Managing Active Directory Users and Group Accounts User Accounts
User accounts
Each user requires a user account to log on to a Windows Server 2003 domain.
User accounts are used to authenticate a user on a network.
A user account consists of:
o a user name, and
o a password assigned by the network administrator
Once users log on, they can access resources based on the permissions that have been assigned by the network administrator.
Built-in users in Active Directory
In a Windows Server 2003 domain the Active Directory Users and Computers utility has a container called Users, which contains the two built-in user accounts (Administrator and Guest, both described below) and the built-in groups. Items in this container include:
Administrator account
Administrators group
Domain Admins
Enterprise Admins
Group Policy Creators
The Administrator account cannot be deleted or removed. For security purposes it is recommended to rename it rather than disable it: if the Administrator account is disabled it can still be used when the server is booted in safe mode, which is why renaming the Administrator account increases the computer's security level.
Guest account
Allows users to access the computer even if they do not have a unique user name and password.
Because of the security risk associated with this account, it is disabled by default.
This account is given very limited privileges.
User name and password rules
The basic requirements for creating a new user are a valid user name and a password to log on with.
User name and password assignment must follow the Windows Server 2003 rules and conventions.
It is a good idea to have your own naming rules for user names.
Windows Server 2003 rules for user names and passwords
These are based on the domain security settings defined through the Administrative Tools of the operating system, i.e. the password policy.
These password policies are configured by the network administrator.
Password policies
Enforce password history: specifies how many previous passwords are remembered in a domain.
o Used to prevent users from reusing the same password
o By default Windows Server 2003 remembers 24 passwords
o The network administrator can configure the number of remembered passwords to be more or less than 24
Maximum password age:
o Defines how many days a user can keep the same password before having to create a new one (i.e. before resetting it)
o This is the password expiration date
o The default maximum password age is 42 days and the default minimum password age is 1 day
Minimum password length:
o Specifies the minimum number of characters a password must contain
o The default minimum password length is 7 characters
Password must meet complexity requirements:
o Specifies that the password must not contain the user's account name
o It must be a minimum of six characters
o It must contain characters from three of the following groups:
    upper case letters
    lower case letters
    numbers
    non-alphanumeric characters (e.g. $, %)
o By default this setting is enabled
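The password policy settings above can be modelled as a small checker. This is an added example, not code from the original notes or from Windows itself: it is a stand-alone Python model with no Windows API calls. The names PasswordPolicy, meets_complexity, validate_new_password and password_expired are assumptions, the history is kept as SHA-256 digests (an assumption of the model; Windows stores its own hashes), and the defaults are the ones the notes give (24 remembered passwords, 42 days, 7 characters). The complexity check implements the standard Windows rule of characters from three out of the four groups listed above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List
import hashlib
import string


@dataclass
class PasswordPolicy:
    """Domain password policy settings, with the defaults given in the notes."""
    history_length: int = 24   # Enforce password history
    max_age_days: int = 42     # Maximum password age (0 = password never expires)
    min_length: int = 7        # Minimum password length
    complexity: bool = True    # Password must meet complexity requirements


def password_digest(password: str) -> str:
    """Old passwords are remembered as digests, never in clear text.
    SHA-256 is an assumption of this model (Windows uses its own hashes)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_complexity(password: str, account_name: str) -> List[str]:
    """Return the complexity rules the password breaks (empty list = passes)."""
    problems = []
    # Rule 1: must not contain the account name (case-insensitive; Windows
    # ignores account names shorter than three characters).
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        problems.append("contains the account name")
    # Rule 2: at least six characters.
    if len(password) < 6:
        problems.append("shorter than six characters")
    # Rule 3: characters from at least three of the four groups.
    groups = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(groups) < 3:
        problems.append("uses fewer than three character groups")
    return problems


def validate_new_password(policy: PasswordPolicy, account_name: str,
                          new_password: str, history: List[str]) -> List[str]:
    """Check a proposed password against the policy and the account's
    remembered digests (oldest first). An empty list means it is accepted."""
    problems = []
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than the minimum length of {policy.min_length}")
    if policy.complexity:
        problems.extend(meets_complexity(new_password, account_name))
    # Enforce password history: only the last history_length digests count.
    remembered = history[-policy.history_length:] if policy.history_length else []
    if password_digest(new_password) in remembered:
        problems.append("reuses one of the remembered passwords")
    return problems


def password_expired(policy: PasswordPolicy, last_set: date, today: date) -> bool:
    """Maximum password age: expired once the password is older than max_age_days."""
    if policy.max_age_days == 0:
        return False
    return today - last_set > timedelta(days=policy.max_age_days)
```

The history list holds digests oldest first, so trimming it to the last history_length entries is exactly what lowering the "enforce password history" setting does: older passwords drop out of the window and become reusable.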
Creating new users using Active Directory:
o The main tool for managing users, groups and computers is the Active Directory Users and Computers utility
o You can access this utility through Administrative Tools on a Windows Server 2003 domain controller (after running dcpromo)
Options that can be configured for new users:
First name, initials, last name and full name: provide more detail about the user
User logon name: defines the user name for the new account that will be used during the logon process
o User logon names are not case sensitive, unlike passwords
o The user principal name (UPN) is the actual user logon name stored on the server or domain controller
o The UPN is not typed by the user during the logon process at the client computer
o The UPN is made up of the user logon name and the principal name suffix (the name of the domain controller's domain), joined with an @ sign
o If the user logon name is Kman and the domain controller's domain is wuni.local, the UPN will be Kman@wuni.local
Password: assigned initially by the network administrator
User must change password at next logon:
o If selected, the user is prompted to set his own password at the next logon
o This increases the level of security
o It moves responsibility for the password to the user and away from the administrator
User cannot change password:
o If this option is selected, it prevents the user from changing the password
o Responsibility for the password stays in the hands of the network administrator
Password never expires:
o Specifies that the password will never expire, even if a password policy has been defined
Account is disabled:
o Specifies that this account cannot be used to log on
Disabling/deleting a user account
Disable (rather than delete) an account that may be needed again, e.g. when an employee is going on vacation or taking a leave of absence, or when the network administrator is planning to put another user in the same function (with the same user account).
Eg. Your company hires a new engineering manager, Tadesse, because the previous engineering manager, Lemma, quits. If you disabled Lemma's account earlier, you can now enable the account and simply rename it from Lemma to Tadesse.
This method ensures that the new user has all of the user properties and all of the resources used by the previous one.
Disabling an account also provides a security mechanism for special situations.
Eg. If your company is laying off a group of people, the network administrator must be informed so that he can take action for security purposes: he would disable the accounts of those people before they receive their layoff notices.
You should delete a user account only if you are sure that the account will never be needed again.
Changing a forgotten user's password:
The network administrator can change the password for users who forget their password and cannot log on.
This is common when a user changes a password on a Friday afternoon or before a holiday.
The network administrator is not required to type the old password to set a new one; he can change the user's password and the user can then log on with the new password.
Configuring user properties
In Active Directory you can configure a variety of user properties by using the Active Directory Users and Computers utility.
Steps:
> double-click the user account you want in the right pane
The account options that can be configured include:
o The user logon name and principal name suffix
o The logon hours option
o The logon to option
o The account expires option
User logon name & principal name suffix:
Enables the network administrator to change the user logon name or to configure the server that the user wants to access in the network environment.
Logon hours:
By default users are allowed to log on 24 hours a day, 7 days a week.
The network administrator can adjust or restrict the hours in which the user can log on.
You can change the logon hours by selecting the hours you want to modify and clicking the Logon Permitted radio button, which permits the user to log on to the computer at the selected times.
Eg. The network administrator can configure the days and hours at which the user is blocked from logging on and accessing resources by clicking the Logon Denied option.
Logon To option:
This option is used to configure the computers that the user is allowed to log on to.
The network administrator can restrict the user to logging on from a defined, limited set of computers.
When you click Log On To, the Logon Workstations dialog is displayed with the following options:
o This user can log on to:
    All computers
    The following computers
In the case of The following computers, the network administrator must specify (select) the computers to which the user can log on.
Account expires option:
This option is used to configure the expiration date (day, month and year) of a user account created in Active Directory, by selecting End of, or to make an account never expire, by selecting Never.
Account lockout is configured through the domain security settings for password policy and account lockout policy.
Options under account lockout policies:
o Specifies how long the account will be locked in the event that the account lockout threshold is exceeded (after too many invalid attempts)
Account lockout threshold:
o Used to display the remaining time until the next threshold (specifies after how many minutes the user can attempt to log on for the second round)
If you configure account lockout policies and a user violates the account lockout policy, the account becomes disabled (locked out).
If a user can't log on, there are many possible causes of logon failure:
2. Incorrect password:
a. Check that the case is correct (the Caps Lock key is not on)
b. Check that the password has not expired
c. Check that the account has not been locked out
If the password still doesn't work, assign a new password to the user.
5. The computer is not part of the domain:
If the computer is not a member of the domain, the user will not be able to log on.
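The account options, logon hours, Logon To, account expiry and account lockout settings above all feed into a single decision: whether a logon attempt is accepted, and the troubleshooting list above is that decision read backwards. The following is an added example, not code from the original notes or from Windows: a stand-alone Python simulation of that decision. DomainUser, LockoutPolicy and try_logon are assumed names, the lockout threshold of 5 attempts and the 30-minute lockout duration and reset window are assumed values, and the user and workstation names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class LockoutPolicy:
    """Account lockout policy (the values are assumptions for the example)."""
    threshold: int = 5                               # invalid attempts before lockout (0 = never lock)
    duration: timedelta = timedelta(minutes=30)      # how long the account stays locked
    reset_after: timedelta = timedelta(minutes=30)   # idle time after which bad attempts are forgotten


@dataclass
class DomainUser:
    """The settings from the Account tab, plus the lockout bookkeeping."""
    logon_name: str
    password: str
    disabled: bool = False                         # "Account is disabled"
    password_expired: bool = False                 # outcome of the maximum password age check
    account_expires: Optional[datetime] = None     # "Account expires": None means Never
    # logon_hours[weekday][hour] is True when that hour is Logon Permitted;
    # the default is 24 hours a day, 7 days a week, as in the notes.
    logon_hours: List[List[bool]] = field(
        default_factory=lambda: [[True] * 24 for _ in range(7)])
    workstations: Optional[Set[str]] = None        # "Log On To": None means All computers
    bad_attempts: int = 0
    last_bad_attempt: Optional[datetime] = None
    locked_until: Optional[datetime] = None

    def deny_hours(self, weekday: int, start_hour: int, end_hour: int) -> None:
        """Mark hours [start_hour, end_hour) of a weekday (0 = Monday) as Logon Denied."""
        for hour in range(start_hour, end_hour):
            self.logon_hours[weekday][hour] = False


def try_logon(user: DomainUser, policy: LockoutPolicy, password: str,
              workstation: str, now: datetime, domain_member: bool = True) -> Tuple[bool, str]:
    """Evaluate one logon attempt; returns (accepted, reason) and updates lockout state."""
    if not domain_member:
        return False, "computer is not a member of the domain"
    if user.disabled:
        return False, "account is disabled"
    if user.account_expires is not None and now > user.account_expires:
        return False, "account has expired"
    if user.locked_until is not None:
        if now < user.locked_until:
            return False, "account is locked out"
        user.locked_until = None           # lockout duration has elapsed: unlock
        user.bad_attempts = 0
    if password != user.password:          # passwords are case sensitive
        if user.last_bad_attempt and now - user.last_bad_attempt > policy.reset_after:
            user.bad_attempts = 0          # reset window elapsed since the last failure
        user.bad_attempts += 1
        user.last_bad_attempt = now
        if policy.threshold and user.bad_attempts >= policy.threshold:
            user.locked_until = now + policy.duration
            return False, "account is locked out"
        return False, "incorrect password"
    user.bad_attempts = 0                  # a correct password clears the counter
    if user.password_expired:
        return False, "password has expired"
    if not user.logon_hours[now.weekday()][now.hour]:
        return False, "logon denied at this time"
    if user.workstations is not None and workstation.lower() not in {w.lower() for w in user.workstations}:
        return False, "logon not permitted from this computer"
    return True, "ok"
```

The order of the checks mirrors the troubleshooting list: a computer outside the domain fails before any credential is examined, and a locked-out account rejects even the correct password until the lockout duration has elapsed, which is why "check the account has not been locked out" comes before assigning a new password.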
Understanding group types and scopes:
Groups are used to organize users, computers and other groups into logical objects for management purposes (to assign different configurations/settings and permissions). You can use groups to control access to resources or to logically categorize people in your company. For example, you may have different groups for your marketing, sales, finance, accounting, IT, HR and operations employees. Within each of those departments you may have teams. These teams may access different resources (e.g. printers or shared folders) that require different Active Directory security settings.
1. Security groups:
They are security-enabled groups (they can be listed in an access control list)
They are used to access specific resources (the secured resources of an organization)
They are granted permissions, which give them security access rights
2. Distribution groups:
They group users with common characteristics for accessing resources (e.g. e-mail distribution and application programs)
They are not security-enabled (they have no security access rights)
Their members still need separate permissions to access resources
1. Account Operators:
Members of this group can create and manage domain user, group and computer accounts.
Account Operators do not have the right to modify the Administrators group.
This group has no default members unless the network administrator adds some in the directory.
2. Administrators:
The members of this group have full rights and privileges on all domain controllers.
Its members can grant themselves any permissions they don't have by default to manage objects (users and computers).
By default the members of this group include:
o the Administrator account
o Domain Admins, and
o Enterprise Admins
3. Backup Operators:
The members of this group have the right to back up and restore the file system.
They can access the file system only through backup utilities.
They cannot modify files.
4. Print Operators:
Members of this group can administer, create, delete and share printers connected to the domain controller.
5. Remote Desktop Users:
This group allows its members to log on to the server remotely by using a Remote Desktop connection.
By default a user cannot log on to the server computer through a Remote Desktop connection.
6. Server Operators:
The members of this group can administer domain servers.
The administration tasks of Server Operators include:
o Creating and deleting shared resources
o Starting and stopping services (Remote Desktop connection services, the License Logging service, ...)
o Formatting hard disks
o Backing up and restoring the file system
Creating new groups
You can identify which groups a user belongs to by viewing the user's properties and clicking the "Member Of" tab.
You can also add users to or remove users from a group by using the Add/Remove buttons in the Properties dialog box.
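Security groups, distribution groups and the "Member Of" tab described above come together when a resource's permissions are evaluated. The following is an added example, not code from the original notes: a stand-alone Python model that resolves a user's transitive group membership (what the Member Of tab shows, followed through nested groups) and then evaluates a constructed share ACL. Only security groups are matched against the ACL, because distribution groups are not security-enabled, and a deny entry overrides an allow entry as it does in Windows. The sample directory, the ACL, the user names and the group names other than the built-in ones are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample directory: group name -> (group type, direct members).
# A member may be a user or another group (nesting).
DIRECTORY: Dict[str, Tuple[str, Set[str]]] = {
    "Domain Admins":     ("security", {"Administrator"}),
    "Enterprise Admins": ("security", {"Administrator"}),
    "Administrators":    ("security", {"Administrator", "Domain Admins", "Enterprise Admins"}),
    "Eng-Leads":         ("security", {"Tadesse"}),
    "Engineering":       ("security", {"Eng-Leads", "Kman"}),
    "Eng-Newsletter":    ("distribution", {"Tadesse", "Kman"}),
    "Backup Operators":  ("security", {"Kman"}),
}

# Constructed ACL for a shared folder: (principal, allow/deny, permission).
SHARE_ACL: List[Tuple[str, str, str]] = [
    ("Engineering",      "allow", "read"),
    ("Eng-Leads",        "allow", "write"),
    ("Eng-Newsletter",   "allow", "write"),   # no effect: not a security group
    ("Backup Operators", "deny",  "write"),
    ("Administrators",   "allow", "full"),
]


def member_of(user: str, directory=DIRECTORY) -> Set[str]:
    """All groups the user belongs to, directly or through nested groups."""
    found: Set[str] = set()
    frontier = {user}
    while frontier:
        principal = frontier.pop()
        for group, (_, members) in directory.items():
            if principal in members and group not in found:
                found.add(group)
                frontier.add(group)   # follow nesting: groups can be members of groups
    return found


def security_groups(user: str, directory=DIRECTORY) -> Set[str]:
    """Only security-enabled groups can appear in an access control list."""
    return {g for g in member_of(user, directory) if directory[g][0] == "security"}


def effective_access(user: str, acl=SHARE_ACL, directory=DIRECTORY) -> Set[str]:
    """Permissions the user ends up with: allows granted to the user or his
    security groups, minus any permission a deny entry takes away."""
    principals = {user} | security_groups(user, directory)
    allowed = {perm for who, kind, perm in acl if who in principals and kind == "allow"}
    denied = {perm for who, kind, perm in acl if who in principals and kind == "deny"}
    return allowed - denied
```

In the sample data Tadesse is a direct member only of Eng-Leads, yet ends up with Engineering's read permission through nesting, while Kman's membership of the Eng-Newsletter distribution group grants nothing, which is why access reviews should walk nested security groups and ignore distribution groups.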