Creating and Configuring Domain User Accounts
As a member of the Account Operators, Enterprise Admins, or Domain Admins group, you can use Active Directory Users And Computers to create user accounts. Follow these steps:
- Click Start, Administrative Tools, and Active Directory Users And Computers. This starts Active Directory Users And Computers.
- By default, you are connected to your logon domain. If you want to create OUs in a different domain, right-click the Active Directory Users And Computers node in the console tree, and then select Change Domain. In the Change Domain dialog box, type the name of the domain to which you want to connect, and then click OK. Alternatively, you can click Browse to find the domain to which you want to connect in the Browse For Domain dialog box.
- You can now create the user account. Right-click the container in which you want
to create the user, point to New, and then select User. This will start the New Object-User Wizard.
When you create a new user, you're prompted for the first name, initials, last name, full name, and logon name. The pre-Windows 2000 logon name then appears automatically. This logon name is used when a user logs on to Windows NT, Microsoft Windows 95, or Microsoft Windows 98. - When you click Next, you can set the user's password and account options. The
password must meet the complexity requirements set in the group policy. These options are as follows:
- User Must Change Password At Next Logon
- User Cannot Change Password
- Password Never Expires
- Account Is Disabled
- Click Next, and then click Finish. If you use a password that doesn't meet the complexity requirements of group policy, you'll see an error and you'll have to click Back to change the user's password before you can continue.
Viewing and Setting User Account Properties
If you double-click a user account in Active Directory Users And Computers, a Properties dialog box appears, with tabs allowing you to configure the user's settings. Table-3 lists the tabs you see in the Properties dialog box.
Table-3 User Account PropertiesAccount Tab | Description |
---|---|
Account | Used to manage logon name, account options, logon times, and account lockout |
Address | Used to manage geographical address information |
Attribute Editor | Used to edit the attributes of the related user object |
COM+ | Used to select the user's COM+ partition set |
Dial-I | Used to set the user's dial-in or virtual private network (VPN) access controls as well as callback, IP address, and routing options for dialin or VPN |
Environment | sed to manage the Terminal Services startup environment |
General | Used to manage the account name, display name, e-mail address, telephone number, and Web page |
Member Of | Used to add the user to or remove the user from selected groups |
Object | Displays the canonical name of the user object with dates and Update Sequence Numbers |
Organization | Used to manage the user's title and corporate information (department, manager, direct reports) |
Profile | Used to manage the user profile configuration (profile path, logon script) and home folder |
Published Certificates | Used to install or remove user's X.509 certificates |
Remote Control | Used to manage remote control settings for Terminal Services |
Security | Used to configure advanced permissions for users and groups that can access this user object in Active Directory |
Sessions | Used to manage Terminal Services timeout and reconnection settings |
Telephones | Used to manage home phone, pager, fax, IP phone, and cell phone numbers |
Terminal Services Profile | Used to manage the user profile for Terminal Services |
Note:
The number of tabs in a user's Properties dialog box will vary depending upon the software installed. For example, adding Exchange mail services will add multiple property sheets (tabs) to each user's Active Directory account. Also, to view the Published Certificates, Objects, or Security property sheets, you must be in Advanced view. To access Advanced view, select Advanced Features from the View menu in Active Directory Users And Computers.
Most of the time, as the administrator, you will use a number of the account settings regularly. The General tab has the name and e-mail for the user. The Account tab has the user name and lets you configure logon hours or logon settings. There is also an area on the Account tab that allows the account to be unlocked. This latter setting is a quick way to unlock an account when a user has forgotten a password or is locked out of the account for some other reason. The Profile tab lets you set a user profile, logon script, and home folder. The Member Of tab lets you add the user to various groups. The Security tab lets you set the way permissions for groups or users are configured and provides access to the Effective Permissions tool via the Advanced button.
Obtaining Effective Permissions
In Active Directory, user accounts are defined as objects-as are group and computer accounts. This means that user accounts have security descriptors that list the users and groups that are granted access. Security descriptors also define ownership of the object and specify the permissions that those users and groups have been assigned with respect to the object.
Individual entries in the security descriptor are referred to as access control entries (ACEs). Active Directory objects can inherit ACEs from their parent objects. This means that permissions for a parent object can be applied to a child object. For example, all members of the Account Operators group inherit permissions granted to this group.
Because of inheritance, sometimes it isn't clear whether a particular user, group, or computer has permission to work with another object in Active Directory. This is where the Effective Permissions tool comes in handy. The Effective Permissions tool allows you to examine the permissions that a user, group, or computer has with respect to another object. For example, if you wanted to determine what permissions, if any, a user who has received delegated control has over another user or group, you could use Effective Permissions to do this.
The Effective Permissions tool is available in Active Directory Users And Computers- but only if you are in the Advanced Features view. Select Advanced Features from the View menu if necessary, and then double-click the user, group, or computer for which you are trying to determine the effective permissions of another user or group. In the Properties dialog box, click the Advanced button on the Security tab to open the Advanced Security Settings dialog box, and then click the Effective Permissions tab. Next, click Select, type the name of the user or group for which you want to see the effective permissions with regard to the previously selected object, and then click OK.
The effective permissions for the selected user or group in relation to the previously selected object appear. The Effective Permissions box will have check marks showing which permissions are in effect. If there are no effective permissions, none of the permissions' check boxes will be selected.
In this tutorial:
- Managing Users, Groups, and Computers
- Managing Domain User Accounts
- Configuring User Account Policies
- Enforcing Password Policy
- Configuring Account Lockout Policy
- Creating Password Settings Objects and Applying Secondary Settings
- Understanding User Account Capabilities, Privileges, and Rights
- Assigning User Rights
- Creating and Configuring Domain User Accounts
- Configuring Account Options
- Configuring Profile Options
- Troubleshooting User Accounts
- Implementing and Creating Preconfigured Profiles
- Configuring Local User Profiles
- Implementing Mandatory User Profiles
- Managing User Data
- Using Offline Files
- Configuring Offline Files on Clients
- Maintaining User Accounts
- Moving User Accounts
- Resetting a User's Domain Password
- Creating a User Account Password Backup
- Managing Groups
- Understanding the Scopes of Groups
- Creating a Group
- Creating group accounts at the command line
- Modifying Groups
- Managing Computer Accounts
- Moving a Computer Account
- Configuring Properties of Computer Accounts
- Troubleshooting Computer Accounts