Review the account properties settings active in each user's individual profile via the User Manager utility.
Account Properties Settings
Full name - should be used to facilitate identifying management
Description - job, department, etc.
Change password at next log in - should be used for new users' initial log in
User cannot change password - forces administrator to manage password; may be used for vendor and other third party accounts
Password never expires - may be used to override global restriction in Accounts Policy
Account disabled
Account locked out
Groups - cross reference to groups audit procedures
Profile - each user should have a home directory, path statement, and log in script
Hours - log in time restrictions
Log on to - restricts the workstations from which the user may log in
Account - specifies local or global and may specify an expiration date
Assess user rights assigned to groups and individual users
Membership in Groups
Assess membership in sensitive built-in groups (administrators, domain administrators, account operators) using User Manager utility
User Access
Document user membership in groups allowed access to resources with audit significance using User Manager utility
Cross reference to the file system security audit steps, and assess the appropriateness of each user's membership in groups
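The same account properties and group memberships can be reviewed from text output when many accounts are involved. The following is an added example, not part of the original checklist: it assumes the English-language `net user <account>` output format and uses a constructed sample for a hypothetical account `svc_vendor`; the function names are illustrative.

```python
import re

# Constructed `net user <account>` output for a hypothetical vendor account.
SAMPLE = """\
User name                    svc_vendor
Full Name
Comment
Account active               Yes
Password expires             Never
User may change password     No
Workstations allowed         All
Logon script
Home directory
Logon hours allowed          All
Local Group Memberships      *Administrators       *Users
Global Group memberships     *Domain Users
"""
# Sensitive groups from the checklist ("domain administrators" = Domain Admins).
SENSITIVE = {"administrators", "domain admins", "account operators"}

def parse_net_user(text):
    """Map each label to its value; label and value are split by 2+ spaces."""
    fields, last = {}, None
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.rstrip(), maxsplit=1)
        value = parts[1] if len(parts) > 1 else ""
        if parts[0]:
            last = parts[0]
            fields[last] = value
        elif last:  # indented continuation line (wrapped group list)
            fields[last] += " " + value
    return fields

def review(fields):
    def v(key): return fields.get(key, "").strip().lower()
    groups = [g.strip() for k in ("Local Group Memberships", "Global Group memberships")
              for g in re.findall(r"\*([^*]+)", fields.get(k, ""))]
    checks = [  # (condition, checklist item to follow up on)
        (not v("Full Name"), "Full name: blank"),
        (not v("Comment"), "Description: blank"),
        (v("User may change password") == "no", "User cannot change password"),
        (v("Password expires") == "never", "Password never expires"),
        (v("Account active") != "yes", "Account disabled or locked out"),
        (not v("Home directory") or not v("Logon script"), "Profile: incomplete"),
        (v("Logon hours allowed") == "all", "Hours: no restriction"),
        (v("Workstations allowed") == "all", "Log on to: no restriction"),
    ]
    return [msg for hit, msg in checks if hit] + [
        f"Groups: member of {g}" for g in groups if g.lower() in SENSITIVE]
```

Each returned item is a prompt for auditor follow-up rather than a violation, since the checklist allows some of these settings for specific account types.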