Step-by-Step: Adding a New User Account in Windows 2000 (Professional/Server/Advanced Server)
May 5, 2001

By creating a separate user account for each person who is allowed to change things on your webserver (not for visitors to your website), you add another layer of security to your server.  Each user account can be added to one of several default user groups, from "Administrator" down to "User".  Each user group has a specific level of authority to access system files and make configuration changes.  However, the user group settings do not control where and what the user has control over.  You have to set this with the NTFS security settings AND make them FTP and Web operators in the IIS configuration.

For security reasons, it is a good idea to give each account the lowest possible level of privilege (make them "Users", not "Administrators") and then use the NTFS and IIS configuration to give them more access (or limit their access).  The user groupings aren't as useful as you might think in this situation.  If you do not have other people with web space on your server, you probably don't need to create new accounts.

Also, you do not need to create user accounts for people to visit your website anonymously.  An account called "IUSR_servername" is created for you automatically when you install IIS, where "servername" is the name of your server.  DO NOT delete this account.  Without this account, nobody can visit your website.

Here we will show how to set up the account and pick a user group.

Start -> Settings -> Control Panel -> Administrative Tools -> Computer Management

Double click on "Local Users and Groups".  Right click on "Users" and select "New User".

Here you fill out the first three lines with the user's information.  You also set the user's password.  There are four options with the account:

  • User must change password at next login
  • User cannot change password
  • Password never expires
  • Account is disabled

You can set these as you wish.

In our example, the account name is "dslcableguest" and the rest is for reference only.  After you are done configuring the settings to your liking, click on "Create".

The computer asks whether you want to create another account.  If you do not, click "Close".

Now we can configure some of the properties of the account.  Right click on the user name you want to configure and select "Properties".  You will see 4 tabs with several options for you to choose from.  This first tab has the same information that we entered when we first created this account.

This second tab "Members Of" allows us to make this account a member of several preset groups.  Each group has different levels of authority and privileges for what they can do to the server.  If you are adding an account for somebody who is going to be a full administrator, then you need to add him/her to the "Administrator" group.  For somebody who has web space and needs web and FTP access, you should probably leave them in the "Users" group and instead use NTFS and IIS Configuration to give them access to their section of the webserver.  You don't want to give them Administrative access since they would then be able to control the whole webserver.  You just want them to have control of their section and NTFS and IIS configuration is the best way to localize their sphere of control.

However, if you do want to add them to a group other than the default "Users", click the "Add" button.

Select the group which you want them to be a member of and then click "Add".  Now you're pretty much done.  Like I said before, don't give your users more privileges than necessary.  I would suggest leaving them as "Users".  Only if you have very specific reasons should you promote them to have greater privileges.  Be careful.

This third tab has more options.  You can leave these alone.

The fourth tab is for "Dial-in" options for users who dial in and log in to your webserver.  Set these accordingly.  If you don't have dial-in for your users, don't worry about it.
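To check afterwards that web-space accounts really were left in "Users", the following added example (not part of the original walkthrough) parses the text printed by `net localgroup <group>` and flags any listed account that sits in another group. The sample output, the machine name WEB01 and the accounts webuser2 and webuser3 are constructed for illustration; only dslcableguest comes from the page.

```python
# Constructed `net localgroup <group>` output for illustration (not from the page).
ADMINS_OUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
dslcableguest
The command completed successfully.
"""
USERS_OUT = """\
Alias name     Users
Comment        Users are prevented from making accidental or intentional system-wide changes

Members

-------------------------------------------------------------------------------
dslcableguest
WEB01\\webuser2
The command completed successfully.
"""

def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in (l.strip() for l in output.splitlines()):
        if not in_list:
            in_list = line.startswith("-----")
        elif not line or line.lower().startswith("the command completed"):
            break
        else:
            members.append(line)
    return members

def audit(web_accounts, group_outputs):
    """Flag web-space accounts in any group other than Users, or in no listed group.
    Names are compared without the MACHINE or DOMAIN prefix and ignoring case."""
    membership = {g: {m.rsplit("\\", 1)[-1].lower() for m in parse_members(text)}
                  for g, text in group_outputs.items()}
    findings = []
    for acct in web_accounts:
        groups = sorted(g for g, names in membership.items() if acct.lower() in names)
        extra = [g for g in groups if g.lower() != "users"]
        if extra:
            findings.append((acct, "over-privileged", extra))
        elif not groups:
            findings.append((acct, "not in Users", []))
    return findings
```

Call `audit(["dslcableguest", "webuser2", "webuser3"], {"Administrators": ADMINS_OUT, "Users": USERS_OUT})` to see dslcableguest reported as over-privileged and webuser3 as missing from "Users"; on a real server, pass in the captured output of `net localgroup` for each group you care about.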

