Paul Hill - : Creating An Organizational Unit
In this lecture, you are going to learn how you can create and manage user accounts within Active Directory. Creating
and managing user accounts within Active Directory is a common task that you will need to fully understand to have a
successful career as a Windows Server administrator.
When it comes to creating and managing user accounts, you really have two options: the Active Directory Users and
Computers console, or the PowerShell command line. In this lecture, you are going to learn how to use the Active
Directory Users and Computers GUI.
You can access the Active Directory console from Server Manager by selecting Tools > Active Directory Users and
Computers.
Right-click on this OU and again create sub-OUs called “Administrators” and “Users”.
Let’s create a new user account under the Administrators OU. Right-click the OU and select New > User.
So far we have been using the Administrator account that was set up by default on Windows Server. This practice is
generally frowned upon in the security world, as shared user accounts are considered a bad practice. I am going to create
a user account for myself by entering my first and last name. I am going to use the user logon name format of first name
dot last name.
You will notice that there is a separate logon name for pre-Windows 2000. This field adapts your User Logon Name to a
format that is acceptable to older server operating systems (before Windows 2000, as the name implies). For example, if
your User Logon Name is longer than 20 characters, it will be truncated in the pre-Windows 2000 logon name. Click Next.
On the next screen, you need to set up your user’s password. I am going to enter the password I want to use for my
account, and I am going to uncheck the checkbox that reads “User must change password at next logon”.
Generally, new account creation works like this: you create the account within Active Directory using a temporary
password (like “Password1” or hopefully something a little more complex). Once you create the account, you provide the
user with the username and temporary password. When they log into a domain computer, they will be asked to create a
new password that they will hopefully be able to remember.
Since we are creating the user account for ourselves, we do not need to use a temporary password and will not want to
change it once we log in. I have had people come by my desk when I am creating their account, and I just have them
enter their desired password straight into Active Directory; if this is the case, I will uncheck this checkbox again so
they will not be asked to change it when they first log in.
The “User cannot change password” option is used if you do not want the user to be able to set their password to
something else. This can be useful for service accounts or if you have a particular need to prevent people from changing
their passwords. This option obviously makes your account less secure, so if security is a concern at all, do not check
this checkbox.
The “Password never expires” option is also useful for service accounts or any account whose password you do not want
to have to reset. Again, this introduces another security vulnerability: if someone gets the password, it will work
indefinitely.
The “Account is disabled” checkbox is good if you are creating a user account ahead of time but it is not ready to be used.
Of course, if an account is disabled, you will not be able to use it at all.
Memberships
Now we have the user account created. Right now, the account is sitting inside of the Administrators OU, but that does
not make the account an administrator account. What determines the permissions and roles of a user account is its
memberships. To manage the memberships of a user account, right-click on the user and choose Properties. Go to the
Member Of tab.
To make this user account a domain administrator, we need to add the Domain Admins membership. Click the Add
button, and when the Select Groups dialog appears, search for Domain Admins and click Check Names.
Once the name becomes underlined, you know that the group was found within Active Directory. Click OK.
Now we can see that the user has been added to the Domain Admins group. Click OK to close the dialog box.
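The same create-and-add-to-group procedure expressed with the PowerShell option mentioned at the start of the lecture. This is an added example, not the lecture's own code; it assumes the RSAT ActiveDirectory module, the itflee.com domain and the Administrators OU from the lecture, and a constructed parent OU called "Staff" and sample user "Jane Doe".

```powershell
# Added example: PowerShell equivalent of the New > User wizard and the Member Of tab.
Import-Module ActiveDirectory

$domainDn = 'DC=itflee,DC=com'
$adminOu  = "OU=Administrators,OU=Staff,$domainDn"   # "Staff" is a constructed parent OU
$first    = 'Jane'                                     # constructed sample user
$last     = 'Doe'
$logon    = ('{0}.{1}' -f $first, $last).ToLower()     # first.last logon name format

# The pre-Windows 2000 logon name (SamAccountName) is limited to 20 characters; the wizard
# silently truncates it, so do the same here but say so.
$sam = $logon
if ($sam.Length -gt 20) {
    $sam = $sam.Substring(0, 20)
    Write-Warning "Pre-Windows 2000 logon name truncated to '$sam'"
}

# Temporary password, prompted rather than hard-coded so it never lands in a script or log.
$tempPassword = Read-Host -AsSecureString -Prompt "Temporary password for $logon"

# Same checkboxes as the wizard, set to the onboarding defaults described above:
# enabled, must change password at next logon, may change it, and it does expire.
New-ADUser -Name "$first $last" `
           -GivenName $first -Surname $last `
           -SamAccountName $sam `
           -UserPrincipalName "$logon@itflee.com" `
           -Path $adminOu `
           -AccountPassword $tempPassword `
           -Enabled $true `
           -ChangePasswordAtLogon $true `
           -CannotChangePassword $false `
           -PasswordNeverExpires $false

# Member Of > Add > Domain Admins. Group membership, not the OU, is what grants the rights.
Add-ADGroupMember -Identity 'Domain Admins' -Members $sam

# Confirm the result the way the Properties dialog would show it.
Get-ADUser -Identity $sam -Properties MemberOf, PasswordNeverExpires, CannotChangePassword |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, CannotChangePassword,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```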
Once the window appears, you first need to decide what type of object you are searching for. You can click the Find
drop-down list and view the available options. Since we are going to look for user accounts, leave the default option of
Users, Contacts and Groups selected. The In drop-down list allows you to choose which OU you want to search. Most of
the time, it is best to simply select Entire Directory so you run the search as broadly as you possibly can. In some cases,
where you have several large domains joined, it may be better to select the domain you want to search in (in our case,
itflee.com). Type in the name of the user account that you created and click Find Now.
In the search results, you can see that our user account was found. We can now right-click on the user and do whatever
we need to do (reset the password, disable or delete the account, etc.). Here is a useful tip: if you need to find the
location of the user within Active Directory, enable the Advanced Features view before searching for the user. Once you
find the user in your search, right-click and choose Properties. Next, navigate to the Object tab. You will see the exact
location of the user listed under “Canonical name of object”.
This process is the same as creating a new user account. You can require the user to reset their password at the next
login or unlock their account if it is locked out. Accounts can get locked out if there have been multiple failed login
attempts. Administrators can configure, using Group Policy, whether accounts lock out and how many failed attempts are
allowed before an account is locked. If a person locks out their account, you will need to check the “Unlock the user’s
account” checkbox. I am not going to change the password for this account, so I am going to hit Cancel to close the window.
Of course, in some scenarios you may not be asked to reset a user’s password but simply to unlock the account. To do
this, you can right-click on the user account and choose Properties. Navigate to the Account tab, select the “Unlock
account” checkbox, then click Apply or OK.
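The search, location lookup and unlock steps above, done from PowerShell instead of the Find dialog and Account tab. This is an added example, not part of the lecture; it assumes the ActiveDirectory module and uses the constructed sample name "Jane Doe".

```powershell
# Added example: Find Now, "Canonical name of object" and "Unlock account" from PowerShell.
Import-Module ActiveDirectory

$name = 'Jane Doe'   # constructed sample; search the Entire Directory for this display name

# Equivalent of Find > Users, Contacts and Groups > In: Entire Directory.
# LockedOut, BadLogonCount and CanonicalName are not returned by default, so ask for them.
$user = Get-ADUser -Filter "Name -eq '$name'" -Properties CanonicalName, LockedOut, BadLogonCount
if (-not $user) { throw "No account named '$name' was found in the directory." }

# What the Object tab shows under "Canonical name of object" (no Advanced Features toggle needed).
"{0} is located at {1}" -f $user.SamAccountName, $user.CanonicalName

# Account tab > "Unlock account". Only unlock; the password is left alone, as in the lecture.
if ($user.LockedOut) {
    Unlock-ADAccount -Identity $user
    "Unlocked {0} after {1} bad logon attempts" -f $user.SamAccountName, $user.BadLogonCount
} else {
    "{0} is not locked out" -f $user.SamAccountName
}

# The lockout threshold and window that cause these lockouts come from Group Policy.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Everything currently locked out, which is worth reviewing before unlocking on request:
# a burst of lockouts across many accounts looks different from one user mistyping a password.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
```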