Windows 2000 provides two types of user accounts: local user accounts and
domain user accounts. A local user account is created in the local security
database. With this type of account, a user has access to only the resources
on that computer; this is typical in a workgroup.
With a domain user account, a user can log on to the domain to access network
resources. A user with a domain account can access all of the resources in
the domain.
Local User Accounts
To gain access to resources on a local computer, a user needs to have a local
user account on the computer. There are two kinds of local user accounts:
user-defined accounts and built-in accounts.
User-defined Local User Accounts
User-defined local user accounts are those that an administrator creates to
allow a user to gain access to only those computers where his or her user
account exists. You cannot create user-defined local user accounts on a
Windows 2000 domain controller. It is possible to have an account on the
local computer and another account in the domain; however, the user can use
only one of the accounts at a time.
Built-in Local User Accounts
In addition to user-defined accounts, Windows 2000 provides two built-in user
accounts to aid administrators in performing administrative tasks and in
providing users with temporary access to a local computer. Upon installation,
Windows 2000 automatically creates two built-in user accounts - Administrator
and Guest.
- Administrator:
The built-in Administrator account can never be deleted or
disabled, thereby ensuring that the administrator is never
locked out of the computer.
- Guest:
Users who do not have a user account on a computer can log on
using the Guest account. For a user to log on as a Guest, the
administrator needs to enable the Guest account because it is
disabled by default. This account does not require a password.
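A quick way to audit the Guest settings described above is to check the output of "net user Guest". The following is an added example, not part of the original notes; it assumes English-locale output, and the sample text is constructed rather than captured from a real host.

```python
import re

# Constructed sample of `net user Guest` output (not from a real host).
SAMPLE_GUEST = """\
User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
Account active               Yes
Account expires              Never

Password last set            1/1/2001 12:00 AM
Password required            No
User may change password     No

Local Group Memberships      *Guests
The command completed successfully.
"""

# A field line is a label, a run of two or more spaces, then the value.
FIELD = re.compile(r"^(?P<key>\S.*?)\s{2,}(?P<value>\S.*)$")


def parse_net_user(text):
    """Turn the 'label   value' lines of `net user <name>` into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:  # lines without a value (e.g. an empty Full Name) are skipped
            fields[m.group("key").strip().lower()] = m.group("value").strip()
    return fields


def audit_account(text):
    """Return findings for one account; an empty list means nothing to flag."""
    fields = parse_net_user(text)
    name = fields.get("user name", "?")
    active = fields.get("account active", "").lower() == "yes"
    pw_required = fields.get("password required", "").lower() == "yes"
    findings = []
    if name.lower() == "guest" and active:
        findings.append("Guest is enabled (disabled by default)")
    if active and not pw_required:
        findings.append(f"{name} is active and does not require a password")
    return findings


if __name__ == "__main__":
    for finding in audit_account(SAMPLE_GUEST):
        print("FINDING:", finding)
```
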
Domain User Accounts
To access resources on the network, you need to use a domain user account.
When a domain user account is created, it exists in Active Directory and is
accessible from anywhere in the domain.
User-defined Domain Accounts
User-defined domain accounts are those that an administrator creates to allow
users to log on to a domain and access resources anywhere on the network.
User-defined domain accounts are created on a domain controller. The domain
controller replicates the new user account information to all domain
controllers in the domain.
Built-in Domain User Accounts
Windows 2000 provides two built-in domain user accounts - Administrator and
Guest. These built-in user accounts are similar to the built-in user accounts
available on local computers in workgroups. The main difference is that these
accounts enable access to the entire domain.
Groups
A group is a collection of user accounts. You can assign access
permissions to all members of a group at one time, so that you do not need
to assign the permissions individually. A group can exist on a local computer
only, on computers within a single domain, or on computers across multiple
domains.
Groups on a Local Computer
On local computers (computers that are not domain controllers), you can
create only local groups in the local security database. A group located
on a computer that is not a domain controller provides security and access
for the local computer only.
Groups on a Domain Controller
On a domain controller, you create groups in Active Directory. A group that
exists on a domain controller can include users throughout the entire domain
or across multiple domains.
Local User Accounts - Users on local computer
Domain User Accounts - Stored in Active Directory.
Username Rules:
1-20 characters
no meta characters, periods, or spaces
Initial user accounts - Administrator, Guest, Initial User
Local User Profile - stored in \Documents and Settings\
also contains NTUSER.DAT
Mandatory Profile - NTUSER.MAN
Only Roaming Profiles can use Mandatory Profiles.
To create, rename NTUSER.DAT to NTUSER.MAN.
Use the "Copy To" feature, as with all other profiles:
System Properties, Profiles, Copy To
Power Users can set up printers, but cannot modify NTFS permissions unless,
like any user, they have Full Control.