Server Administration - User Administration
In a Nutshell - CIW Course Section 3, Part A2, Chapter 4
SAM
When logging on to a Windows 2000 computer, you will usually log on to the domain, where the logon is authenticated by the server running Active Directory. However, there will be times when you need to log on locally to an individual machine. To facilitate this, the machine needs to maintain its own list of users.
This user list is stored in a secure database known as SAM, or the Security Accounts Manager, which forms part of the system registry. Entries can be found in the following registry keys:
HKEY_LOCAL_MACHINE\SAM
HKEY_LOCAL_MACHINE\SECURITY\SAM
These keys did not appear to contain any pertinent information on any of my machines, but they are all domain members so this may make a difference.
Adding User Accounts
User accounts can be added, edited and deleted from the Computer Management Microsoft Management Console plug-in. To open Computer Management, from the Start Menu click:
Programs | Administrative Tools | Computer Management
The following screen will be displayed:
Expand "Local Users and Groups" and select Users. Right-click the Users folder and select New User.
The User Name you provide here will become the logon name for the user. The default setting, as above, requires the user to set their own password the first time they log in. This can be deselected and, if required, the user can be prevented from changing their own password. If this option is selected it is reasonable to also set the password to never expire.
Local Policy Settings
The local policy includes options for User Rights Assignment. There are many possible rights that may be conferred and I don't intend to go into them here. To open the Local Policy Settings and have a look, from the Start menu click:
Programs | Administrative Tools | Local Security Policy
Expand Local Policies and select User Rights Assignment. The list of available rights will be displayed in the right-hand pane.

