that network access does not linger after the person has left.

Under Account options you’ll notice several check boxes. Some of these options were described in the article on creating a new user account. The other available options are outlined below, a couple of which are new to Windows Server 2003.

  • Smart card is required for interactive logon – The user’s certificate and private key live on the smart card, so logging on requires a card reader and the card’s PIN rather than a password. When you set this option the domain controller assigns the account a random password, so the previous password is no longer a usable credential.
  • Account is trusted for delegation – Allows a service running under this account to impersonate the users who authenticate to it when it connects to other servers on their behalf (Kerberos delegation). The delegation is unconstrained: the service can reuse any connecting user’s credentials against any other service, so grant this only to service accounts that genuinely need it. In a Windows Server 2003 functional-level domain this setting moves to the Delegation tab, which appears for accounts that have a service principal name and also offers constrained delegation.
  • Account is sensitive and cannot be delegated – Prevents any service, even one trusted for delegation, from impersonating this account. Set it on administrative and other high-value accounts.
  • Use DES encryption types for this account – Restricts the account’s Kerberos keys to the DES types (DES-CBC-CRC and DES-CBC-MD5) for compatibility with legacy Kerberos implementations that do not support RC4-HMAC. It has nothing to do with MPPE or IPSec. DES uses a 56-bit key that can be brute-forced, so leave this off unless a specific peer requires it.
  • Do not require Kerberos preauthentication – Disables Kerberos preauthentication for this account. With preauthentication the KDC will not issue a ticket-granting ticket until the client proves it knows the user’s key by encrypting a timestamp; without it, anyone who can send an AS-REQ for the user name receives an AS-REP encrypted with the user’s key and can attack the password offline. Leave this unchecked unless a non-Windows Kerberos client that cannot perform preauthentication needs the account.
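Each of the check boxes above sets or clears a bit in the account’s userAccountControl attribute, so the same options can be audited across a whole domain from an LDAP export rather than one property sheet at a time. The following is an added example, not code from the original article: it decodes userAccountControl values using the documented ADS_USER_FLAG bit values and reports the options discussed above in order of risk. The account names and values at the bottom are constructed sample data, not an export from a real domain.

```python
"""Decode userAccountControl and flag risky Account-tab options.

Added example, not part of the original article. The bit values are the
documented ADS_USER_FLAG constants behind the Account tab check boxes;
the accounts at the bottom are constructed sample data, not an export
from a real domain.
"""

# Bit -> flag name. Only the flags relevant to this discussion are listed.
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000020: "PASSWD_NOTREQD",
    0x0000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0000200: "NORMAL_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}

# (flag, severity, why it matters), in the order findings are reported.
RISK_CHECKS = [
    ("DONT_REQ_PREAUTH", "high",
     "without preauthentication anyone can request an AS-REP encrypted "
     "with the user's key and brute-force the password offline"),
    ("TRUSTED_FOR_DELEGATION", "high",
     "unconstrained delegation: a service running as this account can "
     "reuse any connecting user's credentials against any other service"),
    ("PASSWD_NOTREQD", "high", "the account may have an empty password"),
    ("ENCRYPTED_TEXT_PWD_ALLOWED", "high",
     "password stored with reversible encryption (cleartext-equivalent)"),
    ("USE_DES_KEY_ONLY", "medium",
     "56-bit DES Kerberos keys are brute-forceable; only a legacy Kerberos "
     "peer that cannot use RC4-HMAC justifies this"),
    ("TRUSTED_TO_AUTH_FOR_DELEGATION", "medium",
     "protocol transition: the service can obtain tickets for any user "
     "without that user ever authenticating to it"),
    ("DONT_EXPIRE_PASSWORD", "low",
     "password never expires; needs a manual rotation process"),
    ("SMARTCARD_REQUIRED", "info",
     "logon needs the card and PIN; the DC randomised the password when "
     "this was set, so the password is no longer a usable credential"),
]


def decode_uac(value: int) -> set:
    """Return the names of the flags set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def audit_account(uac: int) -> list:
    """Return (severity, flag, reason) findings for one account, worst first."""
    flags = decode_uac(uac)
    return [(sev, flag, why) for flag, sev, why in RISK_CHECKS if flag in flags]


def audit_domain(accounts: dict, min_severity: str = "medium") -> dict:
    """Map account name -> findings at or above min_severity (others omitted)."""
    floor = SEVERITY[min_severity]
    report = {}
    for name, uac in accounts.items():
        hits = [f for f in audit_account(uac) if SEVERITY[f[0]] >= floor]
        if hits:
            report[name] = hits
    return report


# Constructed sample accounts (sAMAccountName -> userAccountControl).
SAMPLE_ACCOUNTS = {
    "jsmith":     0x200 | 0x40000,              # user, smart card required
    "svc_sql":    0x200 | 0x10000 | 0x80000,    # service account, unconstrained delegation
    "legacy_app": 0x200 | 0x200000 | 0x400000,  # DES only, no preauthentication
    "cfo":        0x200 | 0x100000,             # sensitive, cannot be delegated
}

if __name__ == "__main__":
    for name, findings in audit_domain(SAMPLE_ACCOUNTS).items():
        for sev, flag, why in findings:
            print(f"{name}: [{sev}] {flag}: {why}")
```

On a real domain you would feed audit_domain the sAMAccountName and userAccountControl columns from a csvde or ldifde export; the default threshold of medium hides the informational smart-card entry and the never-expiring password so the delegation, DES and preauthentication problems stand out.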

These days it’s very common for users to require remote access when they’re on the road or working from home, and there may also be remote clients or business partners who need dial-in access to the network. The Dial-in tab is where you define the remote access settings for a user account.

In a mixed-mode domain all user accounts are denied remote access by default. In order for a user to dial in, you must first select either Allow access or Control access through Remote Access Policy; the second option is only offered when the domain is in native mode, where it is also the default for new accounts. If you select Control access through Remote Access Policy, make sure a remote access policy that matches the user actually grants access, since the policy now makes the decision.

For security purposes you can restrict the number from which a user may dial in. For example, if a user should only be permitted to dial in from their home office, select Verify Caller-ID and type in the user’s phone number. If the user attempts to dial in from any other number, access is denied. Note that this check depends on the telephone company delivering caller ID to the answering server: if no number is delivered, the connection is refused rather than waved through.

The Callback options determine whether the server calls the user back during the connection process. The default is No Callback. Set by Caller lets the caller supply the number to be called back on, which is convenient for mobile users but gives no assurance about where the call came from. Always Callback to drops the initial call and dials the number you specify, so the session can only be established to a phone line you control; this is the option to use when the user always connects from the same location.

The bottom fields of the Dial-in tab let you assign a fixed IP address to the user’s connection and define static routes. The static routes are added to the routing table of the answering server for the lifetime of the connection, so traffic for those destinations is sent across the user’s link.
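The Dial-in tab settings are applied in a fixed order when a call arrives: the remote access permission first, then Verify Caller-ID, then callback. The following is an added example, not code from the original article, that models that decision for an incoming call and points out combinations that give less assurance than they appear to. The DialinSettings field names are this example’s own rather than the LDAP attribute names, and the home-office record and phone numbers are constructed sample data.

```python
"""Model the Dial-in tab decisions for an incoming call.

Added example, not from the original article. It reproduces the order in
which RRAS applies the per-user Dial-in settings (permission, Verify
Caller-ID, then callback); the DialinSettings field names are this
example's own, not the LDAP attribute names, and all records and calls
below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress


@dataclass
class DialinSettings:
    permission: str                          # "allow", "deny" or "policy"
    verify_caller_id: Optional[str] = None   # number the user must call from
    callback: str = "none"                   # "none", "caller" or "always"
    callback_number: Optional[str] = None    # used when callback == "always"
    static_ip: Optional[str] = None
    static_routes: List[str] = field(default_factory=list)  # "dest/prefix metric"


@dataclass
class Decision:
    allowed: bool
    reason: str
    callback_to: Optional[str] = None        # number the server dials, if any


def evaluate_call(settings: DialinSettings, policy_grants: bool,
                  calling_number: Optional[str],
                  requested_callback: Optional[str] = None) -> Decision:
    """Decide whether a call is accepted and whether the server calls back."""
    # 1. Remote access permission: the account setting wins unless it defers
    #    to the remote access policy.
    if settings.permission == "deny":
        return Decision(False, "account: Deny access")
    if settings.permission == "policy" and not policy_grants:
        return Decision(False, "remote access policy: deny")
    # 2. Verify Caller-ID. A missing calling number (telco did not deliver
    #    it) is a mismatch, not a pass.
    if settings.verify_caller_id is not None and calling_number != settings.verify_caller_id:
        return Decision(False, f"caller-ID mismatch: got {calling_number!r}")
    # 3. Callback. Only "Always Callback to" binds the session to a number
    #    the administrator chose.
    if settings.callback == "always":
        return Decision(True, "callback to administrator-set number", settings.callback_number)
    if settings.callback == "caller":
        return Decision(True, "callback to caller-supplied number", requested_callback)
    return Decision(True, "direct connection")


def posture_warnings(settings: DialinSettings) -> List[str]:
    """Point out Dial-in settings that give weaker assurance than they look."""
    warnings = []
    if settings.callback == "caller":
        warnings.append("Set by Caller: the caller chooses the number, so callback proves nothing about location")
    if settings.callback == "always" and not settings.callback_number:
        warnings.append("Always Callback to is selected with no number; the callback cannot succeed")
    if settings.verify_caller_id is None and settings.callback != "always":
        warnings.append("no Verify Caller-ID and no fixed callback: nothing ties the session to a known line")
    if settings.static_ip is not None:
        try:
            ipaddress.IPv4Address(settings.static_ip)
        except ValueError:
            warnings.append(f"static IP {settings.static_ip!r} is not a valid IPv4 address")
    for route in settings.static_routes:
        dest, _, metric = route.partition(" ")
        try:
            ipaddress.IPv4Network(dest)
            int(metric)
        except ValueError:
            warnings.append(f"static route {route!r} is malformed (expected 'dest/prefix metric')")
    return warnings


# Constructed sample: a home-office worker tied to one phone line.
HOME_OFFICE = DialinSettings(
    permission="policy",
    verify_caller_id="5550123",
    callback="always",
    callback_number="5550123",
    static_ip="10.9.8.7",
    static_routes=["192.168.50.0/24 1"],
)

if __name__ == "__main__":
    for number in ("5550123", "5559999", None):
        print(number, evaluate_call(HOME_OFFICE, policy_grants=True, calling_number=number))
    print(posture_warnings(DialinSettings("allow", callback="caller")))
```

The sample record combines Verify Caller-ID with Always Callback to the same number, which is the strongest configuration the tab offers: the call must originate from the home line and the session is then re-established by the server dialling that line.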

The Profile tab allows you to configure the path to the user profile. For those of you who aren’t familiar with what a user profile is, here is a perfect example that I’m sure most can relate to. Two users share the same computer. One user prefers the Windows default background and the other prefers backgrounds downloaded from the Internet. So what permits users to retain their own preferences on a single computer? Of course, as I’m sure you’ve already guessed, the answer is user profiles.

By default, profiles are stored on the local computer. What happens, though, for users who move between multiple workstations? They can configure their settings on each computer separately, or, the easier solution, use roaming profiles. The profile is then stored on a central server and follows the user to any computer in the domain. This is where the Profile tab comes in. Once you’ve created a share on the server to hold the profiles, open the Profile tab in the account properties and type the path to the shared folder in the Profile path field, typically in the form \\server\share\%username% so that each user gets a separate folder.

Two other fields are available from this property sheet: the logon script and the home folder. If you are using logon scripts, provide the name of the script (relative to the domain controllers’ NETLOGON share) so that it runs each time the user logs on to the network. The home folder is the user’s personal storage space. You can point it at a Local path on the machine or choose Connect, which maps a drive letter to a network path; the network path is the more common choice because it is available from any workstation and is backed up with the server.


Comments

  1. Brian Flynn says:

    When I check the box so that preauthentication is not required my users cannot log on to the domain. When it is unchecked they can log on? Any ideas?