LabMice.net - The Windows 2000\XP\.NET Resource Index
Home | About Us | Search

Last Updated December 16, 2003

Windows 2003
Windows 2000

  Active Directory
  Administration
  Backup & Restore
  Clustering
  Deployment
  Disk Management
  File Management
  Install & Setup
  Interoperability
  MMC Resources
  Printer Mgmt
  Registry
  Terminal Services
  Time Synch
  Troubleshooting
  User Management
Windows XP
BackOffice
Book Reviews
Career Tools
Device Drivers
Hardware Guides
MCSE Toolkit
Networking
Scripting
Security
Service Packs
Utilities
Cybercheese

_______________

 

 

 

 

 

 

Windows 2000 User Management icon

Windows 2000 User Management

User Management can be one of the most time consuming tasks for network administrators. Automation, good policies, and an educated user community are the keys to keeping your support calls to a minimum. And with Windows 2000 you can now grant more specific permissions to support staff without giving them full Administrator privileges.

Recommended Books

Windows 2000 User Management
By Lori Sanders. Published by New Riders, March 2000. Paperback 239 pages. ISBN 156205886X Help desk managers and administrators who spend much of their time managing users will find this book invaluable. Although this topic is covered in many Windows 2000 references, this book is by far more practical, comprehensive, and easier to read. The author writes from her own experiences, relating real world examples, pitfalls, criticisms, and advice that any administrator can benefit from. Divided into three sections, the book begins with an overview of the new user management functions in Windows 2000, as well as an overview of Active Directory. The mid section covers User management including group management, migrating users from other directory structures, ADSI scripting, and creating users. The final section focuses on managing the users environment and desktop. 
Where to start...

Step-by-Step Guide to User Data and User Settings
This guide includes scenarios showing the benefits of User Data Management and User Settings Management. It is designed to help administrators understand how they can use these features in their organizations. Source: Microsoft.com (March 2, 2000)

Useful articles

Administration

Creating User and Group Reports in Windows NT 
Microsoft Knowledge Base Article: 137848 - There are no graphical or command line utilities that produce comprehensive reports on groups, users and permissions included with the Windows NT Operating System or the Windows NT Resource Kit. The NET commands and the Windows NT 3.5 Resource Kit ADDUSERS.EXE and PERMS.EXE utilities can be used to create limited administrative reports by piping the output to a text file. 

HOW TO: Assign a Home Directory to a User 
Microsoft Knowledge Base Article: 320043 - This step-by-step article describes how to assign a home directory to a user by using the Active Directory Users and Computers MMC, the Computer Management MMC, a logon script, or the command line. 

HOW TO: Change a User Name in a Domain in Windows 2000 
Microsoft Knowledge Base Article: 323000 - This step-by-step article describes how to change a user name in Windows 2000 Active Directory. 

How to Determine the Currently Logged on User with Windows NT 4.0 and Windows 2000
Microsoft Knowledge Base Article: 156694 - In Windows NT Server version 3. x , you can use the title bar of Program Manager to determine the name of the currently logged-on user. This information is not immediately available in Windows NT Server 4.0, but you can obtain it by using one of the... 

How to Display and Administer All Users in Active Directory 
Microsoft Knowledge Base Article: 237548 - An administrator may want to generate a list of users in Active Directory. Once the users are displayed, the administrator can select multiple accounts to administer. 

How to Generate a List of Users 
Microsoft Knowledge Base Article: 149781 - The User Manager application does not provide a method for generating a list of user accounts for a Microsoft Windows NT server or domain. 

How to Modify the Right to Display Users in User Manager
Microsoft Knowledge Base Article: 180782 - When you use the User Manager tool on a computer running Windows NT, domain users or Guest account users may be able to display the list of user accounts and group accounts. This article describes how to use the Listacct.exe tool to modify 

HOW TO: Rename the Administrator and Guest Account in Windows 2000 
Microsoft Knowledge Base Article: 320053 - This step-by-step article describes how to change the administrator account and guest account names by using Group Policy. 

HOW TO: Restore a User Profile in Windows 2000 
Microsoft Knowledge Base Article: 314045 - This step-by-step article describes how to restore a user profile as well as the following user profile items: 

Installing Usrmgr.exe and Srvmgr.exe in Windows 2000 Professional 
Microsoft Knowledge Base Article: 237995 - Microsoft Windows NT 4.0 domain controllers (DCs) cannot be fully administered from Windows 2000 Professional workstations without Usrmgr.exe and Srvmgr.exe. These services are not provided on Windows 2000 Professional workstations. 

Redirecting the My Documents Folder for All Users in Windows 2000
Microsoft Knowledge Base Article You can use Group Policy to redirect the My Documents folder to a different network path on the domain for all users without having to set up an individual policy for each user. 

Using Usrmgr.exe with Windows 2000 Terminal Services on Windows NT 4.0 Domain
Microsoft Knowledge Base Article: 261099 - This article describes how to use User Manager in Windows 2000 to gain access to additional user properties that are available for use with Terminal Services in a Windows NT 4.0-based domain. 

Usrmgr Not Just for Domains
Use User Manager for Domains to manage workstation and member server accounts. Source: Windows & .NET Magazine (August 2002)


Creating Accounts

AddUsers Automates Creation of a Large Number of Users 
Microsoft Knowledge Base Article: 199878 - The Addusers.exe tool for Windows NT is a 32-bit administrative utility that uses a comma-delimited text file to create, modify, and delete user accounts. Addusers is most beneficial when the information to be manipulated is maintained in a spreadsheet, such as one created with Microsoft Excel, that can be converted to a comma-delimited file. You must be a member of the Administrators group on the target computer to add accounts and a member of the Users group to write to accounts.

Basic User Account Creation with ADSI Scripting 
Microsoft Knowledge Base Article: 230750 - The Active Directory Services Interface (ADSI) tool provides a single consistent set of interfaces that can be called in scripts using the Microsoft Windows Script Host, or other scripting languages (VBScript and JScript are supported natively). 

Creating a Workstation only Administrator 
Microsoft Knowledge Base Article: 125782 - Describes how to add a pseudo-administrative account to a domain to allow a user to administer and maintain Windows NT workstations but not servers.


Configuring Accounts

Batch Process to Create and Grant Access to Home Directories
Microsoft Knowledge Base Article: 155449 - When administrators need to create large numbers of users and corresponding home directories, the task can be simplified by using a batch process rather than creating each home directory individually through Windows NT File Manager or Windows 

How to Add a Master Domain Administrator Account to the Local Administrators Group of a Resource Workstation 
Microsoft Knowledge Base Article: 297307 - This article describes how to add a master domain Administrator account to the local Administrators group on a workstation in a resource domain. 

How to Allow Normal Users Temporary Access to Local Administrator Tasks 
Microsoft Knowledge Base Article: 231270 - Describes how to let normal users perform a task or run a program on their computers that requires administrative privileges without changing the users' current security settings.

HOW TO: Configure User and Group Access on a Windows NT 4.0-Based or Windows 2000-Based Intranet
Microsoft Knowledge Base Article: 300985 - The World Wide Web (WWW) and FTP services that are included with Microsoft Internet Information Server and Microsoft Internet Information Services are fully integrated with Windows 2000 user accounts and file access permissions. 

HOW TO: Configure a User Account to Log on to Windows 2000-Based Computer from a NetWare Client 
Microsoft Knowledge Base Article: 316100 - This step-by-step article describes how to configure a domain user account so that it can log on to a Windows 2000 Server-based computer (on which File and Print services for NetWare is installed) from a NetWare client computer. After you do so, the user account will be able to access resources on this server from a NetWare client computer. 

How to Create User Shares for All Users in a Domain with ADSI 
Microsoft Knowledge Base Article: 234746 - This article contains a sample script that demonstrates how to create user folders and share them for each user in the domain in which you are logged on. 

HOW TO: Delegate Administrative Authority in Windows 2000 
Microsoft Knowledge Base Article: 315676 - This step-by-step article describes how to delegate administrative authority in Windows 2000. An administrator can use this feature in Windows 2000 to delegate administrative authority over one or more organizational units (OUs) to a user or group, without giving that user or group administrative authority throughout the domain. This increases the flexibility with which administrators can assign responsibility over a specified set of user/group accounts, printers, or other resources that can be placed into an organizational unit. 

How To Delegate the Unlock Account Right
Microsoft Knowledge Base Article: 294952 - This article describes the process to delegate the right to unlock locked user accounts to a particular group or user in Active Directory. 

How to Enable Automatic Logon in Windows NT/2000 
Microsoft Knowledge Base Article: 97597 - Windows NT allows you to automate the logon process by storing your password and other pertinent information in the Registry database. 

How to Enable User Environment Event Logging in Windows 2000 
Microsoft Knowledge Base Article: 186454 - This article describes how to enable the user environment event logging features available in Windows 2000.

How the Local User Accounts Are Handled When a Server Is Promoted to a Domain Controller 
Microsoft Knowledge Base Article: 296561 - This article describes how local user accounts are handled when a server is promoted to a domain controller.
 

How to Run Programs Automatically When a User Logs On 
Microsoft Knowledge Base Article: 240791 -  Describes how to use group policies in Windows 2000 to configure a program to run automatically when a user logs on. 

How to Set User Rights in Windows 2000 
Microsoft Knowledge Base Article: 220019 - This article describes how to set user rights in Windows 2000. 

Limiting a User's Concurrent Connections in Windows 2000 and Windows NT 4.0 
Microsoft Knowledge Base Article: 237282 - Describes how to limit concurrent connections for all users in a Windows 2000 or Windows NT 4.0 environment. 

User Rights 
Windows NT Magazine article assigning or removing rights to customize your network, by Michael Reilly.


Group Membership

Group Type and Scope Usage in Windows 2000
Microsoft Knowledge Base Article: 231273 - Microsoft Windows 2000 extends the Microsoft Windows NT 4.0 concept of user groups by adding Universal and Distribution groups. In Windows NT 4.0, there are only Global and Local groups, and both are considered Security groups. 

How to Add Special Groups to Built-In Groups
Microsoft Knowledge Base Article: 292781 - If you, as the administrator, delete one of the memberships of a special group, such as Authenticated Users, from a Built-in Domain Local Users group on a domain controller in Windows 2000, you cannot re-add the group by using the Active Directory Users and Computers tool. To add one of the special groups to a domain local group on a domain controller, use the net localgroup command.

HOW TO: Add Users to the Pre-Windows 2000 Compatible Access Group 
Microsoft Knowledge Base Article: 303973 - This step-by-step article describes how the Pre-Windows 2000 Compatible Access group is used, why it is needed in a mixed-mode domain, and how to set up the group up by using the Active Directory Users and Computers snap-in and command line 


Profiles

Differences in the User Profiles of Windows 95, Windows 98, Windows NT, and Windows 2000
Microsoft Knowledge Base Article: 269378 - Microsoft Windows 95, Windows 98, Windows NT and Windows 2000 all contain and support user profiles and in many respects, they behave the same. However, there are some differences. These differences may cause a Windows 95 or Windows 98  user profile to not be used or transferred to a Windows NT 4.x or Windows 2000 user profile with the exception of Windows 95 and Windows 98 clients that have been upgraded to Windows 2000 Professional. In this case, their user profile are converted.

Differences in the User Profiles in Windows 
Microsoft Knowledge Base Article: 269378 - Windows 95, Windows 98, Windows NT and Windows 2000 contain and support user profiles, and in many respects, they behave the same. However, there are some differences. These differences may prevent a Windows 95 or Windows 98 user profile from being used or transferred to a Windows NT 4. x or Windows 2000 user profile with the exception of Windows 95 and Windows 98 clients that have been upgraded to Windows 2000 Professional. In this case, their user profile are converted.

Duplicating User Profiles in Windows 2000
Microsoft Knowledge Base Article: 255095 - This article describes how to duplicate user profiles in Microsoft Windows 2000.

How to Assign a Logon Script to a Profile for a Local User 
Microsoft Knowledge Base Article: 258286 - This article describes how to assign a logon script to a profile for a local user's account on a Windows 2000 Professional workstation or a Windows 2000 Server. This logon script runs when the local user logs on locally to the computer.

How to Assign the Administrator Profile to Other Users
Microsoft Knowledge Base Article: 156568 - In Windows NT 4.0 and in Windows 2000, if you log on as an administrator and make some changes to your desktop, such as moving the taskbar, creating a shortcut, or installing software, and then log off and log on again as another user who has equivalent access right as administrator, you will find that all the changes made by the administrator are not available. 

HOW TO: Assign a Mandatory User Profile in Windows 2000 
Microsoft Knowledge Base Article: 323368 - This step-by-step article describes how to assign a mandatory user profile for Windows 2000-based client computers in a Windows 2000 domain.

HOW TO: Change the Default Location of User Profiles and Program Settings 
Microsoft Knowledge Base Article: 322014 - This article describes how to move a user's Documents and Settings folder.

HOW TO: Configure Client User Profile Information for a Roaming User on Windows 2000
Microsoft Knowledge Base Article: 307964 - Roaming users move between different computers on a network. This article describes the procedures that you have to use to enable and configure profile information for each of the roaming users in your organization. This article assumes the operating system on your primary domain controller (PDC) is Windows 2000

How to Create and Copy Roaming User Profiles in Windows NT 4.0 and Windows 2000
Microsoft Knowledge Base Article: 142682 - On occasions, it may be necessary for an administrator to copy a defined User Profile to a number of Users, which will present each of them with an identical initial profile for their first logon, which they will then be able to modify as required.

HOW TO: Create a Custom Default User Profile 
Microsoft Knowledge Base Article: 305709 - This article describes how to create a custom default user profile in Windows 2000. A custom default user profile is helpful if several people use the same computer but each user wants a separate profile along with access to shared resource.

HOW TO: Create a Roaming User Profile 
Microsoft Knowledge Base Article: 302082 - This step-by-step article describes how to create a roaming user profile. Roaming user profiles provide the user with the same working environment, no matter which Microsoft Windows NT-based computer to which the user logs on. 

HOW TO: Delete a User Profile 
Microsoft Knowledge Base Article: 313918 - This step-by-step article describes how to delete a user profile from a local computer. If you use this method, you delete the %SystemRoot%\Documents and Settings.

How to Move the Location of a Locally Cached Profile 
Microsoft Knowledge Base Article: 214470 -
By default, the locally cached copy of a profile is stored in %SystemRoot%\Profiles\, which may be an issue if you have a large number of people logging on to a computer. If you have a large number of people logging on to a computer (which creates a large number of profiles), disk space on the operating system partition may become scarce. You can move the locally cached copy of a profile to another local partition

How to Migrate User Profiles to Windows 2000 
Microsoft Knowledge Base Article: 234548 - This article describes how to migrate your user profile settings in Microsoft Windows 95/98 when you upgrade to Windows 2000. 

How to Prevent a User from Changing the User Profile Type
Microsoft Knowledge Base Article: 150919 - If roaming user profiles are used with Windows NT 4.0 systems, system administrators may wish to not allow users to change the profile type to local. To do this, remove the read permission from the %systemroot%\System32\Sysdm.cpl file for the users or groups that should not be able to modify profile settings. This removes the System icon from Control Panel. As a result, those users cannot change system settings. 

HOW TO: Prevent Folders from Roaming with a Profile in Windows 2000 
Microsoft Knowledge Base Article: 315415 - This step-by-step article describes how to use a group policy to prevent specific folders that are contained in a roaming-user profile from being copied to the server. 

HOW TO: Restore a User Profile 
Microsoft Knowledge Base Article: 314045 - This step-by-step article describes how to restore a user profile as well as the following user profile items: 

How to Use %LOGONSERVER% to Distribute User Profiles
Microsoft Knowledge Base Article: 141714 - If you want to specify a domain server that validates a user logon, use the environment variable %LOGONSERVER% in a PATH statement. This article describes how you can use %LOGONSERVER% to distribute user profiles. 

How to Use Windows 95 and Windows 98 Roaming User Profiles with Windows 2000 Server 
Microsoft Knowledge Base Article: 264866 - Windows 95 and Windows 98 clients support the use of roaming user profiles; however, they behave differently from the user profiles found in Windows NT 4 and Windows 2000. This article explains how to implement roaming user profiles for Windows 95 and Windows 98 clients connecting to a computer running Windows 2000 Server 

Roaming Profile Creation in Windows Using the "Copy To" Command 
Microsoft Knowledge Base Article: 243420 - Roaming profiles contain user work environments, which include the desktop items and settings. Some examples of these environments are screen colors, mouse settings, window size and position, and network and printer connections. Roaming profiles... 

User Profile FAQ 
From the Microsoft Support Center.

User Profile Storage in Windows 2000
Microsoft Knowledge Base Article: 228445 - The naming convention for user profile folders in Windows 2000 is different from that used in Microsoft Windows NT 4.0 and earlier versions. This article describes the location for user profile folders and how subfolders are created for individual user profiles. 

WebCast: User Profiles in Microsoft Windows 2000  
Level:200 This presentation describes the changes and enhancements included in roaming user profiles in Windows 2000.


Security

14 Day Password Change Notification Cannot be Changed 
Microsoft Knowledge Base Article: 135403 - In Windows NT 3.x, when your password is 14 days from expiration, you receive a Password Change Notification when logging on requesting you to change your password. If the Maximum Password Age is set to 30 days, you receive the notice when your password is only half way through its life span. Although you may wish to change the advance time of the reminder, the Password Change Notification is hard coded at 14 days in Windows NT 3.x and is not configurable. In Windows NT 4.0, a new registry parameter is available to allow administrators to configure the number of days at which the Password Change Notification is presented. The implementation of this new parameter requires that the registry change be made on the client computer. 

Behavior of SAM Account Names and UPN Suffixes Containing At Signs
Microsoft Knowledge Base Article: 276424 - If you create a user whose Security Accounts Manager (SAM) account name contains the at sign (@), or if you specify a User Principal Name (UPN) suffix which contains the at sign, you may encounter unexpected behavior. 

How to Enable User Environment Event Logging in Windows 2000 
Microsoft Knowledge Base Article: 186454 - This article describes how to enable the user environment event logging features available in Windows 2000.

HOW TO: Monitor for Unauthorized User Access 
Microsoft Knowledge Base Article: 300958 - This article describes how to monitor your system for unauthorized user access. There are two main steps: Enabling security auditing and viewing the security logs. Note that different systems have different security needs, and the security topic is complex. Any user who sets up security audits on your system must be assigned to administrative groups or be given security rights and privileges
.

HOW TO: Prevent Users From Changing a Password Except When Required in Windows 2000 Microsoft Knowledge Base Article: 309799 - This step-by-step article describes how to prevent users from changing their password except when they are required to do so. Centralized control of user passwords is a cornerstone of a well-crafted Windows 2000 Security scheme. 

How to Prevent a User from Changing the User Profile Type
Microsoft Knowledge Base Article: 150919 - If roaming user profiles are used with Windows NT 4.0 systems, system administrators may wish to not allow users to change the profile type to local. To do this, remove the read permission from the %systemroot%\System32\Sysdm.cpl file for the users or groups that should not be able to modify profile settings. This removes the System icon from Control Panel. As a result, those users cannot change system settings. 

How to Prevent Windows 2000 Users from Changing Personal Detail Information
Microsoft Knowledge Base Article: 292304 - This article describes how you can prevent a user from changing your personal detail information on Windows 2000.

Limiting a User's Concurrent Connections in Windows 2000 and Windows NT 4.0 
Microsoft Knowledge Base Article: 237282 - Describes how to limit concurrent connections for all users in a Windows 2000 or Windows NT 4.0 environment. 

Account Lockout Is Not Audited for Local/SAM User Accounts 
Microsoft Knowledge Base Article: 314786 - If a local Security Accounts Manager (SAM) account on a workstation or server (either a workgroup or domain member) is automatically locked because the bad password count passes the threshold, the event is not audited even if auditing is turned on

Troubleshooting Articles
"Access Denied" Error Message When Updating Roaming User Profile
Microsoft Knowledge Base Article: 257848 - When a user with a roaming user profile logs off, the following error message may be displayed: Windows cannot update your roaming profile. Contact your network administrator. DETAIL - Access is denied The same user may have no problem when logging off a Microsoft Windows NT 4.0-based client using the same roaming profile. With Windows 2000-based clients, the behavior is the same whether the roaming profile server is a Windows NT 4.0-based or Windows 2000-based server.

Account Lockout Because BadPasswordCount Not Reset to 0
Microsoft Knowledge Base Article: 263821 - User accounts may get locked out in a mixed environment with Windows 2000-based domains and Microsoft Windows NT 4.0-based domains. 

Administrative Limit Exceeded When You Are Adding Users or Groups 
Microsoft Knowledge Base Article: 255013 - When you attempt to add users or groups on a domain controller, you may receive the following error message: Administrative Limit Exceeded  

AddUsers Automates Creation of a Large Number of Users 
Microsoft Knowledge Base Article: 199878 - The Addusers.exe tool for Windows NT is a 32-bit administrative utility that uses a comma-delimited text file to create, modify, and delete user accounts. Addusers is most beneficial when the information to be manipulated is maintained in a spreadsheet, such as one created with Microsoft Excel, that can be converted to a comma-delimited file. You must be a member of the Administrators group on the target computer to add accounts and a member of the Users group to write to accounts. 

Cannot Add Local Users Using "Users and Passwords" Tool 
Microsoft Knowledge Base Article: 221759 - When you are logged on to a computer that is part of a Windows 2000 domain, you cannot create local machine accounts using the "Users and Passwords" tool in Control Panel. 

Cannot Copy Current User Profile
Microsoft Knowledge Base Article: 227575 - When you are logged on as a user and you use the System tool to copy your current profile, you may receive the following error message: 

Cannot Delete Cloned User Accounts that Include Security Identifier History from Local Groups
Microsoft Knowledge Base Article: 278693 - When you use a tool, such as, the Active Directory Migration Tool (ADMT), to migrate user accounts from a Microsoft Windows NT 4.0 domain to a Microsoft Windows 2000-based system, and then you add these users to a Local group, the accounts cannot be deleted. 

Cannot Use Administrative Tools to Manage User Accounts If UsernameContains a Slash Mark 
Microsoft Knowledge Base Article: 255003 - When you are using administrative tools that call the MprAdminUserSetInfo function to change user account settings, the function call may not work if the account name that you are configuring contains a slash character (/). This causes the tool not to succeed. 

Cannot Use "/" Character in Local Group Names 
Microsoft Knowledge Base Article: 218925 - You cannot use the forward slash character (/) in group names in Windows 2000. Note that group names created in Microsoft Windows NT 4.0 do allow the forward slash character. 

Cannot Use Users and Passwords Wizard After Installing Multilanguage Pack
Microsoft Knowledge Base Article: 285790 - After you install Multilanguage Pack (MUI) and choose a preferred language (such as French) for menus and dialog boxes, the Users and Passwords Wizard does not create new standard users, and generates the following error message: The user could not be added because the following error occurred: the group name cannot be found (updated 6/20/2001) 

Cannot Use "Copy To" Button for a Domain User Profile from Windows 2000 Professional
Microsoft Knowledge Base Article: 255573 - Administrators cannot use the Copy To button on the User Profiles tab in System properties to copy a domain user profile from a Windows 2000 Professional-based computer that is a member of a Microsoft Windows NT 4.0-based domain. When you attempt to do so, the Look in box in the Select User or Group dialog box does not display the list of domains. Instead, the Look in box is unavailable, and the name of the local computer is the only available name. (updated 2/22/2001)

Domain Users Cannot Join Workstation or Server to a Domain
Microsoft Knowledge Base Article: 251335 - When you attempt to join a Windows 2000 domain from a computer running Windows NT 4.0 Workstation or Windows NT 4.0 Server, the following error message may be displayed: 

Error Message May Occur When You Add User Names in Windows 2000 
Microsoft Knowledge Base Article: 266633 - When you attempt to add users or computers, you may receive the following error message: 

Groups with Certain Characters Cannot Be Created in Windows 2000 
Microsoft Knowledge Base Article: 301222 - In Microsoft Windows NT version 4.0 a bug exists that permits the creation of groups with restricted characters. In Windows 2000 this bug is corrected by adding a check on the server before a group can be created with these characters. Although an upgrade is not blocked nor are any existing groups with these names modified in any way, it is recommended that groups with these names be renamed to conform to the normal group-naming convention. 

Guest Account Is a Member of the Domain Users Group 
Microsoft Knowledge Base Article: 312136 - In a Windows 2000 domain where anonymous access has been turned on for the Guest account, the Guest account has access to resources that Domain Users are granted permissions to. The Guest account is a member of the Domain Users group. 

Folder Redirection Does Not Work After You Delete a Profile 
Microsoft Knowledge Base Article: 309144 - If you delete a user's profile and then later re-create the profile, the folder-redirection portion of a policy may not be reapplied when the user logs on to a workstation. The rest of the policy is applied correctly. If you then change the 

Hair Color of the "Person" Icon for a User Group Becomes Gray If the Group Contains More Than 500 Users
Microsoft Knowledge Base Article: 281923 - If a user group contains more than 500 users, the hair color of the "person" icon for the group changes to gray. This does not affect the functionality of the group or the users for whom the hair color of the icon changes. This issue affects built-in groups, local groups, and global groups. 

Increased Account Lockout Frequency in Windows 2000 Domain
Microsoft Knowledge Base Article: 264678 - In a domain that contains Windows 2000-based domain controllers and Windows 2000-based servers or clients, users may experience account lockouts with fewer incorrect authentication attempts than the domain's Account Lockout policy might indicate. 

Logon Time Restrictions Prevent Users on Windows NT 4.0 from Remotely Accessing Windows 2000 Resources 
Microsoft Knowledge Base Article: 263006 - In an environment with a Microsoft Windows NT 4.0-based primary domain controller (PDC) and Windows 2000-based computers, non-administrative users who are logged on to Windows NT 4.0-based computers may not be able to gain access to Windows 2000 Resources remotely. 

Membership From the Local Group Cannot Be Deleted for Migrated Users that Have an SID History Field
Microsoft Knowledge Base Article: 266673 - When you try to use Clonepr.vbs to clone users from Microsoft Windows NT 4.0-based domain to Windows 2000-based domain and the users from the Windows NT 4.0-based domain are members of any local group on a Windows 2000-based computer, you cannot remove the users from the local group. 

No Domains Listed in "Copy to" Dialog Box for Profiles
Microsoft Knowledge Base Article: 257489 - When you copy user profiles to another location, you can optionally change who is permitted to use a profile by selecting from a list of users and groups from the local computer account database (for a member server or Windows 2000 Professional 

Office Shortcuts May Not Migrate for Users Who Have Roaming Profiles 
Microsoft Knowledge Base Article: 305466 - Under the following conditions, Office Windows Installer shortcuts (.msi shortcuts) that you create from a roaming Windows 2000-based user profile may not point to the correct location or may not run correctly: 

Permissions for Distribution Group Are Not in the Standard Format 
Microsoft Knowledge Base Article: 290801 - When you use Active Directory Users and Computers to view permissions for a distribution group whose membership is hidden, the Special Security message box is displayed. The following message is displayed in the message box:

Problems if You Log On When a Program That Runs as a Service Loads User Hive 
Microsoft Knowledge Base Article: 314290 - If a program that is running as a service tries to load your user hive while your computer is starting and you try to log on to the computer at the same time, Windows may create a new profile for you.

Invalid Network Home Directory Specified in User Manager 
Microsoft Knowledge Base Article: 128795 - If you specify an invalid network Home Directory for a User Environment Profile in the user object properties, an error message appears: Windows can not edit the permissions on 'Group Name' because they have been written in a nonstandard format by another application. To enable editing, you must use the application to restore the permissions to a standard format. After you click OK, the permissions are displayed. 

Roaming Profile Folders Do Not Allow Administrative Access
Microsoft Knowledge Base Article: 222043 - When a roaming profile is written for the first time, permissions for the created folder

Roaming User Profiles Do Not Unload 
Microsoft Knowledge Base Article: 253820 - When you log off of your Windows 2000-based computer, you may receive an error message that indicates that your user profile cannot be unloaded. You may also receive the following event in the event log: 

Roaming Profile Accumulates Extra .tmp Files
Your roaming profile may accumulate extra files named Prf*.tmp, and the following error message may be logged in the Application event log: 

Start Menu Links Missing After User Profile Is Upgraded from Windows NT 4.0 to Windows 2000 Microsoft Knowledge Base Article: 316877 - When a profile is upgraded from Microsoft Windows NT 4.0 to Windows 2000, Command Prompt.lnk and Windows Explorer.lnk may be missing from the Start menu. 

Unable to Bring Up the User List from a Windows NT 4.0 Trusted Domain on a Windows 2000-Based Server
Microsoft Knowledge Base Article: 291684 - When you attempt to add users from a Microsoft Windows NT 4.0 trusted domain to a local group on a Windows 2000-based member server that is a member of a Windows NT 4.0 domain, you may receive the following error message even though Windows NT 4.0-based computers in the same domain are able to bring up the list: The specified domain does not exist.

User Accounts Added to Local Administrators Group After Upgrade 
Microsoft Knowledge Base Article: 182734 - When you upgrade from Microsoft Windows 95 or Microsoft Windows 98 to Windows 2000, all user accounts are added to the local Administrators group in Windows 2000

User Manager Does Not Display Horizontal Scroll Bars with Long Group Names 
Microsoft Knowledge Base Article: 317308 - If you are using the User Manager tool in Windows 2000 to administer users in a Microsoft Windows NT 4.0-based domain, and you are managing a user's group membership, the group names may be truncated. It may be difficult to differentiate among groups. 

User Names That Begin with "!" May Not Work with a Domain Controller 
Microsoft Knowledge Base Article: 303145 - User names that begin with an exclamation point (!) and are presented in their User Principle Name (UPN) format (for example, such as !test@ Domain .com) may not work when they are used to connect to a domain controller.

Users with Roaming Profiles Cannot Use EFS On Domain Controllers 
Microsoft Knowledge Base Article: 311513 - If the Encrypting File System (EFS - feature is configured for use in a Windows 2000-based domain environment and the "Delete cached copies of roaming profiles" policy is enabled, users with roaming profiles can encrypt files on Windows 2000 

This site and its contents are Copyright 1999-2003 by LabMice.net. Microsoft, NT, BackOffice, MCSE, and Windows are registered trademarks of Microsoft Corporation. Microsoft Corporation in no way endorses or is affiliated with LabMice.net. The products referenced in this site are provided by parties other than LabMice.net. LabMice.net makes no representations regarding either the products or any information about the products. Any questions, complaints, or claims regarding the products must be directed to the appropriate manufacturer or vendor.