Chapter 7, Managing Active Directory User and Computer Objects
|1| Chapter Overview
A. Creating User and Computer Objects
B. Maintaining User Accounts
C. Creating User Profiles
Chapter 7, Lesson 1
|2| Creating User and Computer Objects
1. Introduction
A. Each user needs a user account to
1. Log on to a computer and access resources on that computer
2. Log on to a domain and access network resources
B. Everyone who regularly uses the network should have his or her own unique user account.
|3| 2. Introducing User Accounts
A. Windows 2000 has three types of user accounts:
1. Local user accounts
2. Domain user accounts
3. Built-in user accounts
|4| B. Local user accounts
1. Let users log on to and access resources on only the computer where the user account is located
2. Are created and reside in the computer’s local security database
3. Remain local; they are not replicated to other computers or domain controllers
4. Do not use local user accounts on computers that require access to domain resources because the domain does not recognize local user accounts.
|5|
|6| C. Domain user accounts
1. Let users log on to the domain and access resources anywhere on the network
2. When a user logs on
a. The user provides a logon name and password
b. Windows 2000 authenticates the user
c. Windows 2000 builds an access token for the user
|7| 3. You create a domain user account by creating a user object in an Active Directory folder or organizational unit (OU).
a. Active Directory folders and OUs are objects in Active Directory.
4. The Active Directory database is located on computers running Windows 2000 Server that have been designated as domain controllers.
5. Domain user accounts are replicated to all other domain controllers in the domain.
8|
a. Because replicating the domain user account information to all domain controllers can take a few minutes, a user may not be able to log on immediately using a newly created domain user account.
b. By default, directory information is replicated every five minutes.
|9| D. Built-in user accounts
1. Built-in user accounts are created automatically by Windows 2000.
2. Two of the most commonly used are
a. Administrator: used to manage the overall computer and domain configuration
(1) If you are the administrator of the network, you should create a user account for yourself that you use to perform nonadministrative tasks. Then, log on using the Administrator account only when you need to perform administrative tasks.
(2) You can rename the Administrator account, but you cannot delete it.
b. Guest: allows occasional users to log on and access resources
(1) The Guest account is disabled by default.
(2) Enable the Guest account only in low-security networks.
(3) You can rename and disable the Guest account, but you cannot delete it.
|10| 3. Other built-in user accounts include
a. IUSR_computername, which is automatically created when Microsoft Internet Information Services (IIS) is installed on the domain controller
b. IWAM_computername, which is automatically created when IIS is installed on the domain controller
c. TsInternetUser, which is automatically created when Terminal Services is installed on the domain controller
|11| 3. Creating Domain User Accounts
A. Use the Active Directory Users And Computers console to create and manage domain user accounts.
1. You can
a. Create, delete, or disable user objects
b. Manage the attributes of user objects
B. This tool is automatically installed on all domain controllers.
C. You can install this tool on other computers running Windows 2000 that are not domain controllers.
|12|
1. To install Active Directory Users And Computers on a computer running Windows 2000 that is not a domain controller, use Windows Installer to run the Adminpak.msi package (found on the Windows 2000 Server CD-ROM in the \I386 folder).
|13| D. Creating a user object in a domain
1. Select Start, point to Programs, point to Administrative Tools, and then click Active Directory Users And Computers.
|14| 2. In the scope pane, right-click the Users folder, click New, and then click User to open the New Object – User dialog box.
a. Windows 2000 creates a Users folder by default in every new Active Directory domain. On a live network, you should create user objects in OUs that form the Active Directory domain hierarchy, rather than in the Users folder.
3. Configure the options in the New Object – User dialog box, and then click Next.
a. First Name
b. Initials
c. Last Name
d. Full Name
e. User Logon Name
f. User Logon Name (Pre–Windows 2000)
|15| 4. Configure the password options, and then click Next.
a. Password
(1) You should require new users to change their passwords the first time they log on. This prevents a user account from existing without a password. Also, after the user logs on and changes the password, only the user knows it.
b. Confirm Password
c. User Must Change Password At Next Logon
d. User Cannot Change Password
e. Password Never Expires
f. Account Is Disabled
5. Click Finish to create the new user object.
|16| E. If you regularly create user objects with the same properties, create a user template object to simplify your work.
1. A user template object is a user object that you have configured with the property values you want all new user objects to have.
2. To use the template to create a new user object, copy the template to create the new user object, and then specify the user name, logon name, and password.
|17| 4. Setting User Account Attributes
A. A set of default attributes is associated with each user object you create.
B. After you create a user account, you can configure its attributes.
1. Use the Properties dialog box for the user object in Active Directory Users And Computers.
a. You open the Properties dialog box either by double-clicking the user object or by right-clicking the user object and then clicking Properties.
|18| 2. Tabs in the default Properties dialog box
a. General
b. Address
c. Account
d. Profile
e. Telephones
f. Organization
g. Remote Control
h. Terminal Services Profile
i. Member Of
j. Dial-In
k. Environment
l. Sessions
3. If you install other software products that use Active Directory, additional tabs could be added to the Properties dialog box.
|19| C. Setting personal attributes
1. Four of the tabs in the Properties dialog box (General, Address, Telephones, and Organization) contain personal information about the user but are not directly related to the operation of the user object or Active Directory.
|20|
|21| D. Setting account properties
1. The Account tab contains several configurable user account attributes, including
a. User logon name
b. Password options
c. Account expiration options
d. Logon hours
|22| 2. You can modify the values for the attributes on the Account tab and set values for other attributes.
a. Store Password Using Reversible Encryption
b. Smart Card Is Required For Interactive Logon
c. Account Is Trusted For Delegation
d. Account Is Sensitive And Cannot Be Delegated
e. Use DES Encryption Types For This Account
f. Do Not Require Kerberos Preauthentication
g. Account Expires
|23| E. Setting logon hours
1. You can restrict the times that users can log on to the domain.
2. By default, Windows 2000 permits access for all hours on all days.
3. There may be valid reasons for you to restrict a user’s logon hours.
4. When you click Logon Hours in the Account Tab, the Logon Hours dialog box appears.
|24| 5. To set the logon hours for a user object:
a. Open Active Directory Users And Computers.
b. Locate the user object you want to modify, right-click the object, and then click Properties.
c. Click the Account tab.
d. Click Logon Hours.
(1) A blue box indicates the user can log on during that hour.
(2) A white box indicates the user cannot log on during that hour.
e. Select the rectangles on the days and hours that you want to allow or deny the user to log on, and then select Logon Permitted or Logon Denied, as appropriate.
f. Click OK to close the Logon Hours dialog box.
g. Click OK to close the Properties dialog box.
6. Windows 2000 does not disconnect users from the domain when their logon hours expire; it only prevents them from logging on during the hours they are denied access.
|25| F. Setting the computers that users can log on from
1. You can restrict the computers a user can log on to the domain from.
2. By default, a user can log on from any computer in the domain.
3. To control the computers from which a user can log on to a domain, you must enable NetBIOS over Transmission Control Protocol/Internet Protocol (TCP/IP).
4. When you click Log On To on the Account tab, the Logon Workstations dialog box appears.
|26|
5. How to specify the workstations a user can log on from:
a. Open Active Directory Users And Computers.
b. Locate the user object you want to modify, right-click the object, and then click Properties.
c. Click the Account tab.
d. Click Log On To to display the Logon Workstations dialog box.
e. In the Logon Workstations dialog box, select The Following Computers option.
f. In the Computer Name box, type the NetBIOS name of a computer you want to permit the user to log on from, and then click Add.
(1) Repeat this process to add more computers to the list.
g. Click OK to close the Logon Workstations dialog box.
h. Click OK to close the Properties dialog box.
5. Lesson Review
A. The lesson review questions are located on page 237 of the textbook.
|27| 6. Lesson Summary
A. There are three types of Windows 2000 user accounts:
1. Local user accounts
2. Domain user accounts
3. Built-in user accounts
B. Use Active Directory Users And Computers to create and manage domain user accounts.
C. You can configure numerous user account attributes, including
1. Personal attributes
2. Account properties
3. Logon hours
4. The computers a user can log on from
Chapter 7, Lesson 2
|28| Maintaining User Accounts
1. Introduction
A. User accounts require periodic maintenance due to changes in personnel, users’ personal information, and so on.
B. In order to maintain and modify user accounts, you need permission to administer the user objects.
|29| 2. Disabling, Enabling, Renaming, and Deleting User Accounts
A. Disabling and enabling a user account
1. A user account can be disabled when a user will not need the account for an extended period of time, such as for a leave of absence.
2. When the user returns to work, the disabled account can be enabled.
B. Renaming a user account
1. You perform this task if a user’s name has changed or if you want to reassign the account to a different user.
C. Deleting a user account
1. You typically perform this task when an employee leaves the company and you do not plan to rename the user account.
|30| D. To disable, enable, rename, or delete a user account using Active Directory Users And Computers:
1. Open Active Directory Users And Computers, and then expand the console tree until the user account is visible.
2. Click the user account, and then from the Action menu, click the appropriate command.
|31|
a. If a user account is currently enabled, the Disable Account command appears.
b. If the user account is currently disabled, the Enable Account command appears.
|32| 3. Resetting Passwords and Unlocking User Accounts
A. You perform these tasks when a user cannot log on to the domain or the local computer because of a password or account lockout problem.
B. To perform these tasks, you must have administrative privileges for the object that the user account resides in.
1. Members of the Administrators group, by default, have the permissions necessary to reset passwords and unlock user accounts.
|33| C. Resetting passwords
1. After a password is set for a user account, it is not visible to anyone, including administrators.
2. You may need to reset a user’s password if a user’s password has expired or if a user forgets his or her password.
3. To reset a user’s password:
|34|
a. In Active Directory Users And Computers, expand the console tree until the user account is visible.
b. Click the user account, and then from the Action menu, click Reset Password.
c. In the Reset Password dialog box, type a new password for the user, and then retype it in the Confirm Password box.
d. Select the User Must Change Password At Next Logon check box, and then click OK.
|35| D. Unlocking user accounts
1. Many Windows 2000 networks use group policies to enforce password restrictions, such as a limit on the number of failed logon attempts permitted for a user account.
2. When a user enters an incorrect password too many times, Windows 2000 locks the account, preventing further logon attempts.
3. To unlock a user account:
a. In Active Directory Users And Computers, expand the console tree until the user account is visible.
(1) The red X on the user object indicates that the user account is currently locked.
b. Right-click the user account, click Properties, and then click the Account tab.
c. Clear the Account Is Locked Out check box.
d. Click OK to close the Properties dialog box.
4. Lesson Review
A. The lesson review questions are located on page 244 of the textboook.
|36| 5. Lesson Summary
A. Use Active Directory Users And Computers to disable, enable, rename, and delete user accounts.
B. Disabling a user account prevents the user from logging on but leaves all of the account information intact.
C. Use Active Directory Users And Computers to reset user account passwords and to unlock user accounts.
Chapter 7, Lesson 3
|37| Creating User Profiles
1. Introduction
A. A user profile is a collection of folders and data that stores a user’s current desktop environment, application settings, and personal data.
B. A user profile also contains all of the user’s Start menu items and mapped drives to network servers.
C. A home folder is a folder on a server that is assigned to a user for storing personal data.
|38| 2. Understanding User Profiles
A. On computers running Windows 2000, user profiles automatically create and maintain desktop settings for each user’s work environment on the local computer.
B. A new user profile is created for each user logging on to the computer for the first time.
|39| C. Advantages of user profiles to users
1. More than one user can work on the same computer, with all users maintaining their own desktop settings each time they log on.
2. When users log on to their workstations, they receive the same desktop settings they had when they last logged off.
3. If one user customizes the desktop environment, another user’s settings are not affected.
4. User profiles can be stored on a server so they can follow users to any computer running Windows 2000 or Microsoft Windows NT 4.0 on the network.