Windows 7 / Security and Privacy

Troubleshooting User Accounts

When a user logs on to the network using their domain user account, the account credentials are validated by a domain controller. By default, users can log on using their domain user accounts even if the network connection is down or there is no domain controller available to authenticate the user's logon. However, the user must have previously logged on to the computer and have valid, cached credentials. If the user has no cached credentials on the computer and the network connection is down or there is no domain controller available, the user will not be able to log on to the domain.

Each member computer in a domain can cache up to 10 credentials by default. Authentication can also fail if the system time on the member computer deviates from the logon domain controller's system time more than is allowed in the Kerberos Policy: Maximum Tolerance For Computer Clock Synchronization. The default tolerance is 5 minutes for member computers.
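The two preconditions just described (a cached-credential budget and a clock within the Kerberos tolerance) can be checked on a member computer before a user reports a failed logon. The following PowerShell script is an added example, not part of the original page; it assumes an elevated session on a domain-joined computer, reads the logon domain controller from the `LOGONSERVER` environment variable that Windows sets at logon, and needs WMI access to that domain controller.

```powershell
# Added example, not from the original page: check two preconditions for a
# successful domain logon on a member computer.
# Assumptions: elevated PowerShell on a domain-joined computer; the logon DC
# is taken from $env:LOGONSERVER; WMI (RPC) access to that DC is permitted.

function Get-CachedLogonsCount {
    # Winlogon keeps the cache size in the CachedLogonsCount value (REG_SZ).
    # A missing value means the built-in default of 10 is in effect.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.CachedLogonsCount -ne $null) {
        return [int]$props.CachedLogonsCount
    }
    return 10
}

function Get-DomainControllerClockSkew {
    param([string]$DomainController = $env:LOGONSERVER.TrimStart('\'))
    # Read the DC's clock through WMI. ConvertToDateTime honours the UTC offset
    # in the DMTF timestamp, so the comparison also works across time zones.
    $os     = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $DomainController
    $dcTime = $os.ConvertToDateTime($os.LocalDateTime)
    return (Get-Date) - $dcTime     # [TimeSpan]; the sign shows which clock is ahead
}

function Test-DomainLogonReadiness {
    param([int]$MaxSkewMinutes = 5)  # Kerberos policy default for member computers
    $skew = Get-DomainControllerClockSkew
    New-Object PSObject -Property @{
        LogonServer         = $env:LOGONSERVER
        CachedLogonsCount   = Get-CachedLogonsCount
        ClockSkewSeconds    = [math]::Round($skew.TotalSeconds, 1)
        SkewWithinTolerance = ([math]::Abs($skew.TotalMinutes) -le $MaxSkewMinutes)
    }
}

# A CachedLogonsCount of 0 means no offline logons at all; a false
# SkewWithinTolerance explains Kerberos failures even with a correct password.
Test-DomainLogonReadiness | Format-List
```

Run it on the workstation that cannot log on (using a local administrator account if needed): a zero cache count or a skew beyond the tolerance points at the cause without touching the domain controller.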

Users' accounts can be disabled by administrators or locked out due to Account Lockout Policy. When a user tries to log on using an account that is disabled or locked out, he sees a prompt that notifies him he cannot log on because his account is disabled or locked out. The prompt also tells him to contact an administrator.

Active Directory Users And Computers shows disabled accounts with a red warning icon next to the account name. To enable a disabled account, right-click the account in Active Directory Users And Computers and then select Enable Account. You can search the entire domain for users with disabled accounts by typing dsquery user -disabled at a command prompt. To enable a disabled account from the command line, type dsmod user UserDN -disabled no.

When a user account has been locked out by the Account Lockout Policy, the account cannot be used for logging on until the lockout duration has elapsed or the account is reset by an administrator. If the account lockout duration is indefinite, the only way to unlock the account is to have an administrator reset it. In Active Directory Users And Computers, you can unlock an account by right-clicking the locked account and then selecting Properties. On the Account tab of the Properties dialog box, clear the Unlock Account check box.
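The disabled-account search and the unlock step described in the two paragraphs above can also be scripted. The following is an added example, not code from the original page; it uses the ActiveDirectory PowerShell module (assumed to be installed through the Remote Server Administration Tools, which also requires a domain controller that supports the Active Directory Web Services) and mirrors what `dsquery user -disabled`, `dsmod user UserDN -disabled no`, and the Unlock Account check box do.

```powershell
# Added example, not from the original page: report disabled and locked-out
# user accounts, then enable or unlock one of them with a -WhatIf preview.
# Assumption: the ActiveDirectory module (RSAT) is available and the domain
# exposes Active Directory Web Services.

Import-Module ActiveDirectory

function Get-UnavailableUserAccounts {
    # Disabled accounts are the ones ADUC marks with the red icon; locked-out
    # accounts are the ones tripped by the Account Lockout Policy.
    $disabled = Search-ADAccount -AccountDisabled -UsersOnly |
        Select-Object SamAccountName, DistinguishedName,
            @{ Name = 'State'; Expression = { 'Disabled' } }
    $locked = Search-ADAccount -LockedOut -UsersOnly |
        Select-Object SamAccountName, DistinguishedName,
            @{ Name = 'State'; Expression = { 'LockedOut' } }
    @($disabled) + @($locked)
}

function Restore-UserAccountAccess {
    # Equivalent of "dsmod user UserDN -disabled no" and of the Unlock Account
    # check box on the Account tab. -WhatIf previews without changing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,   # SamAccountName or DN
        [switch]$Enable,
        [switch]$Unlock
    )
    if ($Unlock -and $PSCmdlet.ShouldProcess($Identity, 'Unlock account')) {
        Unlock-ADAccount -Identity $Identity
    }
    if ($Enable -and $PSCmdlet.ShouldProcess($Identity, 'Enable account')) {
        Enable-ADAccount -Identity $Identity
    }
    # Show the resulting state so the change is confirmed in the same step.
    Get-ADUser -Identity $Identity -Properties LockedOut, LastLogonDate |
        Select-Object SamAccountName, Enabled, LockedOut, LastLogonDate
}

# Usage (the account name is a constructed placeholder):
#   Get-UnavailableUserAccounts | Format-Table -AutoSize
#   Restore-UserAccountAccess -Identity jsmith -Unlock -WhatIf
```

Listing the disabled and locked-out accounts in one table before unlocking anything avoids the common mistake of enabling an account that was deliberately disabled, as opposed to one that merely tripped the lockout threshold.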

Additionally, when account logon failure auditing is enabled, logon failure is recorded in the security log on the logon domain controller. Auditing policies for a site, domain, or OU GPO are stored under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
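When account logon failure auditing is on, the domain controller's Security log is where a string of failed logons or a lockout shows up. The following PowerShell script is an added example, not code from the original page, that reads those events from the logon domain controller and summarizes them per user. It assumes a Windows Server 2008 or later domain controller (the event IDs used are the Vista-era IDs; Windows Server 2003 uses different ones), remote Event Log access, and membership in the Event Log Readers or Administrators group on that domain controller.

```powershell
# Added example, not from the original page: read account logon failures and
# lockouts from the Security log on the logon domain controller.
# Assumptions: Server 2008+ DC, remote Event Log access, Event Log Readers
# or Administrators membership on the DC, $env:LOGONSERVER set at logon.

function Get-AccountLogonFailures {
    param(
        [string]$DomainController = $env:LOGONSERVER.TrimStart('\'),
        [int]$Hours = 24
    )
    # 4771: Kerberos pre-authentication failed (e.g. wrong password)
    # 4776: NTLM credential validation failed
    # 4740: account locked out by the Account Lockout Policy
    $filter = @{
        LogName   = 'Security'
        Id        = 4771, 4776, 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML rather than
            # positional Properties, whose order differs per event ID.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $source = $data['IpAddress']                                 # 4771
            if (-not $source) { $source = $data['Workstation'] }         # 4776
            if (-not $source) { $source = $data['TargetDomainName'] }    # 4740: caller computer name
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = $data['TargetUserName']
                Source  = $source
                Status  = $data['Status']
            }
        }
}

function Get-FailureSummary {
    param([int]$Hours = 24, [int]$Threshold = 5)
    # Users with many failures in the window are the ones about to lock out
    # (or already did); set $Threshold to your Account Lockout Threshold.
    Get-AccountLogonFailures -Hours $Hours |
        Where-Object { $_.EventId -ne 4740 } |
        Group-Object User |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{ Name = 'User'; Expression = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

# Usage:
#   Get-AccountLogonFailures -Hours 8 | Format-Table Time, EventId, User, Source, Status -AutoSize
#   Get-FailureSummary -Hours 24 -Threshold 5
```

The Source column is the practical part: a user whose failures all come from one workstation usually has a stale password saved in a mapped drive or scheduled task there, which is what keeps re-locking the account after each reset.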

Managing User Profiles

User profiles contain global user settings and configuration information and are stored for each user account created on a server or in a domain. A user profile allows a user to maintain his or her desktop environment so it is the same whenever they log on. The profile is created the first time a user logs on. Different profiles are created for local user accounts and domain user accounts.

Profile Essentials

The following three types of user profiles can be used:

  • Local: Local user profiles are the means for saving user settings and restoring them when the user logs on to the local machine.
  • Roaming: Roaming profiles allow user settings to move with a user from computer to computer by storing the information on domain controllers and then downloading it when the user logs on to the domain. For an administrator, roaming profiles allow you to roam from server to server and not have to reconfigure the desktop each time you log on. For instance, in your roaming profile, Windows Explorer can be configured through the Default Domain Policy to show file details regardless of where you log on or whether it was the first time you logged on to a particular computer.
  • Mandatory: Mandatory profiles are roaming profiles, originated by you and kept on a server, that are applied to users or groups, and that can be changed only by system administrators. For instance, a company may want all its sales clerks to have the same desktop settings at every workstation. This requires the creation of a preconfigured profile.

When a user has a local profile, all the user data is stored locally on that user's machine. When a user has a roaming profile, all the user data is stored in the profile itself and can be located on a network share. You can examine the contents of the profile folders using Windows Explorer. However, many of the folders are hidden from view by default. To configure Windows Explorer so that you can view the additional folders, choose Folder Options from the Tools menu, and then click the View tab. Under Advanced Settings, select Show Hidden Files And Folders and then click OK.

On Windows XP and Windows Server 2003, local user profiles are stored by default in the %SystemDrive%\Documents and Settings folder. On Windows Vista and Windows Server 2008, local user profiles are stored by default in the %SystemDrive%\Users\%UserName% folder. Like Windows Server 2003, Windows Server 2008 saves roaming profiles to a server when a user logs off, even if an application has the Registry open. When a user logs on to a domain or that user's profile is in use on the network, the Delete and Copy To buttons on the Advanced tab of the System Properties dialog box are not available.

Note:
You might need to delete a user profile that is in use. To delete a user profile while someone is using it, take ownership of it using Windows Explorer. Right-click the profile file (ntuser.dat), and then select Properties. Click the Advanced button on the Security tab. Then click the Owner tab in the Advanced Security dialog box to set ownership to your account. You can then delete the profile in Windows Explorer.

Policies for user profiles have their own node in Group Policy. They are located in Computer Configuration\Administrative Templates\System\User Profiles. These policies affect many aspects of how profiles are used. When working with the related policies, keep the following in mind:

  • To add roaming user profiles to the Administrators security group, use the Add The Administrator Security Group To Roaming User Profiles policy. This allows an administrator full control over the folder containing the user's profile. Only computers running Microsoft Windows XP Professional or later are affected by this policy.
  • To deny access to a user's roaming profile on a per-computer basis, use the Only Allow Local Users Profiles policy. This prevents a user from getting his or her roaming profile on a particular computer or in the domain. Only computers running Windows XP Professional or later are affected by this policy.
  • You can prevent changes to a user's roaming profile on a local machine from being sent back to the server when the user logs off. To do this, enable the Prevent Roaming Profile Changes From Propagating To The Server policy. Users will receive their roaming profile when they log on, but if they change anything on their desktop, those changes will not be retained when they log off. Only computers running Windows XP Professional or later are affected by this policy.
  • You can ensure profiles that haven't been used for a specified number of days are deleted automatically to free up disk space. To do this, enable the Delete User Profiles Older Than... policy and then specify how long a profile should go unused before it is deleted, such as 60 days. When a profile hasn't been used for the specified number of days, it is automatically deleted the next time you restart the computer.
  • You can set the roaming profile to the same folder path for all users logging on to a computer. To do this, enable the Set Roaming Profile Path... policy and then specify the desired profile path. Be sure to use the %UserName% variable as part of the path; this will ensure each user has a unique profile path.

Note:
The Group Policy Management Editor has an Extended tab in the details pane. By selecting one of these policies and clicking the Extended tab in the details pane (if necessary), you see a description that explains what the policy will do in each configuration and indicates which operating systems support the policy.
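The five policies in the list above are applied to a computer as registry values under the Policies hive, which is the quickest way to confirm on a given machine what actually took effect. The following PowerShell script is an added example, not code from the original page. It assumes the value names are the ones defined for these policies in System.admx under HKLM\SOFTWARE\Policies\Microsoft\Windows\System (verify them against your template version), treats an absent value as Not Configured, and also applies the %UserName% check from the last bullet to the roaming profile path.

```powershell
# Added example, not from the original page: audit the registry values behind
# the User Profiles policies on a computer the GPO applies to.
# Assumption: value names as defined in System.admx (verify for your version);
# an absent value means the policy is Not Configured.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

$profilePolicies = @(
    @{ Policy = 'Add The Administrator Security Group To Roaming User Profiles'; Value = 'AddAdminGroupToRUP' },
    @{ Policy = 'Only Allow Local Users Profiles';                               Value = 'LocalProfile' },
    @{ Policy = 'Prevent Roaming Profile Changes From Propagating To The Server'; Value = 'ReadOnlyProfile' },
    @{ Policy = 'Delete User Profiles Older Than...';                            Value = 'CleanupProfiles' },
    @{ Policy = 'Set Roaming Profile Path...';                                   Value = 'MachineProfilePath' }
)

function Test-RoamingProfilePath {
    param([string]$Path)
    # %UserName% is what keeps each user's profile folder unique; a fixed path
    # would make every user on the computer share one profile.
    return [bool]($Path -match '(?i)%username%')
}

function Get-UserProfilePolicyState {
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($p in $profilePolicies) {
        $raw = $null
        if ($props) { $raw = $props.($p.Value) }
        $state = 'Not Configured'
        $note  = ''
        if ($raw -ne $null) {
            switch ($p.Value) {
                'CleanupProfiles'    { $state = "Enabled (after $raw days)" }
                'MachineProfilePath' {
                    $state = "Enabled ($raw)"
                    if (-not (Test-RoamingProfilePath $raw)) { $note = 'WARNING: path lacks %UserName%' }
                }
                default { if ([int]$raw -eq 1) { $state = 'Enabled' } else { $state = 'Disabled' } }
            }
        }
        New-Object PSObject -Property @{ Policy = $p.Policy; Value = $p.Value; State = $state; Note = $note }
    }
}

Get-UserProfilePolicyState | Format-Table Policy, State, Note -AutoSize
```

Run it after `gpupdate /force` on the target computer; a policy that shows Not Configured here while the GPO says Enabled usually means the GPO is linked to the wrong OU or filtered out by security group, not that the policy itself is broken.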