Configuring Account Options
Every user account created in Active Directory has account options that control logon hours, the computers to which a user can log on, account expiration, and so on. To manage these settings for a user, double-click the user account in Active Directory Users And Computers, and then select the Account tab.
Below the general account name fields, the available options are divided into three main areas. The first area that you can configure controls the Logon Hours and Log On To options.
- Setting logon hours: Click Logon Hours to configure when a user can log on to the domain. By default, users can log on 24 hours a day, seven days a week. To deny a user a specific day or time, select the area that you want to restrict them from logging on, and then select the Logon Denied option. For example, this option can be used to restrict shift workers to certain hours or to restrict working days to weekdays.
- Configuring logon computer: When you click Log On To, you can restrict which computers a user can log on from. The default setting allows users to log on from all computers. To restrict which computers a user can log on from, click The Following Computers. Type a host name or a fully qualified domain name in the Computer Name field, such as Workstation18 or Workstation.cpandl.com. Click Add. Repeat this procedure to set other logon computers.
Note: Earlier releases of Windows required the NetBIOS protocol to restrict which computers a user can log on from. In Windows Server 2008, this requirement has been phased out.
Below the Logon Hours and Log On To buttons is a check box called Unlock Account. If the user has locked herself or himself out by trying to log on with the wrong password too many times, you can unlock the account by clearing this check box. Next is the Account Options list, which includes a number of account options you can configure. These options include the following:
- User Must Change Password At Next Logon: This is the default setting when a user is created. It requires the user to change the password the first time he or she logs on. This allows the user to be the only person with the knowledge of the password, though you as the administrator can change it.
- User Cannot Change Password: This setting prevents the user from changing the password and gives the administrator more control over accounts like the Guest account. This is a good setting for service and application accounts.
- Password Never Expires: This prevents passwords from ever expiring. It is a good idea to use this on service accounts. This is another good setting for an application or service account where a password is hard-coded into an application or service.
- Store Password Using Reversible Encryption: Saves the user password as encrypted clear text. Select this check box if you have computers from Apple Computer, Inc., in your domain, because they store passwords as plain text.
- Account Is Disabled This prevents a user from logging on to his or her account. It enables network administrators to immediately disable an account for security reasons.
- Smart Card Is Required For Interactive Logon: To ensure higher security on a network, smart card technology can be implemented. Enabling the setting requires all users to use a smart card and reader to log on and to be authenticated. This domain setting also requires a personal identification number (PIN) configured on the smart card. This option also sets the Password Never Expires option to be enabled.
- Account Is Trusted For Delegation: If a service is running under a user account rather than as a local system, you can set a user account to execute procedures on behalf of a different account on the network. By enabling this option, you can mimic a client to gain access to network resources on the local computer.
- Account Is Sensitive And Cannot Be Delegated: Select this option if this account cannot be assigned for delegation by another account. This is the opposite of the preceding setting, and could be used in a high-security network environment.
- Use Kerberos DES Encryption Types For This Account: Data Encryption Standard (DES) is used for many encryption protocols, including Microsoft Point-to-Point Encryption (MPPE) and Internet Protocol Security (IPSec) and supports up to 128-bit strong encryption. Enable this option if you want to use DES encryption.
- This Account Supports Kerberos AES 128 Bit Encryption: Advanced Encryption Standard (AES) is more secure than DES and increasingly preferred over DES. Enable this option if you want to use AES 128-bit encryption with this account when applicable and available. Before selecting this option ensure the user will only log on to computers running Windows Vista or later or other computers that support AES 128-bit encryption.
- This Account Supports Kerberos AES 256 Bit Encryption: Advanced Encryption Standard (AES) is more secure than DES and increasingly preferred over DES. Enable this option if you want to use AES 256-bit encryption with this account when applicable and available. Before selecting this option ensure the user will only log on to computers running U.S. domestic releases of Windows Vista or later or other computers that support AES 256-bit encryption.
- Do Not Require Kerberos Preauthentication: You should enable this if the account uses a different implementation of the Kerberos protocol.
Finally, the Account Expires panel lets you set expiration options for the account. The default is Never, but you might need to configure this setting for some users. For example, temporary or contract users, summer help, or consultants may be working on your network for only a specified amount of time. If you know how long they need access to resources in your domain, you can use the Account Expires settings to automate the disabling of their account.
Disabling Accounts: In most network environments, administrators to whom managing users has been delegated will not be able to remove users immediately upon their leaving the company, creating a window of vulnerability. Yet, when accounts have scheduled end points, you can schedule them to be disabled on a specific date. So, it is a good idea to schedule accounts to be disabled if you are sure that the user will no longer be working. If the account is automatically disabled, but the user needs access, he or she will let you know. But, if the account is not disabled automatically, it can represent a big security problem. To handle this on an enterprise level, many businesses are reviewing (or implementing) provisioning applications to automate the process of taking away access to company resources when employees leave the company.
In this tutorial:
- Managing Users, Groups, and Computers
- Managing Domain User Accounts
- Configuring User Account Policies
- Enforcing Password Policy
- Configuring Account Lockout Policy
- Creating Password Settings Objects and Applying Secondary Settings
- Understanding User Account Capabilities, Privileges, and Rights
- Assigning User Rights
- Creating and Configuring Domain User Accounts
- Configuring Account Options
- Configuring Profile Options
- Troubleshooting User Accounts
- Implementing and Creating Preconfigured Profiles
- Configuring Local User Profiles
- Implementing Mandatory User Profiles
- Managing User Data
- Using Offline Files
- Configuring Offline Files on Clients
- Maintaining User Accounts
- Moving User Accounts
- Resetting a User's Domain Password
- Creating a User Account Password Backup
- Managing Groups
- Understanding the Scopes of Groups
- Creating a Group
- Creating group accounts at the command line
- Modifying Groups
- Managing Computer Accounts
- Moving a Computer Account
- Configuring Properties of Computer Accounts
- Troubleshooting Computer Accounts