Recommended Features for Network Clients

The following optional features define how Windows NT Workstation 4.0 will be installed and administered in your organization. These features are recommended for your preferred configuration.

User-Level Security

User-level security is based on user account lists stored on servers running Windows NT Server or Novell NetWare. The user accounts specify which users have access rights on the network. Windows NT Workstation 4.0 passes on a user's request for access to the servers for validation. Pass-through user-level security protects shared network resources by requiring that a security provider authenticate a user's request to access resources.

Users and groups have access to local shared resources (including the Registry). User-level security is required for remote administration of the Registry and for network access to full user profiles. User-level security includes the following features:

User Manager

User Manager allows you to edit and control individual user accounts and policies from a central location. A user with Administrative privileges can use the User Rights Policy Editor to define policies for the local workstation, such as which user accounts can be used to access the local workstation from the network.

Use the Account Policy Editor to set password restrictions and account lockouts.

User Profile Editor

User profiles allow multiple users sharing a single computer to customize their desktops and have those custom settings loaded at logon. Conversely, a single user can move between computers using the same profile if the administrator stores that profile on the server.

The administrator can control whether the users can change profile settings (that is, the appearance of the desktop, automatic network connections, etc.). An administrator can also use profiles to require that a mandatory desktop configuration be loaded each time a user logs on.

A local profile is created by default when a workstation user account is created. User profiles are not needed when only one person uses the computer, or when a custom desktop adds no value. If user profiles are not enabled, the logon process is shortened slightly, because the system does not need to locate and load the profile.

To use the User Profile Editor, a Windows NT Server must be available.

Remote Administration

To administer a computer's Registry from a remote computer, you must join a Windows NT domain and log on with an account that is a member of the Domain Admins group. Remote administration capabilities allow you to conduct a variety of tasks remotely over the network. These include administering the file system, sharing or restricting directories, and querying and making changes to the Registry.

Only members of the Domain Admins group can use the Remote Registry service of Windows NT Workstation 4.0.

Peer Resource Sharing Services

Peer resource sharing services allow a client computer to share files and resources such as printers and CD-ROM drives with other computers. If users are allowed to share local resources on their computers, peer resource sharing can reduce network traffic and save hard disk space on central servers by leveraging the power of individual computers. Remember, however, that Windows NT Workstation has a limit of 10 inbound connections from other client computers.

Whether to use peer resource sharing services depends on your site's security needs. For central control, or to prevent users from turning on this feature, use the User Rights Policy Editor.

Security for peer resource sharing services takes the form of user-level security based on the user accounts on a Windows NT Server or NetWare network. If you don't have servers to provide security validation or don't want to use user-level security, you can use share-level security, with each user implementing security and a password scheme on the local computer. Share-level security is set on a directory-by-directory basis.

A Microsoft Windows NT Client Access License is required if the computer will be connecting to servers running Windows NT Server. For information on client access licenses, contact your Microsoft reseller.

If you want to maintain centralized control, you can prevent users from turning on peer-to-peer networking. To do so, use the following procedure to disable peer resource sharing.

To disable peer resource sharing

1. On the Windows NT Server, start the User Rights Policy Editor in the User Manager for Domains utility.

2. Select the Show Advanced User Rights checkbox.

3. Select Create Permanent Shared Objects.

4. Remove any groups from the Grant To box.

5. Click OK.
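
One way to confirm the result of this procedure, as an added example that is not part of the original guide: the script parses a user-rights export and reports who still holds Create Permanent Shared Objects (internal name SeCreatePermanentPrivilege), along with the accounts that can access the workstation from the network. The export text is constructed, its layout assumes the [Privilege Rights] section written by `secedit /export` (a tool this page does not mention), and the function names are illustrative.

```python
# Added example: audit a user-rights export after the procedure above.
# SAMPLE_EXPORT is constructed. Its layout follows the [Privilege Rights]
# section written by `secedit /export` (assumption: a tool this page
# does not mention).
import configparser

# Internal name of the right shown as "Create Permanent Shared Objects".
CREATE_PERMANENT = "SeCreatePermanentPrivilege"
# Internal name of "Access this computer from the network".
NETWORK_LOGON = "SeNetworkLogonRight"

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeCreatePermanentPrivilege = *S-1-5-32-545
SeShutdownPrivilege = *S-1-5-32-544
"""

def privilege_rights(inf_text):
    """Map each user right to the list of SIDs or names that hold it."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the original case of right names
    parser.read_string(inf_text)
    if not parser.has_section("Privilege Rights"):
        raise ValueError("export has no [Privilege Rights] section")
    return {
        right: [h.strip() for h in value.split(",") if h.strip()]
        for right, value in parser.items("Privilege Rights")
    }

def audit(inf_text):
    """Report whether the Grant To list for the sharing right is empty."""
    rights = privilege_rights(inf_text)
    # A right with no holders is treated as absent or empty (assumption).
    holders = rights.get(CREATE_PERMANENT, [])
    return {
        "sharing_right_cleared": not holders,
        "sharing_right_holders": holders,
        "network_logon_holders": rights.get(NETWORK_LOGON, []),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

In the constructed sample the right is still granted to S-1-5-32-545 (the built-in Users group), so the audit reports that the Grant To list has not been cleared.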

Windows Messaging

The new Windows Messaging feature in Windows NT Workstation 4.0 manages all messaging information in one place, with a single inbox for electronic mail and other messages. In addition, Windows NT Workstation 4.0 comes with a complete small-business mail system — that is, a mail client and a post office — which allows users to exchange electronic mail through a single post office. This mail client integrates well with Microsoft Mail servers, and the post office can be upgraded to provide an enterprise-wide mail system.

You can also use a variety of other mail or messaging systems through Windows Messaging, as long as they use a MAPI 1.0 driver. If you have an existing mail system that doesn't use a MAPI 1.0 driver, you can continue to use that mail system without running the Windows Messaging capability.

Separate Memory Spaces For 16-Bit Applications

Windows NT Workstation allows you to run all 16-bit applications in Multiple Virtual DOS Machines (MVDMs). This ensures that an error in one application will not affect other applications, or bring down the entire operating system.

For compatibility reasons, some older applications may need to run in shared memory spaces. Test your older line-of-business applications against MVDMs to decide whether to keep this feature in your ideal client configuration.