Networking: A Beginner’s Guide
Chapter 17: Administering Windows Server 2008: The Basics

In the second dialog box, shown in Figure 17-3, you enter the initial password that the account will use. You also select several options that apply to the account, as follows:

• User Must Change Password at Next Logon: Selecting this checkbox forces users to choose their own password when they first log in to the system.
• User Cannot Change Password: You might select this option for resource accounts if you do not want to allow users to change their passwords. (For instance, you might have a specific user account established for a particular computer that performs a particular function that many people employ.) Generally, however, you should not select this option; most sites allow users to change their own passwords, and you want to permit them to do so if you’ve also set passwords to automatically expire.
• Password Never Expires: Choose this option to allow the password to remain viable for as long as the user chooses to use it. Activating this option for most users is generally considered a poor security practice.
• Account Is Disabled: Selecting this option disables the new account. The administrator can enable the account when needed by clearing the checkbox.

Figure 17-2. Use the New Object – User dialog box to add a new user.

After entering the password and selecting the options you want, click Next to continue. You will then see a confirmation screen. Click Next a final time to create the account, or click Back to return to either dialog box to make changes.

Modifying a User Account

The dialog box in which you modify the information about a user account contains many more fields than the ones used to create the account. You can use these to document the account and to set some other security options. To modify an existing user account, right-click the user object you wish to modify and choose Properties from the pop-up menu.
You then see the tabbed dialog box shown in Figure 17-4. In the first two tabs, General and Address, you can enter some additional information about the user, such as job title, mailing address, telephone number, e-mail account, and so forth. Because Active Directory also integrates with Exchange Server, this information might be important to enter for your network.

In the Account tab, shown in Figure 17-5, you can set some important user account options. At the top of the tab, you can see the user’s logon name, as well as the Windows domain in which the user has primary membership. Below that is the user’s Windows NT logon name (called the pre-Windows 2000 logon name), which the user can optionally use to log in to the domain from a Windows NT computer or to use an application that doesn’t yet support Active Directory logins. (Although you can set these two logon names to be different, doing so is rarely a good idea.)

Figure 17-3. Setting the user’s password

Clicking the Logon Hours button displays the dialog box shown in Figure 17-6. In this dialog box, you select different blocks of time within a standard week, and then click the appropriate option button to permit or deny access to the network for that time period. In Figure 17-6, the settings permit logon times for a normal workday, with some cushion before and after those times to allow for slightly different work hours. By default, users are permitted to log on to the network at any time, any day of the week. For most networks, particularly smaller networks, permitting users to log on at any time is generally acceptable.

Figure 17-4. Setting properties for a user’s account

Clicking the Log On To button on the Account tab opens the Logon Workstations dialog box, as shown in Figure 17-7. By default, users can log on to any workstation in the domain, and the domain authenticates them.
In some cases, a system might require stricter security, where you specify the computers to which a user account can log on. For example, you might set up a network backup account that you use to back up the network, and then leave this account logged on all the time in your locked computer room. Because the backup account has access to all files on the network (necessary to do its job), a good idea is to limit that account to log on only to the computer designated for this purpose in the computer room. You use the Log On To feature to set up this type of

Figure 17-5. The Account tab of a user’s Properties dialog box lets you set some important user account options.

Figure 17-6. Setting logon time restrictions for a user

Figure 17-7. Restricting the computers to which a user can log on
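
The options set in these dialog boxes are stored as attributes on the user object, so they can be reviewed for many accounts at once instead of one Properties dialog at a time. The PowerShell below is an added example, not taken from the book; the attribute names (userAccountControl, pwdLastSet, userWorkstations, logonHours) and flag values are the standard Active Directory ones, and the account records and the Get-AccountFinding and Test-LogonHour helpers are constructed for illustration.

```powershell
# Added example (requires PowerShell 3.0 or later for -shl / -shr).
# The account records at the bottom are constructed sample data.
$UAC_ACCOUNTDISABLE       = 0x0002    # "Account Is Disabled"
$UAC_DONT_EXPIRE_PASSWORD = 0x10000   # "Password Never Expires"
# "User Cannot Change Password" is stored as a deny entry in the object's ACL,
# not in these attributes, so it is not decoded here.

function Test-LogonHour {
    # logonHours: 21 bytes = 168 bits, one per hour of the week in UTC,
    # starting Sunday 00:00. A set bit permits logon; no value permits all hours.
    param([byte[]]$LogonHours, [int]$Day, [int]$Hour)    # Day 0 = Sunday
    if ($null -eq $LogonHours -or $LogonHours.Length -eq 0) { return $true }
    $bit = $Day * 24 + $Hour
    return [bool]($LogonHours[$bit -shr 3] -band (1 -shl ($bit % 8)))
}

function Get-AccountFinding {
    param($Account)
    $uac = [int]$Account.userAccountControl
    if ($uac -band $UAC_ACCOUNTDISABLE)       { 'account is disabled' }
    if ($uac -band $UAC_DONT_EXPIRE_PASSWORD) { 'password never expires' }
    if ($Account.pwdLastSet -eq 0)            { 'must change password at next logon' }
    # Empty userWorkstations = the default "log on to any workstation".
    if (-not $Account.userWorkstations)       { 'may log on to any workstation' }
    if (-not $Account.logonHours)             { 'may log on at any hour' }
    elseif (Test-LogonHour $Account.logonHours 0 3) { 'logon permitted Sunday 03:00 UTC' }
}

# Constructed logonHours value: Monday-Friday, 07:00-19:00 UTC.
$workWeek = New-Object byte[] 21
foreach ($d in 1..5) { foreach ($h in 7..18) {
    $bit = $d * 24 + $h
    $workWeek[$bit -shr 3] = $workWeek[$bit -shr 3] -bor (1 -shl ($bit % 8))
} }

# Constructed records: a backup service account left at the defaults, and a
# regular user restricted to one workstation and to working hours.
$accounts = @(
    [pscustomobject]@{ sAMAccountName = 'backupsvc'; userAccountControl = 0x10200
                       pwdLastSet = 132000000000000000; userWorkstations = $null
                       logonHours = $null }
    [pscustomobject]@{ sAMAccountName = 'jdoe'; userAccountControl = 0x0200
                       pwdLastSet = 0; userWorkstations = 'WS-014'
                       logonHours = $workWeek }
)
foreach ($a in $accounts) {
    Get-AccountFinding $a | ForEach-Object { '{0}: {1}' -f $a.sAMAccountName, $_ }
}
```

The Logon Hours dialog displays the grid in local time while the stored value is in UTC, so shift the day and hour accordingly when comparing the output with what the dialog shows.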