5. Managing Users and Groups
Of course, critical to a multiuser system are user accounts and groups, which you can create within Active Directory using the Active Directory Users and Computers tool, which we previewed two sections ago. (In this section I'll use the acronym ADUC to refer to this tool to save me from having to type out "Active Directory Users and Computers" over and over.) Within ADUC, you can create, change, and delete user accounts, manage groups and their members, and configure Group Policies.
5.1. Creating users and groups
Let's look at
creating users and groups within ADUC. It's a simple process to create a
user or a group. First, you ought to decide on a username or group
name. You can select almost any username or group name for a particular
person or group in Windows Server 2003, but you must keep the following
restrictions in mind:
The name must be unique within a domain (if you are creating a domain user) or on a machine (if you are creating a local user).
The name can be a maximum of 20 characters.
The name cannot contain any of the following characters: " / \ [ ] : ; | = , + * ? < >.
The name cannot consist of all spaces or all periods, though individual spaces or periods within a name are acceptable.
Group names have the same restrictions.
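A pre-check for those naming restrictions, written as an added example here rather than taken from the book: it assumes the caller supplies the names already present in the scope where the new name must be unique, and it compares names case-insensitively, which is how Windows matches account names.

```python
# Characters that Windows Server 2003 rejects in user and group names
# (the list given in the text above).
FORBIDDEN_CHARS = set('"/\\[]:;|=,+*?<>')
MAX_NAME_LENGTH = 20


def validate_account_name(name, existing_names=()):
    """Return a list of rule violations for a proposed user or group name.

    An empty list means the name is acceptable. existing_names holds the
    names already present in the scope that must be unique (the domain for
    a domain user, the machine for a local user).
    """
    problems = []
    if name == "":
        # Not spelled out in the restrictions, but an empty name is unusable.
        problems.append("is empty")
    if len(name) > MAX_NAME_LENGTH:
        problems.append("longer than %d characters" % MAX_NAME_LENGTH)
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("contains forbidden character(s): " + " ".join(bad))
    # All spaces or all periods is rejected; a space or period inside an
    # otherwise normal name is fine.
    if name and (set(name) <= {" "} or set(name) <= {"."}):
        problems.append("consists only of spaces or only of periods")
    # Windows account names are case-insensitive, so compare in one case.
    if name.lower() in {n.lower() for n in existing_names}:
        problems.append("already exists in this domain or on this machine")
    return problems
```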
So, to create a user, follow these steps:
In
the left pane, select the container in which you want the new user to
reside. Right-click it and select User from the New menu. The New Object - User screen appears, as shown in Figure 18.
Enter the user's first name, middle name, and last name in the
appropriate boxes and the Full name field will populate automatically.
Enter the user's preferred logon name in the User logon name box, and
then click Next.
The next screen is where you enter the user's initial password and a few properties for his account. This is shown in Figure 19.
Enter and confirm the password, and then decide whether the new user will be prompted to change this password when he logs on, whether he can change his password at all, whether the password will follow the domain's expiration policy, and finally, whether the account is disabled. (Disabled accounts cannot log in.) Click Next.
Confirm the information you have just entered, and click OK to create the user.
To create a new group, follow these steps:
In the left pane, select the container in which you want the new group to reside. Right-click it and select Group from the New menu. The New Object - Group screen appears, as shown in Figure 20.
Enter a name for the group, its scope as a domain local, global, or universal group, and the type of group (either security or distribution). Click OK.
That's it! You've created a new group.
If you are creating a user,
your work is not done yet. You need to configure several additional
properties before the user account is ready for use. Right-click the new
user within ADUC and select Properties from the context menu. Here's a
rundown of each option on the properties sheet's various tabs:
General On the General
tab, you can input information such as the user's first, middle, and
last name, a description of the user, and his or her office location,
main telephone number, email address, and home page. The General tab is
shown in Figure 21.
Address The Address tab allows you to enter the user's postal service address information and his or her geographic location. Figure 22 shows the Address tab.
Account On the Account tab,
you can modify the user's logon name, the suffix for his or her
principal name (a concept which I'll explain in a bit), logon hours, and
the workstations he or she is permitted to use. To set logon hours,
click the Logon Hours button and then select the block of time you want
to either permit or deny. To set permitted workstations, click the Logon
To button—but note that you need to have the NetBIOS protocol on your
network for that restriction to be enforced.
You also see
several options. You can specify that a user must change his password
the next time he logs in, that he cannot change his password, that his
password never expires, that Windows should store his password using a
weaker, reversible encryption scheme, that his account is disabled, that
a smart card must be used in conjunction with his password to log on,
that the account is to be used for a software service such as Exchange
and ought to be able to access other system resources, that the account
is not trusted, that DES encryption should be used for the account, or
that an alternate implementation of the Kerberos protocol can be used.
The Account tab is shown in Figure 23.
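Most of those Account tab checkboxes are stored on the user object as bits of the userAccountControl attribute. The audit helper below is an added example, not code from the book: the bit values are Microsoft's documented ones, the checkbox each bit backs is noted in the comments, and the sample account values are constructed rather than exported from a real directory.

```python
# Bits of the userAccountControl attribute as documented by Microsoft,
# with the Account tab checkbox each one backs.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",              # Account is disabled
    0x000020: "PASSWD_NOTREQD",              # (no checkbox) password not required
    0x000080: "ENCRYPTED_TEXT_PWD_ALLOWED",  # Store password using reversible encryption
    0x010000: "DONT_EXPIRE_PASSWORD",        # Password never expires
    0x040000: "SMARTCARD_REQUIRED",          # Smart card is required for interactive logon
    0x080000: "TRUSTED_FOR_DELEGATION",      # Account is trusted for delegation
    0x100000: "NOT_DELEGATED",               # Account is sensitive and cannot be delegated
    0x200000: "USE_DES_KEY_ONLY",            # Use DES encryption types for this account
    0x400000: "DONT_REQ_PREAUTH",            # Do not require Kerberos preauthentication
}
# "User must change password at next logon" is pwdLastSet = 0, not a UAC bit,
# and "User cannot change password" is a permission entry on the object, so
# neither can be read from userAccountControl.

# Settings that weaken the account and belong on a review list.
WEAK_FLAGS = {
    "PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "DONT_EXPIRE_PASSWORD",
    "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
}


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_account(sam_account_name, uac, pwd_last_set):
    """Return (name, findings) for one account's attribute values."""
    flags = decode_uac(uac)
    findings = [f for f in flags if f in WEAK_FLAGS]
    # A pending forced change only matters if the account can actually log on.
    if pwd_last_set == 0 and "ACCOUNTDISABLE" not in flags:
        findings.append("MUST_CHANGE_PASSWORD_PENDING")
    return sam_account_name, findings


# Constructed sample values (not real directory data): name, UAC, pwdLastSet.
SAMPLE_ACCOUNTS = [
    ("jsmith", 0x200, 132000000000000000),                 # normal account
    ("svc_backup", 0x200 | 0x10000 | 0x80000, 1),          # never expires, delegation
    ("legacyapp", 0x200 | 0x80 | 0x200000 | 0x400000, 1),  # reversible, DES, no preauth
    ("tempuser", 0x200 | 0x2, 0),                          # disabled, pending change
]


def audit_all(accounts=SAMPLE_ACCOUNTS):
    """Map each account that has findings to its list of findings."""
    return {name: f for name, f in (audit_account(*a) for a in accounts) if f}
```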
Profile On the Profile tab,
you can specify the path to the user's profile. A user's profile
contains the contents of his or her Desktop and Start menu and other
customizations (such as wallpaper and color scheme). You can specify
where that profile is stored with the Profile Path option. You also can
designate the path to the user's home folder, which is the default
location within most Windows applications for a particular user's data
to be stored. Plus, you can choose to automatically map a specific drive
letter to the user's home folder that you have set up. Figure 24 shows the Profile tab.
Telephones On the Telephones
tab, you can enter different numbers corresponding to this particular
user's home, pager, mobile, fax, and IP telephones. The Telephones tab
is shown in Figure 25.
Organization The Organization
tab gives you a place to specify the user's official title, the
department in which he works, the name of the company where he works,
his direct reports, and his manager's name. The Organization tab is
shown in Figure 26.
Remote control This tab specifies Terminal Services properties. The Remote control tab is shown in Figure 27.
Terminal Services Profile This tab specifies Terminal Services properties. The Terminal Services Profile tab is shown in Figure 28.
COM+ On the COM+
tab, you can assign users to applications on COM+ partitions that you
have set up on different servers. The COM+ tab is shown in Figure 29.
Member Of The Member Of tab
shows a user's group memberships. All users by default are a member of
the Domain Users group. You can click the Add button to add groups of
which this user is a member. To remove a user from a current group
membership, click Remove. The Member Of tab is shown in Figure 30.
Dial-in The Dial-in
tab is where you configure several remote access options and properties
for the user. The Dial-in tab is shown in Figure 31.
Environment This tab specifies Terminal Services properties. The Environment tab is shown in Figure 32.
Sessions This tab specifies Terminal Services properties. The Sessions tab is shown in Figure 33.
You have fewer
properties to configure when you create a new group. Those
group-specific properties are profiled in the next section.
General On the General
tab, you can specify the name of the group, a friendly description of
the group, the group's email address, the group's scope and type, and
any notes you want to write to yourself or to other administrators. Figure 5-35 shows the General tab.
Members The Members tab
shows the current members of the group. Click the Add and Remove buttons
to add and remove members from the group, respectively. Figure 35 shows the Members tab.
Member Of On
the Member Of tab, you specify the groups of which this current group
is a member. You can click Add and Remove to change this group's
membership. The Member Of tab is shown in Figure 36.