Each site has a user, and part of the administrator's job is to make sure that the site's users have appropriate access to the site. To grant permissions to a Web site, you must add users to the site (either individually or as part of a cross-site group) and assign to a site group. In Microsoft Windows SharePoint services, you can add users and cross-site groups in one of two modes:
Domain account mode is used within an organization to grant permissions to users who have a ready-made domain account.
Active Directory account mode is used by Internet service providers to create unique accounts for customers.
When you first install and configure Windows SharePoint Services, you determine which mode to use and you cannot switch modes later. Regardless of the mode you use, you can add users and cross-site groups to a Web site using the command line tool or the HTML Administration page for the Web site.
About domain account mode
If you use Windows SharePoint Services within an organization that uses a Microsoft Windows domain account, you can use domain account mode for users and Cross-site group accounts. If you are using domain account mode, you can add the existing domain account information (including its user name and e-mail address) to the Web site using the user and Cross-site group. The domain account mode is the standard mode for Windows SharePoint Services. Note that you can use the Active Directory directory service to manage domain accounts-Two modes differ in the type of account you are using, not the tools you use to manage them.
About Active Directory account mode
If you are managing a Web site based on Windows SharePoint Services on the World Wide Web for use by customers, you can configure Windows SharePoint Services to automatically create Active directory catalogs for new users and Cross-site groups Service account. When you first configure Windows SharePoint Services, you must enable Active Directory account mode. Domain accounts cannot be used when using Active Directory account mode.
Creating users and Cross-site groups by using Active Directory account mode is the same as creating users by using domain account mode, except that when you add a user or cross-site group to a Web site, you only enter an e-mail address, not a domain account. Windows SharePoint Services checks Active Directory to see if an account with that e-mail address already exists. If a user or cross-site group already has an account in Active Directory, the account is used. If a user or cross-site group is new, an account is created for that user or group of users in Active Directory using Windows SharePoint Services credentials, and the account name and password are notified to the user by e-mail.
Note: When in Active Directory account mode, some administrative tasks are not available in HTML administration pages. For example, you cannot create a top-level Web site, you cannot enable self-service Site creation, and you cannot add users to a site from the Central Administration page. To perform these actions in Active Directory account mode, you must use the object model.
You must set the Minimum password age Group Policy on a domain controller to 0 days. Otherwise, users will not be able to change their passwords unless they have administrator privileges on the server. For more information about setting the Minimum password age Group Policy, see the Microsoft Windows 2003 Server online Help.