When many IT pros first think of Windows 2000 user administration, they think of domains, network accounts, and share permissions. Yet there’s another side to user administration that’s equally important: local workstation administration. Without adequate workstation administration, end users can wreak havoc on a Windows machine. Here are two administration tips to help keep your workstations running smoothly. Learn how to keep user profile changes after logging off and how to prevent end users from creating user accounts.

Retain changes to user profiles after they’ve logged off
A user’s desktop and working environment are stored in the user’s profile in Windows 2000. When users log off, the changes they make to their profiles are usually saved in order for their profiles to be updated the next time they log on.

If you run across a situation where the profile changes are being lost, the culprit could be that the user’s account isn’t a member of the local Users group. When users log on from accounts that don’t belong to the Users group, Windows 2000 treats them as guests and therefore doesn’t save the user’s profile changes. This doesn’t apply if the user logs on with an account that is a member of the Administrators group. In this case, the changes will be retained.

The solution to this problem is simple: add the user’s account to the local Users group. To make the change, go through the Local Users And Groups snap-in in the Computer Management console. After making the change, log on as the user, change a profile setting, log off, and then log back on to verify that the problem is resolved.

Prevent users from creating user accounts
Windows 2000 Professional offers two methods for creating Local User accounts. You can use either the Users And Passwords object in the Control Panel or the Local Users And Groups snap-in in the Computer Management console. Both allow you to create and modify accounts, but there are differences between the two.

One primary difference is in the access that users have to these tools. Members of the Users group who open the Users And Passwords object in the Control Panel are prompted to specify credentials for an account in the Administrators group. Depending on your system’s configuration, members of the Users group can open the Local Users And Administrators snap-in through the Computer Management console, create new accounts, and set the password for those accounts without being prompted for an Administrator account. However, members of the Users group cannot make an account for a member of the Administrators group or change passwords for other accounts.

You can prevent members of the Users group from creating accounts through the Local Users And Groups snap-in by following these steps:

  1. Log on as an Administrator.
  2. Open the Local Users And Groups snap-in from the Computer Management console.
  3. Click the Groups folder and double-click Power Users in the right pane to open the group’s properties.
  4. Click NT AUTHORITY\INTERACTIVE, select Remove, and then click OK.

When this built-in group no longer appears in the Power Users properties, members of the Users group will no longer be able to create accounts.

Get great Windows 2000 tips like these sent directly to your inbox!

Our Windows 2000 Professional TechMail contains valuable information that can save you time and effort. Get valuable tips, links to Windows resources, and much more, all delivered straight to your inbox—absolutely free. Sign up for the Windows 2000 TechMail today! Let us know what you think about this article by sending us an e-mail or by posting a comment below.