
Chapter 3

Managing active directory users and group accounts

User accounts

• Each user needs a user account to log on to a Windows Server 2003 domain
• User accounts are used to authenticate a user on the network
• A user account consists of
o a user name and
o a password, initially assigned by the network administrator
• Once logged on, the user can access resources according to the permissions the network administrator has assigned to the account, or to the groups the account belongs to
Built in users in active directory

In a Windows Server 2003 domain the Active Directory Users and Computers utility has a container
called Users, which contains two built-in user accounts:

• Administrator account and
• Guest account

(The same container also holds the krbtgt account used by the Kerberos key distribution center; it is disabled and is never used for interactive logon.)
Each built-in account has rights and permissions that are assigned automatically by default.

Administrator account

• Created locally when you install Windows Server 2003; when the server is promoted to a domain controller (dcpromo) it becomes the domain Administrator account
• It is a special account that has full control over the computer/domain
Administrator account default settings:

• Full rights to control users and computers
• Assigns users' access rights
Administrator is a member of the following groups by default:

• Administrators
• Domain Admins
• Enterprise Admins (in the forest root domain)
• Schema Admins (in the forest root domain)
• Group Policy Creator Owners
The Administrator account cannot be deleted. For security it is recommended to rename it rather than only disabling it: a disabled built-in Administrator account can still be used when the server is booted in safe mode, so renaming raises the bar a little. Be clear about the limit of this measure: the account keeps its well-known relative identifier (RID 500), so anyone who can enumerate domain accounts or look up SIDs can still find it whatever it is called. Renaming stops casual guessing only; the real protection is a long password, not using this account for day-to-day administration, and monitoring every logon made with it.

Guest Account

• Allows users to access the computer even if they do not have a unique user name and password
• Because of the security risk associated with this account, it is disabled by default and should stay disabled
• This account is given very limited privileges
User name and password rules

• The real requirements for creating a new user are providing a valid user name and password to log on
• User name and password assignment must follow Windows Server 2003 rules and conventions
• It is a good idea to have your own naming convention for user names (e.g. first initial plus surname) and to apply it consistently
Windows Server 2003 rules for user names

• The user name must be unique within the domain (the pre-Windows 2000 logon name is also limited to 20 characters)
• It cannot contain the following characters
o " / \ [ ] : ; | = , + * ? < >
• It cannot consist only of periods (.) or spaces, and by convention periods and spaces are avoided altogether
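The following function, added here as an example (it is not part of the original notes), checks a proposed pre-Windows 2000 logon name against the rules above: the 20-character limit, the forbidden characters, and the convention of avoiding periods and spaces. It needs only PowerShell, no Active Directory module; the sample names at the end are constructed.

```powershell
# Added example: validate a proposed pre-Windows 2000 logon name (sAMAccountName)
# against the Windows Server 2003 naming rules. Sample names below are constructed.

function Test-LogonName {
    param([Parameter(Mandatory)][string]$Name)

    # Characters Windows rejects in the pre-Windows 2000 logon name.
    $forbidden = [char[]]'"/\[]:;|=,+*?<>'
    $problems = @()

    if ($Name.Length -eq 0 -or $Name.Length -gt 20) {
        $problems += 'length must be 1-20 characters'
    }
    $bad = @($Name.ToCharArray() | Where-Object { $forbidden -contains $_ } | Sort-Object -Unique)
    if ($bad.Count -gt 0) {
        $problems += 'contains forbidden character(s): ' + ($bad -join ' ')
    }
    if ($Name -match '^[. ]+$') {
        $problems += 'consists only of periods or spaces'
    }
    elseif ($Name -match '[. ]') {
        # Accepted by the OS, but flagged to enforce the naming convention.
        $problems += 'contains a period or space (avoid by convention)'
    }

    [pscustomobject]@{
        Name     = $Name
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample input: one good name and several that break a rule.
'Kman', 'k.man', 'k/man', 'a*b', ('x' * 21), '...' |
    ForEach-Object { Test-LogonName -Name $_ } |
    Format-Table Name, IsValid, @{ n = 'Problems'; e = { $_.Problems -join '; ' } } -AutoSize
```

Running the block prints one row per sample; only Kman is valid. Plug the function into whatever script creates accounts so a bad name is rejected before it reaches the domain controller.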
Password rules

• Are based on the domain security settings defined through the operating system's administrative tools, i.e. the password policy
• These password policies are configured by the network administrator
Password policies

• Enforce password history: specifies how many previous passwords the domain remembers for each user
o Used to prevent users from reusing a recent password
o The default in a Windows Server 2003 domain is 24 passwords remembered
o The network administrator can configure the number to be more or less than 24 (the range is 0 to 24)
• Maximum password age:
o Defines how many days a user can keep the same password before having to create a new one
o It sets the password expiration date
o The default maximum password age is 42 days
• Minimum password age:
o Defines how long a user must keep a new password before changing it again; without it a user could cycle through 24 passwords in a minute to get back to the old one
o The default minimum password age is 1 day
• Minimum password length:
o Specifies the minimum number of characters a password must contain
o The default is 7 characters
• Password must meet complexity requirements:
o The password must not contain the user's account name, or any part of the full name longer than two characters
o Must be at least six characters long
o Must contain characters from at least three of the following four groups:
  - Upper case letters
  - Lower case letters
  - Digits (0-9)
  - Non-alphanumeric characters (e.g. $, %, !)
o Enabled by default
• In Windows Server 2003 these settings apply to domain accounts only when set in a GPO linked to the domain (normally the Default Domain Policy), and there is exactly one password policy per domain
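Two things a practitioner wants here: a way to test a candidate password against the complexity rules exactly as listed, and the commands that read and change the domain-wide policy. The block below is an added example, not code from the notes. The complexity check is plain PowerShell; the policy cmdlets assume the ActiveDirectory PowerShell module (RSAT on Windows 7 / Server 2008 R2 or later) and a domain controller reachable through Active Directory Web Services, which for a Windows Server 2003 domain controller means installing the Active Directory Management Gateway Service. The domain name wuni.local is taken from the notes; the sample passwords are constructed.

```powershell
# Added example: local check of the four complexity rules, then reading and
# tightening the domain password policy. Assumes the ActiveDirectory module.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = ''
    )
    $problems = @()
    if ($Password.Length -lt 6) { $problems += 'shorter than 6 characters' }

    # Rule 1: must not contain the account name (case-insensitive), nor any
    # part of the display name longer than two characters.
    if ($Password -match [regex]::Escape($SamAccountName)) { $problems += 'contains account name' }
    foreach ($part in ($DisplayName -split '[ ,.\-_#\t]')) {
        if ($part.Length -gt 2 -and $Password -match [regex]::Escape($part)) {
            $problems += "contains display-name part '$part'"
        }
    }
    # Rule 2: characters from at least three of the four groups.
    $groups = 0
    if ($Password -cmatch '[A-Z]')        { $groups++ }
    if ($Password -cmatch '[a-z]')        { $groups++ }
    if ($Password -match  '[0-9]')        { $groups++ }
    if ($Password -match  '[^A-Za-z0-9]') { $groups++ }
    if ($groups -lt 3) { $problems += "only $groups of 4 character groups" }

    [pscustomobject]@{ Password = $Password; IsComplex = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample input.
Test-PasswordComplexity -Password 'Kman2003!' -SamAccountName 'Kman' -DisplayName 'K. Man'  # fails: contains account name
Test-PasswordComplexity -Password 'Summer07'  -SamAccountName 'Kman'                         # passes: 3 groups, 8 chars
Test-PasswordComplexity -Password 'summer07'  -SamAccountName 'Kman'                         # fails: only 2 groups

# Read the domain-wide policy, then set it. The values are the Windows Server 2003
# defaults listed above except the minimum length, raised here from 7 to 12.
Import-Module ActiveDirectory
Get-ADDefaultDomainPasswordPolicy |
    Select-Object PasswordHistoryCount, MaxPasswordAge, MinPasswordAge, MinPasswordLength, ComplexityEnabled

Set-ADDefaultDomainPasswordPolicy -Identity 'wuni.local' `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 42) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true
```

Note that Summer07 passes the complexity rule but would be trivial to guess; complexity is a floor, and the minimum length is the setting that actually costs an attacker something.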
• Creating new users using Active Directory:
o The main tool for managing users, groups and computers is the Active Directory Users and Computers utility
o You can access this utility through Administrative Tools on a Windows Server 2003 domain controller (after dcpromo)
Options that can be configured for new users:

• First name, initials, last name and full name: descriptive details about the user
• User logon name: the name the user types during the logon process
o User logon names are not case sensitive; passwords are
o The user principal name (UPN) is the Internet-style form of the logon name stored on the domain controller
o The UPN is made up of the user logon name and the UPN suffix (by default the DNS name of the domain) joined with an @ sign
o If the user logon name is Kman and the domain is wuni.local, the UPN is Kman@wuni.local
o At a client computer the user can log on either with the UPN (Kman@wuni.local) or with the pre-Windows 2000 form DOMAIN\user name (WUNI\Kman); both identify the same account
• Password: assigned by the network administrator to the user initially
• User must change password at next logon:
o If selected, the user is forced to choose a new password the first time he logs on
o This increases security: the administrator never knows the password the user works with afterwards
o It moves password responsibility to the user and away from the administrator
• User cannot change password:
o If selected, it prevents the user from changing the password
o Password responsibility stays with the network administrator (typical for shared or service accounts)
• Password never expires:
o Specifies that the password will never expire, even if a maximum password age is set by policy
o Use it only for service accounts that cannot survive a password change, and keep a list of them; such accounts are a favourite target precisely because their passwords never rotate
• Account is disabled:
o Specifies that this account cannot be used for logon
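As an added example (not part of the notes), the same new-user dialog expressed as a command: every check box above is a parameter of New-ADUser. It assumes the ActiveDirectory PowerShell module (RSAT; a Windows Server 2003 domain controller needs the Active Directory Management Gateway Service), the domain wuni.local and the user Kman from the notes, and an OU named Staff that is an assumption.

```powershell
# Added example: create the user from the text with the options the dialog box
# offers. Assumes the ActiveDirectory module; OU=Staff is an assumed location.
Import-Module ActiveDirectory

# Prompt for the initial password so it never lands in a script or the shell history.
$initial = Read-Host -AsSecureString -Prompt 'Initial password for Kman'

$newUser = @{
    Name                  = 'K Man'
    GivenName             = 'K'
    Surname               = 'Man'
    DisplayName           = 'K Man'
    SamAccountName        = 'Kman'                      # pre-Windows 2000 logon name (WUNI\Kman)
    UserPrincipalName     = 'Kman@wuni.local'           # logon name @ UPN suffix
    Path                  = 'OU=Staff,DC=wuni,DC=local' # assumed OU; omit to use CN=Users
    AccountPassword       = $initial
    ChangePasswordAtLogon = $true                       # "User must change password at next logon"
    CannotChangePassword  = $false                      # "User cannot change password"
    PasswordNeverExpires  = $false                      # "Password never expires"
    Enabled               = $true                       # not "Account is disabled"
}
New-ADUser @newUser

# Verify the flags the dialog box exposes as check boxes.
Get-ADUser -Identity 'Kman' -Properties PasswordNeverExpires, CannotChangePassword, PasswordExpired |
    Select-Object SamAccountName, UserPrincipalName, Enabled,
        PasswordNeverExpires, CannotChangePassword, PasswordExpired
```

New-ADUser refuses the combination ChangePasswordAtLogon and PasswordNeverExpires both set to true, which is the same contradiction the dialog box prevents.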
Disabling/deleting user accounts

• When a user account is no longer needed, disable it first rather than deleting it
• A disabled account can be enabled again later
• A deleted account is not recoverable in a Windows Server 2003 domain: its security identifier (SID) is gone, and recreating an account with the same name produces a new SID with none of the old group memberships or permissions
Reasons to disable a user account

• The user will not be using it for a period of time
Eg. An employee is going on vacation or taking a leave of absence

• The network administrator plans to put another user in the same function (with the same user account)
Eg. Your company hires a new engineering manager, Tadesse, because the previous engineering manager, Lemma, quit. If you disabled Lemma's account when he left, you can now rename the account from Lemma to Tadesse, reset its password and enable it.

• This method gives the new user all the properties, group memberships and resource permissions of the previous one. That is also its risk: review the memberships before enabling the account, because the new hire should not inherit access that Lemma accumulated and the role no longer needs, and never pass the old password on.
• Disabling an account also provides a security mechanism (for special situations)
Eg. If your company is laying off a group of people, the network administrator must be informed in advance so that he can disable those people's accounts before they receive their layoff notices.

• This prevents damage to the company's files by a departing employee. Disabling blocks new logons only: a user who is already logged on keeps the session, and Kerberos tickets already issued remain valid until they expire (10 hours by default), so time the change accordingly.

• You disable the user account by right-clicking on it and selecting Disable Account.
• After an account has been disabled it is displayed with a red circle and an X over the user icon in Active Directory Users and Computers.
Deleting a user account

• Delete a user account only if you are sure it will never be needed again; a common practice is to keep it disabled for a retention period first, then delete it.
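The disable / review / rename / enable / delete life cycle above as commands, added here as an example that is not part of the notes. It assumes the ActiveDirectory PowerShell module (RSAT; with the Active Directory Management Gateway Service on a Windows Server 2003 domain controller), the users Lemma and Tadesse and the domain wuni.local from the notes, and an account named OldContractor that is an assumption.

```powershell
# Added example: disable a leaver, hand the account to a successor safely, and
# delete an account that is certainly no longer needed. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Lemma leaves: disable the account and record why in the description.
Disable-ADAccount -Identity 'Lemma'
Set-ADUser -Identity 'Lemma' -Description ("Disabled {0:yyyy-MM-dd}: left company" -f (Get-Date))

# 2. Before handing the account to Tadesse, review what it can reach.
Get-ADPrincipalGroupMembership -Identity 'Lemma' | Select-Object Name, GroupCategory, GroupScope

# 3. Rename every name attribute, not just the object name, then reset the
#    password and force a change at first logon. The SID is unchanged, so
#    Tadesse keeps all of Lemma's permissions (that is the point, and the risk).
$lemma = Get-ADUser -Identity 'Lemma'
Rename-ADObject -Identity $lemma.DistinguishedName -NewName 'Tadesse'
Set-ADUser -Identity $lemma.ObjectGUID `
    -SamAccountName 'Tadesse' -UserPrincipalName 'Tadesse@wuni.local' `
    -GivenName 'Tadesse' -DisplayName 'Tadesse' -Description 'Engineering manager'
Set-ADAccountPassword -Identity 'Tadesse' -Reset `
    -NewPassword (Read-Host -AsSecureString -Prompt 'Temporary password for Tadesse')
Set-ADUser -Identity 'Tadesse' -ChangePasswordAtLogon $true
Enable-ADAccount -Identity 'Tadesse'

# 4. Housekeeping: list disabled accounts with their last logon, then delete one
#    that is certainly never needed again. -Confirm prompts before the irreversible step.
Search-ADAccount -AccountDisabled -UsersOnly | Select-Object SamAccountName, Name, LastLogonDate
Remove-ADUser -Identity 'OldContractor' -Confirm
```

The rename step uses the object's GUID rather than the old logon name as the identity, so the command still works once the sAMAccountName has changed.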
Changing a forgotten user's password:

• The network administrator can reset the password for a user who has forgotten it and cannot log on.
• This is common after a user changes the password on a Friday afternoon or just before a holiday.
• The network administrator is not asked for the old password. He resets it to a new one, which the user then uses.
• Verify that the caller really is the account owner before resetting: a helpdesk password reset is a classic social-engineering route into a domain. Pass the new password over a verified channel, and tick "User must change password at next logon" so that the temporary password is used only once.
Configuring user properties

• In Active Directory Users and Computers you can configure a variety of properties for a user account.
Steps:

Start > Programs > Administrative Tools > Active Directory Users and Computers

> click the Users folder to open it

> double-click the user account you want in the right pane

• The user account properties dialog box appears
• There are 13 tabs in the properties dialog box. Here we discuss only the General tab and the Account tab
General tab

• Used to record contact information for the user

o Telephone
o E-mail
o Full name
o Description
o Office location, etc.
• It contains the information that you supplied when you set up the new user account to identify the user uniquely.
Account tab

• It shows the logon name information that you supplied

It allows configuring the following settings:

o User logon name and UPN suffix
o The logon hours for the user
o The Log On To option (permitted workstations)
o Account expiry options
User logon name & UPN suffix:

• Enables the network administrator to change the user logon name or to pick a different UPN suffix (the part after the @; alternative suffixes are defined in Active Directory Domains and Trusts)
The logon hours:

• By default users are allowed to log on 24 hours a day, 7 days a week.
• The network administrator can restrict the hours in which the user can log on
• You change the logon hours by selecting the hours you want to modify and clicking the Logon Permitted radio button to permit the user to log on at the selected times.
Eg.

• Select all day to permit the user to log on 24 hours a day.
• Select Monday 8:00 AM to 10:00 AM to permit the user to log on only in that window.
• Logon hours stop new logons only. A user who is already logged on keeps the session when the permitted window ends unless the security option "Network security: Force logoff when logon hours expire" is enabled (it applies to SMB sessions). The hours are stored in the directory in UTC; the dialog box shows them in the administrator's local time.
Logon denied:

• The network administrator can block logon (and therefore access to domain resources) on chosen days and hours by selecting those hours and clicking Logon Denied.
Log On To option:

• This option is used to configure the computers the user is allowed to log on to
• The network administrator can restrict the user to a defined, limited set of computers
• When you click the Log On To button, the Logon Workstations dialog box is displayed with the following options:
o This user can log on to:
  - All computers
  - The following computers
• With "The following computers" the network administrator must enter the NetBIOS names of the computers the user may log on to. The check is made against the workstation name presented at logon, so treat it as an administrative control rather than a strong security boundary.
Account expires options:

• This option sets the date (day, month, year) after which the account can no longer be used, by selecting End of and a date, or
• Makes the account never expire by selecting Never
• Set an expiry date for contractors, students and other temporary users so that forgotten accounts stop working on their own
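The three Account tab settings as commands, added as an example that is not part of the notes. The interesting part is logonHours: the dialog box hides that the attribute is a 21-byte bit map in UTC, so a script has to do the time-zone conversion itself. It assumes the ActiveDirectory PowerShell module (RSAT; Active Directory Management Gateway Service on a Windows Server 2003 domain controller), the user Kman from the notes, and workstation names and an expiry date that are assumptions.

```powershell
# Added example: logon hours, permitted workstations and account expiry for one
# user. Assumes the ActiveDirectory module; names and dates are assumptions.
Import-Module ActiveDirectory

# logonHours is 21 bytes = 7 days x 24 hours, Sunday first, one bit per hour,
# bit 0 of byte 0 = Sunday 00:00-01:00, and every hour is in UTC.
function New-LogonHours {
    param(
        [Parameter(Mandatory)][hashtable]$Allowed,   # e.g. @{ Monday = 8, 9 } in local time
        [int]$UtcOffsetHours = [int][math]::Round(([TimeZoneInfo]::Local.BaseUtcOffset).TotalHours)
    )
    # BaseUtcOffset ignores daylight saving; pass -UtcOffsetHours explicitly if that matters.
    $days  = 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'
    $bytes = New-Object byte[] 21
    foreach ($day in $Allowed.Keys) {
        $d = [array]::IndexOf($days, $day)
        if ($d -lt 0) { throw "Unknown day '$day'" }
        foreach ($h in $Allowed[$day]) {
            # Local hour -> UTC slot 0..167, wrapping across midnight and the week boundary.
            $slot = (($d * 24 + $h - $UtcOffsetHours) % 168 + 168) % 168
            $idx  = [int][math]::Floor($slot / 8)
            $bytes[$idx] = $bytes[$idx] -bor [byte]([math]::Pow(2, $slot % 8))
        }
    }
    return $bytes
}

# Monday 08:00-10:00 local time only (the example from the text).
$hours = New-LogonHours -Allowed @{ Monday = 8, 9 }
Set-ADUser -Identity 'Kman' -Replace @{ logonHours = $hours }

# "Log On To": a comma-separated list of NetBIOS names (assumed names).
Set-ADUser -Identity 'Kman' -LogonWorkstations 'ENG-PC01,ENG-PC02'

# "Account expires": end of an assumed contract date. Clear-ADAccountExpiration sets it back to Never.
Set-ADAccountExpiration -Identity 'Kman' -DateTime (Get-Date '2004-06-30 23:59')

# Check what was written; the bit map is shown as hex so it can be compared by eye.
Get-ADUser -Identity 'Kman' -Properties logonHours, LogonWorkstations, AccountExpirationDate |
    Select-Object SamAccountName, LogonWorkstations, AccountExpirationDate,
        @{ n = 'logonHoursHex'; e = { ($_.logonHours | ForEach-Object { $_.ToString('x2') }) -join '' } }
```

With a UTC offset of +3 hours, Monday 08:00-10:00 local becomes Monday 05:00-07:00 UTC, slots 29 and 30, i.e. bits 5 and 6 of byte 3 (0x60); open the Logon Hours dialog afterwards and confirm that the grid shows the local window you intended.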

Account lockout options:

• These settings are configured through the domain security settings (the Default Domain Policy), next to the password policy, under Account Lockout Policy
Options under account lockout policy:

o Account lockout duration
o Account lockout threshold
o Reset account lockout counter after
Account lockout duration:

o Specifies how many minutes the account stays locked after the lockout threshold is exceeded (after the invalid attempts)
o A value of 0 means the account stays locked until an administrator unlocks it
Account lockout threshold:

o Specifies the number of invalid logon attempts (wrong passwords) a user is permitted before the account is locked
o The number is decided by the network administrator; 0 (the Windows Server 2003 default) means accounts are never locked out
Reset account lockout counter after:

o Specifies how many minutes must pass after the last invalid attempt before the count of bad passwords is reset to 0
o The counter starts after the last invalid logon attempt
o It must be less than or equal to the account lockout duration
• If account lockout policy is configured and a user exceeds the threshold, the account becomes locked out. This is not the same as disabled: it unlocks automatically when the duration expires, or earlier when an administrator unlocks it.
• Lockout is a trade-off: it slows down password guessing, but an attacker who knows user names can lock users out on purpose (a denial of service) simply by sending wrong passwords. Prefer a moderate threshold (10 or so) with a short duration over a threshold of 3 with manual unlock, and watch the security log for bursts of lockouts across many accounts.
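The lockout settings as commands, plus the two checks an administrator actually runs when lockouts start: who is locked out, and whether many accounts locked at once. Added as an example, not from the notes; it assumes the ActiveDirectory PowerShell module (RSAT; Active Directory Management Gateway Service on a Windows Server 2003 domain controller), the domain wuni.local and user Kman from the notes, and a burst threshold of 5 accounts in 15 minutes that is an assumption.

```powershell
# Added example: configure lockout, list locked-out accounts, spot a lockout
# burst, unlock one user. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# 10 wrong passwords lock the account for 15 minutes; the counter resets after
# 15 minutes. The observation window may not exceed the duration.
Set-ADDefaultDomainPasswordPolicy -Identity 'wuni.local' `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Who is locked out right now. badPwdCount and LastBadPasswordAttempt are kept per
# domain controller (not replicated), so the figures come from the DC you query.
$locked = Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
    Get-ADUser -Identity $_.DistinguishedName -Properties badPwdCount, lockoutTime, LastBadPasswordAttempt
}
$locked | Select-Object SamAccountName, badPwdCount, LastBadPasswordAttempt,
    @{ n = 'LockedAt'; e = { [DateTime]::FromFileTime($_.lockoutTime) } }

# A burst of lockouts across many accounts in a short time usually means password
# spraying or a deliberate denial of service, not forgetful users. Threshold assumed.
$recent = @($locked | Where-Object { [DateTime]::FromFileTime($_.lockoutTime) -gt (Get-Date).AddMinutes(-15) })
if ($recent.Count -gt 5) {
    Write-Warning ("{0} accounts locked in the last 15 minutes: {1}" -f $recent.Count, ($recent.SamAccountName -join ', '))
}

# Unlock a single user after verifying who is asking.
Unlock-ADAccount -Identity 'Kman'
```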

Troubleshooting user authentication

If a user cannot log on there are many possible causes of the logon failure:

1. Incorrect user logon name:

The network administrator checks in Active Directory Users and Computers that the name is spelled correctly, and that the user typed the right form (DOMAIN\user name or user@suffix).

2. Incorrect password:
a. Check the case (Caps Lock is not on)
b. Check that the password has not expired
c. Check that the account has not been locked out
If the password still does not work, reset it and require a change at next logon

3. Insufficient user rights:
a. Does the user have the right to log on locally at the computer? Ordinary domain users cannot log on interactively at a domain controller; a user who logs on to a workstation with a local account and then tries to log on to the domain controller is denied.
b. By default the Default Domain Controllers Policy grants "Allow log on locally" only to Administrators, Account Operators, Backup Operators, Print Operators and Server Operators.
c. Users log on to the domain from workstations using the logon name and password assigned by the network administrator.
d. If a user has a genuine reason to log on at a domain controller, the network administrator can grant the "Allow log on locally" user right in the Domain Controller Security Policy. Grant it sparingly, and to a group rather than to individual users.
4. Disabled/deleted account:
• Verify whether the account has been disabled, has expired, or has been deleted
5. The computer is not part of the domain:

• If the computer is not a member of the domain (or its computer account is broken, the "trust relationship" error), the user cannot log on with a domain account
• The Security log on the domain controller states the reason. In Windows Server 2003 the failed-logon events are 529 (unknown user name or bad password), 530 (outside logon hours), 531 (account disabled), 532 (account expired), 533 (not allowed to log on at this workstation), 535 (password expired) and 539 (account locked out).
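One diagnostic pass over a single account, covering causes 1 to 5 above, followed by the reset from "Changing a forgotten user's password". This is an added example, not code from the notes; it assumes the ActiveDirectory PowerShell module (RSAT; Active Directory Management Gateway Service on a Windows Server 2003 domain controller), the user Kman from the notes, and a workstation name that is an assumption. The numbers in the findings refer to the causes in the list above.

```powershell
# Added example: check one account for every logon-failure cause listed above,
# then reset a forgotten password safely. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-LogonProblem {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Workstation          # NetBIOS name of the client the user logs on from
    )
    $u = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Properties `
        Enabled, LockedOut, PasswordExpired, AccountExpirationDate, LogonWorkstations, logonHours
    if (-not $u) { return "1. No account named '$SamAccountName' exists (check the spelling)" }

    $findings = @()
    if (-not $u.Enabled)    { $findings += '4. Account is disabled' }
    if ($u.LockedOut)       { $findings += '2c. Account is locked out' }
    if ($u.PasswordExpired) { $findings += '2b. Password has expired' }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
        $findings += "4. Account expired on $($u.AccountExpirationDate)"
    }
    if ($u.LogonWorkstations -and $Workstation) {
        $allowed = $u.LogonWorkstations -split ','
        if ($allowed -notcontains $Workstation) {
            $findings += "3. Not allowed to log on at $Workstation (allowed: $($allowed -join ', '))"
        }
    }
    if ($u.logonHours) {
        # logonHours is a UTC bit map, Sunday first, bit 0 of byte 0 = Sunday 00:00.
        $now  = (Get-Date).ToUniversalTime()
        $slot = [int]$now.DayOfWeek * 24 + $now.Hour
        $bit  = [byte]([math]::Pow(2, $slot % 8))
        if (($u.logonHours[[int][math]::Floor($slot / 8)] -band $bit) -eq 0) {
            $findings += '3. Outside the permitted logon hours right now'
        }
    }
    if ($Workstation -and -not (Get-ADComputer -Filter "Name -eq '$Workstation'")) {
        $findings += "5. $Workstation has no computer account in the domain"
    }
    if ($findings.Count -eq 0) {
        $findings += 'Account looks healthy: suspect a mistyped password (Caps Lock) or a client-side problem'
    }
    return $findings
}

Test-LogonProblem -SamAccountName 'Kman' -Workstation 'ENG-PC01'

# Forgotten password: reset without the old one, pass it over a verified channel,
# and make it single-use by forcing a change at next logon.
Set-ADAccountPassword -Identity 'Kman' -Reset `
    -NewPassword (Read-Host -AsSecureString -Prompt 'Temporary password for Kman')
Set-ADUser -Identity 'Kman' -ChangePasswordAtLogon $true
Unlock-ADAccount -Identity 'Kman'    # harmless if the account is not locked
```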
Understanding group type and scope:

Groups are used to organize users, computers, and other groups into logical objects for management purposes (to assign settings, permissions and so on). You can use groups to control access to resources or to logically categorize people in your company. For example, you may have different groups for your marketing, sales, finance, accounting, IT, HR, and operations employees. Within each of those departments, you may have teams.

These teams may access different resources (e.g. printers or shared folders) that require different Active Directory security settings.

A group has a type and a scope. The type is either security or distribution:

1. Security groups:

• They are security-enabled: each has a SID and can be listed in an access control list (ACL)
• They are used to grant access to the specific, secured resources of an organization
• Assign permissions to the group, then manage who has access by changing the membership
2. Distribution groups

• They collect users with a common characteristic for non-security purposes (e.g. e-mail distribution lists used by a mail application)
• They are not security-enabled: they have no usable SID and cannot appear in an ACL, so no permission can be granted through them
• A distribution group can be converted to a security group (and back) once the domain functional level is Windows 2000 native or higher

The scope decides where a group can be granted permissions and who can be a member:

• Domain local: can be granted permissions only in its own domain; can contain accounts, global groups and universal groups from any trusted domain
• Global: can be granted permissions in any trusted domain; contains accounts (and other global groups) from its own domain only
• Universal: can be granted permissions in any domain of the forest; its membership is stored in the global catalog
The usual pattern (AGDLP) is accounts into global groups, global groups into domain local groups, and permissions on the domain local groups.

Built-in groups in a Windows Server 2003 domain

1. Account Operators:
• Members of this group can create and manage domain user, group and computer accounts
• Account Operators cannot modify the Administrators group, the other operator groups, or the Domain Admins and Enterprise Admins groups
• This group has no default members
• In practice membership is close to administrative power (members can create accounts and log on to domain controllers), so keep it empty unless there is a specific need
2. Administrators:
• Members of this group have full rights and privileges on all domain controllers
• Members can grant themselves any permission they do not have by default to manage objects (users, computers and so on)
• By default the members of this group are:
o the Administrator account
o Domain Admins and
o Enterprise Admins
3. Backup Operators:
• Members of this group have the right to back up and restore the file system, regardless of the permissions set on the files
• They reach the files only through the backup and restore privileges (backup utilities), not through normal file permissions
• They cannot modify files directly, but a restore can overwrite them, and a backup can read everything on a domain controller, including the directory database with its password hashes. Treat membership as equivalent to an administrator.
4. Print Operators:
• Members can administer, create, delete and share printers connected to domain controllers, and can log on locally to them
5. Remote Desktop Users:
• Members may log on to the server remotely using a Remote Desktop connection
• By default ordinary users cannot connect to the server by Remote Desktop
6. Server Operators:
• Members can administer domain controllers
• Their administration tasks include:
o Creating and deleting shared resources
o Starting and stopping services
o Formatting hard disks
o Backing up and restoring the file system
o Logging on locally to domain controllers and shutting them down

Creating new groups

To create new group accounts:

• Log on as the Administrator, as a member of the Administrators group, or as an Account Operator
• Start > Administrative Tools > Active Directory Users and Computers
• Right-click the Users container (or the OU where the group belongs) > New > Group
• Enter the group name, choose the scope (domain local, global or universal) and the type (security or distribution), then click OK

Identifying group members:

• You can see which groups a user belongs to by opening the user's properties and clicking the Member Of tab
• You can also add or remove users to/from a group with the Add/Remove buttons on the group's Members tab
• Review the membership of the privileged built-in groups (Administrators, Domain Admins, Enterprise Admins, Account Operators, Backup Operators, Server Operators) regularly; a member nobody can explain is a common sign of compromise
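The group procedure above as commands, plus the membership audit of the privileged built-in groups, added as an example that is not part of the notes. It assumes the ActiveDirectory PowerShell module (RSAT; Active Directory Management Gateway Service on a Windows Server 2003 domain controller), the domain wuni.local and users Kman and Tadesse from the notes, and group names, an OU named Groups and a file server FS01 that are assumptions.

```powershell
# Added example: create security and distribution groups, populate them, read
# the Member Of / Members tabs, and audit privileged groups. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Security groups following AGDLP: a global group for the people, a domain local
# group for the resource, and the NTFS/share permission granted to the latter.
New-ADGroup -Name 'Engineering' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=wuni,DC=local' -Description 'All engineering staff'
New-ADGroup -Name 'FS01-Projects-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=wuni,DC=local' -Description 'Modify on \\FS01\Projects'
Add-ADGroupMember -Identity 'Engineering' -Members 'Kman', 'Tadesse'
Add-ADGroupMember -Identity 'FS01-Projects-Modify' -Members 'Engineering'

# Distribution group: mail only; it cannot be placed in an ACL.
New-ADGroup -Name 'Engineering-News' -GroupScope Universal -GroupCategory Distribution `
    -Path 'OU=Groups,DC=wuni,DC=local' -Description 'Engineering mailing list'

# The "Member Of" tab of a user, and the "Members" tab of a group.
Get-ADPrincipalGroupMembership -Identity 'Kman' | Select-Object Name, GroupCategory, GroupScope
Get-ADGroupMember -Identity 'Engineering' | Select-Object Name, objectClass

# Audit: every member, nested groups expanded, of the privileged built-in groups.
# Enterprise Admins and Schema Admins exist only in the forest root domain, hence SilentlyContinue.
$privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
foreach ($g in $privileged) {
    $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Group   = $g
        Count   = $members.Count
        Members = ($members | ForEach-Object { $_.SamAccountName }) -join ', '
    }
}
```

Run the audit loop on a schedule and compare its output with the previous run; a new name in Domain Admins or Backup Operators deserves a question the same day.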
