Saturday, December 19, 2009

Creating and Managing User Objects

The user account is integrated into the Active Directory user object. The user object includes not just the user’s name, password, and SID, but also contact information, such as telephone numbers and addresses; organizational information including job title, direct reports and manager; group memberships; and configuration such as roaming profile, terminal services, remote access, and remote control settings. This topic reviews and extends your understanding of user objects in Active Directory.

Creating User Objects with Active Directory Users and Computers

You can create a user object with the Active Directory Users and Computers snap-in. Although user objects can be created in the domain or any of the default containers, it is best to create a user in an organizational unit, so that administrative delegation and Group Policy Objects (GPOs) can be fully leveraged.

To create a user object, select the container in which you want to create the object, click the Action menu, then choose New and choose User. You must be a member of the Enterprise Admins, Domain Admins, or Account Operators groups, or you must have been delegated administrative permissions to create user objects in the container. If you do not have sufficient permissions to create user objects, the New User command will be unavailable to you.

The New Object–User dialog box appears, as shown in the figure below. The first page of the New Object–User dialog box requests properties related to the user name.



Property Description

First Name: The user’s first name. Not required.

Initials: The middle initials of the user’s name. Not required.

Last Name: The user’s last name. Not required.

Full Name: The user’s full name. If you enter values for the first or last name, the full name property is populated automatically. However, you can easily modify the suggested value. The field is required. The name entered here generates several user object properties, specifically CN (common name), DN (distinguished name), name, and displayName. Because CN must be unique within a container, the name entered here must be unique relative to all other objects in the OU (or other container) in which you create the user object.

User Logon Name: The user principal name (UPN) consists of a logon name and a UPN suffix, which is, by default, the DNS name of the domain in which you create the object. The property is required and the entire UPN, in the format logonname@UPN-suffix, must be unique within the Active Directory forest. A sample UPN would be anyone@mcseweb.com. The UPN can be used to log on to any Microsoft Windows system running Windows 2000, Windows XP, or Windows Server 2003.

User Logon Name (Pre-Windows 2000): This logon name is used to log on from down-level clients, such as Microsoft Windows 95, Windows 98, Windows Millennium Edition (Windows Me), Windows NT 4, or Windows NT 3.51. This field is required and must be unique within the domain.

Once you have entered the values in the first page of the New Object–User dialog box, click Next. The second page of the dialog box, shown in the figure below, allows you to enter the user password and to set account flags.



Property Description

Password: The password that is used to authenticate the user. For security reasons, you should always assign a password. The password is masked as you type it.

Confirm Password: Confirm the password by typing it a second time to make sure you typed it correctly.

User Must Change Password At Next Logon: Select this check box if you want the user to change the password you have entered the first time he or she logs on. You cannot select this option if you have selected Password Never Expires. Selecting this option will automatically clear the mutually exclusive option User Cannot Change Password.

User Cannot Change Password: Select this check box if you have more than one person using the same domain user account (such as Guest) or to maintain control over user account passwords. This option is commonly used to manage service account passwords. You cannot select this option if you have selected User Must Change Password At Next Logon.

Password Never Expires: Select this check box if you never want the password to expire. This option will automatically clear the User Must Change Password At Next Logon setting, as they are mutually exclusive. This option is commonly used to manage service account passwords.

Account Is Disabled: Select this check box to disable the user account, for example, when creating an object for a newly hired employee who does not yet need access to the network.
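The same two pages of the New Object–User dialog can be driven from the ActiveDirectory PowerShell module. The script below is an added example, not code from the original post; it assumes the module is installed and that you hold the rights described above (Domain Admins, Account Operators, or a delegation on the target OU). The OU path, UPN suffix, and user details are constructed placeholders. It enforces the three uniqueness rules the dialog applies (CN within the OU, pre-Windows 2000 logon name within the domain, UPN within the forest) before creating the object, and sets only one of the two mutually exclusive password flags.

```powershell
# Added example (not from the original post): creating a user object with the
# ActiveDirectory module, field for field as in the New Object-User dialog.
# Assumes the ActiveDirectory module; OU path, suffix and user details are placeholders.
Import-Module ActiveDirectory

$ouPath    = 'OU=Staff,DC=mcseweb,DC=com'   # placeholder OU; prefer an OU over the default Users container
$upnSuffix = 'mcseweb.com'                  # placeholder UPN suffix (defaults to the domain DNS name)

# First page of the dialog: name properties.
$first    = 'Alex'
$initials = 'J'
$last     = 'Example'
$fullName = "$first $initials. $last"       # becomes CN, name and displayName; must be unique in the OU
$logon    = 'aexample'                      # pre-Windows 2000 logon name; must be unique in the domain
$upn      = "$logon@$upnSuffix"             # must be unique in the whole forest

# Enforce the uniqueness rules the dialog applies before calling New-ADUser.
if (Get-ADUser -Filter "sAMAccountName -eq '$logon' -or userPrincipalName -eq '$upn'") {
    throw "Logon name '$logon' or UPN '$upn' is already in use in the domain/forest."
}
if (Get-ADObject -Filter "cn -eq '$fullName'" -SearchBase $ouPath -SearchScope OneLevel) {
    throw "An object named '$fullName' already exists in $ouPath."
}

# Second page of the dialog: the password is read as a SecureString so it never
# sits in the script file or in the shell history.
$password = Read-Host -AsSecureString -Prompt "Initial password for $upn"

# ChangePasswordAtLogon and PasswordNeverExpires are mutually exclusive, so only the
# first is set; the account starts disabled, as for a hire who does not yet need access.
New-ADUser -Name $fullName `
           -GivenName $first -Initials $initials -Surname $last -DisplayName $fullName `
           -SamAccountName $logon -UserPrincipalName $upn `
           -Path $ouPath `
           -AccountPassword $password `
           -ChangePasswordAtLogon $true `
           -CannotChangePassword $false `
           -PasswordNeverExpires $false `
           -Enabled $false

# Read back the generated naming properties (CN/Name, displayName, DN) to confirm.
Get-ADUser -Identity $logon -Properties DisplayName |
    Select-Object Name, DisplayName, SamAccountName, UserPrincipalName, Enabled, DistinguishedName
```

Enable the account later with `Enable-ADAccount -Identity aexample` once the employee starts; leaving it disabled until then is the scripted equivalent of the Account Is Disabled check box.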

Managing User Objects with Active Directory Users And Computers

When creating a user, you are prompted to configure the most common user properties, including logon names and password. However, user objects support numerous additional properties that you can configure at any time using Active Directory Users And Computers. These properties facilitate the administration of, and the searching for, an object.

To configure the properties of a user object, select the object, click the Action menu, and then choose Properties. The user’s Properties dialog box appears, as shown in the figure below. An alternative way to view an object’s properties is to right-click the object and select Properties from the shortcut menu.



The property pages in the Properties dialog box expose properties that fall into several broad categories:

Account properties (the Account tab): These properties include those that are configured when you create a user object, including logon names, password and account flags.

Personal information (the General, Address, Telephones, and Organization tabs): The General tab exposes the name properties that are configured when you create a user object.

User configuration management (the Profile tab): Here you can configure the user’s profile path, logon script, and home folder locations.

Group membership (the Member Of tab): You can add and remove user groups, and set the user’s primary group.

Terminal services (the Terminal Services Profile, Environment, Remote Control, and Sessions tabs): These four tabs allow you to configure and manage the user’s experience when they are connected to a Terminal Services session.

Remote access (the Dial-in tab): Allows you to enable and configure remote access permission for a user.

Applications (the COM+ tab): Assigns Active Directory COM+ partition sets to the user. This feature, new to Windows Server 2003, facilitates the management of distributed applications.

Account Properties

Of particular note are the user’s account properties, on the Account tab of the user’s Properties dialog box. An example appears in the figure below.



Several of these properties were discussed above. Those properties were configured when creating the user object and can be modified, as can a larger set of account properties, using the Account tab. Several properties are not necessarily self-explanatory and deserve definition; they are described below.

Property Description

Logon Hours: Click Logon Hours to configure the hours during which a user is allowed to log on to the network.

Log On To: Click Log On To if you want to limit the workstations to which the user can log on. This is called Computer Restrictions in other parts of the user interface. You must have NetBIOS over TCP/IP enabled for this feature to restrict users because it uses the computer name, rather than the Media Access Control (MAC) address of its network card, to restrict logon.

Store Password Using Reversible Encryption: This option, which stores the password in Active Directory without using Active Directory’s nonreversible hashing algorithm, exists to support applications that require knowledge of the user password. If it is not absolutely required, do not enable this option because it weakens password security significantly. Passwords stored using reversible encryption are effectively equivalent to passwords stored as plaintext.
Macintosh clients using the AppleTalk protocol require knowledge of the user password. If a user logs on using a Macintosh client, you will need to select the option to Store password using reversible encryption.

Smart Card Is Required For Interactive Logon: Smart cards are portable, tamper-resistant hardware devices that store unique identification information for a user. They are attached to, or inserted into, a system and provide an additional, physical identification component to the authentication process.

Account Is Trusted For Delegation: This option enables a service account to impersonate a user to access network resources on behalf of a user. This option is not typically selected, certainly not for a user object representing a human being. It is used more often for service accounts in three-tier (or multi-tier) application infrastructures.

Account Expires: Use the Account Expires controls to specify when an account expires.
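Each Account Options check box described above sets a bit in the user’s userAccountControl attribute, so the whole Account tab can be audited in bulk. The script below is an added example, not code from the original post; it assumes the ActiveDirectory module and uses a placeholder OU path. The bit values are the documented userAccountControl flags. It reports, for every user in the OU, the two options the text singles out as risky (reversible encryption and trusted for delegation), along with Password Never Expires, smart card requirement, workstation and logon-hour restrictions, and the expiry date, and then lists accounts whose expiry date has passed but that are still enabled.

```powershell
# Added example (not from the original post): decoding the Account-tab options of
# every user in an OU from the userAccountControl attribute. Assumes the
# ActiveDirectory module; the OU path is a placeholder.
Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=mcseweb,DC=com'   # placeholder

# userAccountControl bit values behind the Account Options check boxes.
$UAC = @{
    AccountDisabled      = 0x0002
    ReversibleEncryption = 0x0080    # "Store password using reversible encryption"
    DontExpirePassword   = 0x10000   # "Password never expires"
    SmartCardRequired    = 0x40000   # "Smart card is required for interactive logon"
    TrustedForDelegation = 0x80000   # "Account is trusted for delegation"
}

function Test-UacFlag {
    param([int]$Value, [int]$Flag)
    return (($Value -band $Flag) -ne 0)
}

# logonHours is a 21-byte bitmap (one bit per hour of the week). Unset, or all
# bytes 0xFF, means "always allowed"; any cleared bit means Logon Hours are restricted.
function Test-LogonHoursRestricted {
    param([byte[]]$Hours)
    if ($null -eq $Hours) { return $false }
    return (@($Hours | Where-Object { $_ -ne 0xFF }).Count -gt 0)
}

$users = Get-ADUser -Filter * -SearchBase $searchBase `
            -Properties userAccountControl, AccountExpirationDate, LogonWorkstations, logonHours

$report = foreach ($u in $users) {
    $uac = [int]$u.userAccountControl
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Disabled             = Test-UacFlag $uac $UAC.AccountDisabled
        ReversibleEncryption = Test-UacFlag $uac $UAC.ReversibleEncryption
        PasswordNeverExpires = Test-UacFlag $uac $UAC.DontExpirePassword
        SmartCardRequired    = Test-UacFlag $uac $UAC.SmartCardRequired
        TrustedForDelegation = Test-UacFlag $uac $UAC.TrustedForDelegation
        LogonWorkstations    = $u.LogonWorkstations      # "Log On To" (Computer Restrictions)
        LogonHoursRestricted = Test-LogonHoursRestricted $u.logonHours
        AccountExpires       = $u.AccountExpirationDate
    }
}

# The two options the text warns about: each hit should be justified by a documented
# application requirement (e.g. a legacy client) or a multi-tier service account.
$report | Where-Object { $_.ReversibleEncryption -or $_.TrustedForDelegation } |
    Format-Table SamAccountName, ReversibleEncryption, TrustedForDelegation, PasswordNeverExpires -AutoSize

# Accounts past their Account Expires date: Windows already refuses their logons,
# but an expired account that is still enabled is worth reviewing and disabling.
Search-ADAccount -AccountExpired -UsersOnly -SearchBase $searchBase |
    Where-Object Enabled |
    Select-Object SamAccountName, AccountExpirationDate
```

To clear an unjustified option without touching the others, use the matching switch on `Set-ADAccountControl`, for example `Set-ADAccountControl -Identity <logon name> -AllowReversiblePasswordEncryption $false`, rather than rewriting the whole userAccountControl value.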

Managing Properties on Multiple Accounts Simultaneously

Windows Server 2003 allows you to modify the properties of multiple user accounts simultaneously. You simply select several user objects by holding the CTRL key as you click each user, or by using any other multi-selection method. Be certain that you select only objects of one class, such as users. Once you have multi-selected, on the Action menu, choose Properties.

When you have multi-selected user objects, a subset of properties is available for modification.

General tab: Description, Office, Telephone Number, Fax, Web Page, E-mail

Account tab: UPN Suffix, Logon Hours, Computer Restrictions (logon workstations), all Account Options, Account Expires

Address: Street, PO Box, City, State/Province, ZIP/Postal Code, Country/Region

Profile: Profile Path, Logon Script, and Home Folder

Organization: Title, Department, Company, Manager

Moving a User

If a user is transferred within an organization, it is possible that you might need to move his or her user object to reflect a change in the administration or configuration of the object. To move an object in Active Directory Users and Computers, select the object and, from the Action menu, choose Move. Alternatively, you can right-click the object and select Move from the shortcut menu.
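The multi-selection edit described in the previous section and the Move command described here are the two steps of a typical transfer, and both pipeline naturally in PowerShell. The script below is an added example, not code from the original post; it assumes the ActiveDirectory module, and the OU paths, department names, workstation names and manager logon name are constructed placeholders. It selects a set of users (user objects only, matching the one-class rule the console imposes on multi-selection), applies the same Organization and Account tab values to all of them, previews the move with -WhatIf, and then moves them.

```powershell
# Added example (not from the original post): bulk property changes followed by a
# move, the scripted equivalent of multi-select Properties and Move in the console.
# Assumes the ActiveDirectory module; OU paths, names and workstations are placeholders.
Import-Module ActiveDirectory

$sourceOu = 'OU=Staff,DC=mcseweb,DC=com'               # placeholder
$targetOu = 'OU=Finance,OU=Staff,DC=mcseweb,DC=com'    # placeholder
$manager  = Get-ADUser -Identity 'fmanager'            # placeholder logon name of the new manager

# Get-ADUser returns user objects only, so the selection can never mix classes.
$transferred = Get-ADUser -Filter "Department -eq 'Finance-Intake'" -SearchBase $sourceOu
if (-not $transferred) { throw "No users matched the transfer filter in $sourceOu." }

# Organization tab (Title/Department/Company/Manager) and Account tab (Computer
# Restrictions, Account Expires) values that the console can set on several users at once.
$transferred | Set-ADUser -Department 'Finance' -Company 'MCSEWeb' -Manager $manager `
                          -LogonWorkstations 'FIN-WS01,FIN-WS02' `
                          -AccountExpirationDate (Get-Date).AddMonths(6)

# Preview the move, then perform it. Moving keeps the object's SID and group
# memberships; only the DN changes, so GPOs and delegations of the new OU now apply.
$transferred | Move-ADObject -TargetPath $targetOu -WhatIf
$transferred | Move-ADObject -TargetPath $targetOu

# Confirm the new location and values.
Get-ADUser -Filter * -SearchBase $targetOu `
    -Properties Department, Manager, LogonWorkstations, AccountExpirationDate |
    Select-Object SamAccountName, Department, Manager, LogonWorkstations, AccountExpirationDate, DistinguishedName
```

Because the move changes which OU’s delegations and Group Policy Objects govern the users, run the -WhatIf line on its own first and check the target OU’s linked GPOs before committing the change.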
