Windows Server 2003 : Creating and Managing User Objects

10/10/2010 4:10:24 PM
Active Directory requires the verification of an individual's identity, a process called authentication, before that individual can access resources. The cornerstone of authentication is the user account, with its user logon name, password, and unique security identifier (SID). During logon, Active Directory validates the user name and password entered by the user. The security subsystem then builds the access token that represents that user. The access token contains the SID of the user account and the SIDs of the groups to which the user belongs. That token is used to check user rights assignments, including the right to log on locally to the system, and to authorize access to resources secured by access control lists (ACLs).

The user account is integrated into the Active Directory user object. The user object includes not just the user’s name, password, and SID, but also contact information, such as telephone numbers and addresses; organizational information including job title, direct reports and manager; group memberships; and configuration such as roaming profile, terminal services, remote access, and remote control settings. This lesson will review and enhance your understanding of user objects in Active Directory.

Creating User Objects with Active Directory Users and Computers

You can create a user object with the Active Directory Users and Computers snap-in. Although user objects can be created in the domain or any of the default containers, it is best to create a user in an organizational unit, so that administrative delegation and Group Policy Objects (GPOs) can be fully leveraged.

To create a user object, select the container in which you want to create the object, click the Action menu, then choose New and choose User. You must be a member of the Enterprise Admins, Domain Admins, or Account Operators groups, or you must have been delegated administrative permissions to create user objects in the container. If you do not have sufficient permissions to create user objects, the New User command will be unavailable to you.

The New Object–User dialog box appears, as shown in Figure 1. The first page of the dialog box requests the properties related to the user's name. Table 1 describes the properties that appear on the first page.

Figure 1. The New Object–User dialog box

Table 1. User Properties in the First Page of the New Object–User Dialog Box

First Name: The user's first name. Not required.
Initials: The middle initials of the user's name. Not required.
Last Name: The user's last name. Not required.
Full Name: The user's full name. If you enter values for the first or last name, the full name is populated automatically, but you can modify the suggested value. This field is required. The name entered here generates several user object properties, specifically CN (common name), DN (distinguished name), name, and displayName. Because CN must be unique within a container, the name entered here must be unique relative to all other objects in the OU (or other container) in which you create the user object.
User Logon Name: The user principal name (UPN) consists of a logon name and a UPN suffix, which is by default the DNS name of the domain in which you create the object. The property is required, and the entire UPN, in the form logonname@UPN-suffix, must be unique within the whole Active Directory forest, not merely within the domain. The UPN can be used to log on to any system running Windows 2000, Windows XP, or Windows Server 2003.
User Logon Name (Pre–Windows 2000): This logon name (stored in the sAMAccountName attribute) is used to log on from down-level clients such as Windows 95, Windows 98, Windows Millennium Edition (Windows Me), Windows NT 4, or Windows NT 3.51. This field is required, is limited to 20 characters, and must be unique within the domain.
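The three uniqueness scopes in Table 1 differ (CN per container, pre-Windows 2000 logon name per domain, UPN per forest), which is easy to get wrong when scripting account creation across domains. The following Python check is an added example, not code from the original page: it validates a proposed user against a constructed sample forest. The forest data, names and domains are invented, and the 20-character limit and forbidden characters for sAMAccountName are properties of that attribute rather than statements from the page.

```python
import re

# Constructed sample forest (not a real directory): two domains, each
# entry is (domain, container DN, CN, sAMAccountName, UPN).
FOREST = [
    ("contoso.com", "OU=Sales,DC=contoso,DC=com",
     "Ben Smith", "bsmith", "bsmith@contoso.com"),
    ("contoso.com", "OU=IT,DC=contoso,DC=com",
     "Ben Smith", "bsmith2", "ben.smith@contoso.com"),
    ("east.contoso.com", "OU=Sales,DC=east,DC=contoso,DC=com",
     "Kim Akers", "kakers", "kakers@contoso.com"),
]

# Limits on the pre-Windows 2000 logon name (sAMAccountName); these are
# properties of the attribute, not statements from the page.
SAM_MAX_LEN = 20
SAM_BAD_CHARS = set('"/\\[]:;|=,+*?<>')


def validate_new_user(forest, domain, container, cn, sam, upn):
    """Return the problems with a proposed user; [] means it can be created."""
    problems = []
    if not cn:
        problems.append("Full Name (CN) is required")
    if not sam:
        problems.append("pre-Windows 2000 logon name is required")
    elif len(sam) > SAM_MAX_LEN:
        problems.append("pre-Windows 2000 logon name exceeds %d characters" % SAM_MAX_LEN)
    bad = sorted(SAM_BAD_CHARS & set(sam))
    if bad:
        problems.append("pre-Windows 2000 logon name contains %s" % " ".join(bad))
    if not re.fullmatch(r"[^@\s]+@[^@\s]+", upn):
        problems.append("UPN must have the form logonname@UPN-suffix")

    for ex_domain, ex_container, ex_cn, ex_sam, ex_upn in forest:
        # CN: unique within its container only (AD compares case-insensitively).
        if ex_container.lower() == container.lower() and ex_cn.lower() == cn.lower():
            problems.append("CN %r already exists in %s" % (cn, container))
        # sAMAccountName: unique within the domain.
        if ex_domain.lower() == domain.lower() and ex_sam.lower() == sam.lower():
            problems.append("pre-Windows 2000 logon name %r already used in %s" % (sam, domain))
        # UPN: unique across the whole forest, whichever domain holds it.
        if ex_upn.lower() == upn.lower():
            problems.append("UPN %r already used in the forest" % upn)
    return problems


if __name__ == "__main__":
    candidates = [
        ("contoso.com", "OU=Marketing,DC=contoso,DC=com", "Ben Smith", "bsmith3", "bsmith3@contoso.com"),
        ("contoso.com", "OU=IT,DC=contoso,DC=com", "Ben Smith", "bsmith", "bsmith@contoso.com"),
        ("east.contoso.com", "OU=IT,DC=east,DC=contoso,DC=com", "Ben Smith", "bsmith", "bsmith@contoso.com"),
        ("contoso.com", "OU=Sales,DC=contoso,DC=com", "Kim Akers", "kim/akers", "kakers2@contoso.com"),
    ]
    for args in candidates:
        print("%-10s %s" % (args[3], validate_new_user(FOREST, *args) or "ok"))
```

The third candidate shows the point that matters across domains: the same pre-Windows 2000 logon name is legal in east.contoso.com, but the UPN still collides because UPN uniqueness is forest-wide.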

Once you have entered the values in the first page of the New Object–User dialog box, click Next. The second page of the dialog box, shown in Figure 2, allows you to enter the user password and to set account flags.

Figure 2. Second page of the New Object–User dialog box

Security Alert

The default account policies in a Windows Server 2003 domain, set in the Default Domain Policy GPO, require a minimum password length of seven characters and enforce password complexity. Complexity means the password must contain characters from three of the four character types (uppercase, lowercase, numeric, and non-alphanumeric) and must not contain the user's account name or any part of the user's full name longer than two consecutive characters.

When you use Windows Server 2003 in a test or lab environment, you should implement the same best practices that are required in a production network. Therefore, in this book, you are encouraged to use complex passwords for the user accounts you create; it will be left to you to remember those passwords during exercises that require logging on as those users.

The properties available in the second page of the New Object–User dialog box are summarized in Table 2.

Table 2. User Properties in the Second Page of the New Object–User Dialog Box

Password: The password that is used to authenticate the user. For security reasons, you should always assign a password. The password is masked as you type it.
Confirm Password: Confirm the password by typing it a second time to make sure you typed it correctly.
User Must Change Password At Next Logon: Select this check box if you want the user to change the password you have entered the first time he or she logs on. You cannot select this option if you have selected Password Never Expires. Selecting this option automatically clears the mutually exclusive option User Cannot Change Password.
User Cannot Change Password: Select this check box if more than one person uses the same domain user account (such as Guest), or to maintain control over user account passwords. This option is commonly used to manage service account passwords. You cannot select this option if you have selected User Must Change Password At Next Logon.
Password Never Expires: Select this check box if you never want the password to expire. This option automatically clears the User Must Change Password At Next Logon setting, as they are mutually exclusive. This option is commonly used to manage service account passwords.
Account Is Disabled: Select this check box to disable the user account, for example when creating an object for a newly hired employee who does not yet need access to the network.

Off the Record

When creating objects for new users, choose a unique, complex password for each user that does not follow a predictable pattern. Select the option to enforce that the user must change password at next logon. If the user is not likely to log on to the network for a period, disable the account. When the user requires access to the network for the first time, ensure that the user’s account is enabled. The user will be prompted to create a new, unique password that only the user knows.

Some of the account options listed in Table 2 can contradict the password policy set in the domain. For example, the Default Domain Policy implements the best practice of not storing passwords using reversible encryption, but in the rare circumstances that require it, the user account option Store Password Using Reversible Encryption takes precedence for that one user object. Similarly, the domain may specify a maximum password age, yet a user object configured with Password Never Expires is exempt from it. Because these per-account options silently override domain policy, audit them periodically: every account with Password Never Expires or reversible encryption enabled should have a documented reason.
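The account options that override domain policy are stored as bits of the userAccountControl attribute, so they can be found by query rather than by opening each account. The following Python audit is an added example, not code from the original page: it decodes the relevant flag bits, treats a pwdLastSet of 0 as "User must change password at next logon", and lists the per-account settings that deserve review. The user records are constructed; the flag values are the documented ADS_USER_FLAG constants from the Windows SDK.

```python
# userAccountControl bit values (ADS_USER_FLAG enum in the Windows SDK).
ACCOUNTDISABLE             = 0x0002   # Account is disabled
PASSWD_NOTREQD             = 0x0020   # no password required at all
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # Store password using reversible encryption
NORMAL_ACCOUNT             = 0x0200   # ordinary user account
DONT_EXPIRE_PASSWD         = 0x10000  # Password never expires
SMARTCARD_REQUIRED         = 0x40000  # Smart card is required for interactive logon
TRUSTED_FOR_DELEGATION     = 0x80000  # Account is trusted for delegation
# "User cannot change password" is NOT a bit in this attribute: ADUC
# implements it as an ACE on the object, so it cannot be audited here.

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ENCRYPTED_TEXT_PWD_ALLOWED: "ENCRYPTED_TEXT_PWD_ALLOWED",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    SMARTCARD_REQUIRED: "SMARTCARD_REQUIRED",
    TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
}

# Constructed sample records, shaped like the values an LDAP query returns.
# pwdLastSet == 0 is how "User must change password at next logon" is stored.
USERS = [
    {"sAMAccountName": "bsmith",  "userAccountControl": 0x00200, "pwdLastSet": 0},
    {"sAMAccountName": "svc-sql", "userAccountControl": 0x10200, "pwdLastSet": 129300000000000000},
    {"sAMAccountName": "mac-kim", "userAccountControl": 0x10280, "pwdLastSet": 129300000000000000},
    {"sAMAccountName": "svc-web", "userAccountControl": 0x80200, "pwdLastSet": 129300000000000000},
    {"sAMAccountName": "newhire", "userAccountControl": 0x00202, "pwdLastSet": 0},
]


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return sorted(name for bit, name in FLAG_NAMES.items() if value & bit)


def audit_user(user):
    """Return short finding keys for the per-account settings that override
    domain policy or otherwise deserve review on this account."""
    uac = user["userAccountControl"]
    findings = []
    if uac & DONT_EXPIRE_PASSWD:
        # Exempt from the domain maximum password age (42 days by default).
        findings.append("password-never-expires")
    if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
        # Overrides the domain-level "do not store reversibly" setting.
        findings.append("reversible-encryption")
    if uac & PASSWD_NOTREQD:
        # Bypasses the minimum password length entirely.
        findings.append("password-not-required")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained-delegation")
    if uac & ACCOUNTDISABLE:
        findings.append("disabled")
    elif user["pwdLastSet"] == 0:
        # Enabled and still waiting for the first logon: confirm that is intended.
        findings.append("must-change-password-at-next-logon")
    return findings


def audit(users):
    """Map each account name to its findings, omitting clean accounts."""
    report = {}
    for user in users:
        found = audit_user(user)
        if found:
            report[user["sAMAccountName"]] = found
    return report


if __name__ == "__main__":
    by_name = {u["sAMAccountName"]: u for u in USERS}
    for name, found in audit(USERS).items():
        flags = ",".join(decode_uac(by_name[name]["userAccountControl"]))
        print("%-8s %-55s %s" % (name, flags, ", ".join(found)))
```

Against a real domain the same logic runs over the result of an LDAP search for (objectCategory=person); the point is that the flags are bit tests, so an attribute such as 0x10280 decodes to a normal account with both Password Never Expires and reversible encryption set.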

Managing User Objects with Active Directory Users And Computers

When creating a user, you are prompted to configure the most common user properties, including logon names and password. However, user objects support numerous additional properties that you can configure at any time using Active Directory Users And Computers. These properties facilitate the administration of, and the searching for, an object.

To configure the properties of a user object, select the object, click the Action menu, and then choose Properties. The user’s Properties dialog box appears, as shown in Figure 3. An alternative way to view an object’s properties would be to right-click the object and select Properties from the shortcut menu.

Figure 3. The user's Properties dialog box

The property pages in the Properties dialog box expose properties that fall into several broad categories:

  • Account properties (the Account tab): these include the properties configured when you create a user object, including logon names, password, and account flags.

  • Personal information (the General, Address, Telephones, and Organization tabs): the General tab exposes the name properties that are configured when you create a user object.

  • User configuration management (the Profile tab): here you configure the user's profile path, logon script, and home folder locations.

  • Group membership (the Member Of tab): you can add and remove group memberships and set the user's primary group.

  • Terminal services (the Terminal Services Profile, Environment, Remote Control, and Sessions tabs): these four tabs configure and manage the user's experience when connected to a Terminal Services session.

  • Remote access (the Dial-in tab): enables and configures remote access permission for the user.

  • Applications (the COM+ tab): assigns Active Directory COM+ partition sets to the user. This feature, new to Windows Server 2003, facilitates the management of distributed applications.

Account Properties

Of particular note are the user’s account properties, on the Account tab of the user’s Properties dialog box. An example appears in Figure 4.

Figure 4. The user Account tab

Several of these properties were discussed in Table 2. Those properties were configured when creating the user object and can be modified, as can a larger set of account properties, using the Account tab. Several properties are not necessarily self-explanatory, and deserve definition in Table 3.

Table 3. User Account Properties

Logon Hours: Click Logon Hours to configure the hours during which the user is allowed to log on to the network. This restricts new logons; whether an existing session is cut off when the permitted hours end is controlled separately by the security option Network security: Force logoff when logon hours expire.
Log On To: Click Log On To to limit the workstations from which the user can log on. This is called Computer Restrictions in other parts of the user interface. You must have NetBIOS over TCP/IP enabled for this feature to work, because the restriction is keyed on the computer name rather than on the Media Access Control (MAC) address of its network card. Because that name is supplied by the client, treat this as an administrative control, not a strong security boundary.
Store Password Using Reversible Encryption: This option stores the password in Active Directory in a form from which the cleartext can be recovered, instead of only as a one-way hash. It exists to support applications that must know the user's password. A password stored this way is effectively plaintext to anyone with access to the directory database and its keys, so do not enable the option unless it is absolutely required. Macintosh clients using the AppleTalk protocol require knowledge of the user password; if a user logs on from such a client, you will need to select this option.
Smart Card Is Required For Interactive Logon: Smart cards are portable, tamper-resistant hardware devices that store the user's certificate and private key. They are attached to, or inserted into, a system and add a physical possession factor to the authentication process. When this option is set, the account's password is replaced with a random value and can no longer be used for interactive logon.
Account Is Trusted For Delegation: This option lets a service running under the account impersonate a user to access network resources on that user's behalf. It is the most permissive form of delegation: the service receives forwardable credentials of every user who authenticates to it and can present them to any other service. It is not typically selected, and certainly not for a user object representing a person; it is used for service accounts in three-tier (or multi-tier) application infrastructures.
Account Expires: Use the Account Expires controls to specify when the account expires. Set an expiry date for contractors and other temporary accounts so that a forgotten account disables itself.
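Three of the Table 3 restrictions are stored as raw attribute values rather than simple flags: Logon Hours as the 21-byte logonHours bitmask, Log On To as the comma-separated userWorkstations list, and Account Expires as a Windows FILETIME in accountExpires. The following Python model is an added example, not code from the original page: it builds those values for a constructed user and evaluates a logon attempt against them. The assumed bit layout is that bit i of the 168-bit mask is hour i of the week counted from Sunday 00:00 UTC, least-significant bit first within each byte (ADUC displays the same data converted to local time); the user record, computer names and dates are invented.

```python
from datetime import datetime, timezone

NEVER = 0x7FFFFFFFFFFFFFFF                  # accountExpires value stored for "Never"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day, hour=0):
    """Convenience constructor for an aware UTC datetime."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def build_logon_hours(windows):
    """windows: (weekday, start_hour, end_hour) triples, weekday 0 = Sunday,
    end exclusive, hours in UTC. Returns the 21-byte logonHours value."""
    mask = bytearray(21)
    for weekday, start, end in windows:
        for hour in range(start, end):
            bit = weekday * 24 + hour
            mask[bit // 8] |= 1 << (bit % 8)   # LSB-first within each byte (assumed)
    return bytes(mask)


def logon_hours_allow(mask, when):
    """True if the aware datetime `when` falls in a permitted hour."""
    when = when.astimezone(timezone.utc)
    weekday = (when.weekday() + 1) % 7       # Python Monday=0 -> AD Sunday=0
    bit = weekday * 24 + when.hour
    return bool(mask[bit // 8] & (1 << (bit % 8)))


def workstations_allow(user_workstations, computer_name):
    """userWorkstations is empty for 'All computers'; the match is on the
    NetBIOS name the client presents, not on any hardware identity."""
    if not user_workstations:
        return True
    allowed = {n.strip().upper() for n in user_workstations.split(",")}
    return computer_name.upper() in allowed


def to_filetime(when):
    """Convert an aware datetime to 100-ns intervals since 1601-01-01 UTC."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def account_expired(account_expires, now):
    """0 and NEVER both mean the account never expires."""
    if account_expires in (0, NEVER):
        return False
    return to_filetime(now) >= account_expires


def check_logon(user, computer_name, now):
    """Apply the three restrictions; returns (allowed, reason)."""
    if account_expired(user["accountExpires"], now):
        return False, "account expired"
    if not logon_hours_allow(user["logonHours"], now):
        return False, "outside permitted logon hours"
    if not workstations_allow(user["userWorkstations"], computer_name):
        return False, "workstation not permitted"
    return True, "ok"


# Constructed record: Monday-Friday 08:00-18:00 UTC, two workstations,
# account expires at the end of 2010-12-31 UTC.
USER = {
    "logonHours": build_logon_hours([(d, 8, 18) for d in range(1, 6)]),
    "userWorkstations": "SALES-WS01,SALES-WS02",
    "accountExpires": to_filetime(utc(2011, 1, 1)),
}

if __name__ == "__main__":
    attempts = [
        ("SALES-WS01", utc(2010, 10, 11, 9)),   # Monday, in hours
        ("SALES-WS01", utc(2010, 10, 10, 9)),   # Sunday
        ("HR-WS07",    utc(2010, 10, 11, 9)),   # wrong workstation
        ("SALES-WS02", utc(2011, 3, 1, 9)),     # after expiry
    ]
    for computer, when in attempts:
        print("%-10s %s %s" % (computer, when.isoformat(), check_logon(USER, computer, when)))
```

The FILETIME conversion is the part most often got wrong when reading accountExpires or pwdLastSet from a directory dump: the unit is 100 nanoseconds and the epoch is 1601, so 1970-01-01 corresponds to 116444736000000000.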

Managing Properties on Multiple Accounts Simultaneously

Windows Server 2003 allows you to modify the properties of multiple user accounts simultaneously. You simply select several user objects by holding the CTRL key as you click each user, or using any other multiselection options. Be certain that you select only objects of one class, such as users. Once you have multiselected, on the Action menu, choose Properties.

When you have multiselected user objects, a subset of properties is available for modification.

  • General tab: Description, Office, Telephone Number, Fax, Web Page, E-mail

  • Account tab: UPN Suffix, Logon Hours, Computer Restrictions (logon workstations), all Account Options, Account Expires

  • Address tab: Street, PO Box, City, State/Province, ZIP/Postal Code, Country/Region

  • Profile tab: Profile Path, Logon Script, and Home Folder

  • Organization tab: Title, Department, Company, Manager


Be sure to know which properties can be modified for multiple users simultaneously. Exam scenarios that suggest a need to change many user objects’ properties as quickly as possible are often testing your understanding of multiselect.

There are still many properties that must be set on a user-by-user basis. Also, certain administrative tasks, including the resetting of passwords and the renaming of accounts, can only be performed on one user object at a time.

Moving a User

If a user is transferred within an organization, it is possible that you might need to move his or her user object to reflect a change in the administration or configuration of the object. To move an object in Active Directory Users and Computers, select the object and, from the Action menu, choose Move. Alternatively, you can right-click the object and select Move from the shortcut menu.


A new feature of Windows Server 2003 is that drag-and-drop operations are supported. You can move objects between OUs by dragging and dropping them in the Active Directory Users And Computers Snap-in.
