Windows Server 2003 : Building an Active Directory Structure (part 3) - Managing Users and Groups - Creating users and groups

9/14/2012 1:00:38 AM

5. Managing Users and Groups

Of course, user accounts and groups are critical to any multiuser system, and you create them within Active Directory using the Active Directory Users and Computers tool, which we previewed two sections ago. (In this section I'll use the acronym ADUC to refer to this tool to save me from having to type out "Active Directory Users and Computers" over and over.) Within ADUC, you can create, change, and delete user accounts, manage groups and their members, and configure Group Policies.

5.1. Creating users and groups

Let's look at creating users and groups within ADUC. It's a simple process to create a user or a group. First, you ought to decide on a username or group name. You can select almost any username or group name for a particular person or group in Windows Server 2003, but you must keep the following restrictions in mind:


  • The name must be unique within a domain (if you are creating a domain user) or on a machine (if you are creating a local user).

  • The name can be a maximum of 20 characters.

  • The name cannot contain any of the following characters: " / \ [ ] : ; | = , + * ? < >.

  • The name cannot consist of all spaces or all periods, though individual spaces or periods within a name are acceptable.

Group names have the same restrictions.
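The four naming restrictions above can be checked before you ever open the wizard. The following PowerShell function is an added example, not code from the book; it takes the proposed name plus a caller-supplied list of names already in use (the book gives no API for that lookup, so the list here is constructed sample data), and reports every rule the name breaks.

```powershell
# Added example (not from the book): check a proposed user or group name against the
# four restrictions listed above. Test-AccountName is an assumed helper name.
function Test-AccountName {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        # Names already in use in the domain (or on the machine), supplied by the caller.
        [string[]]$ExistingNames = @()
    )
    $problems = @()

    # Rule 1: unique within the domain or on the machine. Windows compares account
    # names case-insensitively, and so does -contains for strings.
    if ($ExistingNames -contains $Name) {
        $problems += 'name already exists'
    }
    # Rule 2: at most 20 characters.
    if ($Name.Length -gt 20) {
        $problems += 'longer than 20 characters'
    }
    # Rule 3: none of  " / \ [ ] : ; | = , + * ? < >
    $illegal = [char[]]'"/\[]:;|=,+*?<>'
    $found = @($Name.ToCharArray() | Where-Object { $illegal -contains $_ } | Sort-Object -Unique)
    if ($found.Count -gt 0) {
        $problems += 'contains illegal character(s): ' + ($found -join ' ')
    }
    # Rule 4: not made up entirely of spaces and/or periods (an empty name fails too).
    if ($Name.Length -eq 0 -or $Name.Trim([char[]]' .').Length -eq 0) {
        $problems += 'consists only of spaces and/or periods'
    }

    New-Object PSObject -Property @{
        Name     = $Name
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample data: two names already taken, and a mix of good and bad candidates.
$taken = @('jdoe', 'Administrator')
'JDoe', 'a.smith', 'mary jones', 'bad/name', 'this.name.is.far.too.long', '...' |
    ForEach-Object { Test-AccountName -Name $_ -ExistingNames $taken } |
    Select-Object Name, IsValid, Problems |
    Format-Table -AutoSize
```

Run it on a workstation with PowerShell installed; nothing in it touches the directory. Only `a.smith` and `mary jones` come back valid: `JDoe` collides with the existing `jdoe`, `bad/name` carries a forbidden character, the long name exceeds 20 characters, and `...` is all periods.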

So, to create a user, follow these steps:

  1. Open ADUC.

  2. In the left pane, select the container in which you want the new user to reside. Right-click it and select User from the New menu.

  3. The New Object - User screen appears, as shown in Figure 18. Enter the user's first name, middle name, and last name in the appropriate boxes and the Full name field will populate automatically. Enter the user's preferred logon name in the User logon name box, and then click Next.

Figure 18. Entering a new user

  4. The next screen is where you enter the user's initial password and a few properties for his account. This is shown in Figure 19. Enter and confirm the password, and then decide whether the new user will be prompted to change this password when he logs on, whether he can change his password at all, whether the password will follow the domain's expiration policy, and finally, whether the account is disabled. (Disabled accounts cannot log in.) Click Next.

  5. Confirm the information you have just entered, and click OK to create the user.

To create a new group, follow these steps:

  1. Open ADUC.

  2. In the left pane, select the container in which you want the new group to reside. Right-click it and select Group from the New menu.

  3. The New Object - Group screen appears, as shown in Figure 20. Enter a name for the group, its scope as a domain local, global, or universal group, and the type of group (either security or distribution). Click OK.

That's it! You've created a new group.
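The same two wizards (New Object - User in Figures 18 and 19, New Object - Group in Figure 20) can be driven from a script through ADSI, which is what ADUC itself uses underneath. The script below is an added example, not code from the book. It assumes a domain named example.com with an OU `OU=Staff,DC=example,DC=com`, a user Jane Doe with logon name jdoe, and a global security group named Helpdesk; all of those are placeholders to change for your own test domain, and the script must run on a domain-joined machine under an account allowed to create objects in that OU.

```powershell
# Added example (not from the book): the New Object - User and New Object - Group
# wizards performed through ADSI. OU, domain, user and group names are assumed.
$ou = [ADSI]'LDAP://OU=Staff,DC=example,DC=com'

# --- New Object - User, first screen (Figure 18) ---
$first = 'Jane'; $last = 'Doe'; $logon = 'jdoe'
$user = $ou.Create('user', "CN=$first $last")
$user.Put('givenName', $first)
$user.Put('sn', $last)
$user.Put('displayName', "$first $last")                 # the auto-filled Full name
$user.Put('sAMAccountName', $logon)                      # pre-Windows 2000 logon name
$user.Put('userPrincipalName', "${logon}@example.com")   # User logon name + UPN suffix
$user.SetInfo()                                          # the object must exist before SetPassword

# --- New Object - User, password screen (Figure 19) ---
# The initial password is prompted for rather than written into the script.
$secure = Read-Host -Prompt "Initial password for $logon" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Account options live in userAccountControl. 0x0200 is NORMAL_ACCOUNT; the account
# is enabled because the 0x0002 ACCOUNTDISABLE bit is left clear (OR it in to create
# the account disabled, as the wizard's last checkbox does).
$ADS_UF_NORMAL_ACCOUNT = 0x0200
$user.Put('userAccountControl', $ADS_UF_NORMAL_ACCOUNT)
# "User must change password at next logon" is a pwdLastSet of 0.
$user.Put('pwdLastSet', 0)
$user.SetInfo()

# --- New Object - Group (Figure 20) ---
# groupType encodes scope and type: 0x2 global, 0x4 domain local, 0x8 universal,
# plus 0x80000000 for a security group (omit it for a distribution group).
# 0x80000002 stored as a signed 32-bit value is -2147483646.
$ADS_GROUP_GLOBAL_SECURITY = -2147483646
$group = $ou.Create('group', 'CN=Helpdesk')
$group.Put('sAMAccountName', 'Helpdesk')
$group.Put('groupType', $ADS_GROUP_GLOBAL_SECURITY)
$group.SetInfo()

# The Member Of tab, scripted: add the new user to the new group.
$group.Add($user.Path)

"Created $($user.distinguishedName) and added it to $($group.distinguishedName)"
```

The order matters: the user object is saved once with no password (it is created disabled), the password is set, and only then is the account enabled by writing userAccountControl. Enabling first fails on any domain whose password policy requires a non-empty password.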

Figure 19. Entering a new user's password

Figure 20. Creating a new group

If you are creating a user, your work is not done yet. You need to configure several additional properties before the user account is ready for use. Right-click the new user within ADUC and select Properties from the context menu. Here's a rundown of each option on the properties sheet's various tabs:

General

On the General tab, you can input information such as the user's first, middle, and last name, a description of the user, and his or her office location, main telephone number, email address, and home page. The General tab is shown in Figure 21.

Figure 21. The General tab

Address

The Address tab allows you to enter the user's postal service address information and his or her geographic location. Figure 22 shows the Address tab.

Account

On the Account tab, you can modify the user's logon name, the suffix for his or her principal name (a concept which I'll explain in a bit), logon hours, and the workstations he or she is permitted to use. To set logon hours, click the Logon Hours button and then select the block of time you want to either permit or deny. To set permitted workstations, click the Logon To button, but note that you need to have the NetBIOS protocol on your network for that restriction to be enforced.

Figure 22. The Address tab

You also see several account options on this tab. You can specify:

  • that the user must change his password the next time he logs in;

  • that he cannot change his password;

  • that his password never expires;

  • that Windows should store his password using a weaker, reversible encryption scheme;

  • that his account is disabled;

  • that a smart card must be used in conjunction with his password to log on;

  • that the account is to be used for a software service such as Exchange and ought to be able to access other system resources;

  • that the account is not trusted;

  • that DES encryption should be used for the account; or

  • that an alternate implementation of the Kerberos protocol can be used.

The Account tab is shown in Figure 23.
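Most of those checkboxes are individual bits in the user's userAccountControl attribute, which makes them easy to audit in bulk. The PowerShell below is an added example, not code from the book: it names the bits behind the Account tab options, decodes a value into the options that are switched on, and lists accounts carrying the settings an administrator usually wants to review (reversible encryption, DES-only keys, no Kerberos preauthentication, a non-expiring password, and trust for delegation). The account names and values it runs over are constructed sample data; the commented lines at the end show the directory search you would feed it against a live domain.

```powershell
# Added example (not from the book): decode the userAccountControl bits behind the
# Account tab checkboxes and flag weak settings. Sample accounts are constructed.
$uacFlags = @{
    ACCOUNTDISABLE             = 0x000002   # "Account is disabled"
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x000080   # "Store password using reversible encryption"
    NORMAL_ACCOUNT             = 0x000200
    DONT_EXPIRE_PASSWORD       = 0x010000   # "Password never expires"
    SMARTCARD_REQUIRED         = 0x040000   # "Smart card is required for interactive logon"
    TRUSTED_FOR_DELEGATION     = 0x080000   # "Account is trusted for delegation"
    NOT_DELEGATED              = 0x100000   # "Account is sensitive and cannot be delegated"
    USE_DES_KEY_ONLY           = 0x200000   # "Use DES encryption types for this account"
    DONT_REQ_PREAUTH           = 0x400000   # "Do not require Kerberos preauthentication"
}
# The settings worth a second look in an audit.
$weakFlags = 'ENCRYPTED_TEXT_PWD_ALLOWED', 'DONT_EXPIRE_PASSWORD',
             'TRUSTED_FOR_DELEGATION', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH'

# Return the names of the flags set in one userAccountControl value.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory = $true)][int]$Value)
    $uacFlags.Keys | Where-Object { ($Value -band $uacFlags[$_]) -ne 0 } | Sort-Object
}

# Report each account that has at least one of the weak settings switched on.
function Get-WeakAccountSettings {
    param([Parameter(Mandatory = $true)][object[]]$Accounts)
    foreach ($acct in $Accounts) {
        $set  = @(ConvertFrom-UserAccountControl -Value $acct.userAccountControl)
        $weak = @($set | Where-Object { $weakFlags -contains $_ })
        if ($weak.Count -gt 0) {
            New-Object PSObject -Property @{
                sAMAccountName = $acct.sAMAccountName
                WeakSettings   = ($weak -join ', ')
            }
        }
    }
}

# Constructed sample: the shape a search for sAMAccountName and userAccountControl returns.
$sample = @(
    @{ sAMAccountName = 'jdoe';    userAccountControl = 0x200 },                           # ordinary enabled user
    @{ sAMAccountName = 'svc-app'; userAccountControl = 0x200 -bor 0x10000 -bor 0x80000 }, # never expires, trusted for delegation
    @{ sAMAccountName = 'legacy';  userAccountControl = 0x200 -bor 0x80 -bor 0x200000 },   # reversible encryption, DES only
    @{ sAMAccountName = 'guest2';  userAccountControl = 0x200 -bor 0x2 }                   # disabled, nothing weak
) | ForEach-Object { New-Object PSObject -Property $_ }

Get-WeakAccountSettings -Accounts $sample |
    Select-Object sAMAccountName, WeakSettings |
    Format-Table -AutoSize

# Against a live domain, build $Accounts from a directory search instead:
# $s = New-Object DirectoryServices.DirectorySearcher('(&(objectCategory=person)(objectClass=user))')
# $s.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'userAccountControl'))
# $live = $s.FindAll() | ForEach-Object { New-Object PSObject -Property @{
#     sAMAccountName     = $_.Properties['samaccountname'][0]
#     userAccountControl = [int]$_.Properties['useraccountcontrol'][0] } }
# Get-WeakAccountSettings -Accounts $live
```

On the sample data only `svc-app` and `legacy` are reported. The "User cannot change password" checkbox is deliberately absent from the table: it is not a userAccountControl bit but a permission entry on the object, so it has to be audited through the security descriptor rather than this attribute.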

Profile

On the Profile tab, you can specify the path to the user's profile. A user's profile contains the contents of his or her Desktop and Start menu and other customizations (such as wallpaper and color scheme). You can specify where that profile is stored with the Profile Path option. You also can designate the path to the user's home folder, which is the default location within most Windows applications for a particular user's data to be stored. Plus, you can choose to automatically map a specific drive letter to the user's home folder that you have set up. Figure 24 shows the Profile tab.

Figure 23. The Account tab

Telephones

On the Telephones tab, you can enter different numbers corresponding to this particular user's home, pager, mobile, fax, and IP telephones. The Telephones tab is shown in Figure 25.

Organization

The Organization tab gives you a place to specify the user's official title, the department in which he works, the name of the company where he works, his direct reports, and his manager's name. The Organization tab is shown in Figure 26.

Remote control

This tab specifies Terminal Services properties. The Remote control tab is shown in Figure 27.

Figure 24. The Profile tab
Figure 25. The Telephones tab
Figure 26. The Organization tab
Figure 27. The Remote control tab

Terminal Services Profile

This tab specifies Terminal Services properties. The Terminal Services Profile tab is shown in Figure 28.

Figure 28. The Terminal Services Profile tab

COM+

On the COM+ tab, you can assign users to applications on COM+ partitions that you have set up on different servers. The COM+ tab is shown in Figure 29.

Member Of

The Member Of tab shows a user's group memberships. All users by default are a member of the Domain Users group. You can click the Add button to add groups of which this user is a member. To remove a user from a current group membership, click Remove. The Member Of tab is shown in Figure 30.

Dial-in

The Dial-in tab is where you configure several remote access options and properties for the user. The Dial-in tab is shown in Figure 31.

Figure 29. The COM+ tab
Figure 30. The Member Of tab

Environment

This tab specifies Terminal Services properties. The Environment tab is shown in Figure 32.

Figure 31. The Dial-in tab

Sessions

This tab specifies Terminal Services properties. The Sessions tab is shown in Figure 33.

You have fewer properties to configure when you create a new group. Those group-specific properties are profiled below.

General

On the General tab, you can specify the name of the group, a friendly description of the group, the group's email address, the group's scope and type, and any notes you want to write to yourself or to other administrators. Figure 34 shows the General tab.

Members

The Members tab shows the current members of the group. Click the Add and Remove buttons to add and remove members from the group, respectively. Figure 35 shows the Members tab.

Figure 32. The Environment tab

Member Of

On the Member Of tab, you specify the groups of which this current group is a member. You can click Add and Remove to change this group's membership. The Member Of tab is shown in Figure 36.
