Active Directory requires the verification of an
individual’s identity—a process called authentication—before that
individual can access resources. The cornerstone of authentication is
the user account, with its user logon name, password, and unique
security identifier (SID). During logon, Active Directory authenticates
the user name and password entered by the user. The security subsystem
can then build the security access token that represents that user. The
access token contains the user account’s SID, as well as the SIDs of
groups to which the user belongs. That token can then be used to verify
user rights assignments, including the right to log on locally to the
system, and to authorize access to resources secured by access control
lists (ACLs).
The
user account is integrated into the Active Directory user object. The
user object includes not just the user’s name, password, and SID, but
also contact information, such as telephone numbers and addresses;
organizational information including job title, direct reports and
manager; group memberships; and configuration such as roaming profile,
terminal services, remote access, and remote control settings. This
lesson will review and enhance your understanding of user objects in
Active Directory.
Creating User Objects with Active Directory Users and Computers
You
can create a user object with the Active Directory Users and Computers
snap-in. Although user objects can be created in the domain or any of
the default containers, it is best to create a user in an
organizational unit, so that administrative delegation and Group Policy
Objects (GPOs) can be fully leveraged.
To
create a user object, select the container in which you want to create
the object, click the Action menu, then choose New and choose User. You
must be a member of the Enterprise Admins, Domain Admins, or Account
Operators groups, or you must have been delegated administrative
permissions to create user objects in the container. If you do not have
sufficient permissions to create user objects, the New User command
will be unavailable to you.
The New Object–User dialog box appears, as shown in Figure 1. The first page of the New Object–User dialog box requests properties related to the user name. Table 3-1 describes the properties that appear on the first page of the dialog box.
Table 1. User Properties in the First Page of the New Object–User Dialog Box

Property | Description
---|---
First Name | The user’s first name. Not required.
Initials | The middle initials of the user’s name. Not required.
Last Name | The user’s last name. Not required.
Full Name | The user’s full name. If you enter values for the first or last name, the full name property is populated automatically; however, you can easily modify the suggested value. The field is required. The name entered here generates several user object properties, specifically CN (common name), DN (distinguished name), name, and displayName. Because CN must be unique within a container, the name entered here must be unique relative to all other objects in the OU (or other container) in which you create the user object.
User Logon Name | The user principal name (UPN) consists of a logon name and a UPN suffix which is, by default, the DNS name of the domain in which you create the object. The property is required, and the entire UPN, in the format logonname@UPN-suffix, must be unique within the Active Directory forest. A sample UPN would be someone@contoso.com. The UPN can be used to log on to any Microsoft Windows system running Windows 2000, Windows XP, or Windows Server 2003.
User Logon Name (Pre–Windows 2000) | This logon name is used to log on from down-level clients, such as Microsoft Windows 95, Windows 98, Windows Millennium Edition (Windows Me), Windows NT 4, or Windows NT 3.51. This field is required and must be unique within the domain.
Once
you have entered the values in the first page of the New Object–User
dialog box, click Next. The second page of the dialog box, shown in Figure 2, allows you to enter the user password and to set account flags.
Security Alert
The default account policies in a Windows Server 2003 domain, set in the Default Domain Policy GPO, require complex passwords with a minimum of seven characters. That means a password must contain three of the four character types: uppercase, lowercase, numeric, and non-alphanumeric. When you use Windows Server 2003 in a test or lab environment, you should implement the same best practices that are required in a production network. Therefore, in this book, you are encouraged to use complex passwords for the user accounts you create; it will be left to you to remember those passwords during exercises that require logging on as those users.
The properties available in the second page of the New Object-User dialog box are summarized in Table 3-2.
Table 2. User Properties in the Second Page of the New Object–User Dialog Box

Property | Description
---|---
Password | The password that is used to authenticate the user. For security reasons, you should always assign a password. The password is masked as you type it.
Confirm Password | Confirm the password by typing it a second time to make sure you typed it correctly.
User Must Change Password At Next Logon | Select this check box if you want the user to change the password you have entered the first time he or she logs on. You cannot select this option if you have selected Password Never Expires. Selecting this option will automatically clear the mutually exclusive option User Cannot Change Password.
User Cannot Change Password | Select this check box if you have more than one person using the same domain user account (such as Guest) or to maintain control over user account passwords. This option is commonly used to manage service account passwords. You cannot select this option if you have selected User Must Change Password At Next Logon.
Password Never Expires | Select this check box if you never want the password to expire. This option will automatically clear the User Must Change Password At Next Logon setting, as they are mutually exclusive. This option is commonly used to manage service account passwords.
Account Is Disabled | Select this check box to disable the user account, for example, when creating an object for a newly hired employee who does not yet need access to the network.
Off the Record
When creating objects for new users, choose a unique, complex password for each user that does not follow a predictable pattern. Select the option to enforce that the user must change password at next logon. If the user is not likely to log on to the network for a period, disable the account. When the user requires access to the network for the first time, ensure that the user’s account is enabled. The user will be prompted to create a new, unique password that only the user knows.
Some of the account options listed in Table 3-2 can contradict settings made in the domain’s policies. For example, the default domain policy implements a best practice of not storing passwords using reversible encryption. However, in the rare circumstances that require reversible encryption, the user account property Store Password Using Reversible Encryption takes precedence for that specific user object. Similarly, the domain may specify a maximum password age, or that users must change their password at next logon; if a user object is configured with Password Never Expires, that configuration overrides the domain’s policies.
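The naming, uniqueness and password rules that Tables 1 and 2 and the Security Alert describe, modelled as an added Python example (not code from the book or from Windows). The forest is a constructed in-memory stand-in holding only the three uniqueness scopes, and the complexity check implements just the rule as stated above (seven characters, three of four character types).

```python
import re

def new_forest():
    """Constructed in-memory stand-in for the directory's three uniqueness scopes."""
    return {"upns": set(), "sam": {}, "cns": {}}  # forest-wide; per domain; per container

def derive_names(first, initials, last, container_dn):
    """Full Name as the dialog suggests it, and the CN/name/displayName/DN it generates."""
    full = " ".join(p for p in (first, initials, last) if p)
    return {"cn": full, "name": full, "displayName": full, "dn": f"CN={full},{container_dn}" if full else ""}

def is_complex(password):
    """Complexity rule as stated in the Security Alert: 7+ chars, 3 of 4 character types."""
    types = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= 7 and sum(bool(re.search(t, password)) for t in types) >= 3

def validate_new_user(forest, *, first="", initials="", last="", logon, upn_suffix,
                      domain, container_dn, password, pre2000=None,
                      must_change=False, cannot_change=False, never_expires=False):
    """Reasons the New Object-User dialog would reject this input; empty means OK."""
    errors = []
    cn = derive_names(first, initials, last, container_dn)["cn"]
    if not cn:
        errors.append("Full Name is required")
    elif cn in forest["cns"].get(container_dn, set()):
        errors.append("CN must be unique within the container")
    if not logon:
        errors.append("User logon name is required")
    elif f"{logon}@{upn_suffix}" in forest["upns"]:
        errors.append("UPN must be unique within the forest")
    if (pre2000 or logon) in forest["sam"].get(domain, set()):  # dialog defaults pre2000 to logon
        errors.append("pre-Windows 2000 logon name must be unique within the domain")
    if not is_complex(password):
        errors.append("password does not meet the default domain complexity policy")
    # Account flags that Table 2 describes as mutually exclusive.
    if must_change and never_expires:
        errors.append("User Must Change Password At Next Logon conflicts with Password Never Expires")
    if must_change and cannot_change:
        errors.append("User Must Change Password At Next Logon conflicts with User Cannot Change Password")
    return errors

def create_user(forest, **kw):
    """Validate and, if accepted, record the new names so later creations see them."""
    errors = validate_new_user(forest, **kw)
    if not errors:
        names = derive_names(kw.get("first", ""), kw.get("initials", ""), kw.get("last", ""), kw["container_dn"])
        forest["cns"].setdefault(kw["container_dn"], set()).add(names["cn"])
        forest["upns"].add(f"{kw['logon']}@{kw['upn_suffix']}")
        forest["sam"].setdefault(kw["domain"], set()).add(kw.get("pre2000") or kw["logon"])
    return errors
```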
Managing User Objects with Active Directory Users And Computers
When
creating a user, you are prompted to configure the most common user
properties, including logon names and password. However, user objects
support numerous additional properties that you can configure at any
time using Active Directory Users And Computers. These properties
facilitate the administration of, and the searching for, an object.
To
configure the properties of a user object, select the object, click the
Action menu, and then choose Properties. The user’s Properties dialog
box appears, as shown in Figure 3.
An alternative way to view an object’s properties would be to
right-click the object and select Properties from the shortcut menu.
The property pages in the Properties dialog box expose properties that fall into several broad categories:
Account properties: the Account tab. These properties include those that are configured when you create a user object, including logon names, password and account flags.
Personal information: the General, Address, Telephones, and Organization tabs. The General tab exposes the name properties that are configured when you create a user object.
User configuration management: the Profile tab. Here you can configure the user’s profile path, logon script, and home folder locations.
Group membership: the Member Of tab. You can add and remove user groups, and set the user’s primary group.
Terminal services: the Terminal Services Profile, Environment, Remote Control, and Sessions tabs. These four tabs allow you to configure and manage the user’s experience when they are connected to a Terminal Services session.
Remote access: the Dial-in tab. Allows you to enable and configure remote access permission for a user.
Applications: the COM+ tab. Assigns Active Directory COM+ partition sets to the user. This feature, new to Windows Server 2003, facilitates the management of distributed applications.
Account Properties
Of
particular note are the user’s account properties, on the Account tab
of the user’s Properties dialog box. An example appears in Figure 4.
Several of these properties were discussed in Table 2.
Those properties were configured when creating the user object and can
be modified, as can a larger set of account properties, using the
Account tab. Several properties are not necessarily self-explanatory,
and deserve definition in Table 3.
Table 3. User Account Properties

Property | Description
---|---
Logon Hours | Click Logon Hours to configure the hours during which a user is allowed to log on to the network.
Log On To | Click Log On To if you want to limit the workstations to which the user can log on. This is called Computer Restrictions in other parts of the user interface. You must have NetBIOS over TCP/IP enabled for this feature to restrict users, because it uses the computer name, rather than the Media Access Control (MAC) address of its network card, to restrict logon.
Store Password Using Reversible Encryption | This option stores the password in Active Directory in a form that can be decrypted, rather than as the one-way hash Active Directory normally keeps. It exists to support applications that require knowledge of the user password. Do not enable this option unless it is absolutely required, because it weakens password security significantly: a password stored using reversible encryption is effectively equivalent to one stored in plaintext. Macintosh clients using the AppleTalk protocol require knowledge of the user password, so if a user logs on using a Macintosh client, you will need to select Store Password Using Reversible Encryption.
Smart Card Is Required For Interactive Logon | Smart cards are portable, tamper-resistant hardware devices that store unique identification information for a user. They are attached to, or inserted into, a system and provide an additional, physical identification component to the authentication process.
Account Is Trusted For Delegation | This option enables a service account to impersonate a user to access network resources on behalf of that user. This option is not typically selected, and certainly not for a user object representing a human being. It is used more often for service accounts in three-tier (or multi-tier) application infrastructures.
Account Expires | Use the Account Expires controls to specify when an account expires.
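As an added example (not code from the book or from Windows), the Logon Hours control described in Table 3 stores its result in the user object's logonHours attribute: a 21-byte value with one bit per hour of the week, 168 bits starting at Sunday 00:00 UTC, where a set bit means logon is allowed. The Python below builds and reads that value; it assumes LSB-first bit numbering within each byte (the documented SAM layout) and works in UTC only, so the dialog's conversion from the administrator's local time is not modelled.

```python
DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
WEEK_HOURS = 168  # 7 days x 24 hours, one bit each -> 21 bytes

def _bit(day, hour):
    """Bit index for an hour of the week, Sunday 00:00 UTC being bit 0 (assumed layout)."""
    if day not in DAYS or not 0 <= hour < 24:
        raise ValueError(f"bad day/hour: {day} {hour}")
    return DAYS.index(day) * 24 + hour

def logon_hours(allowed):
    """Build the 21-byte logonHours value from {day: (start_hour, end_hour)},
    end exclusive, e.g. {"Mon": (8, 18)}. Days not listed are denied entirely."""
    value = bytearray(WEEK_HOURS // 8)
    for day, (start, end) in allowed.items():
        if not 0 <= start < end <= 24:
            raise ValueError(f"bad hour range for {day}: {start}-{end}")
        for hour in range(start, end):
            bit = _bit(day, hour)
            value[bit // 8] |= 1 << (bit % 8)  # LSB-first within each byte (assumed)
    return bytes(value)

def is_logon_allowed(value, day, hour):
    """Read one hour back out of a logonHours value."""
    if len(value) != WEEK_HOURS // 8:
        raise ValueError("logonHours must be exactly 21 bytes")
    bit = _bit(day, hour)
    return bool((value[bit // 8] >> (bit % 8)) & 1)

def allowed_hours(value):
    """Decode a logonHours value into the set of permitted (day, hour) pairs."""
    return {(DAYS[b // 24], b % 24) for b in range(WEEK_HOURS)
            if is_logon_allowed(value, DAYS[b // 24], b % 24)}
```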
Managing Properties on Multiple Accounts Simultaneously
Windows
Server 2003 allows you to modify the properties of multiple user
accounts simultaneously. You simply select several user objects by
holding the CTRL key as you click each user, or using any other
multiselection options. Be certain that you select only objects of one
class, such as users. Once you have multiselected, on the Action menu,
choose Properties.
When you have multiselected user objects, a subset of properties is available for modification:
General tab: Description, Office, Telephone Number, Fax, Web Page, E-mail
Account tab: UPN Suffix, Logon Hours, Computer Restrictions (logon workstations), all Account Options, Account Expires
Address tab: Street, PO Box, City, State/Province, ZIP/Postal Code, Country/Region
Profile tab: Profile Path, Logon Script, and Home Folder
Organization tab: Title, Department, Company, Manager
Tip
Be sure to know which properties can be modified for multiple users simultaneously. Exam scenarios that suggest a need to change many user objects’ properties as quickly as possible are often testing your understanding of multiselect. There are still many properties that must be set on a user-by-user basis. Also, certain administrative tasks, including the resetting of passwords and the renaming of accounts, can only be performed on one user object at a time.
Moving a User
If
a user is transferred within an organization, it is possible that you
might need to move his or her user object to reflect a change in the
administration or configuration of the object. To move an object in
Active Directory Users and Computers, select the object and, from the
Action menu, choose Move. Alternatively, you can right-click the object
and select Move from the shortcut menu.
Tip
A new feature of Windows Server 2003 is that drag-and-drop operations are supported. You can move objects between OUs by dragging and dropping them in the Active Directory Users And Computers snap-in.