Creating and Configuring User Accounts

The first time a user logs on to a Windows computer, a profile is created. This profile remembers the user’s preferred desktop settings, display options, application settings and so on, giving the user a desktop environment consistent with that of their last login. User profiles are stored in %systemdrive%\Documents and Settings\%Username% (where Username is the user’s logon name).


Two default profile folders are installed with Windows and used by it: the Default User Profile and the All Users Profile. N.B. The Default User folder is hidden by default.

Default User Profile

The user profile created at first logon is basically a copy of the Default User Profile. This copy is stored on the local machine as a local user profile.

All Users Profile

The All Users profile has settings which apply to every user logging on to the local computer, for example program shortcuts to Calculator, Paint etc.

User Profiles

User profiles may either be local or roaming, and may be mandatory.

A local profile is stored on the local machine only. A user with a domain account would not have the same profile on each machine.

Roaming profiles are ones which are created by the Administrator but which users configure for themselves. They appear on any machine users log on to. Each profile must be held on a network share accessible from all the machines users might employ.

The advantage of this is that a user can begin working in a familiar environment straight away at any machine within the domain.

Mandatory profiles may be local or roaming. These are configured by the administrator on behalf of the enterprise. The profile specifies what appears on the desktop at log in and the settings for immediate use.

A user might be able to change these settings for one particular session, but these changes are lost at log off, and the mandatory profile appears again at the next session.

Roaming Profiles

In this case all user profiles are stored on a server (not necessarily a domain controller). The user logs on to the domain rather than his local workstation. When the user logs on, Windows checks the user’s account to see if a user profile path exists. If it does, the user profile is located by the system and copied to the local computer. Unlike the situation in a domain, a roaming profile in a workgroup has to be set up on every machine. It can also be arranged for a user’s home folder, desktop and My Documents folder to “roam” with that user. A shared folder must be created first. Into this can be placed a user’s profile and, if required, the user’s home folder.

The NTUSER.DAT file is about to be renamed to NTUSER.MAN to make Ross’s profile a mandatory roaming profile. The .man extension makes the file read only. This change could also be made to a local profile.
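To check which profiles on a share are mandatory and which are still user-writable, the following added example (not part of the original lesson) reports the hive file found in each profile folder. The share path \\server\profiles and the one-folder-per-user layout are assumptions.

```powershell
# Added example. Assumption: one profile folder per user under this share
# (hypothetical path; replace with the share used in your domain).
$ProfileRoot = '\\server\profiles'

function Get-ProfileType {
    param([Parameter(Mandatory)][string]$Path)
    # NTUSER.* files are hidden, so test each by literal path instead of listing.
    $man = Test-Path -LiteralPath (Join-Path $Path 'NTUSER.MAN') -PathType Leaf
    $dat = Test-Path -LiteralPath (Join-Path $Path 'NTUSER.DAT') -PathType Leaf
    if ($man -and $dat) { return 'Ambiguous (both hives present)' }
    if ($man)           { return 'Mandatory' }
    if ($dat)           { return 'Roaming (user-writable)' }
    return 'No hive found'
}

# One row per profile folder: who it belongs to, its type, and the folder owner.
# An owner other than the named user or an administrator deserves a closer look.
Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force | ForEach-Object {
    [pscustomobject]@{
        User  = $_.Name
        Type  = Get-ProfileType -Path $_.FullName
        Owner = (Get-Acl -LiteralPath $_.FullName).Owner
    }
} | Format-Table -AutoSize
```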

Users are created using the Active Directory Users and Computers management console. Right-click on the container where you would like to create the user. Select New -> User. Fill out the details for the new user.

The user will log on using the User logon name. The domain suffix can be changed if other domains are available, although this is not recommended. The full user logon name is known as a Universal Principal Name (UPN). The pre-Windows 2000 logon name is used for backwards compatibility. This name has to be unique across the entire Active Directory forest. Click on Next to continue.

Choose a password for the new user account. The “User must change password at next logon” option will let the user choose his/her own password when they first log on. Click on Next to continue. Click on Finish to continue. The new user account has been created.

Right-click on the account to configure it. The number of available tabs will vary depending on which services you have installed on the server. The General tab displays general information about the user. The Member Of tab displays the user’s group memberships.

The Account tab displays the information you entered when creating the user as well as password options. You can also restrict the user’s logon hours from here.

The Profile tab can be used to configure where this user’s profile is loaded from. This can be used to create a roaming user profile. For example, this user’s profile will be stored on the server “server”. The “%username%” will be changed to the user’s name by the computer. This is known as an environment variable.

User accounts can also be created from the command line by using the “dsadd” utility. This example will create a user called Charlie in the “office” organizational unit. Dsadd is a handy utility which can be used to create objects in Active Directory without using the GUI. Dsadd is also handy for creating large numbers of objects in Active Directory by using scripts. There are many other utilities available for creating a large number of users. The “csvde” utility can generate user information from a comma-delimited file, which can be created as a spreadsheet. The Lightweight Data Interchange Format, Data Exchange (LDIFDE) utility is more advanced than CSVDE and can be used to modify user accounts as well as create them. LDIFDE has line-separated values between each record, which means the data is not suitable for spreadsheets.

Although the account has been created, it is disabled because no user information has been entered. You can modify the account here or use the “dsmod” utility. For information about “dsadd” and “dsmod”, type in “dsadd /?” or “dsmod /?” from a command line.
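The following added example (not from the original lesson) scripts the steps described above: it creates accounts with “dsadd”, sets a roaming profile path, checks the result and enables each account with “dsmod”. The domain example.com, the share \\server\profiles and the sample row are assumptions; the “office” organizational unit and the user Charlie come from the lesson.

```powershell
# Added example. Assumed values: domain, UPN suffix and profile share.
$DomainDn    = 'DC=example,DC=com'
$UpnSuffix   = 'example.com'
$ProfileRoot = '\\server\profiles'

# Constructed sample input; a real run would use Import-Csv on a reviewed file.
# Names containing commas would need escaping in the DN and are not handled here.
$NewUsers = @'
SamId,Name,OU
charlie,Charlie,office
'@ | ConvertFrom-Csv

foreach ($u in $NewUsers) {
    $dn = "CN=$($u.Name),OU=$($u.OU),$DomainDn"

    # -pwd * makes dsadd prompt for the password, so it never appears in the
    # script, the command line or the shell history.
    # -mustchpwd yes forces the user to replace it at first logon.
    # -disabled yes keeps the account unusable until it has been checked.
    & dsadd user $dn -samid $u.SamId -upn "$($u.SamId)@$UpnSuffix" `
        -display $u.Name -profile "$ProfileRoot\$($u.SamId)" `
        -pwd * -mustchpwd yes -disabled yes
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dsadd failed for $dn; account not created"
        continue
    }

    # Show what was stored before the account is switched on.
    & dsget user $dn -samid -upn -profile -disabled

    # Enable the account only after the settings above look right.
    & dsmod user $dn -disabled no
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsmod could not enable $dn" }
}
```

The account running the script needs permission to create user objects in the target organizational unit.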